Certificate revocation list

Publicly trusted CAs in the Web PKI are required (including by the CA/Browser Forum[2]) to issue CRLs for their certificates, and they widely do.

During a CRL's validity period, it may be consulted by a PKI-enabled application to verify a certificate prior to use.

To prevent spoofing or denial-of-service attacks, CRLs usually carry a digital signature associated with the CA by which they are published.
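As an added example (not code from the original article), the check just described, written against Go's standard library: a constructed CA issues a leaf certificate and publishes a signed CRL, and the relying party verifies the CRL's signature against the CA certificate, confirms the CRL is within its thisUpdate/nextUpdate validity period, and only then looks up the certificate's serial number. The CA name, hostname and serial numbers are made up for the demo; the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// All keys, names and certificates below are constructed in-process for the demo.

// sign generates a fresh key for tmpl and has parent sign it (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// newCA builds a self-signed CA entitled to sign both certificates and CRLs.
func newCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		// cRLSign is mandatory: Go neither creates nor accepts a CRL from a CA certificate lacking it.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// issueLeaf has the CA sign an end-entity certificate with the given serial number.
func issueLeaf(caKey *ecdsa.PrivateKey, ca *x509.Certificate, serial int64) (*x509.Certificate, error) {
	_, cert, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "leaf.example.test"},
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, ca, caKey)
	return cert, err
}

// PublishCRL is the CA side: list the revoked serials, stamp thisUpdate/nextUpdate,
// sign the list with the CA key and return it as DER.
func PublishCRL(caKey *ecdsa.PrivateKey, ca *x509.Certificate, revoked []*x509.Certificate, validFor time.Duration) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(validFor)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// CheckAgainstCRL is the relying-party side. It errors when the CRL cannot be trusted
// (bad signature, wrong issuer) or is outside its validity period; otherwise it reports
// whether cert's serial number is listed as revoked.
func CheckAgainstCRL(crlDER []byte, issuer, cert *x509.Certificate, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, fmt.Errorf("parse CRL: %w", err)
	}
	// Signature first: otherwise whoever serves the CRL could drop or add a revocation.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature does not verify against issuer: %w", err)
	}
	// The CRL must come from the certificate's own issuer.
	if !bytes.Equal(crl.RawIssuer, cert.RawIssuer) {
		return false, fmt.Errorf("CRL issuer does not match certificate issuer")
	}
	// A stale CRL may predate a revocation; refresh it rather than trust it.
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL outside its validity period; fetch a fresh one")
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	caKey, ca, _ := newCA("Example Root CA (constructed)")
	leaf, _ := issueLeaf(caKey, ca, 0x1001)
	crl, _ := PublishCRL(caKey, ca, []*x509.Certificate{leaf}, 24*time.Hour)
	fmt.Println(CheckAgainstCRL(crl, ca, leaf, time.Now())) // true <nil>
}
```

The ordering inside CheckAgainstCRL is the point: a CRL whose signature does not verify, or which is stale, says nothing about the certificate, so both cases return an error instead of the "not revoked" answer that a spoofed or outdated list would otherwise produce.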

Microsoft saw the need to patch its cryptography subsystem so that it would check the status of certificates before trusting them.

As a short-term fix, a patch was issued for the relevant Microsoft software (most importantly Windows) specifically listing the two certificates in question as "revoked".

This requirement of online validation negates one of the original major advantages of PKI over symmetric cryptography protocols, namely that the certificate is "self-authenticating".

CRL files may grow quite large over time; in the US government PKI, for example, the CRLs of certain institutions run to multiple megabytes.

CRL for a revoked cert of Verisign CA