An Improved Delta and Over-issued Certificate Revocation Mechanism

With the increasing acceptance of digital certificates, how to find and revoke digital certificate which has been stopped has been become more and more important, which can avoid huge economic losses to end-user. At present the most popular choice is the use of lightweight directory access protocol (LDAP) directory server to issue the certificate revocation list (CRL). Based on the analysis of the certificate storage and publish in LDAP server, a new and more efficient certificate revocation mechanism is proposed in this paper. The new mechanism integrates Delta and over-issued CRL and windowed certificate revocation mechanism, which satisfies the scalability and flexibility requirements of certificate revocation mechanism, at the same time, and can provide near real-time certificate status when required. The design and performance of the new mechanism are analyzed in detail. CRL is organized in the form of binary sort tree structure in LDAP, which satisfies the query of the revocation of certificates rapidly in LDAP.