We discussed certification revocation list in class $$trust intermediaries$.$ Instead of keeping a CRL $($that is$,$ a bad$-$list$)$ which contains all the invalid certificates, the system can also be implemented by letting the server keep a good$-$list, that is$,$ a list containing all the valid certificates.

However, these two approaches are implemented differently. A bad$-$list only need to contain the serial numbers of all the invalid certificate, but a good$-$list needs to include both the serial number and the hash of the complete certificate $($remind that a certificate contains serial number, subject name, issuer, and many other information, as I have shown in class$).$

Why is it important for a good$-$list to keep hashes of the valid certificates, why it is not enough to include the serial number only?

Hint: think the example of credit card, if a bank wants to maintain a list of valid credit cards, is it sufficient to keep the card number only?