A trend in the upcoming generation of communication networks is that a network node can provide high-speed network access only within a relatively small area. The number of such network nodes in a communication network is therefore expected to be high. For example, a communication network will comprise numerous nano- and pico-base stations and their associated supporting Internet Protocol (IP) connectivity nodes. A supporting IP connectivity node aggregates the traffic from several base stations and connects them to an IP transport network.
Because these network nodes exist in large numbers, the configuration and management of each of them should be as automated as possible. Configuration and management of a network node should be simple, and only the physical installation and removal of the node should require on-site support. Moreover, the network nodes should maintain their own security. As subscribers' needs change continuously, the communication network is also continuously evolving: network nodes are added, other network nodes are decommissioned, and network nodes may also fail over time. As a result, a typical communication network is expected to fluctuate considerably.
The network nodes are deployed in an insecure environment that exposes them to several threats, such as physical access by an attacker or active man-in-the-middle attacks. Accordingly, the already large population of network nodes is not only fluctuating dynamically; security attacks further increase this dynamism.
To prevent an attacker from gaining access to part of the communication network, nodes need to be authenticated. In the scenario described above, the use of certificates is a beneficial method of identification. Digital certificates are issued by trusted Certificate Authorities (CAs), which are usually located in the Network Management Systems (NMS). If a network node is suspected of being compromised, its certificate can be invalidated, that is, revoked. The certificate of the compromised network node is placed on a Certificate Revocation List (CRL) maintained by the CA that issued the certificate. The network nodes download and verify the CRL to identify which certificates have been invalidated. The network nodes also usually store a list of trusted CAs in order to determine whether or not a given CA is trusted.
The lifetime of a CA in a communication network is usually set to several years. The CRL of each CA will therefore grow over time and may become very large. Retrieving, storing and processing the CRL thus becomes resource-consuming, especially for network nodes with little processing capacity, such as pico- and nano-base stations and their associated supporting IP connectivity nodes. Further, the signaling load in the communication network may be high while the CRL is being retrieved.