Definition[]
A Certificate Revocation List (CRL) is
- "An electronically signed, time-stamped list of serial numbers of CA public key certificates, including cross-certificates that have been revoked.[1]
- "A list of revoked public key certificates created and digitally signed by a certification authority."[2]
- "A list of revoked but un-expired certificates issued by a CA.[3]
Overview[]
The list is usually signed by the same entity that issued the certificates. Certificates may be revoked, for example, if the owner’s private key has been lost; the owner leaves the company or agency; or the owner’s name changes. CRLs also document the historical revocation status of certificates. That is, a dated signature may be presumed to be valid if the signature date was within the validity period of the certificate, and the current CRL of the issuing CA at that date did not show the certificate to be revoked.
References[]
- ↑ DM3595-001, at 4.
- ↑ NIST Special Publication 800-63.
- ↑ NIST Special Publication 800-21 (2d ed.).