Conventional secure online systems employ a certificate revocation list (CRL) to indicate which certificates have been revoked so that if those certificates are presented again, the system will know they are no longer valid. The list conventionally includes the serial numbers for certificates that are revoked.
Certificate revocation lists have a lifetime during which they are valid; this lifetime is conventionally 24 hours or less. The timing for the publication of the CRL depends on whether the system needs immediate notification or if hourly or daily publication is sufficient.
To operate a secure system effectively, the system must have access to current CRLs. For large-scale systems the CRLs may be quite large, which makes managing them and distributing them to a broad audience inefficient. Moreover, requiring a system to check a remotely located CRL takes time and opens the system to potential security attacks.
To reach the required level of scalability, a robust authentication technology is needed that allows individual private gateway server nodes to authenticate any one of a large number of certificates even when connectivity to the backend authentication databases is lost.
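The following is an added illustration, not code from the original text, of the local-CRL-cache behaviour the passage above calls for: a gateway node keeps the most recently fetched CRL per issuer, answers revocation checks from that copy by serial number, keeps answering for a bounded grace period after the CRL's lifetime expires (so a short loss of connectivity does not stop authentication), and refuses to install a CRL whose number is not newer than the one it already holds. The issuer name, CRL number, serial numbers, timestamps and the six-hour grace period are constructed sample values and the `max_stale` policy is an assumption of this example, not something the text specifies.

```python
"""Added example: a per-issuer local CRL cache for a gateway node (not from the original page)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet

# Possible answers from a revocation check.
REVOKED, GOOD, GOOD_STALE, UNKNOWN = "revoked", "good", "good-stale", "unknown"


@dataclass(frozen=True)
class CRLSnapshot:
    """The fields of a CRL that a local lookup needs (serial numbers only, as the text describes)."""
    issuer: str
    crl_number: int            # monotonically increasing per issuer; used to reject replays
    this_update: datetime      # start of the CRL's lifetime
    next_update: datetime      # end of the CRL's lifetime (conventionally <= 24 h after this_update)
    revoked_serials: FrozenSet[int]


class LocalCRLCache:
    """Holds one CRL per issuer and answers checks without contacting the backend."""

    def __init__(self, max_stale: timedelta):
        # How long past next_update an expired CRL may still be used (assumed policy).
        self.max_stale = max_stale
        self._by_issuer: Dict[str, CRLSnapshot] = {}

    def install(self, crl: CRLSnapshot) -> bool:
        """Accept a freshly fetched CRL; returns False if it is malformed or not newer than the cached one."""
        if crl.next_update <= crl.this_update:
            return False
        current = self._by_issuer.get(crl.issuer)
        if current is not None and crl.crl_number <= current.crl_number:
            return False  # an older or replayed CRL must not replace a newer one
        self._by_issuer[crl.issuer] = crl
        return True

    def check(self, issuer: str, serial: int, now: datetime) -> str:
        """Classify a certificate serial using only the locally cached CRL for its issuer."""
        crl = self._by_issuer.get(issuer)
        if crl is None or now < crl.this_update:
            return UNKNOWN                       # nothing usable for this issuer yet
        if now >= crl.next_update + self.max_stale:
            return UNKNOWN                       # grace period exhausted: fail closed
        if serial in crl.revoked_serials:
            return REVOKED                       # a listed serial stays revoked, stale or not
        return GOOD if now < crl.next_update else GOOD_STALE


def demo() -> Dict[str, str]:
    """Run the cache against constructed sample data and return the outcomes by scenario."""
    issuer = "CN=Example Issuing CA"                               # constructed
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)          # constructed reference time
    crl = CRLSnapshot(issuer, 42, t0 - timedelta(hours=1), t0 + timedelta(hours=23),
                      frozenset({0x1001, 0x1002}))                 # constructed serials
    replay = CRLSnapshot(issuer, 41, t0 - timedelta(hours=2), t0 + timedelta(hours=22), frozenset())
    cache = LocalCRLCache(max_stale=timedelta(hours=6))
    cache.install(crl)
    return {
        "revoked_now": cache.check(issuer, 0x1001, t0),
        "good_now": cache.check(issuer, 0x2000, t0),
        "revoked_stale": cache.check(issuer, 0x1001, t0 + timedelta(hours=25)),
        "good_stale": cache.check(issuer, 0x2000, t0 + timedelta(hours=25)),
        "too_old": cache.check(issuer, 0x2000, t0 + timedelta(hours=48)),
        "other_issuer": cache.check("CN=Other CA", 0x2000, t0),
        "replay": "rejected" if not cache.install(replay) else "accepted",
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The distinction between `good` and `good-stale` lets a node keep authenticating during a brief outage while still signalling that its revocation data is past its lifetime; once the grace period is exhausted the answer becomes `unknown`, so the node fails closed rather than silently trusting an arbitrarily old list.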