OCSP y revocación de certificados para la autenticación WiFi

Esta guía completa explora los mecanismos críticos de revocación de certificados en entornos WiFi empresariales, centrándose en la transición de CRL a OCSP. Proporciona estrategias de implementación accionables para equipos de TI que gestionan redes de gran escala y alta densidad donde la seguridad en tiempo real y la baja latencia son primordiales.

📖 6 min de lectura📝 1,362 palabras🔧 2 ejemplos❓ 3 preguntas📚 8 términos clave

🎧 Escucha esta guía

Ver transcripción

Welcome to the Purple Technical Briefing. I'm your host, and today we are diving deep into a critical security mechanism for enterprise WiFi networks: OCSP and Certificate Revocation.

If you are an IT manager, a network architect, or a CTO managing large-scale deployments in hospitality, retail, or public-sector environments, you know that certificate-based authentication—specifically EAP-TLS over 802.1X—is the gold standard for securing network access. But what happens when a device is compromised, lost, or an employee leaves? How do you ensure that a revoked certificate is instantly rejected by your network?

That is exactly what we are covering today. We will break down the differences between CRL and OCSP, explain how a RADIUS server checks revocation status, explore the concept of OCSP stapling in a WiFi context, and provide actionable implementation strategies.

Let's start with the basics: CRL versus OCSP.

When a device connects to your WiFi using a certificate, the RADIUS server needs to verify that the certificate is not only mathematically valid and unexpired, but also that it hasn't been explicitly revoked by the Certificate Authority, or CA.

Historically, this was done using a Certificate Revocation List, or CRL. A CRL is exactly what it sounds like: a big file containing the serial numbers of every revoked certificate. The RADIUS server downloads this list periodically—maybe once a day, or every few hours.

The problem with CRLs in modern, high-density environments is twofold: latency and bandwidth. If you have a large PKI deployment, that list gets huge. Downloading it takes bandwidth, and parsing it takes CPU cycles on your RADIUS server. Worse, there's a vulnerability window. If a device is compromised at 9 AM, but your RADIUS server doesn't pull the new CRL until noon, that compromised device has three hours of unfettered access to your network.

Enter OCSP: the Online Certificate Status Protocol.

OCSP is a real-time, targeted query. Instead of downloading a massive list of every revoked certificate, the RADIUS server simply asks the CA's OCSP responder: "Hey, is this specific certificate serial number valid right now?" The responder replies with a signed message: "Good," "Revoked," or "Unknown."

This drastically reduces bandwidth and processing overhead on the RADIUS server. More importantly, it closes the vulnerability window. Revocations are enforced immediately.

So, how does this work in a WiFi authentication flow?

When a client device—let's say a corporate laptop—tries to connect to the WiFi, it communicates with the Wireless Access Point. The AP acts as an authenticator, passing the EAP-TLS messages to the RADIUS server.

The laptop presents its client certificate. The RADIUS server validates the cryptographic signature against its trusted root CA. Then, the RADIUS server pauses the authentication process. It reaches out over the network to the OCSP responder URI embedded in the client's certificate. It waits for the response. If the response is "Good," the RADIUS server sends an Access-Accept message back to the AP, and the laptop gets online. If the response is "Revoked," it sends an Access-Reject.

Now, you might be thinking, "Doesn't that add latency to the connection process?" Yes, it does. Every single authentication requires an external DNS lookup and an HTTP request to the OCSP responder. In a busy stadium or a large hotel during peak check-in, that can cause authentication timeouts.

This brings us to a crucial concept: OCSP Stapling.

In the web server world, OCSP stapling is common. The web server periodically queries the OCSP responder for its own certificate status, gets a time-stamped, signed response, and "staples" that response to the certificate it sends to the client during the TLS handshake. The client doesn't have to query the CA; it just verifies the CA's signature on the stapled response.

Can we do this for WiFi? Yes, but it's complex.

In EAP-TLS, the RADIUS server also presents a server certificate to the client, so the client knows it's talking to the legitimate network and not an evil twin AP. The RADIUS server can use OCSP stapling here. It queries the CA for its own status and staples the response into the EAP-TLS Server Hello. This saves the client device from having to do an OCSP lookup on the RADIUS server's certificate.

