CRL: Certificate Revocation List

• a list of revoked certificates published by a CA or a delegated CRL issuer
• a mechanism for canceling client-side certificate
• when issuing a certificate, the CA includes CRL infromation for the certificate in the certificate itself
• may or may not CDP information within the certificate
• the system compares the user's certificate against apporpriate CRL during authentication
  • It determined to be valid, the system caches certificate attributes and applies
  • if it determined that certificate is invalid, it cannot contact apporpriate CRL, or if CRL is expired, it denies the user access

CDP: CRL Distribution Point

• location on an LDAP directory server or Web server where CA publishes CRLs
• the system periodically contacts CDP to get an update of CRL
• the system downloads cRL information from CDP at the interval specified in the CRL, at interval that you specify during CRL configuration, and when manually download the CRL
• Use any of the following methods to notify the system of a certificate's CDO location
  • Specify the CDP in CA certificate
    • location of CDP may be included within the certificaate
  • Specify the CDP in client certificate
    • location of CDP may be included within the certificaate
  • Require administrator to mannually enter the CDP location
    • if neither CA or client certificate include the CDP llocation, you must manually specify how to download the CRL objecy