Re: OCSP and CSL
Massimiliano Pala wrote:
>
> Irene Gassko wrote:
> >
> > >2. once a cert is inserted into a CRL, it can *never* be
> > >deleted from it
> >
> > This is not true. Expired certificates are deleted from CRL.
>
> I am not sure about this. If you delete it from the list, how can you
> prove it is not valid from the revocation date on? The CRLs should
> provide a 'history' of all revoked certificates...
In order to prove the invalidity of a certain signature you need the CRL from
the point in time the signature was made. Well, more precisely, the CRL which
was released next after the signature was made. If you want to be able to
prove the validity of a signature after the expiration date of the
corresponding certificate, you need to store this CRL together with the
signature. And you need to prove the validity of the
CRL-signing certificate at that time, so you need ... and so on, until you
get a CRL signed with a private key corresponding to a non-expired and
non-revoked certificate.
I just realized: maybe there is a small security flaw in this system. If a
certificate gets revoked just before certificate expiration, but the next CRL
is released after the expiration time, the revocation might not be stated in
any CRL at all. The state of the signature is unknown.
Jörg Seidel
--
timeproof phone +49-40-76629-1911
Development fax +49-40-76629-551
Harburger Schloßstraße 6-12 mailto:seidel@timeproof.de
D-21079 Hamburg http://www.timeproof.de
+ + + timeproof CeBIT 2000 Hall 23 Stand A22/14 + + +
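The timing gap Jörg describes, modelled as an added example that is not part of this thread: a CA issues a CRL every 10 ticks on a constructed integer clock, and a verifier applies the rule "use the CRL released next after the signature was made". The `drop_expired` switch contrasts Irene's CA (expired certificates leave the CRL) with the full-history CRL Massimiliano expects; all serials, times and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    serial: int
    not_after: int                    # expiry tick (constructed clock)
    revoked_at: Optional[int] = None  # revocation tick, if any

@dataclass(frozen=True)
class CRL:
    this_update: int
    entries: dict                     # serial -> revocation tick

def issue_crl(certs, now, drop_expired):
    """drop_expired=True: expired certs are removed from the CRL (Irene's CA).
    drop_expired=False: the CRL keeps a full history (Massimiliano's view)."""
    entries = {}
    for c in certs:
        if c.revoked_at is None or c.revoked_at > now:
            continue                  # not (yet) revoked at issue time
        if drop_expired and c.not_after < now:
            continue                  # already expired: CA drops it
        entries[c.serial] = c.revoked_at
    return CRL(now, entries)

def next_crl_after(crls, signed_at):
    """Joerg's rule: the CRL released next after the signature was made."""
    later = [c for c in crls if c.this_update >= signed_at]
    return min(later, key=lambda c: c.this_update) if later else None

def signature_status(cert, crls, signed_at):
    """What a verifier can prove about a signature made at signed_at.
    The verifier does not know whether the CA drops expired certificates."""
    if signed_at > cert.not_after:
        return "expired"
    crl = next_crl_after(crls, signed_at)
    if crl is None:
        return "unknown"
    if cert.serial in crl.entries:
        return "revoked" if crl.entries[cert.serial] <= signed_at else "valid"
    if crl.this_update > cert.not_after:
        # Cert had expired before this CRL was issued; a CA that drops
        # expired certs would have removed it, so absence proves nothing.
        return "unknown"
    return "valid"

def demo(drop_expired):
    # Cert expires at tick 95, is revoked at 93; the signature is made at 94,
    # after revocation but before the next CRL (tick 100) comes out.
    cert = Cert(serial=1, not_after=95, revoked_at=93)
    crls = [issue_crl([cert], t, drop_expired) for t in range(0, 130, 10)]
    return signature_status(cert, crls, signed_at=94)
```

With `drop_expired=True` the revocation never appears in any CRL and the verifier can only answer "unknown"; with a full-history CRL the same signature is provably "revoked".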