However, stapling the *client's* certificate status is different. The client can't staple its own status because the network doesn't trust the client yet. So, for client certificate validation, the RADIUS server still has to perform the traditional OCSP query.

To mitigate the latency of these queries, enterprise RADIUS servers use caching. They will cache a "Good" OCSP response for a configurable amount of time—say, 15 minutes or an hour. This means subsequent roam events or reconnects don't trigger a new external query, balancing security with performance.

Let's look at a real-world implementation scenario.

Imagine a large retail chain with thousands of point-of-sale devices and corporate laptops connecting via EAP-TLS. They are rolling out Purple's WiFi platform. They need strict security, but they can't afford POS devices timing out during authentication.

Here is the recommended approach:

First, ensure your CA infrastructure is robust. Your OCSP responders must be highly available, ideally behind a load balancer, and geographically distributed. If your RADIUS server can't reach the OCSP responder, it has to decide whether to "fail open" (allow the connection) or "fail closed" (deny the connection). In high-security environments, you fail closed. But if your OCSP responder goes down, nobody gets on the WiFi.

Second, configure OCSP caching on your RADIUS servers. A 30-minute cache is a good middle ground. It significantly reduces load on your CA and speeds up authentications, while keeping the revocation window reasonably tight.

Third, implement a fallback mechanism. Configure your RADIUS server to try OCSP first. If the OCSP responder is unreachable, fall back to a locally cached CRL. This provides resilience against CA outages.

Finally, consider the impact of certificate expiration. Expiration is not revocation. A certificate simply reaches its "Not After" date. Your RADIUS server will reject it automatically, without needing to check OCSP or a CRL. The operational challenge here is lifecycle management—ensuring certificates are renewed and deployed to devices *before* they expire.

Let's move to a quick rapid-fire Q&A based on common client questions.

Question 1: "We use a cloud-based MDM to push certificates. Do we still need OCSP?"
Answer: Absolutely. Your MDM issues the certificate, but the RADIUS server enforces network access. If you wipe a device in your MDM, the MDM tells the CA to revoke the certificate. But until the RADIUS server checks that revocation status via OCSP, the device can still connect to the WiFi.

Question 2: "What happens if a device is offline when we revoke its certificate?"
Answer: It doesn't matter if the device is offline. Revocation happens at the CA level. The next time that device tries to connect to the WiFi, the RADIUS server will check OCSP, see the "Revoked" status, and deny access.

Question 3: "Is OCSP traffic encrypted?"
Answer: Historically, OCSP requests were sent over plain HTTP. This was considered acceptable because the response itself is cryptographically signed by the CA, preventing tampering. However, modern implementations increasingly use HTTPS to protect privacy, preventing observers from seeing which certificates are being checked.

To summarize and outline next steps:

Certificate revocation is a non-negotiable component of a secure 802.1X deployment. While CRLs are acceptable for small networks, OCSP is essential for enterprise scale, providing real-time security and lower bandwidth overhead.

For your next steps:
1. Audit your current RADIUS configuration. Are you checking revocation status at all?
2. If you are using CRLs, evaluate the size of your list and your download frequency.
3. Plan a migration to OCSP. Ensure your CA infrastructure can handle the query load, and configure sensible caching on your RADIUS servers to optimize performance.

By implementing robust OCSP checking, you ensure that your Purple WiFi deployment remains secure, compliant, and performant, giving you absolute control over who—and what—can access your network.

Thank you for listening to this Purple Technical Briefing.

Resumen ejecutivo

Para recintos empresariales que operan redes WiFi de alta densidad —desde extensas cadenas de retail hasta modernos centros de convenciones— la autenticación basada en certificados (EAP-TLS) es el estándar definitivo para asegurar el acceso a la red. Sin embargo, emitir un certificado es solo la mitad del ciclo de vida. El desafío operativo crítico reside en la revocación: garantizar que cuando un dispositivo se vea comprometido, se pierda o se retire del servicio, su acceso a la red se termine de inmediato. Esta guía explora la arquitectura técnica de la revocación de certificados, contrastando las Listas de Revocación de Certificados (CRL) heredadas con el Protocolo de Estado de Certificados en Línea (OCSP). Detallamos cómo los servidores RADIUS se integran con la Infraestructura de Clave Pública (PKI) para aplicar la revocación en tiempo real, las complejidades del grapado OCSP en un contexto 802.1X y los modelos de despliegue estratégico necesarios para equilibrar una seguridad estricta con una experiencia de usuario fluida. Al implementar una verificación OCSP robusta, los operadores de recintos pueden mitigar riesgos, asegurar el cumplimiento y mantener el alto rendimiento requerido para el Guest WiFi y el acceso empresarial.

