[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CRL sequence issues

To: ietf-pkix@xxxxxxx
Subject: Re: CRL sequence issues
From: Jean-Marc Desperrier <jmdesp@xxxxxxx>
Date: Thu, 09 Jun 2005 12:50:21 +0200
In-reply-to: <AFC8540FEA0CF146A0256CEEC7FCEC6F02B7A130@xxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <AFC8540FEA0CF146A0256CEEC7FCEC6F02B7A130@xxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fr-FR; rv:1.8b2) Gecko/20050527


Vittek Robert wrote:

RFC 3280 states that:
An entry MUST NOT be removed
from the CRL until it appears on one regularly scheduled CRL issued
beyond the revoked certificate's validity period.

This CRL may be crucial for the validation process, hence I MUST NOT
miss it.
[...]

The retention period may decrease the probability of missing revocation
information of recently expired certificate to the acceptable limit.

I'd say that with it you *know* that you have the information or thatyou don't have it, so you quit the current state of uncertainty, andit's not just decreasing a probability.

Has this been standardized already? In what RFC (or perhaps ETSI
document)?

It has been standardized in OCSP. It's the Archive Cutoff extension. RFC2560/&4.4.4


Not including an equivalent for CRL was an amazing oversight.

I'm 100% for porting that extension from OCSP to 3280bis's CRL profile,the only question is if we keep the same OID, which would a bitillogical there : "id-pkix-ocsp 6"

References:
- RE: CRL sequence issues
  - From: Vittek Robert

Prev by Date: Re: RE: CRL sequence issues
Next by Date: RE: RE: CRL sequence issues
Previous by thread: RE: CRL sequence issues
Next by thread: Re: CRL sequence issues
Index(es):
- Date
- Thread