
Certificate Revocation List

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Certificate Revocation List
Type: Security mechanism
Introduced: 1990s
Developer: Internet Engineering Task Force, RSA Security, Microsoft Corporation
Related: X.509, Public key infrastructure

A Certificate Revocation List (CRL) is a digitally signed list that identifies specific public key certificates issued by a Certificate Authority (CA) as no longer valid before their scheduled expiration. It functions as a revocation mechanism in X.509 and other Public key infrastructure deployments, enabling relying parties such as Microsoft Corporation, Mozilla Foundation, Google LLC, Apple Inc. and enterprise environments like IBM or Oracle Corporation to check certificate status when establishing secure channels with services including Apache HTTP Server, Nginx, OpenSSL-based servers or Microsoft Exchange Server.

Overview

A revocation list is generated and signed by a Certificate Authority such as Let's Encrypt, VeriSign, DigiCert, Entrust, or GlobalSign to assert that particular certificates should be treated as invalid. Relying parties controlled by organizations like Facebook, Amazon (company), Twitter, LinkedIn, Netflix and governmental entities such as the United States Department of Defense or the European Commission consult these lists during TLS, S/MIME, SSH, VPN and code-signing operations. Historical incidents involving compromised keys, comparable in impact to events like the Equifax data breach or controversies involving RSA Security, have driven adoption of revocation mechanisms. Major browser vendors including Mozilla Foundation, Google LLC, Microsoft Corporation and Apple Inc. incorporate revocation checks into trust decisions.

Technical Details

A revocation list contains entries referencing certificate serial numbers, revocation reasons, and revocation timestamps; the list itself is signed using algorithms standardized by bodies such as the Internet Engineering Task Force and the International Telecommunication Union, and influenced by standards from the Institute of Electrical and Electronics Engineers. Cryptographic primitives from RSA (cryptosystem), Elliptic-curve cryptography, SHA-1, SHA-256 and AES are used in signatures and transport. CRLs follow data models like X.509 extensions and can include fields for distribution points, authority key identifiers and next-update times. Implementations in OpenSSL, Bouncy Castle, GnuTLS and Microsoft CryptoAPI parse and validate signed CRL structures, applying policy constraints similar to those in RFC 5280 and other IETF specifications. The validity model depends on trustworthy time, which interacts with time sources such as Network Time Protocol services maintained by organizations like the National Institute of Standards and Technology and IANA.

Distribution and Access Methods

CRLs are typically published via Hypertext Transfer Protocol servers operated by entities like Amazon (company), Cloudflare, Inc., Akamai Technologies, or institutional domains such as Harvard University and MIT. Alternative distribution channels include LDAP (protocol) directories used by Active Directory domains, OCSP responders operated by DigiCert or Let's Encrypt, and offline transfer for air-gapped systems in Department of Defense enclaves. Clients fetch CRLs through user agents such as Mozilla Firefox, Google Chrome, Microsoft Edge and libraries like LibreSSL; enterprise appliances from Cisco Systems, Juniper Networks and Fortinet often cache CRLs. Distribution must account for the scale seen in platforms like Amazon Web Services and Microsoft Azure.

Use Cases and Limitations

CRLs are applied to revoke certificates issued to compromised actors in incidents reminiscent of breaches affecting Sony Pictures Entertainment or Target Corporation, to remove certificates after key compromise or termination of employment at organizations like Goldman Sachs and Barclays, or to withdraw code-signing certificates used in malware campaigns linked by researchers at Kaspersky Lab and Symantec. Limitations include latency between issuance and ingestion similar to issues in DNS propagation, bandwidth costs at scale experienced by services like YouTube or Netflix, and privacy exposure when clients contact CA endpoints and thereby reveal browsing choices, a concern raised by privacy advocates associated with organizations like the Electronic Frontier Foundation and the ACLU. CRLs can grow large for CAs with millions of certificates, creating performance challenges in systems like Android (operating system), iOS, Windows Server and embedded devices produced by Siemens or Bosch.
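The status check described under Technical Details (issuer match, thisUpdate/nextUpdate window, serial lookup, reason code) and the code-signing case above can be shown as one decision function. This is an added illustration written for this article, not code from any library named here; the CRL signature is assumed to have been verified already, the issuer names, serials and dates are constructed sample values, and the rule that a signature timestamped before the revocation date survives is a simplified code-signing policy, not an RFC 5280 requirement.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional


class Reason(IntEnum):
    """CRLReason codes from RFC 5280 section 5.3.1 (value 7 is unused)."""
    unspecified = 0; keyCompromise = 1; cACompromise = 2; affiliationChanged = 3
    superseded = 4; cessationOfOperation = 5; certificateHold = 6; removeFromCRL = 8


@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: Optional[Reason] = None  # the reasonCode entry extension is optional


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: dict = field(default_factory=dict)  # serial -> RevokedEntry


def certificate_status(crl, cert_issuer, serial, now, signature_time=None):
    """Return 'good', 'revoked', 'on_hold', 'stale' or 'wrong_issuer' for one cert.
    signature_time is the trusted timestamp of a code signature, if any."""
    if cert_issuer != crl.issuer:
        return "wrong_issuer"  # a CRL only speaks for the CA that signed it
    if now < crl.this_update or now > crl.next_update:
        return "stale"  # outside the validity window: do not rely on this copy
    entry = crl.entries.get(serial)
    if entry is None:
        return "good"  # absent from the list means not revoked by this CRL
    if entry.reason == Reason.certificateHold:
        return "on_hold"  # suspended; may later be reinstated via removeFromCRL
    if signature_time is not None and signature_time < entry.revocation_date:
        return "good"  # signature predates revocation (simplified policy assumption)
    return "revoked"


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed evaluation time
SAMPLE_CRL = CRL(  # constructed sample CRL, not a real CA's list
    issuer="CN=Example Issuing CA",
    this_update=NOW - timedelta(days=1), next_update=NOW + timedelta(days=6),
    entries={
        0x1001: RevokedEntry(0x1001, NOW - timedelta(days=30), Reason.keyCompromise),
        0x1002: RevokedEntry(0x1002, NOW - timedelta(days=2), Reason.certificateHold),
        0x1003: RevokedEntry(0x1003, NOW - timedelta(days=10)),  # no reasonCode
    },
)
```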

Alternatives and Complementary Mechanisms

Online Certificate Status Protocol responders by entities such as DigiCert, GlobalSign and Let's Encrypt provide per-certificate status with lower bandwidth but introduce latency and availability considerations similar to those faced by Content Delivery Network operators like Cloudflare, Inc. and Akamai Technologies. OCSP stapling, deployed by NGINX, Apache HTTP Server and major CDNs, reduces client-side queries; experimental approaches like OCSP Must-Staple have been advocated by browser vendors including Mozilla Foundation and Google LLC. Short-lived certificates used by Let's Encrypt and automated tooling like Certbot reduce reliance on revocation lists. Transparency initiatives such as Certificate Transparency logs maintained by organizations including Google LLC and monitored by projects at EFF complement revocation by enabling faster detection of mis-issuance.

Standards and Implementations

CRL formats and processing are specified in IETF documents such as RFC 5280 and related standards; implementations exist in OpenSSL, GnuTLS, Bouncy Castle, Microsoft CryptoAPI, Mozilla NSS and commercial TLS stacks from F5 Networks and Symantec. Major enterprises and platforms including Amazon Web Services, Microsoft Azure, Google Cloud Platform, and content providers like Akamai Technologies implement CRL handling in their certificate lifecycle systems. Academic and standards research from institutions such as Stanford University, Massachusetts Institute of Technology, ETH Zurich and Carnegie Mellon University has informed improvements and alternatives adopted by industry consortia including the Internet Engineering Task Force and the CA/Browser Forum.

Category:Public key infrastructure