Chapter 8. Certificate Revocation

As discussed in Chapter 6, certificates are used to bind a name to its corresponding public key. Normally, this binding is valid for the full lifetime of the issued certificate. However, circumstances arise in which an issued certificate should no longer be considered valid, even though it has not yet expired. Reasons for revocation vary, but they may involve anything from a change in job status to a suspected private-key compromise. Therefore, an efficient and reliable method must be provided to revoke a public-key certificate before it might naturally expire.

As we will discuss in Chapter 9, certificates must pass a well-established validation process before they can be used. Part of that validation ...

