
Re: draft delta crl text



Dr. Henson,

I agree with you. The draft text specifies circumstances in which one is required to list a certificate on a delta-CRL. Tim Polk and I believe that one should be allowed to list a certificate with reason code removeFromCRL when it expires, but one should not be required to list it. On the other hand, while I haven't done the math, I would suspect that it would be more efficient to simply have relying parties download a new complete CRL whenever their local caches of revoked CRLs become too large rather than list each expired certificate on one or more delta-CRLs.

The reason I quoted the text from X.509 below is that it states that one can only list a certificate with reason code removeFromCRL if it has expired or has been released from hold. If one follows this text literally, it is not clear what to do if a revoked certificate becomes "out-of-scope" for the delta-CRL as a result of a change in reason code. Should one list it as removeFromCRL, with the old but in-scope reason, or with the new but out-of-scope reason?

Dave 

At 01:39 AM 6/2/01 +0100, Dr S N Henson wrote:
>"David A. Cooper" wrote:
> > 
> > 
> > First, we did not intend to include events such as the creation or expiration of a certificate as a "status change". 
> > 
>[snip]
> > 
> > I noticed, however, that X.509 states:
> > 
> >          The removeFromCRL reason code is for use with delta-CRLs (see 8.6) only
> >          and indicates that an existing CRL entry should now be removed owing to
> >          certificate expiration or hold release. An entry with this reason code shall be
> >          used in delta-CRLs for which the corresponding base CRL or any subsequent
> >          (delta or complete for scope) CRL contains an entry for the same certificate
> >          with reason code certificateHold.
> > 
>
>Just a quick comment here wrt removeFromCRL and expiry of previous CRL
>entries. 
>
>There is at least one reason for doing this. It allows a locally
>constructed CRL to be cleared of expired entries. Otherwise if a client
>uses delta CRLs for an extended period of time (several certificate
>lifetimes) its size may become excessive.
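As an added illustration, not part of the original thread and not code from either correspondent, the following Python models what a relying party that maintains a locally constructed complete CRL does with a delta-CRL. It applies the X.509 rule quoted above (a removeFromCRL entry deletes an existing entry and is expected only for a hold release or an expired certificate), shows Dr Henson's alternative of pruning expired entries locally, and Dave Cooper's alternative of fetching a fresh complete CRL once the local cache grows too large. The issuer name, serial numbers, dates and the `expired` set are invented; the data classes are a plain model, not an ASN.1 parser.

```python
"""Constructed model (not from the thread) of folding delta-CRLs into a
locally constructed complete CRL. Issuer, serials and dates are invented."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set

REMOVE_FROM_CRL = "removeFromCRL"
CERTIFICATE_HOLD = "certificateHold"


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    reason: str
    revocation_date: datetime


@dataclass
class LocalCrl:
    """Locally constructed complete CRL: base CRL plus applied deltas."""
    issuer: str
    crl_number: int
    this_update: datetime
    entries: Dict[int, CrlEntry] = field(default_factory=dict)


@dataclass
class DeltaCrl:
    issuer: str
    crl_number: int
    base_crl_number: int
    this_update: datetime
    entries: List[CrlEntry]


class DeltaCrlError(ValueError):
    pass


def apply_delta(local: LocalCrl, delta: DeltaCrl,
                expired: Set[int] = frozenset(), strict: bool = True) -> LocalCrl:
    """Fold one delta-CRL into the local CRL; all-or-nothing on error.

    `expired` is a hypothetical input: serials the relying party knows are
    past notAfter. With strict=True a removeFromCRL entry is accepted only
    for a hold release or an expired certificate (the literal X.509 rule);
    with strict=False any existing entry may be removed."""
    if delta.issuer != local.issuer:
        raise DeltaCrlError("delta-CRL issuer does not match local CRL")
    # The delta must be built on a base no newer than what we hold, and must
    # itself be newer than what we hold, or it cannot be applied in order.
    if delta.base_crl_number > local.crl_number:
        raise DeltaCrlError("delta-CRL base is newer than local CRL; fetch a complete CRL")
    if delta.crl_number <= local.crl_number:
        raise DeltaCrlError("delta-CRL is not newer than local CRL")

    entries = dict(local.entries)  # work on a copy, commit only on success
    for e in delta.entries:
        if e.reason == REMOVE_FROM_CRL:
            prior = entries.get(e.serial)
            if prior is None:
                continue  # nothing to remove; the certificate is simply not revoked
            if strict and prior.reason != CERTIFICATE_HOLD and e.serial not in expired:
                raise DeltaCrlError(
                    f"removeFromCRL for serial {e.serial:#x} that is neither on hold nor expired")
            del entries[e.serial]
        else:
            # A new revocation, or a change of reason code (e.g. hold -> keyCompromise).
            entries[e.serial] = e
    local.entries = entries
    local.crl_number = delta.crl_number
    local.this_update = delta.this_update
    return local


def prune_expired(local: LocalCrl, expired: Iterable[int]) -> int:
    """Drop entries for certificates the relying party knows have expired
    (the local alternative to the CA listing them as removeFromCRL)."""
    dropped = 0
    for serial in expired:
        if local.entries.pop(serial, None) is not None:
            dropped += 1
    return dropped


def needs_complete_refresh(local: LocalCrl, max_entries: int) -> bool:
    """When the cache outgrows a bound, fetch a fresh complete CRL instead."""
    return len(local.entries) > max_entries


def is_revoked(local: LocalCrl, serial: int) -> Optional[str]:
    e = local.entries.get(serial)
    return e.reason if e else None


def demo() -> LocalCrl:
    """Base CRL #10 with a hold, then delta #11 releasing the hold."""
    t0 = datetime(2001, 6, 1, tzinfo=timezone.utc)
    local = LocalCrl("CN=Example CA", 10, t0, {
        0x1001: CrlEntry(0x1001, CERTIFICATE_HOLD, t0),
        0x1002: CrlEntry(0x1002, "keyCompromise", t0),
        0x1003: CrlEntry(0x1003, "superseded", t0),
    })
    delta11 = DeltaCrl("CN=Example CA", 11, 10, t0, [
        CrlEntry(0x1001, REMOVE_FROM_CRL, t0),  # hold released
        CrlEntry(0x1004, "cessationOfOperation", t0),
    ])
    return apply_delta(local, delta11)


if __name__ == "__main__":
    crl = demo()
    print(crl.crl_number, sorted(hex(s) for s in crl.entries))
```

With strict checking, a removeFromCRL entry for a certificate whose prior entry is neither certificateHold nor known-expired is rejected, which is exactly the ambiguity raised above for a certificate that goes out of scope through a reason-code change; a deployment that wants to tolerate that case would pass strict=False.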