The CA maintains a database of the certificates it has issued; a certificate is a binding between a principal and its public key, signed by the CA. Anyone holding the CA's public key can check that signature, so certificates themselves can be passed around over untrusted channels.
The CA's exposure to attack is reduced by keeping the service off-line: the signing key lives on a machine that does not answer network requests, and signed certificates (and, below, the revocation list) are published through other channels. A relying party then needs nothing on-line except a correct copy of the CA's public key.
To facilitate revocation, each certificate contains an expiration date and a serial number. At regular intervals, the CA signs and distributes a certificate revocation list (CRL). The CRL lists the serial number (together with the revocation date) of every revoked certificate that has not yet expired; once a certificate expires it is dropped from the list, since the expiration date alone rejects it, and this keeps the CRL bounded. A principal will not use a public key whose certificate has either expired or appears in the CRL. Two consequences follow. First, a revocation only takes effect when the next CRL is published, so the CRL interval is the window during which a compromised key is still accepted. Second, the CRL carries its own issue time and a validity period: an attacker cannot forge a CRL without the CA's key, but can withhold a new one or replay an old one, so a relying party must also reject a CRL that is past its validity period.
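The following is an added worked example, not part of the lecture notes: a minimal CA, certificate and CRL in Go with the relying party's check spelled out. It assumes Ed25519 signatures (Go's crypto/ed25519), a fixed text layout in place of ASN.1 DER for the signed bytes, and constructed principal names such as "alice". It goes slightly beyond the text in one respect: the CRL carries a validity window that Verify checks, so a stale CRL is rejected along with an expired or revoked certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Certificate: CA-signed binding of a principal to its public key.
type Certificate struct {
	Serial    uint64 // identifies the certificate on a CRL
	Principal string
	PubKey    ed25519.PublicKey
	NotAfter  time.Time // expiration date; also bounds how long a revocation must stay listed
	Sig       []byte    // CA signature over certTBS(c)
}

// CRL: CA-signed set of revoked, not-yet-expired serials, with its own validity window.
type CRL struct {
	ThisUpdate, NextUpdate time.Time // lets a relying party reject a stale, replayed list
	Revoked                map[uint64]bool
	Sig                    []byte // CA signature over crlTBS(l)
}

var (
	ErrBadCertSig = errors.New("certificate signature invalid")
	ErrExpired    = errors.New("certificate expired")
	ErrBadCRLSig  = errors.New("CRL signature invalid")
	ErrStaleCRL   = errors.New("CRL outside its validity window")
	ErrRevoked    = errors.New("certificate revoked")
)

// To-be-signed encodings; a fixed text layout stands in for ASN.1 DER (%q quotes the principal; fmt prints map keys sorted).
func certTBS(c *Certificate) []byte {
	return []byte(fmt.Sprintf("cert|%d|%q|%x|%d", c.Serial, c.Principal, c.PubKey, c.NotAfter.Unix()))
}
func crlTBS(l *CRL) []byte {
	return []byte(fmt.Sprintf("crl|%d|%d|%v", l.ThisUpdate.Unix(), l.NextUpdate.Unix(), l.Revoked))
}

// CA: signing key (off-line in the lecture's model) plus the revocation database: revoked serial -> its expiration date.
type CA struct {
	Pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
	nextSerial uint64
	revoked    map[uint64]time.Time
}

func NewCA() *CA {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the error only arises from a failing reader
	return &CA{Pub: pub, priv: priv, nextSerial: 1, revoked: map[uint64]time.Time{}}
}

func (ca *CA) Issue(principal string, pub ed25519.PublicKey, notAfter time.Time) *Certificate {
	c := &Certificate{Serial: ca.nextSerial, Principal: principal, PubKey: pub, NotAfter: notAfter}
	ca.nextSerial++
	c.Sig = ed25519.Sign(ca.priv, certTBS(c))
	return c
}
func (ca *CA) Revoke(c *Certificate) { ca.revoked[c.Serial] = c.NotAfter }

// SignCRL lists only revoked certificates still unexpired at now; expired ones fail the date check anyway, bounding the CRL.
func (ca *CA) SignCRL(now time.Time, validFor time.Duration) *CRL {
	l := &CRL{ThisUpdate: now, NextUpdate: now.Add(validFor), Revoked: map[uint64]bool{}}
	for s, exp := range ca.revoked {
		if now.Before(exp) {
			l.Revoked[s] = true
		}
	}
	l.Sig = ed25519.Sign(ca.priv, crlTBS(l))
	return l
}

// Verify: relying party's check of CA signature, expiration date, a current CA-signed CRL, and absence of the serial from it.
func Verify(caPub ed25519.PublicKey, c *Certificate, crl *CRL, now time.Time) error {
	switch {
	case !ed25519.Verify(caPub, certTBS(c), c.Sig):
		return ErrBadCertSig
	case !now.Before(c.NotAfter):
		return ErrExpired
	case crl == nil || !ed25519.Verify(caPub, crlTBS(crl), crl.Sig):
		return ErrBadCRLSig
	case now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate):
		return ErrStaleCRL
	case crl.Revoked[c.Serial]:
		return ErrRevoked
	}
	return nil
}

func main() {
	ca, now := NewCA(), time.Unix(1700000000, 0) // fixed clock so the demo is reproducible
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	cert := ca.Issue("alice", pub, now.Add(365*24*time.Hour))
	ca.Revoke(cert)
	fmt.Println(Verify(ca.Pub, cert, ca.SignCRL(now, time.Hour), now)) // certificate revoked
}
```

Two points worth noticing when running it. A CRL signed before a revocation still verifies and still accepts the revoked certificate until the next CRL is issued; that is the CRL-interval window from the notes. And because Verify checks NextUpdate, an attacker who holds back new CRLs gains only until the old one expires, after which the relying party fails closed with ErrStaleCRL rather than silently continuing with stale revocation data.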
Rather than relying on expiration dates and CRLs, a certificate could be re-validated with the CA at the time of use. This makes a revocation take effect immediately instead of at the next CRL, but it requires the CA (or a service it delegates to) to be on-line, which increases the service's exposure to attack and makes its availability a precondition for every use of a certificate.
A discussion on multiple CAs was started at the end of this lecture and completed during the next class. Please refer to Lec12 for the complete notes.