CRL (Certificate Revocation List) - an explanation

Certificate revocation is achieved via a mechanism called the Certificate Revocation List (CRL), which contains a list of revoked and suspended certificates. More precisely, it contains some unique key to identify each certificate together with its revocation time. The unique key could be the serial number of the certificate, or some other identifier.

CRLs are usually stored in public directories which can be accessed by LDAP, HTTP or other protocols. Multiple CAs can share the same CRL directory. Every certificate may carry a pointer to the specific CRL it uses, and this is defined when the certificate is created. The pointer identifies the place from which the CRL is to be retrieved. For instance, with X.509 this could be an HTTP URL, or a server address with LDAP. However, in some cases no pointer exists and the application must have other knowledge of the CRL distribution site.

How CRLs are made available varies considerably from CA to CA, and also by how much you are willing to pay for the service! A CA might, for example, have a default policy of publishing CRLs once a day. Institutions which require more immediate notification of revoked certificates could be asked to pay extra for twice-daily, two-hourly, or even hourly publication.

Most CAs provide a single, monolithic CRL which can be cumbersome to access and slow to check. Some, however, offer more efficient validation mechanisms, such as a segmented CRL with separate distribution points that is much quicker to interrogate, or the Online Certificate Status Protocol (OCSP).
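The following is an added example, not code from the original page: a simplified CRL check in Python that models the points above (serial number as the unique key, revocation time, a publication window from the CA's publishing schedule, a per-certificate distribution-point pointer with a segmented CRL split over two points, and the "no pointer" case). The CRL/Certificate classes, the `check_revocation` function and the `example.test` URLs are constructed for illustration and are not a real CRL format or API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Simplified CRL model (constructed for this example): issuing CA,
# publication window, and serial number -> revocation time.
@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, datetime]

# Certificate fields relevant to a CRL check; the pointer may be absent.
@dataclass
class Certificate:
    issuer: str
    serial: int
    crl_distribution_point: Optional[str] = None

def check_revocation(cert: Certificate, crls: Dict[str, CRL],
                     default_url: Optional[str] = None,
                     now: Optional[datetime] = None) -> Tuple[str, Optional[datetime]]:
    """Return (status, revocation_time); status is good, revoked, stale or unknown."""
    now = now or datetime.now(timezone.utc)
    # Prefer the pointer embedded in the certificate; otherwise fall back to a
    # CRL location the application knows by other means, if it has one.
    url = cert.crl_distribution_point or default_url
    crl = crls.get(url) if url else None
    if crl is None or crl.issuer != cert.issuer:
        return ("unknown", None)   # cannot decide; never treat as good
    if now > crl.next_update:
        return ("stale", None)     # past the publication window: fetch a fresh CRL
    revoked_at = crl.revoked.get(cert.serial)
    if revoked_at is not None:
        return ("revoked", revoked_at)
    return ("good", None)

# Constructed data: a CA publishing once a day, with a segmented CRL
# spread over two distribution points (placeholder URLs).
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=1)   # after next_update, so the CRL is stale
REVOKED_AT = datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)
CRLS = {
    "http://crl.example.test/ca-part1.crl": CRL(
        "Example CA", NOW - timedelta(hours=12), NOW + timedelta(hours=12),
        {0x1A2B: REVOKED_AT}),
    "http://crl.example.test/ca-part2.crl": CRL(
        "Example CA", NOW - timedelta(hours=12), NOW + timedelta(hours=12), {}),
}
REVOKED_CERT = Certificate("Example CA", 0x1A2B, "http://crl.example.test/ca-part1.crl")
GOOD_CERT = Certificate("Example CA", 0x7F01, "http://crl.example.test/ca-part2.crl")
NO_POINTER_CERT = Certificate("Example CA", 0x7F02)
```

A certificate with no pointer is "unknown" unless the application supplies the CRL location itself, and a CRL past its `next_update` is reported as stale rather than trusted.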