Inferensys

Glossary

Revocation Check

A revocation check is the process of querying a certificate authority's database, often via OCSP, to ensure the digital certificate used to sign a content credential has not been revoked before its expiration date.
Engineer reviewing vector database search results on laptop, embeddings visualization on screen, home office coding session.
CERTIFICATE LIFECYCLE VALIDATION

What is Revocation Check?

A revocation check is the real-time process of querying a Certificate Authority's database to verify that a digital certificate used to sign a content credential has not been invalidated before its stated expiration date.

A revocation check is a critical security step that queries a Certificate Authority's (CA) database—typically via the Online Certificate Status Protocol (OCSP) or a Certificate Revocation List (CRL)—to confirm a digital certificate's current validity. A certificate used to sign a content credential may be revoked if its private key is compromised, the issuing organization's identity changes, or the CA's operational policies are violated, making this check essential for maintaining a verifiable trust anchor.

In the C2PA provenance framework, a validator engine must perform a revocation check on the entire X.509 certificate chain, from the signer's leaf certificate up to the root CA. If any certificate in the chain is revoked, the cryptographic claim signature is rendered invalid, and the provenance verification fails, signaling that the content's authenticity can no longer be trusted.

CERTIFICATE LIFECYCLE MANAGEMENT

Key Characteristics of Revocation Checks

A revocation check is the real-time validation process that confirms a digital certificate used to sign a content credential has not been invalidated by its issuing Certificate Authority (CA) before its stated expiration date. This mechanism is critical for maintaining the integrity of a provenance chain, ensuring that compromised or decommissioned signing keys cannot be used to create fraudulent attestations.

01

The OCSP Protocol

The Online Certificate Status Protocol (OCSP) is the primary mechanism for performing lightweight, real-time revocation checks. Instead of downloading a full Certificate Revocation List (CRL), a client sends a query containing the certificate's serial number to an OCSP Responder. The responder replies with a signed assertion indicating the certificate's status: good, revoked, or unknown. This minimizes bandwidth and latency, making it suitable for high-volume content credential validation workflows.

< 100ms
Typical OCSP Response Time
02

OCSP Stapling

OCSP stapling is a performance optimization where the presenter of a certificate (e.g., a web server or signing service) proactively fetches a time-stamped OCSP response and attaches it to the certificate during the TLS handshake or signing process. This eliminates the need for the verifier to make a separate outbound query to the CA, improving privacy and reducing latency. The stapled response must be within its validity window, typically a few hours.

Zero
Verifier Outbound Queries
03

Certificate Revocation Lists (CRLs)

A Certificate Revocation List (CRL) is a comprehensive, periodically published list of all revoked certificates issued by a specific CA. Verifiers download the entire list and check if a certificate's serial number is present. While thorough, CRLs can grow to tens of megabytes, making them inefficient for real-time checks. They are often used as a fallback mechanism when an OCSP responder is unreachable.

24 Hours
Typical CRL Update Interval
04

Revocation Reason Codes

When a certificate is revoked, the CA assigns a specific reason code that provides critical context for the verifier's trust decision. Common codes include:

  • keyCompromise: The private key is suspected or known to be breached.
  • affiliationChanged: The subject's organizational role has ended.
  • superseded: A new certificate has been issued to replace this one.
  • cessationOfOperation: The certificate is no longer needed. A keyCompromise reason is the most severe and should trigger immediate rejection.
05

Soft-Fail vs. Hard-Fail Validation

Validation policies define the behavior when a revocation check cannot be completed (e.g., network timeout). A hard-fail policy rejects the certificate immediately, prioritizing absolute security for high-value content credentials. A soft-fail policy accepts the certificate temporarily, prioritizing availability and user experience. For C2PA provenance verification, a hard-fail posture is recommended to prevent the acceptance of content signed with a potentially compromised key.

REVOCATION CHECK

Frequently Asked Questions

Essential questions about the process of verifying that a digital certificate used to sign content credentials remains valid and has not been revoked by its issuing Certificate Authority.

A revocation check is the real-time validation process that queries a Certificate Authority's (CA) database to determine if an X.509 certificate used to sign a content credential has been revoked before its expiration date. The check works by sending a request containing the certificate's serial number to a responder—typically via the Online Certificate Status Protocol (OCSP)—which returns a signed response indicating 'good,' 'revoked,' or 'unknown.' This process is critical because a certificate's validity is not solely determined by its expiration timestamp; a private key could be compromised, an organization could dissolve, or an identity could be falsified, all necessitating revocation. In the context of C2PA content credentials, the validator engine performs this check during provenance verification to ensure the signing identity was trustworthy at the time of validation, not just at the time of signing.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.