Mueller, TobiasStübs, MariusFederrath, HannesRoßnagel, HeikoWagner, SvenHühnlein, Detlef2019-03-252019-03-252019978-3-88579-687-9https://dl.gi.de/handle/20.500.12116/20983Distributing cryptographic keys and asserting their validity is a challenge for any system relying on such keys, for example the World Wide Web with HTTPS or OpenPGP encrypted email. When keys get stolen or compromised, it is desirable to shorten the time during which an attacker can decrypt or sign messages. This is usually achieved by revoking the affected certificates. We investigate the security requirements for distributing key revocations in the context of asynchronous decentralised messaging and analyse the status quo with respect to these requirements. We show that equivocation, integrity protection, and non-repudiation pose a challenge in today’s revocation distribution infrastructure. We find that a publicly verifiable append-only data structure serves our purpose and notice that operating such an infrastructure is expensive. We propose a revocation distribution scheme that fulfils our requirements. Our scheme uses the already existing Certificate Transparency (CT) logs of the WebPKI as a publicly verifiable append-only data structure for storing revocations through specially crafted TLS certificates. The security of our system largely stems from the properties of these CT logs. Additionally, we analyse the computational and bandwidth requirements of our scheme and show limitations of the protocol we propose.enkey revocationasynchronous decentralised messagingemailPKItrustOpenPGPLet’s Revoke! Mitigating Revocation Equivocation by re-purposing the Certificate Transparency Log1617-5468