I was speaking with So we each pulled out the RFC and found that we were both right! Specifically, both sections 3.3 and 8.6.2.2 have text on this subject:

3.3 Revocation

When a certificate is issued, it is expected to be in use for its entire validity period. However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity period. .... An entry is added to the CRL as part of the next update following notification of revocation. An entry may be removed from the CRL after appearing on one regularly scheduled CRL issued beyond the revoked certificate's validity period.

8.6.2.2 Issuing distribution point extension

This CRL extension field identifies the CRL distribution point for this particular CRL, and indicates if the CRL is limited to revocations for end-entity certificates only, for authority certificates only, or for a limited set of reasons only. The CRL is signed by the CRL issuer's key - CRL distribution points do not have their own key pairs. However, for a CRL distributed via the Directory, the CRL is stored in the entry of the CRL distribution point, which may not be the directory entry of the CRL issuer. If this field is absent, the CRL shall contain entries for all revoked unexpired certificates issued by the CRL issuer. .... The distributionPoint component contains the name of the distribution point in one or more name forms. If this field is absent, the CRL shall contain entries for all revoked certificates issued by the CRL issuer. After a certificate appears on a CRL, it is deleted from a subsequent CRL after the certificate's expiry.

Although section 8.6.2.2 is specifically in regards to CRLdps, any difference between full CRLs and CRLdps in this case I feel would be an arbitrary one. Now logically it makes sense to remove certificates that are expired from CRLs to control size; yes, this has a negative point, specifically that it prevents CRLs from being used as a non-repudiation source, but this is moot due to many other issues. That being the case, I think (and I believe Peter would agree) the correct thing to do is to remove these expired/revoked entries from the CRL.

The question now is: what is the PKIX stance on this matter?

Ryan M. Hurst
ValiCert, Inc.
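The retention rule quoted above from sections 3.3 and 8.6.2.2, carried out over a sample CRL schedule as an added example (not code from the original post or from ValiCert). It assumes the issuer knows the thisUpdate times of its regularly scheduled CRLs and follows the post's conclusion: an entry is listed from the first update after notification and dropped once it has appeared on one scheduled CRL issued after the certificate expired.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RevokedCert:
    serial: int
    not_after: datetime   # end of the certificate's validity period
    revoked_at: datetime  # when the issuer was notified of the revocation


def listed_on_crl(cert, this_update, schedule):
    """Decide whether `cert` still appears on the CRL issued at `this_update`.

    `schedule` holds the thisUpdate times of every *regularly scheduled* CRL
    (assumption: unscheduled or delta CRLs are not counted, since the rule in
    section 3.3 speaks only of regularly scheduled CRLs).  Policy:
      - added at the next update following notification (section 3.3);
      - kept until it has appeared on one regularly scheduled CRL issued beyond
        the validity period, then removed (the post's conclusion).
    """
    if this_update < cert.revoked_at:
        return False  # revocation not yet notified at this update
    # Regularly scheduled CRLs already issued after expiry that carried the entry.
    post_expiry_appearances = [
        t for t in schedule
        if cert.revoked_at <= t and cert.not_after < t < this_update
    ]
    return not post_expiry_appearances


def build_crl(certs, this_update, schedule):
    """Serial numbers listed on the CRL issued at `this_update`."""
    return sorted(c.serial for c in certs if listed_on_crl(c, this_update, schedule))


# Constructed sample: a weekly CRL schedule and two revoked certificates.
T0 = datetime(2024, 1, 1)
WEEKLY = [T0 + timedelta(days=7 * i) for i in range(6)]
SAMPLE = [
    # expires on day 10, revoked on day 3: listed on days 7 and 14, gone by day 21
    RevokedCert(0x1001, not_after=T0 + timedelta(days=10), revoked_at=T0 + timedelta(days=3)),
    # expires on day 40, revoked on day 9: listed from day 14 for the whole sample
    RevokedCert(0x1002, not_after=T0 + timedelta(days=40), revoked_at=T0 + timedelta(days=9)),
]

if __name__ == "__main__":
    for t in WEEKLY:
        print(t.date(), [hex(s) for s in build_crl(SAMPLE, t, WEEKLY)])
```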