Guidelines For Designing A Revocation Policy

As a designer, you are not a security policy writer; however, you often work with products and new processes for which no policy exists and for which few other people have the knowledge needed to write one. You might also need to make design decisions that are really the purview of a policy. If no policy exists, use the following guidelines, as part of your design, to draft a policy for management approval:
Ensure that the policy specifies which of the reasons for revocation will be used and when. Defined reasons help prevent misunderstandings: if policy states that certificates are revoked and reissued whenever specific job changes occur, users will not assume that a revocation means they have done something wrong.
Decide whether certificates should ever have their revocation removed. Policy might dictate that this practice is not used, to avoid confusion, and operational factors might also play a role. For example, in a large infrastructure there is always a lag between the time a certificate is revoked and the time that information is actually available to the applications that depend on it. A similar delay exists between the time you remove a revocation and the time the certificate actually disappears from the CRL in use, and this can make the process inconvenient. On the other hand, if all revocations are final, the CA Manager or administrator might be reluctant to revoke a particular certificate, which is not desirable either. Providing guidelines in the policy on when to revoke a certificate is an important part of the revocation process design.
Decide who will make the revocation decision and who will implement it. This policy can contain statements such as "all user certificates will be revoked when the employee leaves the company," "if an employee forgets her smart card, a new smart card will be issued and the certificate assigned to the old smart card will be revoked," and so on. As the smart-card statement hints, in addition to blanket statements, each use of certificates should be examined to determine when revocation is appropriate.
Determine when the CA administrator should manually publish a CRL. Reasons for doing so include a large number of new revocations, or a revocation made because of suspected or actual key compromise. Note, however, that a certificate verifier holding a valid CRL in its local cache does not attempt to retrieve another CRL from the CA; even though a new CRL has been published, it will not be retrieved until the cached CRL's validity period expires.
Design the location of CRL publication points.
- By default, an enterprise CA publishes its CRL to Active Directory and to the Web enrollment pages.
- Additional or different publication points must be established before certificates are issued, because the CRL publication point is written into each certificate. (Certificate verifiers use the publication point listed in the certificate to retrieve a CRL when necessary.)
- Consider the size of the implementation and its geographic dispersion to determine whether additional points are necessary. CRLs can be published to file locations, URLs, and LDAP directories.
- Offline root CAs need special consideration. Their CRL publication points must be established on the network, and automatic publication must be turned off because the offline CA cannot publish to the network. A manual process must be established for periodic publication of the CRL. Establish a long publication period so that manually publishing the CRL and placing it on the network is an infrequent chore. This approach is acceptable because a revocation by the root CA would be rare.
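The following PowerShell session shows what the publication-point, manual-publication and offline-root guidelines above look like when applied to a Windows CA with certutil. It is an added example written for this page, not code from the original text or from Microsoft; the host name pki.example.com, the CA names, the domain DC=example,DC=com and the root's host name ROOTCA01 are constructed placeholders, and the chosen periods (one day for the issuing CA, 26 weeks for the root) are illustrative.

```powershell
# Added example, not from the original text: CRL publication points and CRL period for a
# Windows enterprise issuing CA, then the matching settings for an offline root CA.
# pki.example.com, ROOTCA01, the CA names and DC=example,DC=com are placeholders.
# Run in an elevated PowerShell session on the CA itself.

# ---- Online enterprise issuing CA -----------------------------------------------------
# Each CRLPublicationURLs entry is "<flags>:<url>". Flag bits: 1 = the CA writes its CRL to
# this location, 2 = put the URL in the CDP extension of every issued certificate,
# 4 = put it in the Freshest CRL extension (delta CRLs), 8 = put it in the IDP extension of
# CRLs, 64 = the CA writes delta CRLs here. The CA expands %n tokens (%2 server short name,
# %3 CA name, %6 configuration container, %7 sanitized CA name, %8 CRL suffix,
# %9 delta-CRL marker, %10 CDP object class).
$issuingCdp = @(
    '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl'                        # local file, publish only
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'  # AD, publish + CDP
    '6:http://pki.example.com/CertEnroll/%3%8%9.crl'                            # HTTP, CDP only; the web
                                                                                # server serves CertEnroll
) -join '\n'          # certutil accepts a literal \n between REG_MULTI_SZ entries
certutil -setreg CA\CRLPublicationURLs $issuingCdp

# Short CRL period with an explicit overlap: a verifier holds a cached CRL for at most
# CRLPeriod + CRLOverlapPeriod before it fetches a new one.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Days'
certutil -setreg CA\CRLOverlapUnits 12
certutil -setreg CA\CRLOverlapPeriod 'Hours'
Restart-Service certsvc       # registry changes are read when the service starts
certutil -CRL                 # manual publication: every configured point gets a CRL now

# ---- Offline root CA (run on the root itself) -----------------------------------------
# The root has no network connection, so only the local file entry carries the "publish"
# bit; the LDAP and HTTP URLs carry only bit 2 so the subordinate CA certificates the root
# issues point at them. %6 cannot be resolved without AD, so the container is spelled out.
$rootCdp = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl'
    '2:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint'
    '2:http://pki.example.com/CertEnroll/%3%8%9.crl'
) -join '\n'
certutil -setreg CA\CRLPublicationURLs $rootCdp
# A long period keeps the manual chore infrequent; the cost is a long lag if a
# subordinate CA certificate ever has to be revoked.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
Restart-Service certsvc
certutil -CRL                 # writes the root's .crl file into CertEnroll on the root

# Manual publication step: carry the .crl file from the root to a domain-joined admin
# workstation and place it on both network points before the previous root CRL expires.
# ROOTCA01 is the root's host name and must match the CN=%2 component of the LDAP URL.
#   certutil -dspublish -f 'Example Root CA.crl' ROOTCA01            # into the AD CDP container
#   Copy-Item 'Example Root CA.crl' '\\pki.example.com\CertEnroll\'  # for the HTTP point
```

The HTTP point carries no publish bit on either CA because the CA service would otherwise try to write to a URL; the web server instead serves a copy of the CertEnroll folder, and for the root that copy is refreshed by the manual step. Whatever periods are chosen, the calendar reminder for the root's manual publication must fall well inside the 26-week window, since an expired root CRL makes every chain that points at it fail validation.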
Consider normal CRL processing by certificate verifiers. Because they do not fetch a new CRL until the currently cached CRL expires, revoking a certificate under a long publication period means that news of the revocation takes longer to reach verifiers. The effect of this delay can be tempered by ensuring that the procedure for revoking a CA certificate first revokes every certificate that CA has issued, and then delays revoking the CA certificate itself until all certificate verifiers have downloaded the new CRL.
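The staged procedure just described, as an added example written for this page rather than code from the original text: on the subordinate CA being retired it revokes every issued certificate, publishes a CRL immediately, and computes the earliest moment at which every verifier's cached CRL can have expired; only after that moment is the CA certificate revoked on the parent. It assumes that the CA's period settings are read from the CertSvc registry key, that "certutil -view ... csv" prints one quoted serial number per line after a header row, that Disposition 20 means an issued certificate, and it uses revocation reason 5 (CessationOfOperation) for a decommissioned CA; SUBCA_SERIAL is a placeholder for the subordinate CA certificate's serial number.

```powershell
# Added example, not from the original text: staged revocation of a subordinate CA so that
# every verifier has refreshed its cached CRL before the CA certificate itself is revoked.
# Steps 1-3 run on the subordinate CA being retired; step 4 runs on its parent CA.
# Assumptions: CA settings come from the CertSvc registry key; "certutil -view ... csv"
# prints one quoted serial number per line after a header row; Disposition 20 = issued;
# revocation reason 5 = CessationOfOperation; SUBCA_SERIAL is a placeholder.

function ConvertTo-TimeSpan([int]$Units, [string]$UnitName) {
    # Map a CA period setting (CRLPeriod / CRLOverlapPeriod) to a TimeSpan.
    switch ($UnitName) {
        'Hours'  { [TimeSpan]::FromHours($Units) }
        'Days'   { [TimeSpan]::FromDays($Units) }
        'Weeks'  { [TimeSpan]::FromDays(7 * $Units) }
        'Months' { [TimeSpan]::FromDays(31 * $Units) }   # upper bound; the CA uses calendar months
        'Years'  { [TimeSpan]::FromDays(366 * $Units) }  # upper bound
        default  { throw "Unknown CRL period unit '$UnitName'" }
    }
}

function Get-CrlValidityWindow {
    # Longest time a CRL from this CA stays valid: CRLPeriod + CRLOverlapPeriod. A verifier
    # that cached a CRL just before our new one was published keeps it for at most this long.
    # With CRLOverlapUnits = 0 the CA uses its default overlap: 10% of the period, at most 12 h.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty $base).Active
    $cfg    = Get-ItemProperty "$base\$caName"
    $period = ConvertTo-TimeSpan $cfg.CRLPeriodUnits $cfg.CRLPeriod
    if ($cfg.CRLOverlapUnits -gt 0) {
        $overlap = ConvertTo-TimeSpan $cfg.CRLOverlapUnits $cfg.CRLOverlapPeriod
    } else {
        $overlap = [TimeSpan]::FromTicks([long]($period.Ticks * 0.1))
        if ($overlap -gt [TimeSpan]::FromHours(12)) { $overlap = [TimeSpan]::FromHours(12) }
    }
    return $period + $overlap
}

# Step 1: revoke every certificate the subordinate CA has issued.
$serials = certutil -view -restrict 'Disposition=20' -out 'SerialNumber' csv |
           Select-Object -Skip 1 |
           ForEach-Object { $_.Trim().Trim('"') } |
           Where-Object { $_ }
foreach ($serial in $serials) {
    certutil -revoke $serial 5
}

# Step 2: publish the CRL now rather than waiting for the scheduled publication.
certutil -CRL

# Step 3: verifiers keep a cached CRL until its NextUpdate, so the CA certificate must not be
# revoked before the last CRL issued prior to step 2 can have expired on every verifier.
$safeAt = (Get-Date) + (Get-CrlValidityWindow)
"Revoke the subordinate CA certificate on the parent CA no earlier than $safeAt" |
    Tee-Object -FilePath "$env:TEMP\subca-revocation-schedule.txt"

# Step 4 (on the parent CA, once $safeAt has passed):
#   certutil -revoke SUBCA_SERIAL 5
#   certutil -CRL
# The parent's own CRL period then governs how quickly this final revocation reaches
# verifiers, which for an offline root with a long publication period can be weeks.
```

The waiting time in step 3 is the subordinate CA's CRL validity window, not its publication interval: a CRL is valid for CRLPeriod plus the overlap, so a verifier that fetched a CRL a moment before step 2 will not look for a replacement until that whole window has passed. Revoking the CA certificate earlier would leave such a verifier with no way to learn about the end-entity revocations, because it could no longer build a valid chain to check the subordinate's CRL signature.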