Revocation checking is the process of determining whether a certificate that is still within its validity period has nevertheless been withdrawn from trust by its issuer before it expires. It matters because a compromised or misissued certificate should not remain accepted just because its calendar validity period has not ended yet.
What is Revocation Checking?
Systems may perform revocation checking through Certificate Revocation Lists (CRLs) published by the CA, the Online Certificate Status Protocol (OCSP), OCSP responses stapled into the TLS handshake by the server, or related mechanisms such as revocation sets that browser vendors aggregate and push to clients. The goal is the same in each case: to detect whether a certificate has been withdrawn from trust because of key compromise, misissuance, a change of ownership of the name it covers, or policy reasons.
What Revocation Checking Commonly Supports
Common uses include browser trust evaluation, enterprise PKI validation, certificate-incident response (getting a compromised or misissued certificate rejected before its notAfter date), and TLS deployments that hard-fail on unknown revocation status, for example when a certificate carries the OCSP Must-Staple extension.
Revocation Checking vs. Expiration-Only Validation
Expiration-only validation checks whether the current time falls between the certificate's notBefore and notAfter dates (and, in practice, that the chain verifies). Revocation checking additionally asks whether the issuing CA has withdrawn the certificate early, which a check of the dates and signatures alone can never detect: a revoked certificate still has a valid signature and valid dates.
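As an added example (not part of the original page), the following POSIX shell script builds a throwaway CA with the openssl command-line tool, issues a leaf certificate, revokes it, publishes a CRL, and then verifies the leaf both ways. The CA name, the service name service.example.test, the file names and the keyCompromise reason code are illustrative assumptions; the only dependency is openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: a throwaway PKI showing why expiration-only validation is not enough.
# Builds a demo CA and leaf certificate, revokes the leaf, issues a CRL, then verifies the
# leaf twice: once by chain and dates only, once with CRL checking enabled.
# Assumes only the openssl CLI (1.1.1 or newer); every name and path here is illustrative.
set -eu

# Minimal openssl config serving both `openssl req -x509` (CA cert) and `openssl ca` (revoke, CRL).
write_ca_config() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
certificate      = ca.crt
private_key      = ca.key
serial           = serial
crlnumber        = crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = any_policy
[ any_policy ]
commonName = supplied
EOF
}

# Create CA, leaf, revocation record and CRL inside directory $1 (paths in ca.cnf are relative).
build_demo_pki() {
    write_ca_config "$1"
    (
        cd "$1"
        # 1. Self-signed demo CA; cRLSign key usage is required for verifiers to accept its CRL.
        openssl req -x509 -new -config ca.cnf -newkey rsa:2048 -nodes \
            -keyout ca.key -out ca.crt -subj "/CN=Demo Revocation CA" -days 30
        # 2. Leaf certificate for a made-up service name, valid for 30 days.
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -keyout leaf.key -out leaf.csr -subj "/CN=service.example.test"
        openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out leaf.crt -days 30 -sha256
        # 3. Revoke the leaf (simulating a key-compromise report) and publish a CRL.
        : > index.txt
        echo 1000 > crlnumber
        echo 01 > serial
        openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise
        openssl ca -config ca.cnf -gencrl -out ca.crl
    ) >/dev/null 2>&1
}

# Expiration-only validation: chain and dates are fine, so this succeeds (exit 0).
verify_expiry_only() {
    openssl verify -CAfile "$1/ca.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Revocation checking: same chain plus the CA's CRL; fails with "certificate revoked" (non-zero exit).
verify_with_crl() {
    openssl verify -CAfile "$1/ca.crt" -crl_check -CRLfile "$1/ca.crl" "$1/leaf.crt" >/dev/null 2>&1
}

# Revoked-but-unexpired is exactly the case that dates cannot catch.
main() {
    work=$(mktemp -d)
    build_demo_pki "$work"
    if verify_expiry_only "$work"; then
        echo "expiration-only validation: ACCEPTED (dates and chain are fine)"
    fi
    if verify_with_crl "$work"; then
        echo "revocation checking:        ACCEPTED"
    else
        echo "revocation checking:        REJECTED (serial is on the CRL)"
    fi
    rm -rf "$work"
}
main
```

Run it with sh and compare the two lines it prints: the first check passes because nothing about the certificate's signature or dates has changed, the second fails with OpenSSL's error 23 (certificate revoked) because the CRL says so. The same split applies to OCSP: `openssl ocsp` can build the request and validate the response, but a validator that never asks the question will keep accepting the revoked certificate until its notAfter date.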
Frequently Asked Questions
Why is revocation checking important?
Because trust incidents (private-key compromise, misissuance, a domain changing hands) can happen long before a certificate would naturally expire, and nothing in the certificate's own dates or signature reveals them.
Is revocation checking always perfect in practice?
No. Fetching a CRL or querying an OCSP responder adds latency to connection setup; an OCSP query tells the CA which sites a client is visiting; CRLs for large CAs can grow to many megabytes; and when the revocation source is unreachable most clients soft-fail and accept the certificate anyway, so an attacker on the network path can neutralize the check simply by blocking it. These tradeoffs are why browsers moved toward OCSP stapling, Must-Staple, and vendor-aggregated revocation sets.
Related Cybersecurity Terms
- Certificate Revocation List (CRL)
- Online Certificate Status Protocol (OCSP)
- OCSP Stapling
- Certificate Misissuance