A certificate revocation list (CRL) is a list of certificates that have been revoked before their scheduled expiration date. There are several reasons why a certificate might need to be revoked and placed on a CRL. For instance, the key specified in the certificate might have been compromised or the user specified in the certificate may no longer have authority to use the key. For example, suppose the user name associated with a key is ``Alice Avery, Vice President, Argo Corp.'' If Alice were fired, her company would not want her to be able to sign messages with that key, and therefore the company would place the certificate on a CRL.
When verifying a signature, one examines the relevant CRL to make sure the signer's certificate has not been revoked. Whether it is worth the time to perform this check depends on the importance of the signed document. A CRL is maintained by a CA, and it provides information about revoked certificates that were issued by that CA. CRLs only list current certificates, since expired certificates should not be accepted in any case: when a revoked certificate's expiration date occurs, that certificate can be removed from the CRL.
CRLs are usually distributed in one of two ways. In the ``pull'' model, verifiers download the CRL from the CA, as needed. In the ``push'' model, the CA sends the CRL to the verifiers at regular intervals. Some systems use a hybrid approach where the CRL is pushed to several intermediate repositories from which the verifiers may retrieve it as needed.
Although CRLs are maintained in a distributed manner, there may be central repositories for CRLs, such as, network sites containing the latest CRLs from many organizations. An institution like a bank might want an in-house CRL repository to make CRL searches on every transaction feasible. The original CRL proposals often required a list, per issuer, of all revoked certificates; new certificate revocation methods (for example, in X.509 version 3; see Question 5.3.2) are more flexible.