A Free Educational Resource Created by Carnegie Mellon University to Empower You to Secure Your Part of Cyberspace

Certificate Revocation List (CRL)

List of digital certificates that have expired or been revoked

A certificate revocation list (CRL) is a list of digital certificates that have been revoked by a particular Certificate Authority (CA). Any certificates on this list should no longer be trusted by system users.

Certificates are most frequently revoked when the private key of an asymmetric encryption key pair (whose public key has been certified by the CA) is stolen. In such a situation, anybody with the private key could decrypt all communication between a user and the certified entity.

A certificate would also be revoked if a CA found that it should not have issued the certificate in the first place because the entity misrepresented itself or did not adhere to certain policy requirements.

CRLs may be issued periodically, in which case certificates that have expired may be tagged as revoked, or they may be issued as soon as a certificate is revoked. To keep CRLs from being forged, each CRL is signed by the CA, so that its signature can be checked against the CA's public key, and it carries a timestamp after which the CRL itself expires.
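As an added, runnable illustration of the checks described above (this is example code written for this page, not part of the original resource), the Go program below uses only the standard library's crypto/x509 package. It builds a constructed test CA, issues a CRL that lists one made-up serial number (1001) as revoked, and then checks serials against that CRL the way a relying party should: verify the CA's signature using the CA's public key, confirm the CRL is current (between its thisUpdate and nextUpdate timestamps), and only then look up the serial. The CA names, serial numbers and validity periods are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status is the outcome of checking one certificate serial against a CRL.
type Status int
const (
	StatusGood       Status = iota // not listed in a valid, current CRL
	StatusRevoked                  // listed: the certificate must no longer be trusted
	StatusCRLInvalid               // the CRL itself cannot be trusted (forged, stale, unparsable)
)

func (s Status) String() string { return [...]string{"good", "revoked", "crl-invalid"}[s] }

// NewIssuer builds a self-signed test CA (constructed here) whose key may sign certificates and CRLs.
func NewIssuer(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueCRL signs a CRL listing the given serials as revoked at now; it is current until now+validity (NextUpdate).
func IssueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked []*big.Int, now time.Time, validity time.Duration) ([]byte, error) {
	entries := make([]pkix.RevokedCertificate, 0, len(revoked))
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1), // CRL number; a real CA increments it on every issue
		ThisUpdate:          now,
		NextUpdate:          now.Add(validity),
		RevokedCertificates: entries, // older field name, still accepted by current Go releases
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// CheckSerial validates crlDER against the issuing CA and reports the status of the given serial at time now.
func CheckSerial(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (Status, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusCRLInvalid, fmt.Errorf("parse CRL: %w", err)
	}
	// Verify the CA's signature with its public key: a CRL that fails may be forged or from another CA.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusCRLInvalid, fmt.Errorf("CRL signature: %w", err)
	}
	// A CRL that is not yet valid or past NextUpdate may omit newer revocations: never treat it as "good".
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return StatusCRLInvalid, fmt.Errorf("CRL not current at %s (valid %s to %s)", now, crl.ThisUpdate, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	ca, key, err := NewIssuer("Example CA", now)
	if err != nil {
		panic(err)
	}
	crl, err := IssueCRL(ca, key, []*big.Int{big.NewInt(1001)}, now, 24*time.Hour) // 1001 is a constructed sample serial
	if err != nil {
		panic(err)
	}
	for _, serial := range []int64{1001, 1002} {
		st, _ := CheckSerial(crl, ca, big.NewInt(serial), now)
		fmt.Printf("serial %d now: %s\n", serial, st)
	}
	st, err := CheckSerial(crl, ca, big.NewInt(1002), now.Add(48*time.Hour))
	fmt.Printf("serial 1002 two days later: %s (%v)\n", st, err)
}
```

The checker deliberately reports a stale, unparsable or unverifiable CRL as its own status rather than as "good": failing open would let a revoked certificate keep being accepted whenever a fresh CRL cannot be obtained, which is exactly the situation the signature and expiry timestamp on the CRL are there to guard against.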
