David -

Although my confusion on this issue has been cleared up now (note to self: always verify your sources), this brings up a very interesting point. I and others I have spoken with believe that the addition of such an extension (one that states that the CRL contains ALL revocation entries, both current and expired) would be very valuable.

Consider this problem: today I receive a digitally signed and time stamped document (a contract possibly); this document was signed by a certificate issued off of any number of commercial CAs that exist today. 10 years later the document is in question and I need to establish that the certificate associated with the signature on the document was valid at the time it was signed; there are several significant possibilities here:

1. CA in question has CRLNumber extension in all of their CRLs and they are all available
2. CA in question does not have the CRLNumber in all CRLs or just a subset

Now in #1 the problem is relatively easy: I find all CRLs that were valid during my window and of those I pick the one that has the highest CRLNumber. An extension like this would be "useful" in this case but not necessary.

In #2 the problem gets, well, unsolvable. Since there are no ways to determine if I have all of the CRLs that are within my window (remember validity windows on CRLs can overlap, so the ones within the overlapped window that state the certificate is revoked could be "lost") I will never know if the certificate was valid at the time in question. Now if the CRLs that were generated contained all entries and were marked as such with an extension, I would have a mechanism to solve this problem; simply get the most recent CRL.

Ryan
-----Original Message-----
From: David A. Cooper [mailto:david.cooper@xxxxxxxx]
Sent: Wednesday, September 05, 2001 7:39 AM
To: IETF-PKIX
Subject: Re: Removing expired certificates from CRLs.....

At 03:53 PM 9/5/01 +0200, Nada Kapidzic Cicovic wrote:
Denis,

I was making comments on the text which Ryan extracted in his mail, assuming that they were from the son-of-RFC2459. In particular the last sentence in this paragraph:

    The distributionPoint component contains the name of the distribution point in one or more name forms. If this field is absent, the CRL shall contain entries for all revoked certificates issued by the CRL issuer. After a certificate appears on a CRL, it is deleted from a subsequent CRL after the certificate's expiry.

However, after getting your comment I realized that this sentence and the referred section 8.6.2.2 comes from the X.509 (the latest version that I have on my disk is X_509_4thEditionDraftV6, and it contains the above text).
I have X_509_4thEditionDraftV8 on my computer and it appears that this has been fixed. It now says "After a certificate appears on a CRL, it may be deleted from a subsequent CRL after the certificate's expiry." I didn't bother to look at son-of-2459.

In any case, both X.509 and son-of-2459 should say that a certificate may be deleted from a CRL after it has expired. In general, though, I don't think there is much benefit to leaving expired certificates on CRLs. The problem is that, at the moment, if an expired certificate is not listed on a CRL, there is no way to determine whether it is not listed because it was never revoked or if it was revoked but is not listed because it was removed after expiration.

Some time ago, there was a suggestion to create a new, non-critical CRL extension that would specify whether an expired certificate was covered by a CRL (e.g., the extension could state: "This CRL includes all revoked certificates that expire(d) after Jan. 1, 2001 (i.e., notAfter >= 010101000000Z)."). There didn't seem to be much support for this idea, so the extension was never created.
The current text of the son-of-RFC2459 does not seem to contain it or any other misleading sentences regarding this issue.

Sorry for the confusion.

Nada
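As an added illustration, not part of the thread, of both Ryan's two cases and the extension David describes: a small Python model, with constructed sample CRLs, of deciding a certificate's status at a past signing time. The `Crl` record, its `covers_expiring_after` field and the `status_at` function are assumptions made for this example, not real X.509 parsing or any CA's behaviour.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Crl:
    """Constructed, simplified CRL record (not a real X.509 parser).
    crl_number mirrors the CRLNumber extension; covers_expiring_after models
    the hypothetical extension from the thread: every revoked certificate with
    notAfter >= this date is still listed, however long ago it was revoked."""
    this_update: datetime
    next_update: datetime
    revoked: dict                         # serial (int) -> revocationDate
    crl_number: Optional[int] = None
    covers_expiring_after: Optional[datetime] = None

def _check(crl, serial, signing_time):
    rev = crl.revoked.get(serial)
    return "revoked" if rev is not None and rev <= signing_time else "good"

def status_at(crls, serial, cert_not_after, signing_time):
    """Was `serial` revoked at `signing_time`? -> 'revoked', 'good' or 'unknown'."""
    # With the extension: the most recent CRL issued after the signing time that
    # still covers the certificate's expiry settles it, lost intermediate CRLs or not.
    complete = [c for c in crls if c.covers_expiring_after is not None
                and c.covers_expiring_after <= cert_not_after
                and c.this_update >= signing_time]
    if complete:
        return _check(max(complete, key=lambda c: c.this_update), serial, signing_time)
    # Ryan's case #1: every CRL valid in the window carries CRLNumber, so the
    # highest-numbered one we hold is the latest view of that window.
    in_window = [c for c in crls if c.this_update <= signing_time <= c.next_update]
    if in_window and all(c.crl_number is not None for c in in_window):
        return _check(max(in_window, key=lambda c: c.crl_number), serial, signing_time)
    # Ryan's case #2: without CRLNumber, overlapping windows give no way to tell
    # whether a later CRL listing the certificate was lost.
    return "unknown"

# Constructed sample: two overlapping CRLs from 2001 and one archival CRL from
# 2011 carrying the hypothetical extension; serial 0x1234 was revoked 2001-09-04.
D = datetime
CRL1 = Crl(D(2001, 9, 1), D(2001, 9, 8), {}, crl_number=1)
CRL2 = Crl(D(2001, 9, 5), D(2001, 9, 12), {0x1234: D(2001, 9, 4)}, crl_number=2)
CRL_2011 = Crl(D(2011, 9, 1), D(2011, 9, 8), {0x1234: D(2001, 9, 4)},
               crl_number=500, covers_expiring_after=D(2001, 1, 1))
SIGNED, NOT_AFTER = D(2001, 9, 6), D(2003, 1, 1)
```

With only `CRL1` in hand, `status_at([CRL1], 0x1234, NOT_AFTER, SIGNED)` returns "good" because nothing reveals that `CRL2` is missing, which is the gap the thread is about; with the archival `CRL_2011` alone the answer is "revoked" regardless of which 2001 CRLs survived.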