3.5.2 PEM CRL Format
Connected: An Internet Encyclopedia
RFC 1422
Appendix A contains the ASN.1 description of CRLs specified by this
document. This section provides an informal description of CRL
components analogous to that provided for certificates in Section
3.3.

- signature (signature algorithm ID and parameters)
- issuer
- last update
- next update
- revoked certificates

The "signature" is a data item completely analogous to the signature
data item in a certificate. Similarly, the "issuer" is the DN of the
CA which signed the CRL. The "last update" and "next update" fields
contain time and date values (UTCT format) which specify,
respectively, when this CRL was issued and when the next CRL is
scheduled to be issued. Finally, "revoked certificates" is a
sequence of ordered pairs, in which the first element is the serial
number of the revoked certificate and the second element is the time
and date of the revocation for that certificate.

The semantics for this second element are not made clear in X.509.
For example, the time and date specified might indicate when a
private component was thought to have been compromised, or it may
reflect when such compromise was reported to the CA.
For uniformity, this document adopts the latter convention, i.e., the
revocation date specifies the time and date at which a CA formally
acknowledges a report of a compromise or a change of DN attributes.

As with certificates, it is recommended that the UTCT values be of no
finer granularity than minutes and that all values be stated in terms
of Zulu.
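
As an added illustration (not part of RFC 1422 or of this page), the Python sketch below parses a CRL body laid out as the five components above, assuming each is one DER element in the listed order, and rejects UTCT values that are not minute-granularity Zulu. The `SAMPLE` bytes are constructed, the helper names are hypothetical, the signature is not verified, and treating a CRL at or past its next update as stale is an assumed relying-party policy.

```python
from datetime import datetime, timezone

def tlv(tag, body):  # DER-encode one short element; used only to build SAMPLE
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def elements(buf):
    """Split DER bytes into a list of (tag, value) pairs, one per element."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def utctime(tag, raw):
    """Accept only YYMMDDHHMMZ; %y applies Python's century pivot (69-99 -> 19xx)."""
    text = raw.decode("ascii")
    if tag != 0x17 or len(text) != 11 or not text.endswith("Z"):
        raise ValueError(f"not a minute-granularity Zulu UTCTime: {text!r}")
    return datetime.strptime(text[:-1], "%y%m%d%H%M").replace(tzinfo=timezone.utc)

def parse_crl(der):
    """Parse the five components, assumed to be DER elements in the listed order."""
    (tag, body), = elements(der)
    if tag != 0x30:
        raise ValueError("CRL body is not a SEQUENCE")
    sig, issuer, last, nxt, revoked = elements(body)
    entries = {int.from_bytes(s[1], "big"): utctime(*t)
               for s, t in (elements(e) for _, e in elements(revoked[1]))}
    return {"signature": sig[1], "issuer": issuer[1], "last_update": utctime(*last),
            "next_update": utctime(*nxt), "revoked": entries}

def status(crl, serial, now):  # returns 'stale', 'revoked' or 'not listed'
    if now >= crl["next_update"]:
        return "stale"
    return "revoked" if serial in crl["revoked"] else "not listed"

SAMPLE = tlv(0x30,  # constructed sample, not a real CRL
    tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010102")) + tlv(0x05, b""))
    + tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x0a") + tlv(0x13, b"Example CA"))))
    + tlv(0x17, b"9302010000Z") + tlv(0x17, b"9303010000Z")
    + tlv(0x30, tlv(0x30, tlv(0x02, b"\x12") + tlv(0x17, b"9301151430Z"))
                + tlv(0x30, tlv(0x02, b"\x2c") + tlv(0x17, b"9301200915Z"))))
```

`utctime` is deliberately stricter than the text, which only recommends minute granularity; a relying party that must accept values with seconds would relax that check rather than drop it.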