
Re: Removing expired certificates from CRLs.....



Ryan:
I am now developing PKIX software, and encountered the
same question as yours, because before one can check
the CRL, one may first check the certificate's
validity period. So I think removing the expired
certificate from the CRL will be a benefit to keep the
CRL small.

forward li

--- Nada Kapidzic Cicovic <nada@xxxxxxxxxxxxx> wrote:

Ryan,

Some years ago we at Entegrity also had a similar discussion. We were positive CRLs were not to contain the information about the expired certificates, until we came across some industry CA CRLs containing information about all revoked certificates. We then looked into 2459 (a draft in those days) and the X.509 text and came to the conclusion that deleting info about expired certificates from a CRL is only an option.

I am not sure what the intention of the original authors of X.509 was (perhaps Sharon and Hoyt know more about it), but the current industry practice seems to be a mixture of both approaches.

My personal opinion is that keeping all revoked certificates' info in CRLs brings more problems than benefits. However, it is questionable whether PKIX needs to take a vote for one approach or the other.

In any case I would suggest that the text of 2459 be modified so that it has a MAY (or a MUST) consistently in all places where deleting expired certificates' revocation info from CRLs is mentioned. The current text only brings confusion, as you have already pointed out.

Nada

At 08:49 PM 9/4/01 -0700, Ryan Hurst wrote:

> I was speaking with Peter Williams today about the removal of expired certificates from CRLs; I have always been under the belief that this behavior was optional, I vaguely remembered reading text in 2459 along those lines; additionally I know of several commercial CAs that do not remove the expired certificates from their CRLs. Peter on the other hand was under the impression that it was a mandate to remove CRLs; he too remembered reading text in 2459 to support his position.
>
> So we each pulled out the RFC and found that we were both right! Specifically both sections 3.3 and 8.6.2.2 have text on this subject:
>
> 3.3  Revocation
>
> When a certificate is issued, it is expected to be in use for its entire validity period.  However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity period.
>
> ....
>
> An entry is added to the CRL as part of the next update following notification of revocation. *An entry may be removed from the CRL after appearing on one regularly scheduled CRL issued beyond the revoked certificate's validity period.*
>
> 8.6.2.2 Issuing distribution point extension
>
> This CRL extension field identifies the CRL distribution point for this particular CRL, and indicates if the CRL is limited to revocations for end-entity certificates only, for authority certificates only, or for a limited set of reasons only. The CRL is signed by the CRL issuer's key - CRL distribution points do not have their own key pairs. However, for a CRL distributed via the Directory, the CRL is stored in the entry of the CRL distribution point, which may not be the directory entry of the CRL issuer. *If this field is absent, the CRL shall contain entries for all revoked unexpired certificates issued by the CRL issuer.*
>
> ....
>
> The distributionPoint component contains the name of the distribution point in one or more name forms. If this field is absent, the CRL shall contain entries for all revoked certificates issued by the CRL issuer. *After a certificate appears on a CRL, it is deleted from a subsequent CRL after the certificate's expiry.*
>
> Although section 8.6.2.2 is specifically in regards to CRLdps, any difference between full CRLs and CRLdps in this case I feel would be an arbitrary one.
>
> Now logically it makes sense to remove certificates that are expired from CRLs to control size; yes, this has a negative point, specifically it prevents CRLs from being used as a non-repudiation source; but this is moot due to many other issues.
>
> That being the case I think, and I believe Peter would agree, the correct thing to do is to remove these expired/revoked entries from the CRL.
>
> The question now is what is the PKIX stance on this matter?
>
> Ryan M. Hurst
> ValiCert, Inc.
>
>     "It may roundly be asserted that human ingenuity cannot concoct a cipher which human ingenuity cannot resolve."
>     -Edgar Allan Poe
 

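The thread turns on one retention rule from RFC 2459 section 3.3 (an entry may be dropped only after it has appeared on one regularly scheduled CRL issued beyond the certificate's validity period), on forward li's observation that a relying party tests the validity period before it ever reads the CRL, and on Ryan's caveat that a pruned CRL cannot serve as a non-repudiation record. The following is an added example, written for this page and not code from any of the posters or from RFC 2459; it models a CRL as a list of entries rather than DER, uses only the Python standard library, and assumes (as the thread does not spell out) that the CA keeps each revoked certificate's notAfter next to its revocation record. The weekly schedule and the two serials are constructed sample data.

```python
"""CRL entry retention under the RFC 2459 section 3.3 rule (added example).

Models an issuer of regularly scheduled full CRLs that keeps a revoked
certificate's entry until it has appeared on one scheduled CRL issued after
the certificate's notAfter, then drops it; plus the relying-party check that
tests expiry before consulting the CRL, and the X.509 completeness test for
a CRL with no issuingDistributionPoint.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class RevokedCert:
    """One revocation record. not_after is copied from the certificate
    (assumption: the CA stores it beside the record) so the issuer can tell
    when an entry has outlived the validity period."""
    serial: int
    revocation_date: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    this_update: datetime
    entries: tuple  # RevokedCert objects carried on this CRL, sorted by serial

    def serials(self):
        return [e.serial for e in self.entries]


class CRLIssuer:
    """Issues regularly scheduled full CRLs, pruning under the section 3.3 rule."""

    def __init__(self):
        self._revoked = {}     # serial -> RevokedCert
        self._retired = set()  # serials already carried on a post-expiry scheduled CRL
        self.issued = []

    def revoke(self, rc):
        self._revoked[rc.serial] = rc

    def issue(self, this_update):
        # Carry every revocation notified by this_update that has not yet had
        # its one appearance beyond the certificate's validity period.
        entries = tuple(sorted(
            (rc for rc in self._revoked.values()
             if rc.revocation_date <= this_update and rc.serial not in self._retired),
            key=lambda rc: rc.serial))
        crl = CRL(this_update, entries)
        # An entry carried on a CRL issued after its own notAfter has now had
        # its post-expiry appearance; the next scheduled CRL may omit it.
        # The retired set is what stops a dropped entry from reappearing.
        self._retired.update(rc.serial for rc in entries if this_update > rc.not_after)
        self.issued.append(crl)
        return crl


def check_status(serial, not_after, at, crl):
    """Relying-party order of checks: validity period first, CRL second.
    Because expiry is tested first, pruning never changes the answer for an
    expired certificate when the question is 'is it usable now'."""
    if at > not_after:
        return "expired"
    if serial in crl.serials():
        return "revoked"
    return "good"


def full_crl_is_complete(crl, all_revoked):
    """X.509 requirement quoted in the thread: a CRL with no
    issuingDistributionPoint must list every revoked, unexpired certificate."""
    required = {rc.serial for rc in all_revoked
                if rc.revocation_date <= crl.this_update
                and rc.not_after >= crl.this_update}
    return required <= set(crl.serials())


def demo():
    """Constructed scenario: weekly CRLs in September 2001, two revoked certs,
    one of which expires on 12 September."""
    def sept(day):
        return datetime(2001, 9, day, tzinfo=UTC)

    short_lived = RevokedCert(serial=1, revocation_date=sept(1), not_after=sept(12))
    long_lived = RevokedCert(serial=2, revocation_date=sept(1),
                             not_after=datetime(2002, 1, 1, tzinfo=UTC))
    issuer = CRLIssuer()
    issuer.revoke(short_lived)
    issuer.revoke(long_lived)
    crls = [issuer.issue(sept(day)) for day in (3, 10, 17, 24)]
    latest = crls[-1]
    return {
        # serial 1 rides the 3, 10 and 17 Sept CRLs (17 Sept is the one
        # scheduled CRL beyond its validity) and is gone from 24 Sept
        "crl_serials": [c.serials() for c in crls],
        "complete": [full_crl_is_complete(c, [short_lived, long_lived]) for c in crls],
        # a verifier on 20 Sept rejects serial 1 as expired without reading the CRL
        "expired_check": check_status(1, short_lived.not_after, sept(20), latest),
        "revoked_check": check_status(2, long_lived.not_after, sept(20), latest),
        # the caveat: asking the pruned 24 Sept CRL whether serial 1 was good on
        # 5 Sept (revoked, still unexpired) now answers "good"
        "historical_check": check_status(1, short_lived.not_after, sept(5), latest),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The retired set is the part worth copying: deciding "drop if the previous CRL was issued after notAfter" by looking only at the previous CRL would re-add an entry on the CRL after the one that dropped it, so the issuer has to remember which entries have already had their post-expiry appearance. The last key of the result is Ryan's non-repudiation point in miniature: once pruned, the current CRL can no longer say whether serial 1 was revoked while it was still valid, which is why the thread treats this as a size-versus-evidence trade rather than a free optimisation.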