Escuche nuestro informe ejecutivo de 10 minutos sobre este tema:

Inmersión técnica profunda

La mecánica de la revocación en 802.1X

En un flujo de autenticación 802.1X, el punto de acceso inalámbrico (AP) actúa como un autenticador, pasando mensajes del Protocolo de Autenticación Extensible (EAP) entre el dispositivo cliente (suplicante) y el servidor RADIUS. Cuando un cliente presenta un certificado durante el saludo EAP-TLS, el servidor RADIUS debe validar su integridad criptográfica, verificar su cadena de confianza y confirmar su estado de revocación actual.

Históricamente, esto se lograba a través de una Lista de Revocación de Certificados (CRL). Una CRL es un archivo firmado digitalmente que contiene los números de serie de todos los certificados revocados emitidos por una Autoridad de Certificación (CA) específica. El servidor RADIUS descarga este archivo periódicamente y lo almacena localmente en caché. Aunque es sencillo de implementar, las CRL presentan desafíos de escalabilidad significativos. En grandes entornos empresariales, como los que se encuentran en el sector de Retail , las CRL pueden crecer hasta alcanzar megabytes de tamaño. Descargar y analizar estas listas consume ancho de banda y ciclos de procesamiento. Lo que es más crítico, las CRL introducen una ventana de vulnerabilidad: el tiempo entre que un certificado es revocado en la CA y el servidor RADIUS descarga la lista actualizada.

La transición a OCSP

Para abordar las limitaciones de las CRL, se desarrolló el Protocolo de Estado de Certificados en Línea (OCSP). OCSP reemplaza el modelo de descarga masiva con un mecanismo de consulta en tiempo real y específico. Cuando un cliente presenta un certificado, el servidor RADIUS extrae el URI del respondedor OCSP de la extensión de Acceso a la Información de la Autoridad (AIA) del certificado. Luego envía una solicitud HTTP ligera al respondedor, consultando el estado de ese número de serie de certificado específico. El respondedor devuelve una respuesta firmada indicando si el certificado es 'Bueno', 'Revocado' o 'Desconocido'.

Este enfoque elimina la ventana de vulnerabilidad asociada con las CRL, aplicando las revocaciones de inmediato. También reduce significativamente el consumo de ancho de banda, ya que el servidor RADIUS solo solicita datos para los certificados que intentan autenticarse activamente.

Grapado OCSP en entornos WiFi

El grapado OCSP es una técnica de optimización del rendimiento ampliamente utilizada en servidores web. En lugar de que el cliente consulte al respondedor OCSP, el servidor consulta periódicamente al respondedor sobre su propio estado de certificado. Luego 'grapa' la respuesta firmada al certificado que presenta al cliente durante el saludo TLS. Esto traslada la carga de la consulta del cliente al servidor y reduce el número de conexiones de red externas requeridas.

En el contexto de la autenticación WiFi, el grapado OCSP es muy relevante pero tiene matices. Durante EAP-TLS, el servidor RADIUS presenta su propio certificado de servidor al cliente para demostrar su identidad. El servidor RADIUS puede utilizar el grapado OCSP aquí, adjuntando la respuesta OCSP al Server Hello de EAP-TLS. Esto permite que el dispositivo cliente verifique el estado de revocación del servidor RADIUS sin requerir su propia conexión a internet, una característica crítica para dispositivos a los que aún no se les ha concedido acceso a la red.

Sin embargo, grapar el estado del certificado del cliente no es factible. El cliente no puede grapar su propio estado porque la red aún no confía en él. Por lo tanto, para la validación del certificado del cliente, el servidor RADIUS debe realizar una consulta OCSP tradicional a la CA.

Guía de implementación

Desplegar OCSP en un entorno empresarial de alta densidad requiere una planificación arquitectónica cuidadosa para garantizar tanto la seguridad como la disponibilidad. Los siguientes pasos describen una estrategia de despliegue robusta.

