What is revocation?
CRL

Certificate revocation list

Origin: ITU-T X.509 | ISO/IEC 9594-8:2001, GB/T 16264.8-2005.

Definition: A signed list identifying a set of certificates that the certificate issuer considers no longer valid. Besides the ordinary CRL, several special CRL types are defined to cover particular domains of use.

Explanation: A CRL must be signed by the CA, either with the same private key used to sign certificates or with a dedicated CRL-signing private key. The CRL lists the serial numbers of the revoked certificates.

Certificate revocation

Certificates have a specified lifetime, but a CA can shorten that lifetime through a process called certificate revocation. The CA publishes a certificate revocation list (CRL) listing the serial numbers of certificates it regards as no longer usable. The validity period of a CRL is typically much shorter than that of a certificate. The CA may also record in the CRL the reason a certificate was revoked, as well as the date from which the change of status is considered to apply.

The following can be specified as the reason for revoking a certificate:

Key compromise

CA compromise

Change of affiliation

Superseded

Cessation of operation

Certificate hold (the only reason code that allows the status of a revoked certificate to be changed later, which is useful when the status of a certificate is in question)

When a CA revokes a certificate, it withdraws its statement about the permitted use of the key pair before the certificate would normally expire. Once a revoked certificate itself expires, its entry is removed from the CRL to keep the list short.

During signature verification, an application can consult the CRL to determine whether a given certificate and key pair are still trustworthy (some applications use the Microsoft certificate chain verification API in CryptoAPI for this task). If they are not, the application can determine whether the reason or date of revocation affects the use of the certificate. If the certificate is being used to verify a signature and the signature was made before the date on which the CA revoked the certificate, the signature is still considered valid.

After an application obtains a CRL, the client caches it and uses it until it expires. If the CA publishes a new CRL in the meantime, an application that still holds an unexpired CRL will not use the new one until its cached CRL expires.
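As an added example (not code from the page or from any standard it cites), the following Go program uses Go's standard library to issue a CRL and then applies the checks described above: the CRL's own signature, its short validity window, and the rule that a signature made before the revocation date is still valid. The CA, serial numbers, reason codes and times are constructed test data; it assumes Go 1.21 or later for x509.RevocationListEntry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewTestCA builds a throwaway self-signed CA able to sign CRLs (constructed fixture; errors ignored).
func NewTestCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der) // Go fills in SubjectKeyId for CA certs, which CRL signing needs
	return ca, key
}

// IssueCRL signs the entries with the CA key. ReasonCode follows X.509 (1 = keyCompromise,
// 6 = certificateHold); nextUpdate is deliberately far shorter than a certificate lifetime.
func IssueCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, now time.Time, rev []x509.RevocationListEntry) (*x509.RevocationList, error) {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificateEntries: rev}, ca, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// SignatureStillValid applies the page's rule: a signature made before the revocation time stays valid; a stale or unsigned CRL is rejected.
func SignatureStillValid(crl *x509.RevocationList, ca *x509.Certificate, serial int64, signedAt, now time.Time) (bool, int, error) {
	if now.After(crl.NextUpdate) {
		return false, 0, errors.New("cached CRL has expired; fetch a fresh one")
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, 0, err
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Int64() == serial {
			return signedAt.Before(e.RevocationTime), e.ReasonCode, nil
		}
	}
	return true, 0, nil // serial not listed: certificate still trusted
}
```

The returned int is the entry's reason code (0 when the serial is not listed), so a caller can treat a certificate hold differently from a key compromise.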
