Certificate revocation list

Certificate revocation list
Filename extension	.crl
Internet media type	application/pkix-crl
Initial release	May 1999
Container for	X.509 CRLs
Standard	RFC 2585
Website	https://www.iana.org/assignments/media-types/application/pkix-crl

In cryptography, a certificate revocation list (CRL) is "a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should no longer be trusted".^[1]

Publicly trusted CAs in the Web PKI are required (including by the CA/Browser forum^[2]) to issue CRLs for their certificates, and they widely do.^[3]

Browsers and other relying parties might use CRLs, or might use alternate certificate revocation technologies (such as OCSP)^[4]^[5] or CRLSets (a dataset derived from CRLs^[6]) to check certificate revocation status. Note that OCSP is falling out of favor due to privacy^[7] and performance^[8] concerns.

Subscribers and other parties can also use ARI.^[9]

^ "What is Certificate Revocation List (CRL)? - Definition from WhatIs.com". TechTarget. Retrieved October 26, 2017.
^ "Baseline Requirements". CAB Forum. Archived from the original on 2024-07-11. Retrieved 2024-07-10.
^ Korzhitskii, Nikita; Carlsson, Niklas (2021). Revocation Statuses on the Internet. Passive and Active Measurement Conference. arXiv:2102.04288.
^ Cite error: The named reference :0 was invoked but never defined (see the help page).
^ Santesson, Stefan; Myers, Michael; Ankney, Rich; Malpani, Ambarish; Galperin, Slava; Adams, Carlisle (June 2013). "RFC 6960: X.509 Internet Public Key Infrastructure: Online Certificate Status Protocol - OCSP". Internet Engineering Task Force (IETF). Archived from the original on 2018-12-15. Retrieved 2021-11-24. In lieu of, or as a supplement to, checking against a periodic CRL, it may be necessary to obtain timely information regarding the revocation status of certificates. ... OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information.
^ "CRLSets".
^ "Some consequences of widespread use of OCSP for HTTPS".
^ "No, don't enable revocation checking".
^ "Automated Certificate Management Environment (ACME) Renewal Information (ARI) Extension".

[1] "What is Certificate Revocation List (CRL)? - Definition from WhatIs.com". TechTarget. Retrieved October 26, 2017.

[2] "Baseline Requirements". CAB Forum. Archived from the original on 2024-07-11. Retrieved 2024-07-10.

[3] Korzhitskii, Nikita; Carlsson, Niklas (2021). Revocation Statuses on the Internet. Passive and Active Measurement Conference. arXiv:2102.04288.

[:0-4] Cite error: The named reference :0 was invoked but never defined (see the help page).

[5] Santesson, Stefan; Myers, Michael; Ankney, Rich; Malpani, Ambarish; Galperin, Slava; Adams, Carlisle (June 2013). "RFC 6960: X.509 Internet Public Key Infrastructure: Online Certificate Status Protocol - OCSP". Internet Engineering Task Force (IETF). Archived from the original on 2018-12-15. Retrieved 2021-11-24. In lieu of, or as a supplement to, checking against a periodic CRL, it may be necessary to obtain timely information regarding the revocation status of certificates. ... OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information.

[6] "CRLSets".

[7] "Some consequences of widespread use of OCSP for HTTPS".

[8] "No, don't enable revocation checking".

[9] "Automated Certificate Management Environment (ACME) Renewal Information (ARI) Extension".

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

Filename extension	`.crl`
Internet media type	application/pkix-crl
Initial release	May 1999
Container for	X.509 CRLs
Standard	RFC 2585
Website	https://www.iana.org/assignments/media-types/application/pkix-crl