Introduction
CRLs are the traditional method of certificate validation. Each CA publishes signed lists of the certificates it has revoked. The verifier downloads these lists, checks the signature on each list, confirms from the list's date that it is recent and still current, and searches the list to make sure that the serial number of the certificate in question does not appear on it.
CRLs are ill-suited to many applications because downloading the lists becomes impractical as the number of certificates in circulation, and on the lists, increases. Further, verifiers may have to collect lists from multiple CAs. In short, the network bandwidth, reliability, latency and processing effort of handling CRLs directly are likely to be, or to become, unacceptably large.
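The verifier's steps described above (check the list's signature against the trusted CA, confirm the list is current, then search it for the serial number), carried out with Go's standard library. This is an added example, not ValiCert's code; the CA, its key and the revoked serial numbers are constructed fixtures, and a list that fails the signature or freshness checks is reported as an error rather than as "not revoked".

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

func must[T any](v T, err error) T { // fixture helper: panic on error, never for verifier code
	if err != nil {
		panic(err)
	}
	return v
}

// buildCRL stands in for the CA: it makes a constructed self-signed CA certificate (re-parsed so it
// carries the SubjectKeyId that CRL signing needs) and signs a CRL listing the given entries.
func buildCRL(entries []x509.RevocationListEntry, thisUpdate, nextUpdate time.Time) (*x509.Certificate, []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA (constructed)"},
		NotBefore: thisUpdate.Add(-time.Hour), NotAfter: thisUpdate.Add(8760 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	crl := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: thisUpdate, NextUpdate: nextUpdate, RevokedCertificateEntries: entries}, ca, key))
	return ca, crl
}

// checkCRL is the verifier's side: signature from the trusted CA, freshness window, then serial
// search. A stale or unverifiable list is an error, never a silent "not revoked".
func checkCRL(ca *x509.Certificate, crlDER []byte, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL not current (thisUpdate %s, nextUpdate %s)", crl.ThisUpdate, crl.NextUpdate)
	}
	return slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool {
		return e.SerialNumber.Cmp(serial) == 0
	}), nil
}
```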
For more detailed technical information on CRLs, see RFC 2459 at:
ValiCert, Inc. http://www.valicert.com Voice: +1.650.567.5469 Fax: +1.650.254.2148 support@valicert.com