
Re: Removing expired certificates from CRLs.....



Hi Sharon,

Glad to see you back on the PKIX mailing list for a short while. :-)

> David I do remember some discussion of a new extension but 
> don't recall the reason why it wasn't pursued - do you remember? 
 
> With the 509 meeting coming up in just a couple of weeks, 
> if we reach consensus that it would be useful to add either 
> a new extension or a new component to the IDP extension to indicate 
> that a CRL includes revocation notices for expired certs, 
> we could probably add it to the 509 WD at that meeting. 

At this time it is more an X.509 discussion, rather than a PKIX discussion.
Anyway, I would support in principle the idea for X.509. 

The information could be placed either in the certificate or in the CRL.
Placing it in the CRL has the advantage of not overloading the certificate,
so this solution should be better. So, if the information is placed in the
CRL, then the CRL should say something like: certificates which have the 
keyUsage bits set to XXXX are maintained on the CRL Y weeks after they
expire.

One of the main benefits is the following: you receive an e-mail while on
holidays. The signature was done just before the certificate expired, but
the e-mail was opened after it expired. With this additional feature it
would be possible to know by fetching the current CRL whether the e-mail was
signed legitimately.

> I believe there is value in allowing expired certs to remain 
> on CRLs, but certainly it should be an optional feature as 
> it is not needed in all environments.

True.

Regards,

Denis 
 
> Cheers,
> Sharon


BTW: my Netscape 4.7 browser is unable to display your message correctly.
Next time, please use plaintext.
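As an added illustration (not part of this thread or of any X.509 text) of the holiday-mail scenario Denis describes: a Python sketch in which the CRL carries the proposed retention indicator, modelled here with the assumed field names retained_key_usage and retention_weeks, and a verifier decides whether a signature made before expiry can still be judged from a CRL fetched after expiry. All certificates, serials and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Cert:
    serial: int
    not_after: datetime
    key_usage: frozenset          # e.g. frozenset({"digitalSignature"})

@dataclass(frozen=True)
class Crl:
    this_update: datetime
    revoked: dict                 # serial -> revocationDate
    # Hypothetical indicator proposed in the thread: certs whose keyUsage includes
    # these bits are kept on the CRL for retention_weeks after they expire.
    retained_key_usage: frozenset = frozenset()
    retention_weeks: int = 0

def crl_covers(cert: Cert, crl: Crl) -> bool:
    # Does this CRL still carry revocation status for cert?
    if crl.this_update <= cert.not_after:
        return True               # cert had not expired when the CRL was issued
    if crl.retained_key_usage and crl.retained_key_usage <= cert.key_usage:
        return crl.this_update <= cert.not_after + timedelta(weeks=crl.retention_weeks)
    return False                  # ordinary CRL: expired certs may have been dropped

def signature_status(cert: Cert, signing_time: datetime, crl: Crl) -> str:
    # Was a signature made at signing_time legitimate, judged from crl alone?
    if signing_time > cert.not_after:
        return "signed-after-expiry"
    if not crl_covers(cert, crl):
        return "indeterminate"    # the CRL says nothing about this cert any more
    revoked_at = crl.revoked.get(cert.serial)
    if revoked_at is not None and revoked_at <= signing_time:
        return "revoked"          # revocationDate taken as cutoff; invalidityDate ignored
    return "valid"

# Constructed sample data: cert expires 1 March; mail signed two days earlier,
# but only opened (and the CRL only fetched) on 10 March.
CERT = Cert(4711, datetime(2001, 3, 1), frozenset({"digitalSignature"}))
SIGNED = datetime(2001, 2, 27)
FETCHED = datetime(2001, 3, 10)
DS = frozenset({"digitalSignature"})

def run_examples() -> dict:
    revoking = Crl(FETCHED, {4711: datetime(2001, 2, 20)}, DS, 4)
    return {
        "plain": signature_status(CERT, SIGNED, Crl(FETCHED, {})),
        "retaining": signature_status(CERT, SIGNED, Crl(FETCHED, {}, DS, 4)),
        "revoked": signature_status(CERT, SIGNED, revoking),
        "stale": signature_status(CERT, SIGNED, Crl(datetime(2001, 4, 15), {}, DS, 4)),
    }
```

Without the indicator the verifier can only answer "indeterminate" once the certificate has expired; with it, the same CRL yields a definite answer until the declared retention window runs out.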