RE: Removing expired certificates from CRLs.....
Ryan,
If you (the relying party) trust that the CA will be around for that long, and that the CRL records will be available if and when you need them, even if for a reasonable fee, then you can trust either the CA or some kind of a trusted repository to provide this function. Or if you are a true paranoid, you can archive them yourself, along with the document in question, together with all of the necessary timestamps and other corroborating evidence.
In either case, the primary reason for having a certificate validity period in the first place was to avoid an ever-increasing CRL list. The other factors, including a sunset-clause type of renewal requirement in lieu of active status monitoring by the CA, and the concomitant opportunity for an ongoing yearly revenue stream, were nice to have also.
So there is no reason why expired CRLs can't be removed one publication cycle after the certificate has expired, and they should. But they can't be removed immediately, because they might have been revoked one microsecond prior to expiration, and before the next scheduled CRL has been published.
Bob
Robert R. Jueneman
Security Architect
Novell, Inc -- the leading provider of Net services software
>>> "Flynn, Michael" <MFlynn@xxxxxxxxxxxx> 09/05/01 11:02AM >>>
Ryan,
Ryan wrote:
Now logically it makes sense to remove certificates that are expired from
CRLs to control size; yes, this has a negative point, specifically that it prevents
CRLs from being used as a non-repudiation source, but this is moot due to
many other issues.
At least regarding removing expired certs from CRLs, I would think that
non-repudiation can be satisfied by keeping the old CRLs in backup storage
for some length of time, that time being how far back in time a contract
dispute might go: ten years, twenty? So long as you could get them off
tape for the lawyers to look at, the legal process would be satisfied; they
don't need to be online forever.
Michael
-----Original Message-----
From: Ryan Hurst [mailto:ryanh@xxxxxxxxxxxx]
Sent: Tuesday, September 04, 2001 8:50 PM
To: IETF-PKIX
Subject: Removing expired certificates from CRLs.....
I was speaking with Peter Williams today about the removal of expired
certificates from CRLs. I have always been under the belief that this
behavior was optional; I vaguely remembered reading text in 2459 along those
lines, and additionally I know of several commercial CAs that do not remove the
expired certificates from their CRLs. Peter, on the other hand, was under the
impression that it was a mandate to remove CRLs; he too remembered reading
text in 2459 to support his position.
So we each pulled out the RFC and found that we were both right!
Specifically both sections 3.3 and 8.6.2.2 have text on this subject:
3.3 Revocation
When a certificate is issued, it is expected to be in use for its entire
validity period. However, various circumstances may cause a certificate to
become invalid prior to the expiration of the validity period.
...
An entry is added to the CRL as part of the next update following
notification of revocation. An entry may be removed from the CRL after
appearing on one regularly scheduled CRL issued beyond the revoked
certificate's validity period.
8.6.2.2 Issuing distribution point extension
This CRL extension field identifies the CRL distribution point for this
particular CRL, and indicates if the CRL is limited to revocations for
end-entity certificates only, for authority certificates only, or for a
limited set of reasons only. The CRL is signed by the CRL issuer's key; CRL
distribution points do not have their own key pairs. However, for a CRL
distributed via the Directory, the CRL is stored in the entry of the CRL
distribution point, which may not be the directory entry of the CRL issuer.
If this field is absent, the CRL shall contain entries for all revoked
unexpired certificates issued by the CRL issuer.
...
The distributionPoint component contains the name of the distribution point
in one or more name forms. If this field is absent, the CRL shall contain
entries for all revoked certificates issued by the CRL issuer. After a
certificate appears on a CRL, it is deleted from a subsequent CRL after the
certificate's expiry.
Although section 8.6.2.2 is specifically in regards to CRLdps, any
difference between full CRLs and CRLdps in this case I feel would be an
arbitrary one.
Now logically it makes sense to remove certificates that are expired from
CRLs to control size; yes, this has a negative point, specifically that it prevents
CRLs from being used as a non-repudiation source, but this is moot due to
many other issues.
That being the case, I think (and I believe Peter would agree) the correct
thing to do is to remove these expired/revoked entries from the CRL.
The question now is what is the PKIX stance on this matter?
Ryan M. Hurst
ValiCert, Inc.
"It may roundly be asserted that human ingenuity cannot concoct a cipher
which human ingenuity cannot resolve."
-Edgar Allan Poe
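The retention rule Ryan quotes from RFC 2459 section 3.3, together with Bob's "one publication cycle after expiry, but not immediately" reasoning, worked through as an added Python example that is not part of the thread. It models the rule as "drop an entry only once the previous CRL was itself issued after the certificate's notAfter", and the daily-CRL timeline, serial numbers and dates are constructed for the example, including Bob's certificate revoked one microsecond before expiry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime   # when the CA revoked the certificate
    not_after: datetime         # end of the certificate's validity period

def must_retain(entry: RevokedEntry, prev_this_update: Optional[datetime]) -> bool:
    """RFC 2459 3.3: an entry may be removed only after it has appeared on one
    regularly scheduled CRL issued beyond the certificate's validity period.
    Modelled as: drop it only once the PREVIOUS CRL was itself issued after
    notAfter (that CRL was the required post-expiry appearance), so a cert
    revoked just before expiry still reaches the first post-expiry CRL."""
    if prev_this_update is None:            # first CRL ever: nothing has appeared yet
        return True
    return prev_this_update <= entry.not_after

def next_crl(entries: Iterable[RevokedEntry], prev_this_update: Optional[datetime],
             this_update: datetime) -> List[int]:
    """Sorted serial numbers that belong on the CRL issued at this_update."""
    return sorted(e.serial for e in entries
                  if e.revocation_date <= this_update        # known revoked by now
                  and must_retain(e, prev_this_update))

def crl_series(entries: Iterable[RevokedEntry], first_update: datetime,
               period: timedelta, count: int) -> List[List[int]]:
    """Serial lists for `count` regularly scheduled CRLs, one per period."""
    entries, series, prev = list(entries), [], None
    for i in range(count):
        this_update = first_update + i * period
        series.append(next_crl(entries, prev, this_update))
        prev = this_update
    return series

# Constructed sample (not from the thread): daily CRLs at 12:00 UTC around an
# expiry of 2001-09-05 00:00 UTC for serials 1 and 2; serial 3 is still valid.
UTC = timezone.utc
EXPIRY = datetime(2001, 9, 5, tzinfo=UTC)
SAMPLE = [
    RevokedEntry(1, datetime(2001, 9, 2, tzinfo=UTC), EXPIRY),
    RevokedEntry(2, EXPIRY - timedelta(microseconds=1), EXPIRY),   # "one microsecond prior"
    RevokedEntry(3, datetime(2001, 9, 1, tzinfo=UTC), EXPIRY + timedelta(days=5)),
]

def demo() -> List[List[int]]:
    """Four daily CRLs from 2001-09-03 12:00: [1, 3], [1, 3], [1, 2, 3], [3]."""
    return crl_series(SAMPLE, datetime(2001, 9, 3, 12, tzinfo=UTC), timedelta(days=1), 4)
```

The third CRL (the first issued after expiry) still carries both expired serials, including the one revoked after the second CRL was published; only the fourth CRL may drop them, which is the "one publication cycle" Bob describes.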