Re: delta CRLs - NR assumptions
Denis Pinkas wrote:
> Tom Gindin wrote:
> > In NR, you can expect to have consistent results for time T from any
> > CRL with thisUpdate >= T (exclusive of the effects of hold),
>
> 1) it may take time for a signer to discover that his key has been
> compromised.
This is the signer's problem if he did not report the compromise in time.
Just as it is today if your credit card is stolen.
From the time the information is published, it becomes the verifier's problem if he did not
take it into account.
I think Tom's assertion makes a lot of sense.
> 2) in addition, if the certificate is close to expiring, in case it is
> revoked, it will not appear in the CRL any more.
This simply means that for NR, a certificate will be unusable not from the expiration date,
but from the thisUpdate of the last CRL issued before the expiration date.
In real life, the user will have a new certificate issued at least a few days before the
revocation date, there will be a short time overlap between the two certificates, and he
will switch to the new certificate before the actual revocation.
It's not convenient for him to wait until the very last second or even the very last day to renew
his certificate.
Therefore this is not a real problem.
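The rule under discussion, as an added worked example that is not part of this thread or of any
implementation the participants describe: a small model in which a signature made at time T is
checked for non-repudiation against a CRL with thisUpdate >= T, and in which a CRL issued after
the certificate's notAfter is assumed (as Denis notes, and as RFC 5280 permits) to no longer list
the certificate. The certificate, the CRL issue dates and the revocation entry are constructed
sample data; the names Cert, CRL, nr_cutoff and nr_status are this example's own. Hold is ignored,
as in Tom's formulation.

```python
"""Model of the CRL-based non-repudiation (NR) check discussed in the thread.

Added example, not code from the thread. Assumptions (from the discussion):
  * a signature made at time T can be checked for NR against any CRL with
    thisUpdate >= T; the answer is the same for every such CRL;
  * once the certificate has expired, later CRLs need not list it, so only
    CRLs with thisUpdate <= notAfter are usable for that certificate;
  * hold (certificateHold) is ignored.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class CRL:
    this_update: datetime
    # serial -> revocationDate for the certificates listed in this CRL
    revoked: Dict[int, datetime] = field(default_factory=dict)


def nr_cutoff(cert: Cert, crl_issue_times: List[datetime]) -> Optional[datetime]:
    """Latest signing time that can still be verified for NR.

    This is the point the reply makes: not notAfter itself, but the
    thisUpdate of the last CRL issued at or before notAfter.
    """
    usable = [t for t in crl_issue_times if t <= cert.not_after]
    return max(usable) if usable else None


def nr_status(cert: Cert, signing_time: datetime, crls: List[CRL]) -> str:
    """Classify a signature made at signing_time: 'valid', 'revoked' or
    'undetermined' (no CRL exists that can answer the question)."""
    if not (cert.not_before <= signing_time <= cert.not_after):
        return "undetermined"  # signed outside the validity period
    # Only CRLs issued after T but before the certificate expired can be
    # relied on: the CA was still obliged to list the certificate in them.
    candidates = [c for c in crls if signing_time <= c.this_update <= cert.not_after]
    if not candidates:
        return "undetermined"
    # Any candidate gives the same result; use the earliest one.
    crl = min(candidates, key=lambda c: c.this_update)
    revocation_date = crl.revoked.get(cert.serial)
    if revocation_date is not None and revocation_date <= signing_time:
        return "revoked"  # compromise reported before the signature was made
    return "valid"        # not listed, or revoked only after T


# Constructed sample data: a one-year certificate and a CA issuing a CRL on
# the first day of every month. The certificate is revoked on 25 Nov 2001;
# the CRL of 1 Jan 2002 no longer lists it because it has expired.
CERT = Cert(serial=42,
            not_before=datetime(2001, 1, 1),
            not_after=datetime(2001, 12, 31, 23, 59, 59))
CRLS = [
    CRL(datetime(2001, 11, 1)),
    CRL(datetime(2001, 12, 1), revoked={42: datetime(2001, 11, 25)}),
    CRL(datetime(2002, 1, 1)),
]

if __name__ == "__main__":
    print("NR cutoff:", nr_cutoff(CERT, [c.this_update for c in CRLS]))
    for t in (datetime(2001, 11, 20), datetime(2001, 11, 28), datetime(2001, 12, 15)):
        print(t, "->", nr_status(CERT, t, CRLS))
```

Running the demo shows the three cases the thread argues about: a signature on 20 Nov is
verifiable as valid because the 1 Dec CRL (thisUpdate >= T) records a revocation date after T; a
signature on 28 Nov is revoked because the revocation predates it; and a signature on 15 Dec is
undetermined, since the only CRL issued after that date was issued after expiry and does not list
the certificate. The NR cutoff for this certificate is therefore 1 Dec, not 31 Dec, which is the
overlap window the reply says a signer would normally cover by renewing early.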