1. Infraestructura de CA de alta disponibilidad

El cambio a OCSP introduce una dependencia crítica de la infraestructura del respondedor de la CA. Si el servidor RADIUS no puede comunicarse con el respondedor OCSP, no puede verificar de manera definitiva el estado del certificado. Por lo tanto, el respondedor OCSP debe ser altamente disponible, estar distribuido geográficamente y ubicarse detrás de balanceadores de carga para manejar picos de autenticación, como los que se experimentan durante una gran conferencia o evento deportivo.

2. Configuración y almacenamiento en caché del servidor RADIUS

Para mitigar la latencia introducida por las consultas OCSP en tiempo real, los servidores RADIUS empresariales deben configurarse con mecanismos de almacenamiento en caché inteligentes. Cuando un servidor RADIUS recibe una respuesta 'Buena' del respondedor OCSP, debe almacenar esa respuesta en caché durante una duración configurable, generalmente entre 15 y 60 minutos. Las solicitudes de autenticación posteriores del mismo cliente dentro de esa ventana se validarán contra la caché, omitiendo la consulta externa. Esto equilibra la necesidad de seguridad en tiempo real con los requisitos de rendimiento de una red ocupada.

3. Mecanismos de failover y resiliencia

Los arquitectos de red deben definir el comportamiento del servidor RADIUS en caso de que el respondedor OCSP no esté disponible. Esto se conoce como 'falla abierta' frente a 'falla cerrada'. En una configuración de 'falla cerrada', el servidor RADIUS denegará el acceso si no puede verificar el estado del certificado. Esta es la postura más segura, pero conlleva el riesgo de interrupciones generalizadas si la infraestructura de la CA falla. En una configuración de 'falla abierta', el servidor RADIUS permitirá el acceso si el respondedor no está disponible, priorizando la disponibilidad sobre la seguridad estricta.

Un enfoque híbrido recomendado consiste en configurar el servidor RADIUS para que intente primero una consulta OCSP. Si el respondedor no está disponible, el servidor recurre a una CRL almacenada localmente en caché. Esto proporciona resiliencia contra interrupciones de la CA mientras se mantiene un nivel básico de verificación de revocación.

Mejores prácticas

Minimizar la vida útil de los certificados: Si bien la revocación maneja la invalidación prematura, el control de seguridad más efectivo es una vida útil corta del certificado. Implemente el aprovisionamiento automatizado de certificados a través de MDM para emitir certificados válidos por días o semanas, en lugar de años. Esto reduce por completo la dependencia de los mecanismos de revocación. Para leer más sobre la seguridad de los dispositivos modernos, consulte nuestra guía sobre Autenticación 802.1X: Asegurando el acceso a la red en dispositivos modernos .
Monitorear la latencia de OCSP: Monitoree continuamente la latencia de las consultas OCSP desde sus servidores RADIUS a la infraestructura de la CA. Una latencia alta afectará directamente la experiencia del usuario, provocando tiempos de espera de autenticación y caídas de conexión.
Implementar controles de acceso estrictos a la CA: La seguridad de su red WiFi está intrínsecamente ligada a la seguridad de su CA. Asegúrese de que existan controles de acceso estrictos, autenticación multifactor y auditorías exhaustivas para todas las interfaces de gestión de la CA.

Solución de problemas y mitigación de riesgos

Al desplegar OCSP, los equipos de TI suelen encontrarse con varios modos de falla comunes:

Tiempos de espera de autenticación: Si el respondedor OCSP tarda en responder, el saludo EAP-TLS puede agotar el tiempo de espera. Esto suele ser causado por la congestión de la red o una infraestructura de CA con recursos insuficientes. La mitigación implica optimizar el almacenamiento en caché de OCSP en el servidor RADIUS y escalar la infraestructura del respondedor.
Desviación del reloj: Las respuestas OCSP están selladas en tiempo y firmadas. Si el reloj del servidor RADIUS no está sincronizado con la CA, el servidor puede rechazar una respuesta OCSP válida por considerarla expirada. Asegúrese de que todos los componentes de la infraestructura estén sincronizados a través de servidores NTP confiables.
Bloqueo de firewall: Las consultas OCSP suelen utilizar HTTP (puerto 80) o HTTPS (puerto 443). Asegúrese de que los firewalls entre el servidor RADIUS y la infraestructura de la CA estén configurados para permitir este tráfico. Las implementaciones modernas utilizan cada vez más HTTPS para proteger la privacidad y evitar que observadores de red analicen las consultas de certificados.

