Re: Removing expired certificates from CRLs.....
Ryan:
I am now developing PKIX software, and encountered the same question as yours, because before one can check the CRL, one may first check the certificate's validity period. So I think removing the expired certificate from the CRL will be beneficial to keep the CRL small, at least.
forward li
--- Ryan Hurst <ryanh@xxxxxxxxxxxx> wrote:
> I was speaking with Peter Williams today about the removal of expired certificates from CRLs; I have always been under the belief that this behavior was optional, I vaguely remembered reading text in 2459 along those lines; additionally I know of several commercial CAs that do not remove the expired certificates from their CRLs. Peter on the other hand was under the impression that it was a mandate to remove CRLs; he too remembered reading text in 2459 to support his position.
>
> So we each pulled out the RFC and found that we were both right! Specifically both sections 3.3 and 8.6.2.2 have text on this subject:
>
> 3.3 Revocation
> When a certificate is issued, it is expected to be in use for its entire validity period. However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity period.
>
> ....
>
> An entry is added to the CRL as part of the next update following notification of revocation. An entry may be removed from the CRL after appearing on one regularly scheduled CRL issued beyond the revoked certificate's validity period.
>
> 8.6.2.2 Issuing distribution point extension
> This CRL extension field identifies the CRL distribution point for this particular CRL, and indicates if the CRL is limited to revocations for end-entity certificates only, for authority certificates only, or for a limited set of reasons only. The CRL is signed by the CRL issuer's key - CRL distribution points do not have their own key pairs. However, for a CRL distributed via the Directory, the CRL is stored in the entry of the CRL distribution point, which may not be the directory entry of the CRL issuer. If this field is absent, the CRL shall contain entries for all revoked unexpired certificates issued by the CRL issuer.
>
> ....
>
> The distributionPoint component contains the name of the distribution point in one or more name forms. If this field is absent, the CRL shall contain entries for all revoked certificates issued by the CRL issuer. After a certificate appears on a CRL, it is deleted from a subsequent CRL after the certificate's expiry.
>
> Although section 8.6.2.2 is specifically in regards to CRLdps, any difference between full CRLs and CRLdps in this case I feel would be an arbitrary one.
>
> Now logically it makes sense to remove certificates that are expired from CRLs to control size; yes, this has a negative point, specifically it prevents CRLs from being used as a non-repudiation source, but this is moot due to many other issues.
>
> That being the case I think, and I believe Peter would agree, the correct thing to do is to remove these expired/revoked entries from the CRL.
>
> The question now is what is the PKIX stance on this matter?
>
> Ryan M. Hurst
> ValiCert, Inc.
>
> "It may roundly be asserted that human ingenuity cannot concoct a cipher which human ingenuity cannot resolve."
> -Edgar Allan Poe
>
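The two rules discussed in this thread, the CA-side rule from RFC 2459 section 3.3 (an entry may be dropped only after it has appeared on one scheduled CRL issued beyond the certificate's validity period) and the relying-party habit of checking the validity period before consulting the CRL, as an added Python example that is not code from either poster or from any PKIX implementation. The entry layout, the monthly issue dates and the serial numbers are constructed for the illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime
    not_after: datetime               # end of the revoked certificate's validity period
    listed_after_expiry: bool = False  # already on a scheduled CRL issued past not_after?

def issue_crl(entries, this_update):
    """Entry set of the scheduled CRL issued at this_update (RFC 2459 section 3.3 rule).
    Returns (serials listed on this CRL, entries carried forward to the next CRL)."""
    listed, carried = [], []
    for e in entries:
        if e.listed_after_expiry:
            continue  # appeared on one CRL beyond its validity period: may now be dropped
        listed.append(e.serial)
        carried.append(replace(e, listed_after_expiry=this_update > e.not_after))
    return listed, carried

def run_schedule(entries, issue_dates):
    """Serials listed on each regularly scheduled CRL in issue_dates, in order."""
    history = []
    for this_update in issue_dates:
        listed, entries = issue_crl(entries, this_update)
        history.append(listed)
    return history

def relying_party_status(serial, not_before, not_after, now, crl_serials):
    """Validity period is checked before the CRL: an expired certificate's absence from
    the CRL says nothing about revocation (it may have been pruned), so never 'good'."""
    if not (not_before <= now <= not_after):
        return "outside validity period"
    return "revoked" if serial in crl_serials else "good"

# Constructed sample: cert 1001 expires 2001-06-01, cert 1002 expires 2002-01-01;
# both revoked on 2001-03-01; CRLs are issued on the 15th of each month.
SAMPLE_ENTRIES = [
    RevokedEntry(1001, utc(2001, 3, 1), utc(2001, 6, 1)),
    RevokedEntry(1002, utc(2001, 3, 1), utc(2002, 1, 1)),
]
ISSUE_DATES = [utc(2001, 5, 15), utc(2001, 6, 15), utc(2001, 7, 15)]

if __name__ == "__main__":
    for when, serials in zip(ISSUE_DATES, run_schedule(SAMPLE_ENTRIES, ISSUE_DATES)):
        print(when.date(), serials)  # 1001 stays on the 2001-06-15 CRL, gone on 2001-07-15
```

The June CRL is the one "regularly scheduled CRL issued beyond the validity period" that 1001 must still appear on; only the July CRL may omit it, which is why a verifier that skipped the validity check could mistake the pruned entry for a good certificate.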