There are several types of CRLs: full CRLs (also known as base CRLs), delta CRLs, and CRL Distribution Points (CDPs). Delta CRLs contain only the status of those certificates whose status has changed since the issuance of the last base CRL.
CRL Distribution Points are used to anchor a well-known location for base, delta, and even partitioned CRLs.
The best way to start a discussion of certificate revocation and status checking is to look at how an end user sees the effects of certificate revocation and status checking in the Windows XP and Windows 2000 user interfaces.
This section will look at scenarios where a certificate chain is both valid and invalid.
The scope and audience of this white paper is to assist organizational system architects and administrators in understanding how certificate chaining and revocation work in Windows 2000 and Windows XP, so that administrators can troubleshoot problems related to certificate chaining and revocation.
For an introduction to PKI and Certificate Services, please refer to following terms are used in this white paper: Authority Information Access (AIA).
This method involves each CA periodically issuing a signed data structure called a certificate revocation list (CRL).
The AKI can contain the issuer name and serial number, public key information, or no information at all.
The PKI provides validation of certificate-based credentials and ensures that the credentials are not revoked, corrupted, or modified.
A certificate extension included in CA certificates that contains a hash of the CA certificate's public key. This hash is placed in the Authority Key Identifier (AKI) extension of all issued certificates to facilitate chain building.
Certificate chaining is defined as the trust validation of an X.509 certificate as it is compared to a trust anchor such as a root certificate.
Each revoked certificate is identified in a CRL by its certificate serial number.
When a certificate-aware system uses a certificate (for example, to verify a remote user's digital signature), that system should not only check the certificate's signature and time validity, but should also acquire suitably recent certificate status information to ensure that the certificate being presented has not been revoked.
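The following is an added example, not code from the white paper or from Windows, showing the two ideas above on constructed data: how a delta CRL is combined with the base CRL it refers to (including the removeFromCRL reason code RFC 5280 defines for delta CRLs), and how a relying party then checks a certificate's time validity, its serial number against the revoked set, and whether the status information is still recent enough to use. The issuer name, serial numbers and dates are constructed.

```python
# Added example (not from the white paper): applying a delta CRL to a base CRL
# and performing the status check described in the text, on constructed data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

REMOVE_FROM_CRL = "removeFromCRL"  # RFC 5280 reason code that only appears in delta CRLs

@dataclass
class Crl:
    issuer: str
    number: int                        # CRL Number extension
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, str]            # serial number -> revocation reason
    base_number: Optional[int] = None  # Delta CRL Indicator; None for a base CRL

def merge_delta(base: Crl, delta: Crl) -> Crl:
    """Combine a base CRL with a delta CRL into the equivalent full CRL.

    The delta must come from the same issuer and refer to this base (or an older
    one); an entry with reason removeFromCRL drops a serial that is no longer
    revoked (for example a certificate hold that was lifted).
    """
    if delta.base_number is None or delta.issuer != base.issuer:
        raise ValueError("not a delta CRL for this issuer")
    if delta.base_number > base.number:
        raise ValueError("delta CRL refers to a newer base CRL than the one held")
    revoked = dict(base.revoked)
    for serial, reason in delta.revoked.items():
        if reason == REMOVE_FROM_CRL:
            revoked.pop(serial, None)
        else:
            revoked[serial] = reason
    return Crl(base.issuer, delta.number, delta.this_update, delta.next_update, revoked)

def check_status(serial: int, not_before: datetime, not_after: datetime,
                 crl: Crl, now: datetime) -> str:
    """Return 'expired', 'stale-crl', 'revoked' or 'valid' for one certificate."""
    if not (not_before <= now <= not_after):
        return "expired"
    if now > crl.next_update:          # status information is no longer "suitably recent"
        return "stale-crl"
    return "revoked" if serial in crl.revoked else "valid"

# Constructed sample data: base CRL #7, and delta CRL #8 issued against it.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
BASE = Crl("CN=Example CA", 7, T0, T0 + timedelta(days=7),
           {0x1001: "keyCompromise", 0x1002: "certificateHold"})
DELTA = Crl("CN=Example CA", 8, T0 + timedelta(days=1), T0 + timedelta(days=2),
            {0x1003: "superseded", 0x1002: REMOVE_FROM_CRL}, base_number=7)
FULL = merge_delta(BASE, DELTA)  # effective revoked set: 0x1001 and 0x1003
```

Note that a relying party that only refreshed the base CRL would still treat 0x1002 as revoked and would not know about 0x1003 until the next base CRL is published, which is why the delta must be fetched from the CDP as well.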