ROI e impacto empresarial

La implementación de mecanismos robustos de revocación de certificados ofrece un valor empresarial medible más allá del simple cumplimiento de seguridad.

Mitigación de riesgos: Al eliminar la ventana de vulnerabilidad asociada con las CRL, OCSP reduce significativamente el riesgo de que un dispositivo comprometido acceda a recursos corporativos sensibles. Esto protege la propiedad intelectual y mitiga el daño financiero y de reputación de una brecha de datos.
Eficiencia operativa: La automatización de las verificaciones de revocación a través de OCSP reduce la carga administrativa asociada con la gestión de archivos CRL masivos. Los equipos de TI pueden centrarse en iniciativas estratégicas en lugar de solucionar fallas en la descarga de CRL.
Habilitación del cumplimiento: Para los recintos que operan en industrias reguladas, como Sector Salud o finanzas, los controles de acceso estrictos y la revocación en tiempo real suelen ser requisitos de cumplimiento obligatorios (por ejemplo, HIPAA, PCI DSS). Un despliegue robusto de OCSP garantiza el cumplimiento continuo y simplifica los procesos de auditoría.

Términos clave y definiciones

OCSP (Online Certificate Status Protocol)

An internet protocol used for obtaining the revocation status of an X.509 digital certificate in real-time.

Used by RADIUS servers to instantly verify if a device's certificate has been revoked, closing the vulnerability window associated with legacy CRLs.

CRL (Certificate Revocation List)

A periodically updated, digitally signed list of certificate serial numbers that have been revoked by the issuing Certificate Authority.

The legacy method for revocation checking. It suffers from scalability issues and introduces a vulnerability window between updates.

OCSP Stapling

A mechanism where the certificate presenter (e.g., a RADIUS server) obtains a time-stamped OCSP response from the CA and appends it to the certificate during the TLS handshake.

Used to improve performance and privacy by offloading the OCSP query burden from the client device.

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)

A highly secure 802.1X authentication method that requires mutual certificate-based authentication between the client and the RADIUS server.

The standard protocol used in enterprise WiFi environments that necessitates robust certificate revocation checking.

Vulnerability Window

The period of time between a certificate being revoked at the CA and the enforcing system (e.g., RADIUS server) becoming aware of the revocation.

A primary driver for adopting OCSP over CRLs, as OCSP effectively reduces this window to near zero.

Fail Open vs. Fail Closed

A configuration decision determining the system's behaviour when a dependency (like an OCSP responder) is unreachable. 'Fail open' allows access; 'fail closed' denies access.

A critical architectural decision for IT teams balancing network availability against strict security compliance.

AIA (Authority Information Access)

An extension within an X.509 certificate that indicates how to access information and services for the issuer of the certificate, including the OCSP responder URI.

The RADIUS server reads this extension to determine exactly where to send the OCSP query for a specific client certificate.

Supplicant

The software client on a device (e.g., a laptop or smartphone) that attempts to access the network and responds to authentication requests.

The entity presenting the client certificate that the RADIUS server must validate against the OCSP responder.

Casos de éxito

A 500-room luxury hotel in the [Hospitality](/industries/hospitality) sector is upgrading its back-of-house WiFi network to use EAP-TLS for staff devices. They currently use a centralized RADIUS server in their corporate data centre, connected via SD-WAN. They are concerned that real-time OCSP queries to their cloud-based CA will cause authentication timeouts during shift changes when hundreds of staff connect simultaneously.

The implementation must prioritize low-latency authentication without compromising security. The solution involves three steps: 1) Deploy a localized RADIUS proxy at the hotel property to handle the initial EAP termination. 2) Configure the RADIUS proxy to perform OCSP queries and cache the 'Good' responses for 60 minutes. 3) Implement a fallback mechanism where the RADIUS proxy relies on a locally downloaded, daily CRL if the SD-WAN link to the cloud CA fails.

Notas de implementación: This approach effectively mitigates the latency risk. By caching OCSP responses locally at the edge, the hotel avoids sending hundreds of simultaneous queries across the WAN during a shift change. The 60-minute cache window is a pragmatic compromise, keeping the vulnerability window small while ensuring high availability. The CRL fallback provides critical resilience against WAN outages, ensuring staff can still authenticate even if the cloud CA is temporarily unreachable. This architecture aligns with the principles discussed in our article on [The Core SD WAN Benefits for Modern Businesses](/blog/sd-wan-benefits).

