Certificate revocation lists (CRL)

Base or delta.

  • Complete list / only the differences since a base CRL.

Signed list of identifiers of prematurely invalidated certificates.

  • Each entry can state the revocation reason.

  • Must be regularly fetched by verifiers.

    • e.g. once a day.
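
How a verifier might combine a base CRL with a delta CRL and refuse stale lists, as an added example that is not part of the original page. It follows the RFC 5280 rules for delta CRLs (the BaseCRLNumber match and the removeFromCRL reason); the `Crl` class, the function names and the sample data are constructed for illustration, and CRL parsing and CA signature verification are assumed to have already been done.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

REMOVE_FROM_CRL = "removeFromCRL"  # RFC 5280 reason code 8, delta CRLs only

@dataclass
class Crl:
    """Already-parsed CRL (hypothetical model); CA signature assumed verified."""
    crl_number: int
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)  # serial -> reason
    base_crl_number: Optional[int] = None        # set only on delta CRLs

def effective_revocations(base: Crl, delta: Optional[Crl], now: datetime) -> dict:
    """Merge a base CRL with an optional delta; raise if either is unusable."""
    for crl in filter(None, (base, delta)):
        if not (crl.this_update <= now <= crl.next_update):
            raise ValueError(f"CRL #{crl.crl_number} is stale or not yet valid; refetch")
    merged = dict(base.revoked)
    if delta is None:
        return merged
    # The delta lists changes since CRL number base_crl_number, so the base we
    # hold must be at least that recent and older than the delta itself.
    if delta.base_crl_number is None or not (
            delta.base_crl_number <= base.crl_number < delta.crl_number):
        raise ValueError("delta CRL does not apply to this base CRL")
    for serial, reason in delta.revoked.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)  # hold released or certificate expired
        else:
            merged[serial] = reason
    return merged

def check(serial: int, base: Crl, delta: Optional[Crl], now: datetime):
    """Return the revocation reason for a serial, or None if not revoked."""
    return effective_revocations(base, delta, now).get(serial)

# Constructed sample data: weekly base CRL, daily delta CRL.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
BASE = Crl(10, T0, T0 + timedelta(days=7),
           {0x1001: "keyCompromise", 0x1002: "certificateHold"})
DELTA = Crl(12, T0 + timedelta(days=2), T0 + timedelta(days=3),
            {0x1002: REMOVE_FROM_CRL, 0x1003: "cessationOfOperation"},
            base_crl_number=10)

if __name__ == "__main__":
    now = T0 + timedelta(days=2, hours=6)
    for s in (0x1001, 0x1002, 0x1003, 0x1004):
        print(hex(s), check(s, BASE, DELTA, now) or "not revoked")
```
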

Single certificate validations.

  • OCSP (RFC 6960) query/response.

  • OCSP stapling (RFCs 6066, 6961, 8446).

Publication and distribution of CRLs.

  • Each CA keeps its CRL and allows public access to it.

  • CAs exchange CRLs to facilitate their widespread distribution.

CRL and Delta CRL
