Once a certificate has been issued it cannot be recalled: copies of it may exist anywhere, so revoking it does not make it inaccessible. For this reason CAs publish Certificate Revocation Lists (CRLs) to announce to all relying parties that the certificates listed in the CRL are revoked.
Certificate Revocation Lists have the following properties:
A sample CRL can be as follows:
In a PKI it is mandatory for every agent performing a certificate-based operation to check the CRL while validating a certificate. The CRL itself must be current (its nextUpdate time has not passed) and signed by the certificate's issuer before it is trusted. If the serial number of the certificate appears in the CRL, the certificate must be treated as invalid and the operation must be aborted.
CRLs are required in PKI for two main reasons:
CRLs can become very long for large CAs that have revoked many certificates, which makes downloading them frequently a burden for clients. To reduce this, a CA can publish delta CRLs. A delta CRL lists only the changes since a particular base (complete) CRL, so a client downloads the most recent delta CRL and combines it with the most recent base CRL it already holds to obtain the complete list of revoked certificates.
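The following is an added example, not code from the original page: it implements the relying-party logic described above, first the plain serial-number lookup against a single CRL and then the base-plus-delta combination, following the RFC 5280 rules for delta CRLs (the delta's BaseCRLNumber must not exceed the base CRL's number, the delta's own CRL number must be greater, and an entry with reason removeFromCRL drops a certificate that was on hold in the base). The CRLs are constructed in-memory records rather than parsed DER, and the caller is assumed to have already verified each CRL's signature against the issuer; the issuer name, serial numbers and dates are made up for the demo.

```python
# Added example (not from the original page): deciding whether a certificate is
# revoked from a complete CRL, optionally combined with a delta CRL.
# Assumption: CRL signatures and issuer identity were verified by the caller;
# the records below are constructed sample data, not real CA output.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# CRLReason values from RFC 5280 section 5.3.1 that the merge logic needs
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8


@dataclass
class RevokedEntry:
    serial: int                   # certificate serialNumber
    revocation_date: datetime
    reason: Optional[int] = None  # CRLReason entry extension, if present


@dataclass
class CRL:
    issuer: str
    crl_number: int               # CRLNumber extension
    this_update: datetime
    next_update: datetime
    revoked: List[RevokedEntry]
    base_crl_number: Optional[int] = None  # BaseCRLNumber: set only on delta CRLs


class CRLUnusable(Exception):
    """The CRL cannot be relied on; the caller must fail closed."""


def check_usable(crl: CRL, now: datetime) -> None:
    # A stale CRL may be missing recent revocations, so it is unusable rather
    # than a reason to accept every certificate it does not list.
    if now < crl.this_update:
        raise CRLUnusable("CRL thisUpdate is in the future")
    if now > crl.next_update:
        raise CRLUnusable("CRL is past nextUpdate; fetch a fresh one")


def merge_delta(base: CRL, delta: CRL) -> Dict[int, RevokedEntry]:
    """Combine a complete CRL with a delta CRL into the effective revoked set."""
    if delta.base_crl_number is None:
        raise CRLUnusable("delta CRL lacks BaseCRLNumber")
    if base.base_crl_number is not None:
        raise CRLUnusable("base must be a complete CRL, not another delta")
    if delta.issuer != base.issuer:
        raise CRLUnusable("base and delta CRLs have different issuers")
    # RFC 5280 5.2.4: the delta applies to a complete CRL whose number is
    # >= BaseCRLNumber and < the delta's own CRL number.
    if not (delta.base_crl_number <= base.crl_number < delta.crl_number):
        raise CRLUnusable("delta CRL does not apply to this base CRL")
    effective = {e.serial: e for e in base.revoked}
    for entry in delta.revoked:
        if entry.reason == REMOVE_FROM_CRL:
            # released from certificateHold (or otherwise dropped) since the base
            effective.pop(entry.serial, None)
        else:
            effective[entry.serial] = entry  # newly revoked, or updated entry
    return effective


def certificate_status(serial: int, base: CRL, delta: Optional[CRL] = None,
                       now: Optional[datetime] = None) -> str:
    """Return 'revoked' or 'good'; raise CRLUnusable if no safe decision exists."""
    now = now or datetime.now(timezone.utc)
    check_usable(base, now)
    if delta is None:
        revoked = {e.serial: e for e in base.revoked}
    else:
        check_usable(delta, now)
        revoked = merge_delta(base, delta)
    return "revoked" if serial in revoked else "good"


def sample_crls():
    """Constructed sample data (hypothetical CA, serials and dates)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    base = CRL("CN=Example CA", 10, t0, t0 + timedelta(days=7), [
        RevokedEntry(0x1001, t0, reason=KEY_COMPROMISE),
        RevokedEntry(0x1002, t0, reason=CERTIFICATE_HOLD),
    ])
    delta = CRL("CN=Example CA", 11, t0 + timedelta(days=1), t0 + timedelta(days=2), [
        RevokedEntry(0x1003, t0 + timedelta(days=1), reason=KEY_COMPROMISE),
        RevokedEntry(0x1002, t0 + timedelta(days=1), reason=REMOVE_FROM_CRL),
    ], base_crl_number=10)
    return base, delta, t0 + timedelta(days=1, hours=1)


if __name__ == "__main__":
    base, delta, now = sample_crls()
    for serial in (0x1001, 0x1002, 0x1003, 0x1004):
        print(hex(serial), certificate_status(serial, base, delta, now))
```

Note that every failure path raises rather than returning "good": a missing, expired or mismatched CRL leaves the relying party without evidence, and the safe default is to refuse the operation, not to proceed.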