As network-enabled devices are deployed within a network, there is a need to perform such operations as authentication, configuration, software updates and monitoring in as automated a fashion as possible. As the number of devices within a network grows larger, a general problem for network operators becomes how to locate the various types of information pertaining to the devices that is needed to perform those operations. Specific examples of the information a network operator may need concerning a device deployed in its network include the device manufacturer, type, capability and operational information based on the device manufacturer and model. Maintaining large device information databases is not desirable because of storage, administration and other availability issues. The problem is exacerbated when the devices are supplied by multiple manufacturers.
Even though device information databases can be maintained by the vendors and accessed by network operators, the network operator still needs to maintain the addresses for these databases, which can itself be a difficult task, particularly if the number of vendors is large. The ability to locate device information databases does not have a scalable and automated solution and thus may be a significant administrative burden, possibly requiring specific signaling protocols to indicate such information.
Another information database a network operator or other devices in the network may need to access is a certificate revocation list (CRL), which includes a list of revoked digital certificates. Digital certificates are widely used over communication networks and in the field of electronic commerce for document and identity authentication purposes. In general, such digital certificates are used to certify the identity of an entity in the digital world, particularly as defined by the public key infrastructure (PKI). In a PKI, a certificate authority (CA) is a trusted entity that issues, renews, and revokes certificates. An end entity is a person, router, server, end device or other entity that uses a certificate to identify itself.
As digital certificates are issued and used, they may also be revoked for various reasons. Revocation can be defined as the expiry of a certificate's validity prior to its certificate expiration date. A typical example would be when an employee holding a private key on behalf of a corporation leaves that corporation. Another example is when the memory holding a device private key is exposed. In those cases it would be necessary for certificates associated with that private key to be revoked. Otherwise any person holding the private key, with the proper access knowledge, could perform unauthorized transactions on behalf of the corporation.
Many other situations may require the placement of a certificate on the CRL. For example, each of the following cases illustrates a situation involving revoked certificates: the relationship between an issuing party and an organization is severed or suspended, an issuing authority ceases to operate, there is suspected private key compromise, a certificate is no longer required by the client, etc.
In other situations, digital certificates may be revoked or placed on hold pending some future event. In such a case, a user may have misplaced a private key, associated with a particular certificate, and is currently searching for it. Also, a user may have forgotten the password needed to access the private key. In that case, the associated digital certificate is revoked until the password issue is resolved. Additionally, a user may go on vacation, and request that a digital certificate associated with the user's private key be revoked until the user's return from vacation.
A fundamental requirement of a PKI is to maintain a path or chain of trust. It is therefore essential to have a mechanism by which digital certificates can be verified as to their validity. One solution amongst many standards in use today is the Certificate Revocation List (CRL). The CRL is a published data structure that is periodically updated. The CRL contains a list of revoked certificate serial numbers. The CRL is time-stamped and digitally signed by the CA that issues the certificates, or by other third party entities, such as a revocation service. CRLs are currently defined in the X.509 standard and its various versions.
While ideally CRLs are small lists, they may potentially be required to contain as many data items as the number of outstanding certificates in a system. CRLs may grow large under many circumstances, e.g. in environments in which certificates are revoked whenever personnel change jobs or job roles. Large CRLs are a practical concern in systems supporting very large numbers of users. The size of CRLs is a particular concern in systems which require that CRLs be retrieved under the following conditions: from public directories; over low-bandwidth channels; and/or on a frequent basis. The situation is increasingly problematic in systems requiring that several CRLs be checked in order to verify a single public key, such as in the case when chains of certificates must be verified, e.g. as per ITU Recommendation X.509.
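As an added illustration of the CRL structure described above (example code, not part of the original text), the following Go program uses the standard library's crypto/x509 so that a constructed throwaway CA publishes a signed, time-stamped CRL, and a relying party then performs the checks it must make before trusting the list: validate the CA's signature, confirm the CRL is inside its thisUpdate/nextUpdate window, and only then look up the serial number. The CA, the serial numbers and the validity periods are constructed sample values.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // fixture helper for the CA-side scaffolding below
	if err != nil {
		panic(err)
	}
	return v
}

// IssueCRL plays the CA: a throwaway self-signed issuer (constructed for this example) publishes a DER X.509 CRL.
func IssueCRL(serials []int64, now time.Time) (ca *x509.Certificate, crlDER []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key))))
	revoked := make([]pkix.RevokedCertificate, len(serials)) // pre-Go-1.21 entry type; still builds on newer Go
	for i, s := range serials {
		revoked[i] = pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now}
	}
	return ca, must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(7), // rises per issue
		ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: revoked}, ca, key)) // signed by CA key
}

// IsRevoked is the relying party's check: verify the CA's signature and the validity window before trusting the list.
func IsRevoked(crlDER []byte, ca *x509.Certificate, serial int64, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err // unsigned or tampered CRL: its contents must not be trusted
	} else if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, errors.New("CRL is stale or not yet valid; fetch a fresh copy")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(big.NewInt(serial)) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

A real relying party would also have to repeat this for every CRL in a certificate chain, which is the size and retrieval cost the paragraph above describes.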