An application programming interface (API) is a set of functions and procedures provided by an operating system to higher-level software applications executing within a computer system. APIs provide the software application with the ability to interact with the operating system and lower-level system utilities and services implemented by the operating system. One important service typically implemented in the operating system is the ability to communicate over a computer network. An API that provides access to these network services may be referred to as a network interface API. Network interface APIs are provided by the operating system to provide higher-level software applications with the ability to communicate with other software applications running on different computing systems reachable by the computer network. Operating systems generally implement a network stack conforming to the Open Systems Interconnection (OSI) reference model in order to provide a plurality of layered networking protocols to enable this communication. One common form of a network stack conforms to the TCP/IP model in which the Transmission Control Protocol (TCP) is utilized within the transport layer of the network stack while the Internet Protocol (IP) is utilized in the Internet layer.
Some network protocols are designed to provide secure communications over a network. One such networking protocol is the Secure Socket Layer (SSL) protocol. Another such networking protocol is the Transport Layer Security (TLS) protocol. The SSL protocol generally provides secure communication over the network, even if the network itself is insecure, using asymmetric key cryptography to transmit a symmetric key that two parties to a communication session may use thereafter to encrypt session data. In this manner, the two parties exchange a symmetric key without the symmetric key being intercepted by a third party. Asymmetric key cryptography typically requires the use of public key and private key pairs. Each computer participating in the SSL protocol maintains a secret private key, while also distributing an associated public key to other computers on the network. Public keys may be distributed within a digital certificate. The certificate may include other information in addition to the public key, such as a computer identifier and an identifier for a trusted certificate authority. Network applications may use an API that is provided by an implementation of SSL (referred to herein as an SSL API) to create and maintain a secure connection over a computer network. Typically, each application running on a computer initiates a unique SSL session through the SSL API.
In many cases, neither of two communicating parties knows whether the other can or should be trusted. As a result, it is common to rely on a certificate authority, an entity that issues digital certificates and acts as a third party trusted by both communicating parties. The certificate authority issues a certificate to each of the two parties to attest that they are trustworthy. The certificate authority also issues certificate lists containing identifiers of trusted parties.
In operation, a certificate authority typically maintains a certificate revocation list (CRL), a list of certificates that have been revoked or are otherwise no longer valid and therefore should not be relied upon. A certificate authority may, for example, revoke a certificate upon discovering that the entity to which it was issued failed to comply with certain policies. Other reasons for revocation include compromise of the private key, supersession of the certificate by another certificate, withdrawal of the individual's privileges, and the like. The certificate authority republishes its CRLs periodically or immediately upon revocation of one or more certificates. Other parties may then refuse to initiate or continue communication with the distrusted party.
When establishing a secure communication session, a computing device verifies that the other party's digital certificate is valid by consulting internally stored copies of certificate lists and CRLs. A computing device implementing SSL or another secure communication protocol generally stores certificates, certificate lists, and CRLs in one or more files or databases. Generally, when a new certificate or CRL is received, the computing device terminates all current network communication sessions, updates the certificate lists and/or CRLs in its files or databases, and then allows network communication to restart. The computing device typically receives updates to certificates and CRLs from a certificate authority.
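The validation step described above, as an added example that is not part of the original text: a peer certificate is accepted only if its issuer is a trusted certificate authority, it is within its validity period, and its serial number does not appear on a current CRL from that issuer. The Certificate, CRL and CertificateStore types, the ExampleCA/host-a/host-b names and all dates are constructed stand-ins for X.509 structures (assumption: a real implementation parses DER/PEM with an X.509 library and also verifies the CA's signature on the certificate and the CRL, which is omitted here). The revocation reasons are the CRLReason codes from RFC 5280 that correspond to the reasons listed above.

```python
"""Constructed model of the certificate and CRL checks described above (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class RevocationReason(Enum):
    # Subset of the CRLReason codes defined in RFC 5280, section 5.3.1
    KEY_COMPROMISE = 1
    SUPERSEDED = 4
    PRIVILEGE_WITHDRAWN = 9


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str           # computer identifier
    issuer: str            # identifier of the certificate authority
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    issuer: str
    this_update: datetime  # when the CA published this list
    next_update: datetime  # when the CA promises a fresh one
    revoked: dict = field(default_factory=dict)  # serial -> RevocationReason


@dataclass
class CertificateStore:
    trusted_issuers: set
    crls: dict = field(default_factory=dict)     # issuer -> CRL

    def update_crl(self, crl: CRL) -> bool:
        """Replace the stored CRL only if the new one is more recent; an older
        list replayed later must never hide revocations already learned."""
        current = self.crls.get(crl.issuer)
        if current is not None and crl.this_update <= current.this_update:
            return False
        self.crls[crl.issuer] = crl
        return True


def verify_peer_certificate(cert, store, now):
    """Return (accepted, reason). Fails closed: a missing or stale CRL rejects
    the peer instead of silently skipping the revocation check."""
    if cert.issuer not in store.trusted_issuers:
        return False, "untrusted issuer"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period"
    crl = store.crls.get(cert.issuer)
    if crl is None:
        return False, "no CRL available for issuer"
    if now > crl.next_update:
        return False, "CRL is stale"
    reason = crl.revoked.get(cert.serial)
    if reason is not None:
        return False, f"revoked ({reason.name})"
    return True, "ok"


def recheck_sessions(sessions, store, now):
    """After a CRL update, re-run the check for each active session's peer
    certificate and return the subjects whose sessions should be terminated."""
    return [c.subject for c in sessions if not verify_peer_certificate(c, store, now)[0]]


# Constructed sample data: one CA, two peers it issued, one peer from an unknown CA.
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
CA = "ExampleCA"
HOST_A = Certificate(2002, "host-a", CA, SAMPLE_NOW - timedelta(days=30), SAMPLE_NOW + timedelta(days=335))
HOST_B = Certificate(1001, "host-b", CA, SAMPLE_NOW - timedelta(days=30), SAMPLE_NOW + timedelta(days=335))
OTHER = Certificate(7, "host-c", "UnknownCA", SAMPLE_NOW - timedelta(days=1), SAMPLE_NOW + timedelta(days=1))


def run_demo():
    """Initial CRL, a replayed older CRL, then a fresh CRL revoking host-b."""
    store = CertificateStore(trusted_issuers={CA})
    results = {}
    results["no_crl"] = verify_peer_certificate(HOST_A, store, SAMPLE_NOW)
    first = CRL(CA, SAMPLE_NOW - timedelta(days=2), SAMPLE_NOW + timedelta(days=5))
    results["first_accepted"] = store.update_crl(first)
    results["host_a"] = verify_peer_certificate(HOST_A, store, SAMPLE_NOW)
    results["other_ca"] = verify_peer_certificate(OTHER, store, SAMPLE_NOW)
    older = CRL(CA, SAMPLE_NOW - timedelta(days=9), SAMPLE_NOW - timedelta(days=2))
    results["replay_accepted"] = store.update_crl(older)
    # CA republishes immediately because host-b's private key was compromised
    fresh = CRL(CA, SAMPLE_NOW, SAMPLE_NOW + timedelta(days=7),
                {HOST_B.serial: RevocationReason.KEY_COMPROMISE})
    results["fresh_accepted"] = store.update_crl(fresh)
    results["host_b"] = verify_peer_certificate(HOST_B, store, SAMPLE_NOW)
    results["terminate"] = recheck_sessions([HOST_A, HOST_B], store, SAMPLE_NOW)
    results["stale_later"] = verify_peer_certificate(HOST_A, store, SAMPLE_NOW + timedelta(days=8))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The recheck_sessions step goes slightly beyond the behaviour described above: rather than terminating every session when a new CRL arrives, it re-validates each active session's peer certificate against the updated store and reports only those that no longer pass. The fail-closed choices (no CRL, or a CRL past its next_update) are deliberate, since a device that skips the revocation check when the list is unavailable keeps trusting a certificate the authority may already have revoked.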