What is the rationale behind a Network Administrator wanting to use Certificate Revocation Lists (CRLs) in their IPSec implementations?

What is the rationale behind a Network Administrator wanting to use Certificate Revocation Lists (CRLs) in their IPSec implementations?

A.
CRLs allow netwotk administrators the ability to do “on the fly” authentication of revoked certificates.

B.
They help to keep a record of valid certificates that have been issued in their network

C.
CRLs allow network administrators to deny devices with certain certificates from being authenticated to their network.

D.
Wildcard keys are much more efficient and secure. CRLs should only be used as a last resort.