A revocation check is a critical security step that queries a Certificate Authority's (CA) database—typically via the Online Certificate Status Protocol (OCSP) or a Certificate Revocation List (CRL)—to confirm a digital certificate's current validity. A certificate used to sign a content credential may be revoked if its private key is compromised, the issuing organization's identity changes, or the CA's operational policies are violated, making this check essential for maintaining a verifiable trust anchor.
Glossary
Revocation Check

What is Revocation Check?
A revocation check is the real-time process of querying a Certificate Authority's database to verify that a digital certificate used to sign a content credential has not been invalidated before its stated expiration date.
In the C2PA provenance framework, a validator engine must perform a revocation check on the entire X.509 certificate chain, from the signer's leaf certificate up to the root CA. If any certificate in the chain is revoked, the cryptographic claim signature is rendered invalid, and the provenance verification fails, signaling that the content's authenticity can no longer be trusted.
Key Characteristics of Revocation Checks
A revocation check is the real-time validation process that confirms a digital certificate used to sign a content credential has not been invalidated by its issuing Certificate Authority (CA) before its stated expiration date. This mechanism is critical for maintaining the integrity of a provenance chain, ensuring that compromised or decommissioned signing keys cannot be used to create fraudulent attestations.
The OCSP Protocol
The Online Certificate Status Protocol (OCSP) is the primary mechanism for performing lightweight, real-time revocation checks. Instead of downloading a full Certificate Revocation List (CRL), a client sends a query containing the certificate's serial number to an OCSP Responder. The responder replies with a signed assertion indicating the certificate's status: good, revoked, or unknown. This minimizes bandwidth and latency, making it suitable for high-volume content credential validation workflows.
OCSP Stapling
OCSP stapling is a performance optimization where the presenter of a certificate (e.g., a web server or signing service) proactively fetches a time-stamped OCSP response and attaches it to the certificate during the TLS handshake or signing process. This eliminates the need for the verifier to make a separate outbound query to the CA, improving privacy and reducing latency. The stapled response must be within its validity window, typically a few hours.
Certificate Revocation Lists (CRLs)
A Certificate Revocation List (CRL) is a comprehensive, periodically published list of all revoked certificates issued by a specific CA. Verifiers download the entire list and check if a certificate's serial number is present. While thorough, CRLs can grow to tens of megabytes, making them inefficient for real-time checks. They are often used as a fallback mechanism when an OCSP responder is unreachable.
Revocation Reason Codes
When a certificate is revoked, the CA assigns a specific reason code that provides critical context for the verifier's trust decision. Common codes include:
- keyCompromise: The private key is suspected or known to be breached.
- affiliationChanged: The subject's organizational role has ended.
- superseded: A new certificate has been issued to replace this one.
- cessationOfOperation: The certificate is no longer needed. A keyCompromise reason is the most severe and should trigger immediate rejection.
Soft-Fail vs. Hard-Fail Validation
Validation policies define the behavior when a revocation check cannot be completed (e.g., network timeout). A hard-fail policy rejects the certificate immediately, prioritizing absolute security for high-value content credentials. A soft-fail policy accepts the certificate temporarily, prioritizing availability and user experience. For C2PA provenance verification, a hard-fail posture is recommended to prevent the acceptance of content signed with a potentially compromised key.
Frequently Asked Questions
Essential questions about the process of verifying that a digital certificate used to sign content credentials remains valid and has not been revoked by its issuing Certificate Authority.
A revocation check is the real-time validation process that queries a Certificate Authority's (CA) database to determine if an X.509 certificate used to sign a content credential has been revoked before its expiration date. The check works by sending a request containing the certificate's serial number to a responder—typically via the Online Certificate Status Protocol (OCSP)—which returns a signed response indicating 'good,' 'revoked,' or 'unknown.' This process is critical because a certificate's validity is not solely determined by its expiration timestamp; a private key could be compromised, an organization could dissolve, or an identity could be falsified, all necessitating revocation. In the context of C2PA content credentials, the validator engine performs this check during provenance verification to ensure the signing identity was trustworthy at the time of validation, not just at the time of signing.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding revocation checking requires familiarity with the broader certificate infrastructure, validation protocols, and trust models that underpin content credential verification.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us