Publishing of CRLs

Chapter 19 Setting Up LDAP Publishing

Revocation Checking by Netscape Clients

At the time of this writing, Netscape Communicator versions 4.7 and later, when used in conjunction with the security module called Netscape Personal Security Manager, enable automatic revocation-status verification of certificates using the OCSP protocol. Chapter 21, “Setting Up an OCSP Responder,” explains how the revocation status of a certificate is verified in an OCSP-compliant PKI setup.

Earlier versions of Netscape client products do not have the ability to automatically check to see whether a certificate has been revoked. However, these clients do give the user the ability to check the revocation status of a certificate if it includes the NetscapeRevocationURL extension. For details about this extension, check this site: http://home.netscape.com/eng/security/cert-exts.html

In addition, from the Retrieval tab of the CMS end-entity interface, Netscape client users can manually check the revocation status of a particular certificate and automatically import the latest version of the CRL into their browsers. If your users are not using Netscape clients, they can download the latest CRL in binary form to a local file, and then import this file into their browsers by an appropriate method. Users can also view the header information of the master or full CRL published by the Certificate Manager, which contains the date and time of the latest update, and then compare this information to that in their browser’s CRL to see if they have the latest version.

Revocation Checking by Netscape Servers

Because Netscape servers currently cannot check the revocation status of a certificate, you should use other forms of access control. For example, you can remove individual users from access groups to prevent them from accessing the server.

Because Certificate Management System can check the revocation status of the certificates that it issues, you do not need to rely on other forms of access control.