Explain the main characteristics of indirect CRLs.

What will be an ideal response?

---

A single PKI deployment might include several CAs. In this case, a PKI-enabled application must download CRLs from every single CA before any validation can be performed, which might cause performance and scalability issues. The goal of indirect CRL is to enable revocation information from multiple CAs to be issued within a single CRL. In this case, one indirect CRL can be used instead of multiple CRLs being downloaded from different CAs. The indirect CRL issuer must be trusted at the same level as the CA that issued the certificate in question.

To indicate the use of indirect CRL, the indirect CRL Boolean attribute in the issuing distribution point CRL extension must be set to TRUE. Furthermore, the certificate issuer field in the per-entry extension could be used to indicate the origination of the certificate in the CRL to distinguish among all the CAs associated with the indirect CRL. In a PKI environment with multiple CAs, the use of indirect CRL would improve overall performance, as only one CRL download is needed, and the number of replying parties will far exceed the number of indirect CRL issuers.