Using MiniCRLs

Introduction

In configurations in which a slow link provides limited bandwidth or there are numerous remote sites to be updated, it can be impractical to transmit large certificate revocation lists (CRLs) or numerous end-user certificates to remote locations frequently enough to maintain up-to-date credential status information. The compact MiniCRL format is an ideal solution for distributing certificate validation information in these situations.

ActivID Validation Deployment with MiniCRLs:

As shown in the above figure, a Validation Authority can generate MiniCRLs in addition to OCSP response lists and individual OCSP responses, and make them available to relying parties.

The MiniCRL is a compact representation of a list of revoked certificates that can be consumed by relying parties or by a Tactical Validation Authority (TVA).

The Tactical Validation Authority is another instance of Validation Authority, configured with the URL at which the main Validation Authority makes MiniCRLs available.

Periodically, the Tactical Validation Authority checks to determine if updated MiniCRLs are available and retrieves new MiniCRLs.

The Tactical Validation Authority converts revocation data contained in the MiniCRL into OCSP response lists, and publishes these lists to Validation Responders which handle OCSP requests made by relying parties. The Tactical Validation Authority also uses the revocation data to generate individual responses to OCSP requests made to its Direct OCSP Interface.

MiniCRL Format

MiniCRLs are intended for certificate revocation status checking in environments with limited bandwidth between a Validation Authority and a relying party, where only a minimal amount of information is needed at transaction time to determine whether a certificate is still valid.

MiniCRLs can be processed and verified quickly by the relying party. The MiniCRL solution can scale to billions of credentials.

The MiniCRL format is a more efficient representation of a list of revoked certificates than a traditional CRL. The MiniCRL format offers all of the security and management simplicity of traditional CRLs, but allows transmission of the revocation list using only a small fraction of the bandwidth of a full X.509 CRL. This is possible because CRL data that is not normally used when checking certificate revocation status, such as the revocation reason code and the revocation date, is excluded from MiniCRLs. A relying party that does need those fields, for example to distinguish a key compromise from a routinely superseded certificate, or to decide whether a signature was produced before the certificate was revoked, must obtain them from the full CRL or from an OCSP response rather than from the MiniCRL.

A relying party can trust a MiniCRL based on the integrity of the digital signature that the Validation Authority applies to the MiniCRL; the consuming server must therefore be configured with the trusted MiniCRL signer before it accepts any MiniCRL. Like OCSP response lists, a MiniCRL can be generated from a standard X.509 CRL or from a set of certificates registered with Validation Authority.

In addition to its reduced size, scalability, security, and management simplicity, MiniCRLs provided by Validation Authority offer the following additional features:

  • Pre-generated - Created and published periodically, not based on specific requests.

  • Verifiable - Forged or tampered MiniCRLs can be distinguished from genuine MiniCRLs by checking the signature against the trusted signer.

  • Bounded - Usable only for a specific period of time; a MiniCRL outside that period must be rejected and a newer one retrieved.
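To make the three properties concrete, the following Python is an added example, not ActivID code and not the MiniCRL wire format, which the page does not specify. It uses a hypothetical compact encoding (sorted serial numbers, delta-encoded as varints, plus a validity window) and an HMAC tag as a stand-in for the Validation Authority's digital signature so that it runs offline with the standard library only. The issuer name, key, serial numbers and timestamps are constructed sample data. The consumer side does what a relying party or Tactical Validation Authority must do in order: check the signer, check the validity window, then decode and answer a status query of the kind that would go into an OCSP response.

```python
import bisect
import hashlib
import hmac
import struct

MAGIC = b"MCRL"                          # hypothetical format marker
SIGNER_KEY = b"demo-va-signing-key"      # constructed; stands in for the VA signing key
TAG_LEN = 32


def _put_varint(out: bytearray, n: int) -> None:
    """Unsigned LEB128: gaps between consecutive sorted serials usually fit in one byte."""
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)


def _get_varint(buf: bytes, pos: int):
    n = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        n |= (b & 0x7F) << shift
        if b < 0x80:
            return n, pos
        shift += 7


def encode_minicrl(issuer_id: bytes, serials, this_update: int, next_update: int,
                   key: bytes = SIGNER_KEY) -> bytes:
    """VA side: pre-generate a bounded, signed list of revoked serials (no reason, no date)."""
    if next_update <= this_update:
        raise ValueError("next_update must follow this_update")
    body = bytearray(MAGIC)
    body += hashlib.sha256(issuer_id).digest()[:8]          # short issuer key id (hypothetical)
    body += struct.pack(">II", this_update, next_update)     # validity window, epoch seconds
    serials = sorted(set(serials))
    _put_varint(body, len(serials))
    prev = 0
    for s in serials:                                        # delta-encode the sorted serials
        _put_varint(body, s - prev)
        prev = s
    tag = hmac.new(key, bytes(body), hashlib.sha256).digest()   # stand-in for the VA signature
    return bytes(body) + tag


class MiniCRLError(Exception):
    pass


def verify_and_parse(blob: bytes, now: int, key: bytes = SIGNER_KEY) -> dict:
    """Consumer side: trusted signer first, validity window second, only then decode."""
    if len(blob) < 21 + TAG_LEN:
        raise MiniCRLError("truncated")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise MiniCRLError("signature check failed: not from the trusted MiniCRL signer")
    if body[:4] != MAGIC:
        raise MiniCRLError("not a MiniCRL")
    this_update, next_update = struct.unpack(">II", body[12:20])
    if not this_update <= now < next_update:
        raise MiniCRLError("MiniCRL outside its validity window; fetch a fresh one")
    try:
        count, pos = _get_varint(body, 20)
        serials, prev = [], 0
        for _ in range(count):
            delta, pos = _get_varint(body, pos)
            prev += delta
            serials.append(prev)
    except IndexError:
        raise MiniCRLError("malformed serial list") from None
    if pos != len(body):
        raise MiniCRLError("trailing data")
    return {"issuer_kid": body[4:12], "this_update": this_update,
            "next_update": next_update, "serials": serials}


def cert_status(parsed: dict, serial: int) -> str:
    """The status a Tactical VA would place in an OCSP response for this serial."""
    revoked = parsed["serials"]
    i = bisect.bisect_left(revoked, serial)
    return "revoked" if i < len(revoked) and revoked[i] == serial else "good"


def status_or_error(blob: bytes, now: int, serial: int, key: bytes = SIGNER_KEY) -> str:
    """One-call check: 'good' / 'revoked', or 'error: ...' if the list cannot be trusted."""
    try:
        return cert_status(verify_and_parse(blob, now, key), serial)
    except MiniCRLError as e:
        return f"error: {e}"


# Constructed sample: 5,000 revoked serials of a hypothetical issuer, list valid for 24 hours.
THIS_UPDATE = 1_700_000_000
NEXT_UPDATE = THIS_UPDATE + 24 * 3600
SAMPLE_SERIALS = range(1000, 1000 + 3 * 5000, 3)
SAMPLE_BLOB = encode_minicrl(b"CN=Example Issuing CA", SAMPLE_SERIALS, THIS_UPDATE, NEXT_UPDATE)

if __name__ == "__main__":
    print(len(SAMPLE_BLOB), "bytes for", len(SAMPLE_SERIALS), "revoked serials")  # 5055 bytes
    print(status_or_error(SAMPLE_BLOB, THIS_UPDATE + 3600, 1003))      # revoked
    print(status_or_error(SAMPLE_BLOB, THIS_UPDATE + 3600, 1004))      # good
    print(status_or_error(SAMPLE_BLOB, NEXT_UPDATE + 60, 1003))        # error: outside window
    tampered = bytearray(SAMPLE_BLOB)
    tampered[25] ^= 0x01
    print(status_or_error(bytes(tampered), THIS_UPDATE + 3600, 1003))  # error: signature
```

The order of checks matters: a forged or expired list must be rejected before any serial in it is believed, and the consumer never falls back to "good" on an error, since an attacker who can block or corrupt the download would otherwise un-revoke every certificate. Note also that the list carries no revocation date or reason, which is exactly what keeps it at roughly one byte per revoked serial here, and exactly why it cannot answer "was this certificate valid when that signature was made".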

Management—Generation of MiniCRLs

This section describes additional Validation Authority management activities to be performed on the Validation Authority server used to generate MiniCRLs.

Configure MiniCRL Generation

Refer to Configure Data Input - MiniCRL Generation.

Schedule MiniCRL Generation

Refer to Administrator Operations - Jobs.

Validation Authority uses a separate job to generate MiniCRLs, as shown on the Jobs page depicted below:

You can schedule and run the MiniCRL Generator job in the same way that you would the OCSP Response List Pre-generator and Data Sources jobs.

Management - Consumption of MiniCRLs

This section describes additional Validation Authority management activities to be performed on the Validation Authority server used to consume MiniCRLs, also known as the Tactical Validation Authority.

Configure a MiniCRL Data Source

Refer to Add a New URL miniCRL Data Source.

Configure a Trusted MiniCRL Signer

Refer to Configure System Settings - MiniCRL Trust.

Schedule the import of MiniCRLs

Refer to Administrator Operations - Jobs.

Run the Data Sources job.

Schedule the generation of OCSP Response Lists

Run the OCSP Response List Pre-generator job, the same way you would when the data comes from a CRL instead of a MiniCRL.