[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Removing expired certificates from CRLs.....

To: "Flynn, Michael" <MFlynn@xxxxxxxxxxxx>
Subject: Re: Removing expired certificates from CRLs.....
From: Sam Schaen <schaen@xxxxxxxxx>
Date: Wed, 05 Sep 2001 13:59:37 -0400
Cc: "'Ryan Hurst'" <ryanh@xxxxxxxxxxxx>, IETF-PKIX <ietf-pkix@xxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: The MITRE Corporation
References: <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

For what it's worth, the US DOD PKI is relying on the archival strategy
described below.  We're currently looking at 10.5 years for our Class 3
and 20.5 years for our class 4.  I have no idea why someone considered
the extra half year important but that's what's in our CP.  Certificates
will be removed from the CRL after they expire.

Sam Schaen
MITRE Corporation

"Flynn, Michael" wrote:

> Ryan,Ryan wrote::
> Now logically it makes sense to remove certificates that are expired
> from CRLs to control size, yes this has a negative point specifically
> it prevents CRLs from being used as a non-repudiation source; but this
> is mute due to many other issues.
>
> At least regarding removing expired certs from CRLs, I would think
> that non-repudiation can be satisfied by keeping the old CRLs in back
> up storage for some length of time.  That time being how far back in
> time a contract dispute might go; ten years, twenty?   So long as you
> could get them off  tape for the lawyers to look at the legal process
> would be satisfied, they don't need to be online forever.
>
> Michael
>
>
>      -----Original Message-----
>      From: Ryan Hurst [mailto:ryanh@xxxxxxxxxxxx]
>      Sent: Tuesday, September 04, 2001 8:50 PM
>      To: IETF-PKIX
>      Subject: Removing expired certificates from CRLs.....
>
>      I was speaking with Peter Williams today about the removal
>      of expired certificates from CRLs; I have always been under
>      the belief that this behavior was optional, I vaguely
>      remembered reading text in 2459 along those lines;
>      additionally I know of several commercial CAs that do not
>      remove the expired certificates from their CRLs. Peter on
>      the other hand was under the impression that it was a
>      mandate to remove CRLs; he too remembered reading text in
>      2459 to support is position.
>
>      So we each pulled out the RFC and found that we were both
>      right! Specifically both sections 3.3 and 8.6.2.2 have text
>      on this subject:
>
>      3.3Revocation
>
>      When a certificate is issued, it is expected to be in use
>      for its entire validity period.However, various
>      circumstances may cause a certificate to become invalid
>      prior to the expiration of the validity period.
>
>      ....
>
>      An entry is added to the CRL as part of the next update
>      following notification of revocation. An entry may be
>      removed from the CRL after appearing on one regularly
>      scheduled CRL issued beyond the revoked certificate's
>      validity period.
>
>      8.6.2.2 Issuing distribution point extension
>
>      This CRL extension field identifies the CRL distribution
>      point for this particular CRL, and indicates if the CRL is
>      limited to revocations for end-entity certificates only, for
>      authority certificates only, or for a limited set of reasons
>      only. The CRL is signed by the CRL issuer's key- CRL
>      distribution points do not have their own key pairs.
>      However, for a CRL distributed via the Directory, the CRL is
>      stored in the entry of the CRL distribution point, which may
>      not be the directory entry of the CRL issuer.If this field
>      is absent, the CRL shall contain entries for all
>      revoked unexpired certificates issued by the CRL issuer.
>
>      ....
>
>      The distributionPointcomponent contains the name of the
>      distribution point in one or more name forms. If this field
>      is absent, the CRL shall contain entries for all revoked
>      certificates issued by the CRL issuer. After a certificate
>      appears on a CRL, it is deleted from a subsequent CRL after
>      the certificate's expiry.
>
>      Although section 8.6.2.2 is specifically in regards
>      to CRLdps, any difference between full CRLs and CRLdps in
>      this case I feel would be an arbitrary one.
>
>      Now logically it makes sense to remove certificates that are
>      expired from CRLs to control size, yes this has a negative
>      point specifically it prevents CRLs from being used as a
>      non-repudiation source; but this is mute due to many other
>      issues.
>
>      That being the case I think; and I believe Peter would agree
>      the correct thing to do is to remove these expired/revoked
>      entries from the CRL.
>
>      The question now is what is the PKIX stance on this matter?
>
>      Ryan M. Hurst
>
>      ValiCert, Inc.
>
>           "It may roundly be asserted that human ingenuity
>           cannot concoct a cipher which human ingenuity
>           cannot resolve."
>
>           -Edgar Allan Poe
>

References:
- RE: Removing expired certificates from CRLs.....
  - From: Flynn, Michael

Prev by Date: RE: Removing expired certificates from CRLs.....
Next by Date: Re: charter revisions
Previous by thread: RE: Removing expired certificates from CRLs.....
Next by thread: RE: Removing expired certificates from CRLs.....
Index(es):
- Date
- Thread