2

Is there a CRL size that is beyond a practical limit? I did not find anything in the RFC. Is there any limit at all on the size of CRLs?

Engineer2021

2 Answers

4

I don't think there is a size limit, though other practical and security limitations should limit their size. The largest I've seen was one from Thawte at ~5MB. Most CRLs are distributed with Delta locations so clients don't need to constantly pull the whole thing.

the-wabbit
Chris S
  • Is the theoretical limit 16^160? – Engineer2021 Feb 15 '12 at 15:42
  • Just as a note, there most certainly can be CRLs larger than 5MB out in the wild, so best not to use that as a high water mark. If you absolutely must tolerate large CRLs, consider if Delta Locations are available, which let you avoid having to download the entire CRL. Or just don't use CRL at all. – ecnepsnai May 29 '21 at 05:20
3

The length of your CRL will be directly proportional to the number of certificates you've revoked. There's no limit on the number of Certificates you can sign, therefore there's no limit on the number you can revoke. By the fact itself, there's no limit on the length of your CRL.

Scott Pack
Tom O'Connor
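The proportionality described in the answer above can be measured by DER-encoding the `revokedCertificates` list of an RFC 5280 CRL. This is an added example, not part of either answer; it assumes constructed 16-byte serial numbers, a constructed revocation date, and no per-entry extensions, and it leaves out the CRL header, CRL extensions and signature.

```python
from datetime import datetime, timezone

def der_len(n):
    """DER definite length: one octet below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """Tag, length, value triple."""
    return bytes([tag]) + der_len(len(value)) + value

def der_integer(n):
    """Non-negative INTEGER, padded with 0x00 when the top bit would be set."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def revoked_entry(serial, when):
    """SEQUENCE { userCertificate INTEGER, revocationDate UTCTime }, no extensions."""
    utc = when.strftime("%y%m%d%H%M%SZ").encode("ascii")
    return tlv(0x30, der_integer(serial) + tlv(0x17, utc))

def revoked_list(serials, when):
    """revokedCertificates: SEQUENCE OF the entries above."""
    return tlv(0x30, b"".join(revoked_entry(s, when) for s in serials))

def sample_serials(count, octets=16):
    """Constructed serials: consecutive values that each encode to `octets` bytes."""
    base = 1 << (octets * 8 - 2)  # top bit clear, so no padding octet is added
    return [base + i for i in range(count)]

def list_size(count, octets=16):
    """Encoded size in bytes of a revokedCertificates list with `count` entries."""
    when = datetime(2012, 2, 15, 15, 42, tzinfo=timezone.utc)  # constructed date
    return len(revoked_list(sample_serials(count, octets), when))

if __name__ == "__main__":
    for count in (1, 1_000, 100_000):
        print(f"{count:>7} revoked -> {list_size(count):>9} bytes")
```

Each entry costs a fixed number of bytes under these assumptions, so the list grows linearly with the number of revocations; reason codes or other entry extensions raise the per-entry cost.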