| Filename extension | .crl |
|---|---|
| Internet media type | application/pkix-crl |
| Initial release | May 1999 |
| Container for | X.509 CRLs |
| Standard | RFC 2585 |
| Website | https://www.iana.org/assignments/media-types/application/pkix-crl |
Incryptography, acertificate revocation list (CRL) is "a list ofdigital certificates that have been revoked by the issuingcertificate authority (CA) before their scheduled expiration date and should no longer be trusted".[1]
Publicly trusted CAs in the Web PKI are required (including by theCA/Browser forum[2]) to issue CRLs for their certificates, and they widely do.[3]
Browsers and other relying parties might use CRLs, or might use alternatecertificate revocation technologies (such asOCSP)[4][5] or CRLSets (a dataset derived from CRLs[6]) to check certificate revocation status. Note that OCSP is falling out of favor due to privacy and performance concerns.[7][8][9]
Subscribers and other parties can also use ARI.[10]
There are two different states of revocation defined in RFC 5280:
Reasons to revoke, hold, or unlist a certificate according to RFC 5280[11] are:
unspecified (0)keyCompromise (1)cACompromise (2)affiliationChanged (3)superseded (4)cessationOfOperation (5)certificateHold (6)removeFromCRL (8)privilegeWithdrawn (9)aACompromise (10)Note that value 7 is not used.
A CRL is generated and published periodically, often at a defined interval. A CRL can also be published immediately after a certificate has been revoked. A CRL is issued by a CRL issuer, which is typically the CA which also issued the corresponding certificates, but could alternatively be some other trusted authority. All CRLs have a lifetime during which they are valid; this timeframe is often 24 hours or less. During a CRL's validity period, it may be consulted by a PKI-enabled application to verify a certificate prior to use.
To preventspoofing ordenial-of-service attacks, CRLs usually carry adigital signature associated with the CA by which they are published. To validate a specific CRL prior to relying on it, the certificate of its corresponding CA is needed.
The certificates for which a CRL should be maintained are oftenX.509/public key certificates, as this format is commonly used by PKI schemes.
Expiration dates are not a substitute for a CRL. While all expired certificates are considered invalid, not all unexpired certificates should be valid. CRLs or other certificate validation techniques are a necessary part of any properly operated PKI, as mistakes in certificate vetting and key management are expected to occur in real world operations.
In a noteworthy example, a certificate forMicrosoft was mistakenly issued to an unknown individual, who had successfully posed as Microsoft to the CA contracted to maintain theActiveX 'publisher certificate' system (VeriSign).[12] Microsoft saw the need to patch their cryptography subsystem so it would check the status of certificates before trusting them. As a short-term fix, a patch was issued for the relevant Microsoft software (most importantly Windows) specifically listing the two certificates in question as "revoked".[13]
Best practices require that wherever and however certificate status is maintained, it must be checked whenever one wants to rely on a certificate. Failing this, a revoked certificate may be incorrectly accepted as valid. This means that to use a PKI effectively, one must have access to current CRLs. This requirement of on-line validation negates one of the original major advantages of PKI oversymmetric cryptography protocols, namely that the certificate is "self-authenticating". Symmetric systems such asKerberos also depend on the existence of on-line services (akey distribution center in the case of Kerberos).
The existence of a CRL implies the need for someone (or some organization) to enforce policy and revoke certificates deemed counter to operational policy. If a certificate is mistakenly revoked, significant problems can arise. As the certificate authority is tasked with enforcing the operational policy for issuing certificates, they typically are responsible for determining if and when revocation is appropriate by interpreting the operational policy.
The necessity of consulting a CRL (or other certificate status service) prior to accepting a certificate raises a potentialdenial-of-service attack against the PKI. If acceptance of a certificate fails in the absence of an available valid CRL, then no operations depending upon certificate acceptance can take place. This issue exists for Kerberos systems as well, where failure to retrieve a current authentication token will prevent system access.
An alternative to using CRLs is the certificate validation protocol known asOnline Certificate Status Protocol (OCSP). OCSP has the primary benefit of requiring less network bandwidth, enabling real-time and near real-time status checks for high volume or high-value operations.
As of Firefox 28, Mozilla has announced they are deprecating CRL in favour of OCSP.[4]
CRL files may grow quite large over time e.g. in US government, for certain institution multiple megabytes. Therefore, incremental CRLs have been designed[14] sometimes referred to as "delta CRLs". However, only a few clients implement them.[15]
Anauthority revocation list (ARL) is a form of CRL containing revoked certificates issued tocertificate authorities, contrary to CRLs which contain revoked end-entity certificates.[16][17]
In lieu of, or as a supplement to, checking against a periodic CRL, it may be necessary to obtain timely information regarding the revocation status of certificates. ... OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information.