CRLs – ARLs

Revoked Certificates Lists


 

Public repositories, you can consult the general registers:

 

 

 


In accordance with the provisions of the Certification Practice Statement of ANF AC, relying parties who receive electronic signatures generated with certificates issued by ANF AC are obliged to verify the validity of the certificate used.


 

The extinction of the validity of an electronic certificate takes effect from the moment the Certification Authority records it in its General Register.

The revocation of a certificate is definitive: it implies the loss of its effectiveness and prevents the user from using it legitimately. This process has immediate effects and makes it impossible to renew the certificate or to operate the approved signature creation device.

The authority to revoke end-entity certificates is held by: the certificate holder, his/her legal representative, the Registration Authority that processed the certificate, the Issuance Reports Manager or a Legal Authority.

 

 

Legal framework 
 
 
“Art. 8.3 The extinction of the validity of an electronic certificate will have effects against third parties, in the cases of expiration of its validity period, provided that this circumstance occurs and, in the other cases, provided that the indication of said extinction is included in the consultation service on the validity of the certificates of the certification services provider.”
 
Certification Authority Revocation Lists (ARLs) record the serial numbers of those Intermediate Certification Authority certificates that have been revoked before the expiration of their validity period. For each certificate, the date, time and cause of revocation are specified.
 
Certificate Revocation Lists (CRLs) record the serial numbers of those end-entity electronic certificates that have been revoked before the expiration of their validity period. For each certificate, the date, time and cause of revocation are specified.
 
Root Certification Authority certificates that have been revoked before the expiration of their term will be published on the ANF AC corporate website. During ANF AC's provision of certification services, no Root CA certificate has been revoked.
 
Important notice
 
• Signatures generated with revoked or expired certificates are not legally valid.
• As established in ANF AC's Certification Practice Statement, recipients of electronic signatures are required to verify the validity status of the certificate used before relying on them.
• Revoked certificates may be withdrawn from a CRL three months after expiration. However, ANF AC permanently maintains a publicly accessible history of all issued CRLs.
• Regarding the "Next Update" field: version 1 of the reference standard RFC 3280 does not make this value mandatory, but version 2 requires it. It is included to ensure interoperability with other PKI systems.
• The date given in that field indicates only the deadline by which a new CRL will be published. It in no way implies that no update will be published before that date.
• It is expressly forbidden to use the validation services of ANF AC to provide validation services to third parties. The Validation Policy establishes penalties for non-compliance.
• Downloading a CRL does not prove that the obligation to verify a received electronic signature has been fulfilled. It does not make it possible to determine when the CRL was downloaded or when the consultation was carried out.
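
The relying-party check these notices imply, as an added example (not ANF AC code): it verifies the CRL signature, treats absence from the list as meaningless once the certificate has expired, refuses a CRL whose Next Update has passed, and reports the cause and date for a listed serial. It assumes the Python `cryptography` package; the test CA, the serial numbers and the `check_status` helper are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _utc(obj, name):
    """Read a CRL time as aware UTC on both newer and older 'cryptography' releases."""
    value = getattr(obj, name + "_utc", None)
    if value is None:
        value = getattr(obj, name)
        value = value.replace(tzinfo=timezone.utc) if value else None
    return value

def build_sample_crl(now):
    """Constructed test data: a throwaway CA whose CRL lists serial 0x1001."""
    key = ec.generate_private_key(ec.SECP256R1())
    entry = (x509.RevokedCertificateBuilder()
             .serial_number(0x1001)
             .revocation_date(now - timedelta(days=2))
             .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), False)
             .build())
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")]))
           .last_update(now - timedelta(days=1))
           .next_update(now + timedelta(days=6))
           .add_revoked_certificate(entry)
           .sign(key, hashes.SHA256()))
    return crl, key.public_key()

def check_status(crl, issuer_key, serial, cert_not_after, at):
    """Return (status, detail) for one certificate serial at time 'at'."""
    if not crl.is_signature_valid(issuer_key):
        return ("untrusted-crl", "signature does not verify under the issuing CA key")
    if at > cert_not_after:
        # Expired entries may already have been withdrawn from the CRL.
        return ("expired", "absence from the CRL proves nothing after expiry")
    next_update = _utc(crl, "next_update")
    if next_update is not None and at > next_update:
        return ("stale-crl", "a newer CRL has been published; fetch it before relying")
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return ("not-listed", "not revoked as of this CRL")
    reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    return ("revoked", f"{reason.value} at {_utc(entry, 'revocation_date').isoformat()}")
```

Because a new CRL may be published before the Next Update date, a "not-listed" result from a cached CRL is only as current as the moment that CRL was fetched.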
 
Subscribers' responsibility
 
The loss or theft of the device, or even the mere suspicion that the signature activation PIN is at risk, requires the person responsible for it to notify ANF AC so that the certificate it contains is revoked. These facts, among others, constitute grounds for extinction of the certificate, in accordance with the provisions of articles 8 (b and c) and 9 of the Spanish Electronic Signature Law. The person in charge of the device is obliged to keep it in adequate custody and to maintain the privacy of the keys; the risk of misuse of the certificate is assumed by the owner of the signature, because he/she has control over its use.
 
Failure to notify a situation that puts a certificate at risk, or a change in the information recorded in it, presupposes serious negligence on the part of the holder in fulfilling its obligations to preserve the signature creation data, to assure its confidentiality and to protect it from all access or disclosure (art. 23.1.c Spanish Electronic Signature Law). This provision is related to the evidence expressed in the certificate that the subscriber has control over the signature creation data (art. 11.2.f Spanish Electronic Signature Law), and to the verification of its possession by ANF AC prior to the issuance of the certificate (art. 12.c Spanish Electronic Signature Law). The opposite exception could only be rejected by the certification service provider if the loss, theft or improper use of the certificate was brought to the attention of the certification services provider and it did not comply or was delayed in recording the contingency in the consultation service on the validity of the certificates (art. 22.3, in relation with 10.2 Spanish Electronic Signature Law).