CRL
CA-signed X.509 revocation list.
Definition
The TLS client fetches the CRL via the CRLDP URL in the X.509 extension (usually HTTP/HTTPS). Drawbacks: growing size (can reach MB), latency, validity window (next update). OCSP and OCSP Stapling are the preferred successors. Still present in legacy banking code.
Origin
CRL standardised in X.509 v1 (1988) ; ASN.1 DER format defined in RFC 5280.
Example in context
A VPN gateway checks the internal PKI CRL every 4 hours to reject recently revoked users.
Related terms
- OCSP Stapling — successor.