
Question 129. What are Certificate Revocation Lists (CRLs)?

A certificate revocation list (CRL) is a list of certificates that have been revoked before their scheduled expiration date. There are several reasons why a certificate might need to be revoked and placed on a CRL. For instance, the private key corresponding to the certificate might have been compromised, or the user named in the certificate may no longer have authority to use the key. For example, suppose the user name associated with a key is "Alice Avery, Vice President, Argo Corp." If Alice were fired, her company would not want her to be able to sign messages with that key, and therefore the company would place the certificate on a CRL.

When verifying a signature, one can check the relevant CRL to make sure the signer's certificate has not been revoked. Whether it is worth the time to perform this check depends on the importance of the signed document.

CRLs are maintained by CAs and provide information about revoked certificates that were issued by the CA. CRLs only list current certificates, since expired certificates should not be accepted in any case; when a revoked certificate is past its original expiration date, it is removed from the CRL. Although CRLs are maintained in a distributed manner, there may be central repositories for CRLs, that is, network sites containing the latest CRLs from many organizations. An institution like a bank might want an in-house CRL repository to make CRL searches on every transaction feasible.
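The behaviour described above (a CA listing revoked certificates by serial number with a reason code, a verifier consulting the list before trusting a signature, expired certificates being rejected regardless of the list, and revoked entries being dropped once the certificate would have expired anyway) can be modelled in a few dozen lines. The following is an added illustration, not code from the original FAQ; the CA name, subjects, serial numbers, dates and the one-day CRL validity period are all constructed, and the real CRL signature and ASN.1 encoding of X.509 are deliberately left out.

```python
"""Toy model of certificate revocation lists (all names, serials and dates are constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Dict


class RevocationReason(IntEnum):
    # Subset of the X.509 CRLReason codes defined in RFC 5280, section 5.3.1.
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    AFFILIATION_CHANGED = 3
    SUPERSEDED = 4
    CESSATION_OF_OPERATION = 5


@dataclass
class Certificate:
    serial: int
    issuer: str
    subject: str
    not_after: datetime  # scheduled expiration date


@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: RevocationReason
    not_after: datetime  # remembered so the CA can drop the entry once the cert expires


@dataclass
class CRL:
    issuer: str
    this_update: datetime  # when this list was published
    next_update: datetime  # when a verifier should expect a newer list
    entries: Dict[int, RevokedEntry] = field(default_factory=dict)

    def revoke(self, cert: Certificate, now: datetime, reason: RevocationReason) -> None:
        # A CA only lists certificates it issued itself.
        if cert.issuer != self.issuer:
            raise ValueError("certificate was not issued by this CA")
        self.entries[cert.serial] = RevokedEntry(cert.serial, now, reason, cert.not_after)

    def reissue(self, now: datetime, validity: timedelta = timedelta(days=1)) -> None:
        # Publish a fresh list. Entries whose certificate has passed its own
        # expiration date are removed: an expired certificate is rejected anyway.
        self.entries = {s: e for s, e in self.entries.items() if e.not_after > now}
        self.this_update = now
        self.next_update = now + validity


def check_certificate(cert: Certificate, crl: CRL, now: datetime) -> str:
    """Return the status a verifier would assign to `cert` using `crl` at time `now`."""
    if cert.issuer != crl.issuer:
        return "wrong-crl"          # this list says nothing about certs from other CAs
    if now > cert.not_after:
        return "expired"            # rejected regardless of the CRL contents
    if not (crl.this_update <= now <= crl.next_update):
        return "stale-crl"          # refuse to decide on an out-of-date list
    entry = crl.entries.get(cert.serial)
    if entry is not None:
        return "revoked:" + entry.reason.name
    return "good"


def demo() -> dict:
    """Walk through the Alice Avery scenario from the FAQ with constructed data."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ca = "CN=Argo Corp CA"  # constructed issuer name
    alice = Certificate(1001, ca, "Alice Avery, Vice President, Argo Corp.", t0 + timedelta(days=365))
    bob = Certificate(1002, ca, "Bob Baker, Argo Corp.", t0 + timedelta(days=365))
    carol = Certificate(1003, ca, "Carol Cole, Argo Corp.", t0 - timedelta(days=1))  # already expired

    crl = CRL(ca, this_update=t0, next_update=t0 + timedelta(days=1))
    crl.revoke(alice, t0, RevocationReason.AFFILIATION_CHANGED)  # Alice was fired

    now = t0 + timedelta(hours=1)
    results = {
        "alice": check_certificate(alice, crl, now),
        "bob": check_certificate(bob, crl, now),
        "carol": check_certificate(carol, crl, now),
        "bob_stale": check_certificate(bob, crl, t0 + timedelta(days=3)),
    }
    later = t0 + timedelta(days=400)  # Alice's certificate has now expired on its own
    crl.reissue(later)
    results["entries_after_reissue"] = len(crl.entries)
    results["alice_later"] = check_certificate(alice, crl, later)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Two points the model makes explicit: a verifier treats an out-of-date CRL as a reason to refuse, not as evidence that nothing was revoked, and the CA's reissue step is where a revoked-but-now-expired certificate disappears from the list. A real deployment also checks the CA's signature over the CRL before trusting any of it, which this toy omits.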

The original CRL proposals often required a list, per issuer, of all revoked certificates; new certificate revocation methods (e.g., in X.509 version 3, see Question 165) are more flexible.