Re: draft delta crl text
"David A. Cooper" wrote:
>
>
> First, we did not intend to include events such as the creation or expiration of a certificate as a "status change".
>
[snip]
>
> I noticed, however, that X.509 states:
>
> The removeFromCRL reason code is for use with delta-CRLs (see 8.6) only
> and indicates that an existing CRL entry should now be removed owing to
> certificate expiration or hold release. An entry with this reason code shall be
> used in delta-CRLs for which the corresponding base CRL or any subsequent
> (delta or complete for scope) CRL contains an entry for the same certificate
> with reason code certificateHold.
>
Just a quick comment here wrt removeFromCRL and expiry of previous CRL
entries.
There is at least one reason for doing this. It allows a locally
constructed CRL to be cleared of expired entries. Otherwise, if a client
uses delta CRLs for an extended period of time (several certificate
lifetimes), its size may become excessive.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: shenson@xxxxxxxxxxxxxxxxxxxxxxxxxxx
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: drh@xxxxxxxxxxx PGP key: via homepage.
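A small model of the merge discussed above, added here as an example (it is not code from the thread, from X.509, or from OpenSSL). A relying party folds each delta CRL into its locally constructed CRL; removeFromCRL entries are honoured only for the two cases the quoted X.509 text names, hold release and certificate expiry, and the `prune=False` path shows the unbounded growth Steve describes. It assumes the relying party can look up each certificate's notAfter from its local certificate store (the `expiry` map); all serials and dates are constructed.

```python
from datetime import datetime, timedelta

REMOVE_FROM_CRL = "removeFromCRL"
CERTIFICATE_HOLD = "certificateHold"
KEY_COMPROMISE = "keyCompromise"

def apply_delta(local, delta, expiry, now):
    """Merge one delta CRL into the locally constructed CRL.
    local:  dict serial -> reason code, the CRL reconstructed so far (updated in place)
    delta:  list of (serial, reason) entries taken from the delta CRL
    expiry: dict serial -> notAfter, assumed available from the local certificate store
    Returns the serials whose removeFromCRL entry was not honoured."""
    rejected = []
    for serial, reason in delta:
        if reason != REMOVE_FROM_CRL:
            local[serial] = reason  # new revocation, or reason update (hold -> compromise)
            continue
        prior = local.get(serial)
        expired = serial in expiry and expiry[serial] <= now
        # X.509 permits removal only for hold release or expiry; anything else
        # would un-revoke a permanently revoked certificate, so refuse it.
        if prior == CERTIFICATE_HOLD or expired:
            local.pop(serial, None)
        else:
            rejected.append(serial)
    return rejected

def simulate(prune):
    """Replay a constructed base CRL plus three deltas. With prune=False the
    removeFromCRL entries are ignored, so the local CRL can only grow."""
    t0 = datetime(2001, 1, 1)
    expiry = {1: t0 + timedelta(days=30), 2: t0 + timedelta(days=400),
              3: t0 + timedelta(days=400), 4: t0 + timedelta(days=400)}
    local = {1: KEY_COMPROMISE, 2: CERTIFICATE_HOLD}  # base CRL
    deltas = [
        (t0 + timedelta(days=10), [(3, KEY_COMPROMISE)]),
        (t0 + timedelta(days=20), [(2, REMOVE_FROM_CRL)]),   # hold on 2 released
        (t0 + timedelta(days=40), [(1, REMOVE_FROM_CRL),    # 1 expired on day 30
                                   (4, CERTIFICATE_HOLD),
                                   (3, REMOVE_FROM_CRL)]),  # 3 still valid: refused
    ]
    rejected = []
    for now, entries in deltas:
        if not prune:
            entries = [e for e in entries if e[1] != REMOVE_FROM_CRL]
        rejected += apply_delta(local, entries, expiry, now)
    return local, rejected

if __name__ == "__main__":
    print(simulate(True), simulate(False))
```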