Abstract
In the Public Key Infrastructure (PKI) model, digital certificates play a vital role in securing online communication. Communicating parties exchange and validate these certificates, and validation should fail if a certificate has been revoked. However, some existing studies [1,2] raise the alarm that the certificate revocation check is skipped in the existing PKI model for a number of reasons, including network latency overheads, bandwidth costs, storage costs and privacy issues. In this article, we propose a Certificate Revocation Guard (CRG) to efficiently check certificate revocation while minimising bandwidth, latency and storage overheads. CRG is based on OCSP and caches the revocation status of certificates locally, thus strengthening user privacy for subsequent requests. CRG is a plug-and-play component that could be installed on the user's machine, at the organisational proxy or even in the ISP network. Compared to a naive approach (where a client checks the revocation status of all certificates in the chain on every request), CRG decreases the bandwidth overheads and network latencies by 95%. Using CRG incurs 69% lower storage overheads compared to the CRL method. Our results demonstrate the effectiveness of our approach to improve the certificate revocation process. © 2019 Elsevier Ltd. All rights reserved.
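The following is an added illustration of the caching idea described in the abstract, not the paper's CRG implementation: a local revocation-status cache that reuses an OCSP-style answer until its validity window ends, set beside the naive approach of querying every certificate in the chain on every request. The responder is a stub, and the serial numbers, validity period and all class and function names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class OcspStatus:
    serial: str
    revoked: bool
    next_update: float  # time (seconds) after which the answer is stale

class StubResponder:
    """Stand-in for a remote OCSP responder; counts the queries it receives."""
    def __init__(self, revoked_serials, validity=3600):
        self.revoked = set(revoked_serials)
        self.validity = validity
        self.queries = 0

    def query(self, serial, now):
        self.queries += 1
        return OcspStatus(serial, serial in self.revoked, now + self.validity)

class RevocationCache:
    """Keeps each certificate's status until next_update, then re-queries."""
    def __init__(self, responder):
        self.responder = responder
        self.entries = {}

    def status(self, serial, now):
        entry = self.entries.get(serial)
        if entry is None or now >= entry.next_update:
            entry = self.responder.query(serial, now)
            self.entries[serial] = entry
        return entry

    def chain_is_valid(self, chain, now):
        # Every certificate is checked: a revoked intermediate invalidates the leaf.
        return not any([self.status(s, now).revoked for s in chain])

def naive_chain_is_valid(responder, chain, now):
    """Naive approach: query the responder for every certificate, every time."""
    return not any([responder.query(s, now).revoked for s in chain])

def simulate(requests=100, validity=3600, step=60):
    """Return (naive_queries, cached_queries) for repeated visits to one site."""
    chain = ["leaf-01", "intermediate-01", "root-01"]  # constructed serials
    naive, cached = StubResponder([], validity), StubResponder([], validity)
    cache = RevocationCache(cached)
    for i in range(requests):
        now = i * step
        naive_chain_is_valid(naive, chain, now)
        cache.chain_is_valid(chain, now)
    return naive.queries, cached.queries
```

The cache trades freshness for fewer lookups: in this sketch a certificate revoked after its status was cached is still reported as good until `next_update` passes.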