Why doesn’t my PKI website use HTTPS?
Websites that host Certificate Revocation Lists (CRLs) and Certification Practice Statements (CPS) often avoid using HTTPS/TLS for a mix of practical, historical, and architectural reasons. A breakdown of the key explanations is below:
CRL Distribution Points and TLS Dependency Deadlock
One of the main reasons CRL distribution points (CDPs) avoid HTTPS is to prevent a chicken-and-egg problem:
- When a client is verifying a certificate (say, during an HTTPS handshake), it may need to fetch the CRL to check whether the certificate has been revoked.
- If the CRL itself is hosted over HTTPS, the client must establish another TLS connection to fetch it.
- But this new TLS connection also requires certificate validation — which itself may require checking another CRL, possibly from the same server — creating a recursive dependency that can lead to failure or infinite loops.
Therefore, CDPs often use plain HTTP to ensure that CRLs are retrievable without triggering additional certificate validation requirements.
CRLs are Cryptographically Signed
The CRL is a signed file. The integrity and authenticity of the CRL are already protected by the CA’s digital signature.
Thus, the use of TLS is not necessary for data integrity or authenticity. Any tampering with the CRL content can be detected using the signature.
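As an added example (not code from the original page), this Go program treats a CRL fetched over plain HTTP as untrusted bytes and accepts it only if the CA's signature verifies. It also checks nextUpdate, because a signature by itself does not stop an old but validly signed CRL from being served again. The throwaway CA, the revoked serial 42 and the function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSample builds constructed test data: a throwaway CA and a CRL it signed revoking serial 42.
func newSample(nextUpdate time.Time) (*x509.Certificate, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t0 := nextUpdate.Add(-time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Sample CA"},
		NotBefore: t0, NotAfter: nextUpdate, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(caDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: t0, NextUpdate: nextUpdate,
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(42), RevocationTime: t0}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	return ca, crlDER
}

// verifyCRL accepts bytes from plain HTTP only if the CA signature verifies and nextUpdate has not passed.
func verifyCRL(der []byte, ca *x509.Certificate, now time.Time) (*x509.RevocationList, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return nil, fmt.Errorf("stale: nextUpdate %s has passed", crl.NextUpdate.Format(time.RFC3339))
	}
	return crl, nil
}

func main() {
	ca, der := newSample(time.Now().Add(time.Hour))
	bad := bytes.Replace(der, []byte{2, 1, 0x2a}, []byte{2, 1, 0x2b}, 1) // in-transit edit: serial 42 -> 43
	_, errOK := verifyCRL(der, ca, time.Now())
	_, errBad := verifyCRL(bad, ca, time.Now())
	fmt.Println("as issued:", errOK, "| tampered:", errBad)
}
```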
Minimal Dependencies during Bootstrap
Devices in constrained environments — such as embedded systems, legacy apps, or air-gapped systems — often do not support complex TLS stacks at early boot or provisioning stages.
HTTP ensures that CRLs can be downloaded without requiring pre-established trust anchors or DNS-over-TLS support.
CRL Distribution Design Philosophy
The design goal of CRL distribution is reliability and universality, not confidentiality.
Plain HTTP:
- Is lightweight
- Works without TLS dependencies
- Reduces risk of protocol layering issues in resource-limited environments
For OCSP (Online Certificate Status Protocol), this same logic applies — many OCSP responders are also reachable via HTTP for the same reasons.
Certification Practice Statements (CPS) and Public Access
CPS documents are public, non-sensitive information. Their purpose is to describe the CA’s practices transparently.
Since these documents are:
- Meant to be publicly accessible
- Not security-critical in transit
Hosting them over HTTP is typically considered acceptable.
Summary
| Use Case | Reason for avoiding HTTPS |
| --- | --- |
| CRL Distribution Points | Avoid certificate validation recursion |
| OCSP Responses | Same TLS dependency avoidance |
| CPS / CPs | Public, non-sensitive docs; minimal need for TLS |