I'm not understanding something. There's a concept called embedding the CRL in a PDF so that if my private key is stolen, I could report it to the CA and they would update their CRL on the web site. I've been reading that the purpose of embedding the CRL in a PDF is good for PDF files with many pages so that the PDF doesn't have to go online and check for each and every page. Well, the problem is, if the CRL is embedded in the PDF instead of having the PDF go check with the CA, then wouldn't it be impossible for revoked certificates to be discovered if the CRL is embedded in the PDF? Am I missing something?
Update: Even with a TSA time stamp, what is to prevent the thief from using the old certificate and embedding a CRL that doesn't say his certificate is revoked? This is what I don't get; to me, the only assured way to prove a doc is genuine is both a TSA timestamp AND online OCSP. Otherwise, I don't see how an embedded CRL and TSA can ever be enough. With the CRL, it's like allowing the thief to say he is not a thief. Otherwise, there's some sort of misunderstanding on my part about embedded CRLs.
Update 2 (10/1/2014 8:06am PST): Answer below. "CRLs at top level contain a datetime thisUpdate which indicates the issue date of this CRL. Furthermore it optionally may also contain a datetime nextUpdate." Is there a date and time for each revoked certificate? A CRL can have many certificates. If each revoked certificate doesn't have an invalid date, I don't see how it can be determined from what period the certificate, and therefore the signed document, is bad. Answer: page 76 of the white paper does show what a revocation list looks like: it contains the serial numbers of the certificates along with the revocation date. This is how it is determined when the signed documents are bad. However, there appears to be a gap of uncertainty after the last signed legit PDF to the time the certificate is reported stolen.
Thanks.
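To make the CRL fields discussed in the question concrete, here is an added example (not code from the question or from any answer) that models a CRL as thisUpdate, optional nextUpdate and one revocationDate per serial, and classifies a signature whose time comes from the TSA token. The 24-hour grace period, the serial numbers and the dates are constructed assumptions; the model is a plain Python structure, not an ASN.1 parser.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

UTC = timezone.utc

@dataclass
class Crl:
    """Constructed model of the CRL fields the question discusses."""
    this_update: datetime                 # issue date of this CRL
    next_update: Optional[datetime] = None
    revoked: Dict[int, datetime] = field(default_factory=dict)  # serial -> revocationDate

def evaluate_signature(serial: int, signing_time: datetime, crl: Crl,
                       grace: timedelta = timedelta(hours=24)) -> str:
    """Classify a signature by certificate `serial` made at `signing_time`
    (taken from the TSA token, never from the signer's own claimed time).
    Returns "revoked", "good" or "uncertain". `grace` is an assumed waiting
    period so a theft reported shortly after signing still shows up."""
    if crl.next_update is not None and crl.next_update < crl.this_update:
        raise ValueError("malformed CRL: nextUpdate precedes thisUpdate")
    revocation_date = crl.revoked.get(serial)
    if revocation_date is not None and revocation_date <= signing_time:
        # The CA had already revoked the certificate at signing time.
        return "revoked"
    if crl.this_update < signing_time + grace:
        # An embedded CRL only proves what the CA knew at thisUpdate; an old
        # CRL (whoever embedded it) cannot vouch for a later signing time.
        # A fresher CRL or an OCSP response is required.
        return "uncertain"
    # A CRL issued after signing time plus grace shows no revocation. It still
    # cannot separate the owner's signature from a thief's made before the
    # theft was reported: the gap the question describes.
    return "good"

# Constructed sample data: certificate 0x1234 revoked on 2014-09-29 09:00 UTC.
FRESH_CRL = Crl(this_update=datetime(2014, 9, 30, 12, tzinfo=UTC),
                next_update=datetime(2014, 10, 7, 12, tzinfo=UTC),
                revoked={0x1234: datetime(2014, 9, 29, 9, tzinfo=UTC)})
# An older CRL issued before the revocation, listing nothing.
STALE_CRL = Crl(this_update=datetime(2014, 9, 28, 0, tzinfo=UTC))

if __name__ == "__main__":
    for when in (datetime(2014, 9, 28, 10, tzinfo=UTC),
                 datetime(2014, 9, 29, 15, tzinfo=UTC)):
        print(when.isoformat(), "fresh:", evaluate_signature(0x1234, when, FRESH_CRL),
              "stale:", evaluate_signature(0x1234, when, STALE_CRL))
```

The stale-CRL cases come back "uncertain" rather than "good", which is the check that stops an old embedded CRL from standing in for the CA's current knowledge.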