
Certificate Revocation List Distribution System for the KAD Network


Abstract

Many peer-to-peer (p2p) overlays require certain security services which could be provided through a Public Key Infrastructure. However, these infrastructures are bound up with a revocation system, such as Certificate Revocation Lists (CRLs). A system with a client/server structure, where a Certificate Authority plays a role of a central server, is prone to suffer from common problems of a single point of failure. If only one Authority has to distribute the whole CRL to all users, perhaps several millions in a structured p2p overlay, a bottleneck problem appears. Moreover, in these networks, users often have a set of pseudonyms that are bound to a certificate, which gives rise to two additional issues: issuing the CRL and assuring its freshness. On the one hand, the list size grows exponentially with the number of network users. On the other hand, these lists must be updated more frequently; otherwise the revocation data will not be fresh enough. To solve these problems, we propose a new distributed revocation system for the Kademlia network. Our system distributes CRLs using the overlay itself and, to not compromise the storage of nodes, lists are divided into segments. This mechanism improves the accessibility, increases the availability and guarantees the freshness of the revocation data.

Bibliographic record

  • Source
    The Computer Journal | 2014, Issue 2 | pp. 273-280 | 8 pages
  • Author affiliations

    Department of Telematics Engineering (ENTEL), Universitat Politecnica de Catalunya (UPC), Barcelona, Spain;

    Department of Telematics Engineering (ENTEL), Universitat Politecnica de Catalunya (UPC), Barcelona, Spain;

    Department of Telematics Engineering (ENTEL), Universitat Politecnica de Catalunya (UPC), Barcelona, Spain;

    Department of Telematics Engineering (ENTEL), Universitat Politecnica de Catalunya (UPC), Barcelona, Spain;

    Department of Telematics Engineering (ENTEL), Universitat Politecnica de Catalunya (UPC), Barcelona, Spain;

    Department of Telematics Engineering (ENTEL), Universitat Politecnica de Catalunya (UPC), Barcelona, Spain;

  • Indexed in: Science Citation Index (SCI), USA; Engineering Index (EI), USA;
  • Original format: PDF
  • Language of text: eng
  • Chinese Library Classification
  • Keywords

    Certificate Revocation List (CRL); structured peer-to-peer (P2P) overlay; KAD network;

