Selecting a CRL Type

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Windows Server 2003 includes two types of CRLs: base CRLs and delta CRLs. Base CRLs include a complete list of revoked certificates, and therefore they can grow quickly in organizations that issue a large number of certificates. Because updating base CRLs consumes a large amount of network bandwidth, you must weigh the benefits of publishing expired certificates against the costs in terms of time and network resources. Base CRLs must be published frequently to ensure that they remain current.

Delta CRLs enable you to simplify CRL management. A delta CRL contains information only about the certificates that have been revoked after the last base or delta CRL was published; therefore the data in a delta CRL is accurate throughout its lifetime. Because delta CRLs are smaller than base CRLs, they require less bandwidth to replicate across the network, and they can be published more frequently, thereby enhancing the security of your PKI. By combining base and delta CRLs, you can maximize the effectiveness of the CRLs in your organization and reduce the management effort required.

Whether to use delta CRLs in conjunction with your base CRLs depends on the following factors:

• Compatibility. Only Windows XP clients can recognize delta CRLs.

• Volume. If you revoke a large number of certificates, your delta CRLs can approach base CRLs in size. Therefore, it is not useful to use delta CRLs when large numbers of certificates are revoked between base CRL publication dates.

• Online status. It is best if delta CRLs are not used with offline CAs.

Figure 16.20 shows the process for selecting a CRL type.

Figure 16.20   Selecting a CRL Type