Re: Removing expired certificates from CRLs.....



At 04:11 PM 9/6/01 +0200, Denis Pinkas wrote:

>At 09:41 AM 9/6/01 -0400, Sharon Boeyen wrote:
> > With the 509 meeting coming up in just a couple of weeks, 
> > if we reach consensus that it would be useful to add either 
> > a new extension or a new component to the IDP extension to indicate 
> > that a CRL includes revocation notices for expired certs, 
> > we could probably add it to the 509 WD at that meeting. 
>
>At this time it is more an X.509 discussion, rather than a PKIX discussion.
>Anyway, I would support in principle the idea for X.509. 
>
>The information could be placed either in the certificate or in the CRL.
>Placing it in the CRL has the advantage of not overloading the certificate,
>so this solution should be better. So, if the information is placed in the
>CRL, then the CRL should say something like: certificates which have the 
>keyUsage bits set to XXXX are maintained on the CRL Y weeks after they
>expire.

I agree that the information should be placed in the CRL. This provides the CRL issuer with flexibility.

The idea of specifying keyUsage bits sounds interesting. This could be used to specify that only certificates used to verify signatures (i.e., keyUsage of digitalSignature and/or nonRepudiation) are listed after expiration. I can't think of any compelling reason to include key management certificates after they have expired. However, I'm not sure if the benefit is worth the increased complexity.

I would also suggest a slight re-wording of the meaning of the extension to "this CRL lists all revoked certificates that have expired within the last Y weeks (in addition to all unexpired revoked certificates)." The extension should only specify what is included in that particular CRL; it should not make any promises about what is included in other CRLs. The CRL issuer should always be free to expand or shrink the set of expired certificates covered by its CRLs.

Dave