Certificate revocation lists (CRL)
Base or delta.
Complete / differences.
Signed list of identifiers of prematurely invalidated certificates.
Can tell the revocation reason.
Must be regularly fetched by verifiers.
e.g. once a day.
Single certificate validations.
OCSP (RFC 6960) query/response.
OCSP stapling (RFCs 6066, 6961, 8446).
Publication and distribution of CRLs.
Each CA keeps its CRL and allows public access to it.
CAs exchange CRLs to facilitate their widespread.
CRL and Delta CRL
Last updated