One such solution is a public key cryptosystem. In public key cryptosystems, entities may use certificates provided by a certificate authority to ensure that messages are authentic. A certificate authority may provide an entity with a certificate identifying the entity that the entity may attach to messages to provide authentication to another entity receiving the message. Such certificates provide signature generation and verification.
In some situations, a certificate authority may need to revoke a certificate before it expires, such as when an entity's private key is compromised, when an entity device is malfunctioning, or when an entity's access is revoked. To do this, a certificate authority manages a certificate revocation list (CRL) that contains the list of the revoked certificates that it may then provide to the entities to verify the validity of received certificates.
In some networks, such as vehicular networks for example, a certificate authority may issue tens of thousands of certificates to an entity so that the entity can change the certificate in use on a frequent basis, such as to protect the privacy or identity of the entity.
In such networks, a certificate revocation list may have to list the tens of thousands of certificates issued to an entity if the certificates need to be revoked, causing the certificate revocation list to become unmanageably large and requiring significant processing burden to verify certificates.