Certificate Revocation Mechanisms

Revocation Methods

Certificate Revocation List (CRL)
  • signed list of revoked certificates (identified by serial number) published periodically by the CA
  • the verifier must fetch the whole list, which grows with every revocation and is only as fresh as its last issue
Delta CRL
  • only the changes since a referenced base CRL are published; the verifier merges the delta into the base it already holds
  • the delta names its base (the base CRL number), so a verifier can tell which complete CRL it may be applied to
Online Revocation Servers
  • no CRL is published
  • the verifier queries a central server (OCSP is the standard protocol for this) to check whether a certificate has been revoked
  • status is fresher, but the server becomes a point of failure and learns which certificates each verifier is checking

Bad List vs Good List

Bad List
  • keep a list of revoked certificates; anything not on the list is assumed to be good
  • if a bogus certificate is issued to someone (e.g. with a stolen CA key) without a log of it being kept, nothing ever flags it: it never appears on the list, so verifiers honor it
Good List
  • keep a list of valid certificates; anything not on the list is rejected
  • a bogus, unlogged certificate would not be honored, but the list would be too large and too dynamic: it must be republished on every issuance, not only on every revocation
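
The following is an added example, not part of the original notes: a toy model of the revocation methods above (base CRL, delta CRL merged under the RFC 5280 combining rules) and of the bad-list versus good-list decision. The CA, its HMAC "signature", the serials and the names alice, bob, carol and mallory are all constructed for the example; the "rogue" certificate is one signed with the CA key but never logged, which is exactly the case the bad list cannot catch.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# CRL reason codes (RFC 5280 section 5.3.1). In a delta CRL, removeFromCRL
# means "drop this entry from the base", e.g. a certificate taken off hold.
KEY_COMPROMISE, CERTIFICATE_HOLD, REMOVE_FROM_CRL = 1, 6, 8


@dataclass
class Cert:
    serial: int
    subject: str
    sig: bytes  # HMAC over "serial|subject" stands in for the CA signature


@dataclass
class CRL:
    crl_number: int
    entries: dict = field(default_factory=dict)  # serial -> reason code
    base_crl_number: int = None  # only set on delta CRLs


class ToyCA:
    """Hypothetical CA (constructed): signs with an HMAC key, logs issuances."""

    def __init__(self, key):
        self.key = key
        self.issued = set()   # basis of the good list
        self.revoked = {}     # serial -> reason; basis of the bad list
        self.next_crl_number = 1

    def sign(self, serial, subject):
        return hmac.new(self.key, f"{serial}|{subject}".encode(), hashlib.sha256).digest()

    def issue(self, serial, subject):
        self.issued.add(serial)
        return Cert(serial, subject, self.sign(serial, subject))

    def publish_crl(self):
        crl = CRL(self.next_crl_number, dict(self.revoked))
        self.next_crl_number += 1
        return crl

    def publish_delta(self, base):
        # Only the changes since `base`: new revocations, plus removeFromCRL
        # for serials that were on the base but are no longer revoked.
        changes = {s: r for s, r in self.revoked.items() if s not in base.entries}
        changes.update({s: REMOVE_FROM_CRL for s in base.entries if s not in self.revoked})
        crl = CRL(self.next_crl_number, changes, base_crl_number=base.crl_number)
        self.next_crl_number += 1
        return crl


def delta_applies(complete, delta):
    """RFC 5280 section 5.2.4: a delta combines with a complete CRL only if the
    complete CRL's number is >= the delta's BaseCRLNumber and < the delta's own."""
    return delta.base_crl_number is not None and (
        delta.base_crl_number <= complete.crl_number < delta.crl_number)


def apply_delta(complete, delta):
    """Merge a delta CRL into a complete CRL, honouring removeFromCRL entries."""
    if not delta_applies(complete, delta):
        raise ValueError("delta CRL does not apply to this complete CRL")
    merged = dict(complete.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)
        else:
            merged[serial] = reason
    return CRL(delta.crl_number, merged)


def sig_ok(ca_key, cert):
    expected = hmac.new(ca_key, f"{cert.serial}|{cert.subject}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.sig)


def accept_bad_list(ca_key, cert, crl):  # valid signature and not on the CRL
    return sig_ok(ca_key, cert) and cert.serial not in crl.entries


def accept_good_list(ca_key, cert, good):  # valid signature and explicitly listed
    return sig_ok(ca_key, cert) and cert.serial in good


def demo():
    ca = ToyCA(b"constructed-ca-key")
    alice, bob, carol = ca.issue(1, "alice"), ca.issue(2, "bob"), ca.issue(3, "carol")
    ca.revoked[2] = CERTIFICATE_HOLD
    base = ca.publish_crl()            # CRL #1: {2: hold}
    ca.revoked[3] = KEY_COMPROMISE
    del ca.revoked[2]                  # hold lifted
    delta = ca.publish_delta(base)     # CRL #2, base #1: {3: compromise, 2: removeFromCRL}
    merged = apply_delta(base, delta)
    # Signed with the CA key but never logged: what a stolen CA key (or a
    # dishonest CA) produces. Only the good list catches it.
    rogue = Cert(99, "mallory", ca.sign(99, "mallory"))
    good = ca.issued - set(ca.revoked)   # the good list: issued and not revoked
    certs = (alice, bob, carol, rogue)
    return {
        "merged": merged.entries,
        "bad_list": [accept_bad_list(ca.key, c, merged) for c in certs],
        "good_list": [accept_good_list(ca.key, c, good) for c in certs],
    }
```

Running `demo()` shows the merged CRL containing only carol's serial (bob's hold was lifted via removeFromCRL), the bad-list verifier accepting the rogue certificate because nothing ever put it on a CRL, and the good-list verifier rejecting it because it was never logged. Note also that `good` had to be recomputed after every issuance, which is the size-and-churn cost the notes mention.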

Where to Store Certificates

Storing With Subject
  • the issuer may not have write access to the subject’s record, so it cannot deposit the certificate there
  • for a root CA with many children, it is more convenient for the down-certificates (those the CA issues to its children) to be stored in the subjects’ records than to crowd the CA’s own record
  • supports bottom-up path building: start at the target name and follow its issuers back toward the trust anchor
Storing With Issuer
  • if a key is compromised, the principal must inform everyone who has certified that key so that each can revoke; worse, it may not even know which cross-certifiers have issued certificates for it
  • helps find a path toward a target name from the trust anchor (top-down path building), since each record lists what that name has certified
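
An added example (not from the original notes) of why the storage choice matters for path building. It indexes one constructed certificate graph both ways, "with the issuer" and "with the subject", and shows that the top-down search from a trust anchor needs the issuer-keyed store while the bottom-up search from the target needs the subject-keyed store. The names RootA, RootB, CA1..CA3 and alice, and the cross-certificate from CA3 to CA1, are invented for the example.

```python
from collections import defaultdict, deque

# Constructed certificate graph as (issuer, subject) pairs. CA3 cross-certifies
# CA1, so CA1 has two issuers and alice is reachable from two trust anchors.
CERTS = [
    ("RootA", "CA1"),
    ("CA1", "CA2"),
    ("CA2", "alice"),
    ("RootB", "CA3"),
    ("CA3", "CA1"),   # cross-certificate
]


def index_by_issuer(certs):
    """Certificates 'stored with the issuer': look up what a name has signed."""
    idx = defaultdict(list)
    for issuer, subject in certs:
        idx[issuer].append(subject)
    return idx


def index_by_subject(certs):
    """Certificates 'stored with the subject': look up who has signed a name."""
    idx = defaultdict(list)
    for issuer, subject in certs:
        idx[subject].append(issuer)
    return idx


def _bfs(start, goal, neighbours):
    """Breadth-first search; returns the node sequence start..goal or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in neighbours(node):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def path_top_down(by_issuer, anchor, target):
    """From the trust anchor toward the target: follows certificates the current
    name has issued, so it only works against the issuer-keyed store."""
    return _bfs(anchor, target, lambda name: by_issuer.get(name, []))


def path_bottom_up(by_subject, anchor, target):
    """From the target back toward the trust anchor: follows the issuers of the
    current name, so it only works against the subject-keyed store."""
    path = _bfs(target, anchor, lambda name: by_subject.get(name, []))
    return None if path is None else path[::-1]


def certifiers_of(by_issuer, subject):
    """With only issuer-keyed storage, learning who has certified a subject
    (e.g. whom to notify after a key compromise) means scanning every record."""
    return sorted(issuer for issuer, subjects in by_issuer.items() if subject in subjects)


BY_ISSUER = index_by_issuer(CERTS)
BY_SUBJECT = index_by_subject(CERTS)

if __name__ == "__main__":
    print(path_top_down(BY_ISSUER, "RootB", "alice"))
    print(path_bottom_up(BY_SUBJECT, "RootB", "alice"))
    print(certifiers_of(BY_ISSUER, "CA1"))
```

Both searches find the same chain RootB, CA3, CA1, CA2, alice, but each can only run against the store that matches its direction. `certifiers_of` is the compromise-notification problem from the notes: when certificates live with the issuer, a subject has no cheap way to discover every cross-certifier that has vouched for its key.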