3.4.4.4 CA Responsibilities for CRL Management

As X.500 directory servers become available, CRLs should be maintained and accessed via these servers. However, prior to widespread deployment of X.500 directories, this document adopts some additional requirements for CRL management by CAs and PCAs. As per X.509, each CA is required to maintain a CRL (in the format specified by this document in Appendix A) which contains entries for all certificates issued and later revoked by the CA. Once a certificate is entered on a CRL it remains there until the validity interval expires. Each PCA is required to maintain a CRL for revoked CA certificates within its domain. The interval at which a CA issues a CRL is not fixed by this document, but the PCAs may establish minimum and maximum intervals for such issuance.

As noted earlier, each PCA will provide access to a database containing CRLs issued by the IPRA, PCAs, and all CAs. In support of this requirement, each CA must supply its current CRL to its PCA in a fashion consistent with CRL issuance rules imposed by the PCA and with the next scheduled issue date specified by the CA (see Section 3.5.1). CAs may distribute CRLs to subordinate UAs using the CRL processing type available in PEM messages (see RFC 1421). CAs also may provide access to CRLs via the database mechanism described in RFC 1424 and alluded to immediately above.