Providing effective certificate revocation status is an important yet burdensome aspect of PKI. It is widely assumed that certificate revocation lists (CRLs) [12] cannot provide bandwidth-efficient online certificate status. Using our reference delta CRL scheme, we show that this assumption is not true. Clients using reference delta CRLs never download complete CRLs; they construct revocation lists locally. Our scheme performs significantly better than any earlier CRL scheme and has bandwidth performance comparable to that of OCSP [10].