A large public-sector organisation is deploying [Sensors](/products/sensors) across multiple municipal buildings. These IoT devices authenticate via 802.1X using certificates with a 5-year lifespan. The IT security team requires immediate network disconnection if a sensor is reported stolen.

Given the long certificate lifespan, robust revocation is critical. The organisation must configure their RADIUS servers to perform mandatory OCSP queries for every authentication request from the sensor VLAN. Caching should be disabled or set to a very short duration (e.g., 5 minutes). The RADIUS servers must be configured to 'fail closed'—if the OCSP responder is unreachable, the sensor is denied access.

Notas de implementación: While long-lived certificates are generally discouraged, they are common in IoT deployments due to the difficulty of automated renewal. In this scenario, OCSP is the only effective security control. Disabling caching ensures that a revoked certificate is rejected almost immediately upon the next authentication attempt. The 'fail closed' configuration prioritizes security over availability, which is appropriate given the risk of a compromised physical sensor providing a bridgehead into the municipal network.

Análisis de escenarios

Q1. Your organisation is migrating from a daily CRL download to real-time OCSP checking for your corporate WiFi. During the pilot phase, you notice a significant increase in authentication timeouts, particularly for users roaming between buildings. What is the most likely cause and the recommended mitigation?

💡 Sugerencia:Consider the latency introduced by external network queries during the EAP-TLS handshake.

Mostrar enfoque recomendado

The timeouts are likely caused by the latency of performing an external HTTP query to the OCSP responder for every authentication event, including fast reconnects during roaming. The recommended mitigation is to configure OCSP caching on the RADIUS server. By caching 'Good' responses for a period (e.g., 30 minutes), subsequent roam events will be validated locally against the cache, eliminating the external query latency and preventing timeouts.

Q2. A critical security audit requires that no compromised device can access the network for more than 5 minutes after its certificate is revoked in the MDM platform. Your RADIUS server is configured to use OCSP with a 60-minute cache. Does this configuration meet the audit requirement?

💡 Sugerencia:Analyze the relationship between the cache duration and the vulnerability window.

Mostrar enfoque recomendado

No, this configuration fails the audit requirement. The 60-minute cache creates a vulnerability window of up to one hour. If a device authenticates and its 'Good' status is cached, and the certificate is revoked 1 minute later, the RADIUS server will continue to permit access for the remaining 59 minutes based on the cached response. To meet the 5-minute requirement, the OCSP cache duration must be reduced to 5 minutes or less, though this will increase the query load on the CA infrastructure.

Q3. During a major ISP outage, your cloud-based OCSP responder becomes unreachable. Your RADIUS server is configured for OCSP checking with a 'fail closed' policy. What is the impact on the network, and how could the architecture be improved for resilience?

💡 Sugerencia:Consider the implications of 'fail closed' when a critical dependency is unavailable.

Mostrar enfoque recomendado

The impact is a total outage for all new WiFi authentications. Because the RADIUS server cannot reach the responder and is configured to 'fail closed', it will deny all access requests. To improve resilience, the architecture should implement a fallback mechanism. The RADIUS server should be configured to attempt OCSP first, and if unreachable, fall back to a locally cached CRL. This allows authentications to proceed using the last known good revocation state during the ISP outage.

Conclusiones clave

✓OCSP replaces bulky CRL downloads with real-time, targeted certificate status queries, eliminating the vulnerability window.
✓In 802.1X environments, the RADIUS server performs the OCSP query to validate the client's certificate before granting network access.
✓OCSP stapling allows the RADIUS server to prove its own validity to the client without requiring the client to query the CA.
✓Intelligent caching of 'Good' OCSP responses on the RADIUS server is critical to prevent authentication timeouts in high-density venues.
✓Implementing a CRL fallback mechanism ensures network resilience if the primary OCSP responder becomes unreachable.
✓A 'fail closed' configuration maximizes security but risks widespread outages, whereas 'fail open' prioritizes availability.
✓Robust certificate lifecycle management, including short certificate lifespans, reduces reliance on revocation mechanisms.