There are three separate aspects to a certificate's revocation, three types of revocation: internal revocation, externally propagated revocation and externally induced revocation.
- Internal revocation. Internal revocation affects the certificate's status as maintained by XenMobile (in its database). This status is taken into account when XenMobile evaluates a certificate presented to it, or when it has to provide OCSP status information for some certificate. The Credential Provider configuration determines how this status is affected under various conditions. For instance, the Credential Provider may specify that certificates obtained through it should be (flagged as) revoked when they have been deleted from the device.
- Externally propagated revocation. Also known as "Revocation from XenMobile", this type of revocation applies to certificates obtained from an external PKI, and means that the certificate will be revoked on the PKI when it is internally revoked by XenMobile (under the conditions defined by the Credential Provider configuration). The call to perform the revocation requires a revoke-capable GPKI Entity.
- Externally induced revocation. Also known as "Revocation from PKI", this type of revocation also only applies to certificates obtained from an external PKI, and means that whenever XenMobile evaluates a given certificate's status, it will query the PKI as to that status, and, if the PKI returns that the certificate is revoked, will internally revoke it. This mechanism uses the OCSP protocol.
These three types are not exclusive, but rather apply together: the internal revocation is caused either by an external revocation or by independent findings, and in turn it potentially effects an external revocation.
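The coupling between the three types, as an added model that is not XenMobile's own code: the configuration flags, record fields and function names are hypothetical stand-ins for the Credential Provider settings and the PKI, chosen to show that the reported status always comes from the internal record, that an OCSP answer of "revoked" feeds into it, and that an internal revocation is pushed out to the PKI only when the provider allows it and the entity is revoke-capable.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"

@dataclass
class ProviderConfig:
    """Hypothetical Credential Provider settings, one flag per mechanism above."""
    external_pki: bool                # certificate obtained from an external PKI
    revoke_on_device_delete: bool     # an internal-revocation condition
    revocation_from_xenmobile: bool   # externally propagated revocation
    revocation_from_pki: bool         # externally induced revocation (OCSP)
    revoke_capable_entity: bool       # the PKI entity can perform a revoke call

@dataclass
class CertRecord:
    serial: str
    config: ProviderConfig
    internal_status: Status = Status.GOOD   # status held in XenMobile's database
    pki_status: Status = Status.GOOD        # constructed stand-in for the PKI's own record
    pki_calls: List[str] = field(default_factory=list)  # log of calls made to the PKI

def internally_revoke(rec: CertRecord, reason: str) -> None:
    """Flag the certificate revoked internally and, where configured and the
    entity is revoke-capable, propagate that revocation to the external PKI."""
    if rec.internal_status is Status.REVOKED:
        return
    rec.internal_status = Status.REVOKED
    cfg = rec.config
    if (cfg.external_pki and cfg.revocation_from_xenmobile
            and cfg.revoke_capable_entity and rec.pki_status is not Status.REVOKED):
        rec.pki_calls.append(f"revoke {rec.serial} ({reason})")
        rec.pki_status = Status.REVOKED

def on_device_delete(rec: CertRecord) -> None:
    """One 'independent finding' that the provider config may map to revocation."""
    if rec.config.revoke_on_device_delete:
        internally_revoke(rec, "deleted from device")

def evaluate(rec: CertRecord) -> Status:
    """Status as XenMobile would report it (or serve over OCSP): with 'Revocation
    from PKI' enabled, query the PKI first, then answer from the internal status."""
    if rec.config.external_pki and rec.config.revocation_from_pki:
        rec.pki_calls.append(f"ocsp {rec.serial}")   # modelled OCSP query
        if rec.pki_status is Status.REVOKED:
            internally_revoke(rec, "revoked at PKI")
    return rec.internal_status
```

Note that a revocation learned from the PKI is not sent back to it, while a device-side deletion reaches the PKI only through a revoke-capable entity; without one the certificate stays revoked internally but valid at the PKI.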