How would you implement a CRL and certificate revocation checks?


How would a certificate authority create and maintain a certificate revocation list? When I browse through some CRLs I notice the number of certificates is huge (e.g. http://crl3.digicert.com/ssca-sha2-g6.crl).

Is the CRL maintained/stored as a List<thumbprint, revocationDate>?

What does a revocation check look like? Is it internally maintained as a HashMap for quicker lookup, but does that scale if the list goes too big?

Answer by Daniel Fisher (lennybacon):

Here is the specification: https://www.rfc-editor.org/rfc/rfc5280

Depending on the implementation, databases are often used internally as the source from which the CRLs are produced.
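As an added illustration (not part of the answer above or of any CA's code), a stdlib-only Python model of the RFC 5280 CRL structure the answer points to: entries are keyed by the issuer-scoped certificate serial number rather than a thumbprint, indexed in a hash map so lookup cost does not grow with the list, and the check refuses to say "good" when the CRL is stale or comes from a different issuer. The issuer name, serials and dates are constructed, and the DER parsing and CA signature verification a real client performs are assumed to have happened before this object is built.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict

# RFC 5280 section 5.3.1 CRLReason values used in the sample
REASON_UNSPECIFIED, REASON_KEY_COMPROMISE, REASON_CERTIFICATE_HOLD = 0, 1, 6

@dataclass
class RevokedCert:
    """One CRL entry. RFC 5280 keys entries by the certificate serial number
    (userCertificate), which is unique only within the issuing CA."""
    serial: int
    revocation_date: datetime
    reason: int = REASON_UNSPECIFIED

@dataclass
class CRL:
    """TBSCertList fields of a CRL. The CA signature over these fields is
    assumed to have been verified against the issuer certificate already."""
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: Dict[int, RevokedCert] = field(default_factory=dict)  # serial -> entry

    def revoke(self, serial: int, when: datetime, reason: int = REASON_UNSPECIFIED) -> None:
        self.entries[serial] = RevokedCert(serial, when, reason)

def check_revocation(crl: CRL, issuer: str, serial: int, now: datetime) -> str:
    """Return 'revoked', 'good' or 'unknown'. 'unknown' means the CRL cannot
    answer (wrong issuer, or outside thisUpdate..nextUpdate): a relying party
    must not treat that as 'good'."""
    if crl.issuer != issuer:
        return "unknown"
    if not (crl.this_update <= now <= crl.next_update):
        return "unknown"
    # Hash lookup by serial: O(1) regardless of how large the list grows
    return "revoked" if serial in crl.entries else "good"

# Constructed sample data; the issuer name and serials are hypothetical
SAMPLE_ISSUER = "CN=Example CA"
SAMPLE_NOW = datetime(2024, 1, 2, tzinfo=timezone.utc)
SAMPLE_STALE = SAMPLE_NOW + timedelta(days=30)  # past nextUpdate

def build_sample_crl() -> CRL:
    crl = CRL(SAMPLE_ISSUER, datetime(2024, 1, 1, tzinfo=timezone.utc),
              datetime(2024, 1, 8, tzinfo=timezone.utc))
    crl.revoke(1001, datetime(2023, 12, 31, tzinfo=timezone.utc), REASON_KEY_COMPROMISE)
    crl.revoke(1002, datetime(2024, 1, 1, tzinfo=timezone.utc), REASON_CERTIFICATE_HOLD)
    return crl
```

A certificate on hold (reason 6) is still reported as revoked, which matches how a relying party should treat it until the CA removes the entry.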