Definition
Certificate Revocation List
A certificate revocation list (CRL) is a signed list, issued by a CA (or a CRL issuer it designates), of the serial numbers of certificates that have been revoked before their expiration date, each entry carrying the revocation date and usually a reason code. The CA reissues the CRL periodically; every issue carries a thisUpdate time and a nextUpdate time by which relying parties are expected to fetch the next one. Entries may be dropped once the certificate itself has expired, which is the only thing that keeps the list from growing without bound.
Revocation is not reversible: once a certificate is listed, it stays revoked until it expires. The one exception is the certificateHold reason code, which suspends a certificate and can be lifted by a later CRL (reason removeFromCRL).
Reasons for Revocation
- The corresponding private key was lost, stolen or otherwise compromised (reason code keyCompromise; cACompromise if it was a CA key)
- The data contained in the certificate is no longer valid, e.g. the subject's name, organization or address has changed (affiliationChanged), or the certificate has been replaced by a new one (superseded)
Disadvantages
Update Lag
A revocation only takes effect once a relying party fetches a CRL that contains it. Most clients keep a cached CRL until its nextUpdate time, so a certificate revoked shortly after a CRL was issued is still accepted by those clients for up to the CRL's whole validity period, typically hours to days. Shorter CRL lifetimes, delta CRLs and OCSP narrow this window but do not remove it.
Size
Because every revoked certificate stays on the list until it expires, the CRL of a large CA can grow to megabytes, and each relying party downloads the whole list on every refresh, so updating it regularly is bandwidth-costly. Delta CRLs, which list only the changes since a base CRL, and partitioned CRLs, where each distribution point covers a subset of the certificates, are the usual mitigations; OCSP avoids the download entirely by answering for one certificate at a time.
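The whole lifecycle described on this page, from the CA's signed list through a relying party's check, the update-lag window and the growth of the list, as an added example that is not part of the original page. It uses the Python `cryptography` package. The CA and host names, the 24-hour CRL lifetime, the timeline and the 500 constructed revocations are assumptions for illustration, and the check function is an illustrative client, not a complete RFC 5280 path validation.

```python
"""Added example (not from the original page): build a CA, issue a leaf
certificate, publish CRLs, and check a certificate against a CRL.

Requires the `cryptography` package. Names, the 24 h CRL lifetime and the
timeline are assumptions made for illustration."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CRL_LIFETIME = datetime.timedelta(hours=24)  # assumed thisUpdate -> nextUpdate interval
UTC = datetime.timezone.utc


def make_ca():
    """Self-signed CA certificate and key (constructed sample, not a real CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    now = datetime.datetime.now(UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return cert, key


def issue_leaf(ca_cert, ca_key, common_name):
    """End-entity certificate signed by the CA; its private key is not kept."""
    now = datetime.datetime.now(UTC)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=90))
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_cert, ca_key, revoked, issued_at):
    """Sign a CRL listing `revoked` as (serial_number, ReasonFlags) pairs.

    thisUpdate = issued_at, nextUpdate = issued_at + CRL_LIFETIME: relying
    parties are expected to fetch a fresh CRL by nextUpdate at the latest."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(issued_at)
        .next_update(issued_at + CRL_LIFETIME)
    )
    for serial, reason in revoked:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(issued_at)
            .add_extension(x509.CRLReason(reason), critical=False)  # RFC 5280 reason code
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def next_update_utc(crl):
    """nextUpdate as an aware UTC datetime (works across cryptography versions)."""
    value = getattr(crl, "next_update_utc", None)
    return value if value is not None else crl.next_update.replace(tzinfo=UTC)


def der_size(crl):
    """Size in bytes of the DER-encoded CRL, i.e. what a client downloads."""
    return len(crl.public_bytes(serialization.Encoding.DER))


def check_status(cert, crl, ca_cert, at):
    """Status of `cert` per `crl` at time `at`: "good", "revoked" or "stale".

    The CRL signature must verify against the CA key, otherwise anyone could
    serve an empty list. A CRL past its nextUpdate gives no reliable answer."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA")
    if at > next_update_utc(crl):
        return "stale"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def run_demo():
    """Walk through one revocation and return what a relying party would see."""
    ca_cert, ca_key = make_ca()
    leaf = issue_leaf(ca_cert, ca_key, "server.example.test")
    t0 = datetime.datetime.now(UTC).replace(microsecond=0)
    crl_v1 = build_crl(ca_cert, ca_key, [], issued_at=t0)  # nothing revoked yet
    # One hour later the leaf key leaks; the CA publishes a new CRL at once.
    t1 = t0 + datetime.timedelta(hours=1)
    crl_v2 = build_crl(ca_cert, ca_key, [(leaf.serial_number, x509.ReasonFlags.key_compromise)], t1)
    # Size growth: a CRL carrying 500 constructed revocations with random serials.
    bulk = [(x509.random_serial_number(), x509.ReasonFlags.affiliation_changed) for _ in range(500)]
    crl_bulk = build_crl(ca_cert, ca_key, bulk, issued_at=t1)
    return {
        "before_revocation": check_status(leaf, crl_v1, ca_cert, at=t0),
        "fresh_crl": check_status(leaf, crl_v2, ca_cert, at=t1),
        # Update lag: a client still holding crl_v1 keeps accepting the leaf ...
        "cached_crl_after_revocation": check_status(leaf, crl_v1, ca_cert, at=t1),
        # ... until crl_v1 passes its nextUpdate and has to be refreshed.
        "cached_crl_expired": check_status(leaf, crl_v1, ca_cert, at=t0 + CRL_LIFETIME + datetime.timedelta(seconds=1)),
        "empty_crl_bytes": der_size(crl_v1),
        "bulk_crl_bytes": der_size(crl_bulk),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the statuses. The line to notice is `cached_crl_after_revocation`: a client holding the earlier CRL reports the compromised certificate as good, and would keep doing so until that CRL's nextUpdate, which is the update lag described above. The two byte counts show that each entry adds a few dozen bytes of DER, so a list with a million revocations runs to tens of megabytes that every client has to fetch in full.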