4.5.5.1 Status Checking

In general, before trusting a party's certificate for an important transaction, you should check that it is still valid and has not been revoked. This is called checking its status. If the certificate does not come back as valid, proceed with the transaction at your own risk. The process, and the potential consequences of skipping it, are similar to the common practice of a merchant authorizing your credit card before accepting it as payment.

Normally, status checking is performed by referring to information from the certificate's issuing CA, which may be in the form of a published CRL or of an OCSP site. Additionally, as pointed out in a Microsoft paper on certificate status checking in closed PKI environments [407] (rather than public environments with external CAs), other protocols can be used to perform similar validity checks, depending on how the CA chooses to set things up.

Be aware that many email clients are notoriously bad at checking for revoked certificates, so when sending or receiving signed email, you may wish to check certificate validity independently.

A certificate status check may tell you the certificate's status (valid, suspended, revoked or expired) as well as a reason code explaining that status (such as "requested by user" or "compromise suspected").
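The decision a relying party makes after fetching a CRL, as an added example that is not part of the CertiGuide text: given a certificate's serial, issuer and validity period, and a CRL from the issuing CA, classify the certificate as valid, suspended, revoked or expired and report the reason code. The CRL, issuer name, serial numbers and reference time are all constructed data; no real CA is contacted and only the standard library is used. The numeric reason codes are the CRLReason values defined in RFC 5280, where "certificateHold" is the suspension case the page refers to. The example also covers two failure modes the paragraph implies but does not spell out: a CRL whose nextUpdate has passed, or one issued by a different CA, tells you nothing, so the check returns "unknown" rather than "valid".

```python
"""Certificate status decision against a CRL (constructed data, stdlib only)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# RFC 5280 CRLReason codes. Value 7 is unassigned in the RFC.
REASON_CODES = {
    0: "unspecified",
    1: "keyCompromise",
    2: "cACompromise",
    3: "affiliationChanged",
    4: "superseded",
    5: "cessationOfOperation",
    6: "certificateHold",
    8: "removeFromCRL",
    9: "privilegeWithdrawn",
    10: "aACompromise",
}


@dataclass
class Certificate:
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class RevokedEntry:
    revocation_date: datetime
    reason_code: Optional[int] = None  # a CRL entry may omit the reason extension


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, RevokedEntry] = field(default_factory=dict)


@dataclass
class StatusResult:
    status: str  # "valid" | "suspended" | "revoked" | "expired" | "unknown"
    reason: Optional[str] = None


def check_status(cert: Certificate, crl: CRL, now: datetime) -> StatusResult:
    # 1. Validity period first: an expired certificate is simply expired,
    #    whatever the CRL says about it.
    if now < cert.not_before:
        return StatusResult("unknown", "certificate not yet valid")
    if now > cert.not_after:
        return StatusResult("expired")
    # 2. The CRL must come from the issuing CA and must itself be current.
    #    A foreign or stale CRL proves nothing, so fail closed with "unknown".
    if crl.issuer != cert.issuer:
        return StatusResult("unknown", "CRL issuer does not match certificate issuer")
    if now < crl.this_update:
        return StatusResult("unknown", "CRL not yet effective")
    if now > crl.next_update:
        return StatusResult("unknown", "CRL is stale (nextUpdate has passed)")
    # 3. Look the serial up. certificateHold (6) is a suspension the CA may
    #    later lift with removeFromCRL; every other listed serial is revoked.
    entry = crl.revoked.get(cert.serial)
    if entry is None:
        return StatusResult("valid")
    code = entry.reason_code if entry.reason_code is not None else 0
    reason = REASON_CODES.get(code, "unknown reason code %d" % code)
    if code == 6:
        return StatusResult("suspended", reason)
    return StatusResult("revoked", reason)


def demo() -> Dict[str, StatusResult]:
    """Run the check over constructed certificates and CRLs; returns results by case name."""
    now = datetime(2004, 11, 15, 12, 0, tzinfo=timezone.utc)  # constructed reference time
    ca = "CN=Example Issuing CA"  # constructed issuer name
    crl = CRL(
        issuer=ca,
        this_update=now - timedelta(hours=1),
        next_update=now + timedelta(days=7),
        revoked={
            1001: RevokedEntry(now - timedelta(days=3), reason_code=1),  # keyCompromise
            1002: RevokedEntry(now - timedelta(days=1), reason_code=6),  # certificateHold
            1003: RevokedEntry(now - timedelta(days=10)),                # no reason given
        },
    )
    # Same revocation list, but published a month ago and past its nextUpdate.
    stale_crl = CRL(ca, now - timedelta(days=30), now - timedelta(days=1), dict(crl.revoked))

    def cert(serial: int, issuer: str = ca, days_left: int = 365) -> Certificate:
        return Certificate(serial, issuer, now - timedelta(days=30), now + timedelta(days=days_left))

    return {
        "unlisted": check_status(cert(2000), crl, now),
        "key_compromise": check_status(cert(1001), crl, now),
        "on_hold": check_status(cert(1002), crl, now),
        "no_reason": check_status(cert(1003), crl, now),
        "expired": check_status(cert(2000, days_left=-1), crl, now),
        "wrong_issuer": check_status(cert(2000, issuer="CN=Other CA"), crl, now),
        "stale_crl": check_status(cert(2000), stale_crl, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-15s %-10s %s" % (name, result.status, result.reason or ""))
```

The ordering of the checks is the point: validity period, then whether the CRL itself can be trusted, and only then the serial lookup. Treating a stale CRL as "valid" is the mistake the page's warning about email clients amounts to in practice, and returning "unknown" lets the caller decide whether to proceed at its own risk, as the text puts it.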
407. http://www.farcaster.com/papers/fc99/fc99.htm
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com. Version 1.0 - Version Date: November 15, 2004. Adapted with permission from a work created by Tcat Houser et al. CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved. Not responsible for any loss resulting from the use of this site.