Re: Removing expired certificates from CRLs.....
Nada Kapidzic Cicovic wrote:
>
> Ryan,
>
> Some years ago we at Entegrity also had similar discussion. We were
> positive CRLs were not to contain the information about the expired
> certificates, until we came across some industry CA CRLs containing
> information about all revoked certificates. We then looked into 2459
> (draft in those days) and X.509 text and came to the conclusion that
> deleting info about expired certificates from a CRL is only an option.
>
> I am not sure what the intention of the original authors of X.509 was
> (perhaps Sharon and Hoyt know more about it), but the current industry
> practice seems to be a mixture of both approaches.
>
> My personal opinion is that keeping all revoked certificates info in
> CRLs brings more problems than benefits. However, it is questionable
> whether PKIX needs to take a vote for one approach or the other.
>
> In any case I would suggest that the text of 2459 be modified so that
> it has a MAY (or a MUST) consistently in all places where deleting
> expired certificates revocation info from CRLs is mentioned. The
> current text only brings confusion, as you have already pointed out.
I vote for MAY (rather than MUST) because it is largely a matter for the
CA: if there are few revoked certificates, there is no benefit in
deleting them from the CRL once they expire, but - on the contrary - if
they are deleted, this can cause problems for applications.
For example, let us suppose that I receive today a document signed two
years ago with a cert that is currently expired, and I want to check the
revocation status of the related certificates at the signature time.
If I retrieve the current CRL, it might not contain the cert (if it was
revoked) due to the CA policy of deleting expired certificates from the
CRL.
So, how can I retrieve the first CRL issued after signature time? It
seems to me that there is no provision for such a request in either
OCSP or CMP, so many CAs do not delete expired certs from CRLs to avoid
this problem. Therefore, I think that PKIX should permit this kind of
behaviour and not force CAs into a mode of operation that can cause
application problems.
Just my 2c.
Antonio Lioy
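The failure mode Antonio describes (a relying party checking the status of an already-expired certificate at the time of an old signature, against a CRL from which the CA may have pruned expired entries) can be made concrete with a small model. The following Python is an added example written for this page, not code from the thread or from any PKIX implementation; the certificate serials, dates and CRL contents are constructed, and the field names follow X.509 (thisUpdate, revocationDate). The point it demonstrates is that an absent CRL entry is only conclusive when the cert was still unexpired at the CRL's thisUpdate, or when the CA is known to retain expired entries; otherwise the honest answer is "unknown", not "good".

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

# All datetimes are naive UTC, as X.509 times are interpreted.

@dataclass(frozen=True)
class CertRecord:
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime   # the CRL entry's revocationDate

@dataclass(frozen=True)
class Crl:
    this_update: datetime        # the CRL's thisUpdate
    entries: Dict[int, RevokedEntry]

def prune_expired(crl: Crl, issued: Dict[int, CertRecord]) -> Crl:
    """The 'MAY delete' behaviour: drop entries whose cert had expired at thisUpdate."""
    kept = {s: e for s, e in crl.entries.items()
            if issued[s].not_after > crl.this_update}
    return Crl(crl.this_update, kept)

def status_at_signing(crl: Crl, cert: CertRecord, signing_time: datetime,
                      ca_retains_expired: Optional[bool]) -> str:
    """Revocation status of `cert` as of `signing_time`, judged from `crl`.

    ca_retains_expired: True if the CA's policy is known to keep expired
    certs on the CRL, False if it is known to prune them, None if unknown.
    """
    if not (cert.not_before <= signing_time <= cert.not_after):
        return "outside-validity"          # signature not covered by the cert at all
    entry = crl.entries.get(cert.serial)
    if entry is not None:
        # Entry present: revoked at signing time only if revocation preceded it.
        return "revoked" if entry.revocation_date <= signing_time else "good"
    # Entry absent. Conclusive only if the cert was still unexpired when this
    # CRL was issued (pruning could not have removed it) or the CA never prunes.
    if cert.not_after > crl.this_update or ca_retains_expired is True:
        return "good"
    return "unknown"

# Constructed scenario: a cert valid 2021-2022, revoked in March 2022, used to
# sign a document in June 2022; the verifier checks it in June 2024.
CERT_REVOKED = CertRecord(0x1001, datetime(2021, 1, 1), datetime(2023, 1, 1))
CERT_CLEAN = CertRecord(0x1002, datetime(2021, 1, 1), datetime(2023, 1, 1))
ISSUED = {c.serial: c for c in (CERT_REVOKED, CERT_CLEAN)}
SIGNING_TIME = datetime(2022, 6, 1)
NOW = datetime(2024, 6, 1)

FULL_CRL = Crl(NOW, {0x1001: RevokedEntry(0x1001, datetime(2022, 3, 1))})
PRUNED_CRL = prune_expired(FULL_CRL, ISSUED)   # entry for 0x1001 is gone

def demo() -> Dict[str, str]:
    """Compare what a relying party can conclude from each CRL variant."""
    return {
        "full_revoked":   status_at_signing(FULL_CRL, CERT_REVOKED, SIGNING_TIME, True),
        "full_clean":     status_at_signing(FULL_CRL, CERT_CLEAN, SIGNING_TIME, True),
        "pruned_revoked": status_at_signing(PRUNED_CRL, CERT_REVOKED, SIGNING_TIME, False),
        "pruned_clean":   status_at_signing(PRUNED_CRL, CERT_CLEAN, SIGNING_TIME, False),
        "policy_unknown": status_at_signing(PRUNED_CRL, CERT_REVOKED, SIGNING_TIME, None),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15s} {v}")
```

Note that the pruned CRL makes even the never-revoked cert "unknown": once the CA prunes, absence carries no information for expired certs, which is exactly why a relying party in this situation would need the first CRL issued after signing time, and why, as the reply notes, many CAs simply retain the entries.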