What if the CRL distribution points for a CA change?
Say a CA begins minting certificates with distribution points A, B, and C in the certificates. It issues 10 certificates. Then, at time t1, it changes the distribution points to A, D, and E and issues 10 more certificates.
Now say that at time t2 certificate 1 was revoked as well as certificate 11. What should the CA do when it comes time to issue the CRL? [Assume here that the CA is only issuing a basic CRL that is not subdivided by reason codes, etc.] It appears that there are two options.
(a) Issue one CRL containing entries for certificates 1 and 11. Post that CRL to distribution points A, B, C, D, and E.
(b) Issue one CRL containing entries for certificates 1 and 11 and post that CRL to distribution point A. Then issue another CRL containing an entry for only certificate 1 and post that CRL to distribution points B and C. Finally, issue yet another CRL containing an entry for only certificate 11 and post that CRL to distribution points D and E.
Option a has the disadvantage of causing needless bloat to the CRLs posted on distribution points B, C, D, and E: no one will look for revocation information about certificate 1 on distribution point D or E, and, likewise, no one will look for revocation information about certificate 11 on distribution point B or C. Option a does have the advantage of being far easier to implement, however.
Option b has the disadvantage of being much more complex. And, each time the set of distribution points is modified, the complexity increases as does the time required to generate all of the CRLs which are required. However, the advantage is that the CRLs that are posted to the distribution points contain only useful information.
Are there other solutions? Preferences? Implementations? Guidelines?
Tammy Green
tgreen@novell.com
Software Engineer
Novell, Inc.
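The two options in the post, worked through as an added example (this is not code from the original message or from Novell). The model is deliberately minimal: a certificate is just a serial number plus the set of distribution points named in its CRL Distribution Points extension, and a "CRL" is the sorted list of revoked serials that would be posted at a given distribution point. `single_crl` is option (a); `per_dp_crls` is option (b) generalised so that it still works after any number of changes to the distribution-point set, not only the one change in the example. The names `Cert`, `issue`, `complete` and `distinct_bodies` are assumptions for this example. Signing, next-update times and reason codes are left out, as the post itself assumes a basic CRL.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Hypothetical model of an issued certificate: its serial and the
    distribution points it names in its CRLDistributionPoints extension."""
    serial: int
    cdps: frozenset


def issue(serials, cdps):
    """Mint certificates with the distribution points in force at issue time."""
    return [Cert(s, frozenset(cdps)) for s in serials]


def single_crl(certs, revoked):
    """Option (a): one CRL with every revoked serial, posted at every
    distribution point that any certificate of this CA has ever named."""
    entries = sorted(c.serial for c in certs if c.serial in revoked)
    all_dps = set().union(*(c.cdps for c in certs))
    return {dp: list(entries) for dp in sorted(all_dps)}


def per_dp_crls(certs, revoked):
    """Option (b), generalised: the CRL at distribution point X lists exactly
    the revoked certificates whose CDP extension names X.  A distribution
    point with no revoked certificates still gets an (empty) CRL, because a
    relying party that fetches it must find a current CRL, not a 404."""
    crls = {}
    for c in sorted(certs, key=lambda c: c.serial):
        for dp in c.cdps:
            crls.setdefault(dp, [])
            if c.serial in revoked:
                crls[dp].append(c.serial)
    return crls


def complete(crls, certs, revoked):
    """Correctness check that both options must pass: every revoked
    certificate appears in the CRL at every distribution point it names,
    since a relying party may consult any one of them."""
    return all(
        c.serial in crls.get(dp, [])
        for c in certs if c.serial in revoked
        for dp in c.cdps
    )


def distinct_bodies(crls):
    """How many distinct CRLs the CA actually has to build and sign
    (identical lists posted at two distribution points are one CRL)."""
    return len({tuple(entries) for entries in crls.values()})


if __name__ == "__main__":
    # Constructed scenario from the post: certificates 1-10 name A, B, C;
    # then the distribution points change and 11-20 name A, D, E.
    certs = issue(range(1, 11), ["A", "B", "C"]) + issue(range(11, 21), ["A", "D", "E"])
    revoked = {1, 11}
    for label, crls in (("option (a)", single_crl(certs, revoked)),
                        ("option (b)", per_dp_crls(certs, revoked))):
        print(label, dict(sorted(crls.items())),
              "complete:", complete(crls, certs, revoked),
              "CRLs to sign:", distinct_bodies(crls))
```

Running it shows option (a) as one signed CRL `[1, 11]` copied to all five points, and option (b) as three distinct CRLs (`[1, 11]` at A, `[1]` at B and C, `[11]` at D and E), both passing the completeness check. One caveat for anyone implementing option (b) with real X.509 CRLs: a CRL that is scoped to a subset of the CA's certificates should say so with the issuingDistributionPoint extension, and a relying party should check that the distribution point it fetched from matches that extension; otherwise the scoped CRL at D could be mistaken for a complete CRL and certificate 1 would look unrevoked.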