Connected: An Internet Encyclopedia
3.5.1 X.509 CRLs

RFC 1422, 3. Architecture, 3.5 Certificate Revocation

X.509 states that it is a CA's responsibility to maintain: "a time-stamped list of the certificates it issued which have been revoked." There are two primary reasons for a CA to revoke a certificate: suspected compromise of a private component (invalidating the corresponding public component) or change of user affiliation (invalidating the DN). The use of Certificate Revocation Lists (CRLs) as defined in X.509 is one means of propagating information relative to certificate revocation, though it is not a perfect mechanism. In particular, an X.509 CRL indicates only the age of the information contained in it; it does not provide any basis for determining if the list is the most current CRL available from a given CA.

The proposed architecture establishes a format for a CRL in which not only the date of issue, but also the next scheduled date of issue is specified. Adopting this convention, when the next scheduled issue date arrives a CA (Throughout this section, when the term "CA" is employed, it should be interpreted broadly, to include the IPRA and PCAs as well as organizational, residential, and PERSONA CAs.) will issue a new CRL, even if there are no changes in the list of entries. In this fashion each CA can independently establish and advertise the frequency with which CRLs are issued by that CA. Note that this does not preclude CRL issuance on a more frequent basis, e.g., in case of some emergency, but no system-wide mechanisms are architected for alerting users that such an unscheduled issuance has taken place. This scheduled CRL issuance convention allows users (UAs) to determine whether a given CRL is "out of date," a facility not available from the (1988) X.509 CRL format.

The description of CRL management in the text and the format for CRLs specified in X.509 (1988) are inconsistent. For example, the latter associates an issuer distinguished name with each revoked certificate even though the text states that a CRL contains entries for only a single issuer (which is separately specified in the CRL format). The CRL format adopted for PEM is a (simplified) format consistent with the text of X.509, but not identical to the accompanying format. The ASN.1 format for CRLs used with PEM is provided in Appendix A.

X.509 also defines a syntax for the "time-stamped list of revoked certificates representing other CAs." This syntax, the "AuthorityRevocationList" (ARL), allows the list to include references to certificates issued by CAs other than the list maintainer. There is no syntactic difference between these two lists except as they are stored in directories. Since PEM is expected to be used prior to widespread directory deployment, this distinction between ARLs and CRLs is not syntactically significant. As a simplification, this document specifies the use of the CRL format defined below for revocation both of user and of CA certificates.
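The following is an added example, not code from RFC 1422 or any PEM implementation, showing how a user agent can act on the two points made above: the scheduled-issuance convention (a CRL carries both its issue date and its next scheduled issue date, so the UA can tell when the list is out of date and can recognise an unscheduled earlier issuance) and the single CRL format used for both user and CA certificates. The `Crl`, `CrlCache` and `RevokedEntry` names, the distinguished names, serial numbers and dates are all constructed for illustration; signature verification of the CRL, which a real UA must do before trusting it, is out of scope here.

```python
"""Added example: a CRL cache applying RFC 1422's scheduled-issuance rule.
Every structure, name and sample value is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime


@dataclass(frozen=True)
class Crl:
    """Minimal model of the PEM CRL: one issuer, an issue date and a next
    scheduled issue date (the field the 1988 X.509 CRL format lacks)."""
    issuer: str
    last_update: datetime
    next_update: datetime
    revoked: Tuple[RevokedEntry, ...] = ()

    def is_out_of_date(self, now: datetime) -> bool:
        # The CA promised a fresh list by next_update; past that point the
        # UA cannot know whether newer revocations exist.
        return now >= self.next_update

    def supersedes(self, other: Optional["Crl"]) -> bool:
        # A more recently issued list always wins, which also covers an
        # unscheduled (emergency) issuance before next_update arrives.
        return other is None or self.last_update > other.last_update


class CrlCache:
    """Holds the most recently issued CRL seen for each issuer DN."""

    def __init__(self) -> None:
        self._by_issuer: Dict[str, Crl] = {}

    def add(self, crl: Crl) -> bool:
        """Store crl if it is newer than the one held; return True if stored.
        Replaying an older CRL never rolls the cache back."""
        current = self._by_issuer.get(crl.issuer)
        if crl.supersedes(current):
            self._by_issuer[crl.issuer] = crl
            return True
        return False

    def status(self, issuer: str, serial: int, now: datetime) -> str:
        """Classify one certificate against its issuer's cached CRL:
        "good", "revoked", "stale" (CRL past its next scheduled issue
        date) or "unknown" (no CRL held for this issuer)."""
        crl = self._by_issuer.get(issuer)
        if crl is None:
            return "unknown"
        if crl.is_out_of_date(now):
            return "stale"
        if any(entry.serial == serial for entry in crl.revoked):
            return "revoked"
        return "good"

    def chain_status(self, chain: List[Tuple[str, int]], now: datetime) -> str:
        """Check every link of a certification path, user and CA certificates
        alike, with the same CRL format (RFC 1422's simplification instead of
        a separate ARL).  chain is [(issuer_dn, serial), ...], leaf first;
        the first non-"good" result decides the chain."""
        for issuer, serial in chain:
            result = self.status(issuer, serial, now)
            if result != "good":
                return result
        return "good"


def demo() -> Dict[str, object]:
    """Constructed scenario: a CA issuing CRLs weekly, plus an emergency CRL
    issued mid-week.  Returns what the UA concludes at several points in time."""
    ca = "C=US, O=Example Org, OU=Example CA"      # constructed DN
    pca = "C=US, O=Example PCA"                     # constructed DN, no CRL held
    t0 = datetime(1993, 2, 1, tzinfo=timezone.utc)
    day, week = timedelta(days=1), timedelta(days=7)
    cache = CrlCache()
    results: Dict[str, object] = {}

    scheduled = Crl(ca, t0, t0 + week, (RevokedEntry(17, t0 - 3 * day),))
    cache.add(scheduled)
    results["user17_day1"] = cache.status(ca, 17, t0 + day)
    results["user42_day1"] = cache.status(ca, 42, t0 + day)

    # Unscheduled issuance two days in: serial 42 is added before next_update.
    emergency = Crl(ca, t0 + 2 * day, t0 + week,
                    scheduled.revoked + (RevokedEntry(42, t0 + 2 * day),))
    results["emergency_stored"] = cache.add(emergency)
    results["user42_day3"] = cache.status(ca, 42, t0 + 3 * day)

    # A replay of the older scheduled CRL must be rejected.
    results["replay_stored"] = cache.add(scheduled)

    # A path whose CA certificate has no CRL available is not "good".
    results["chain_day3"] = cache.chain_status([(ca, 7), (pca, 3)], t0 + 3 * day)

    # Once next_update has passed with no newer CRL, the list is out of date.
    results["user99_day8"] = cache.status(ca, 99, t0 + week)
    return results
```

The "stale" result is the facility the paragraph above describes: without `next_update`, the UA could only see how old the list was, not that the CA had failed to deliver the one it promised. What a UA does with a stale or unknown result is policy, but treating either as anything other than "good" is the conservative choice.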

