Certificate revocation

RFC 2459 proposes "CRL Distribution Points" as a "non-critical" extension to the X.509 certificate format. A certificate using this extension contains a list of CRL URLs.

Certifying principals should use the CRL extension and make CRLs available.

Node implementations may check CRLs when a certificate is presented. Node implementations may also reject certificates without declared CRL distribution points as a matter of policy.
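
The policy described above can be sketched in Go's standard crypto/x509 package. This is an added example, not code from the original document: CRLPolicy and makeCert are hypothetical names, the http(s)-only filter is an assumption, and the certificate and ca.example URLs are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// CRLPolicy (hypothetical helper) returns the CRL URLs a node would fetch for cert.
// With requireDP set, a certificate declaring no usable URL is rejected.
func CRLPolicy(cert *x509.Certificate, requireDP bool) ([]string, error) {
	var urls []string
	for _, raw := range cert.CRLDistributionPoints {
		u, err := url.Parse(raw)
		if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
			continue // assumption: this node only fetches CRLs over http(s)
		}
		urls = append(urls, u.String())
	}
	if requireDP && len(urls) == 0 {
		return nil, errors.New("no usable CRL distribution point declared")
	}
	return urls, nil
}

// makeCert builds a constructed, self-signed sample certificate listing crlURLs.
func makeCert(crlURLs []string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), CRLDistributionPoints: crlURLs}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	if cert, err := makeCert([]string{"http://ca.example/ca.crl"}); err == nil {
		fmt.Println(CRLPolicy(cert, true))
	}
}
```

The returned URLs are only where to look: a node that checks CRLs still has to fetch the list, verify its signature against the issuer, and compare serial numbers.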

Figure: X.509 certificate structure with CRL distribution point extension



Ulf Leonhardt 2001-08-16