
Re: Removing expired certificates from CRLs.....



David,

> > > With the 509 meeting coming up in just a couple of weeks,
> > > if we reach consensus that it would be useful to add either
> > > a new extension or a new component to the IDP extension to indicate
> > > that a CRL includes revocation notices for expired certs,
> > > we could probably add it to the 509 WD at that meeting.

> >At this time it is more an X.509 discussion, rather than a PKIX discussion.
> >Anyway, I would support in principle the idea for X.509.

> >The information could be placed either in the certificate or in the CRL.
> >Placing it in the CRL has the advantage of not overloading the certificate,
> >so this solution should be better. So, if the information is placed in the
> >CRL, then the CRL should say something like: certificates which have the
> >keyUsage bits set to XXXX are maintained on the CRL Y weeks after they
> >expire.
 
> I agree that the information should be placed in the CRL. This provides 
> the CRL issuer with flexibility.

> The idea of specifying keyUsage bits sounds interesting. This could be used 
> to specify that only certificates used to verify signatures 
> (i.e., keyUsage of digitalSignature and/or nonRepudiation) are listed after 
> expiration. I can't think of any compelling reason to include key management 
> certificates after they have expired. 

OK.

> However, I'm not sure if the benefit is worth the increased complexity.

Every time a new extension is added, an additional piece of software is
needed to handle it. Yes, this is debatable, but the problem we currently
have is that the only current way to know that certificates are still
maintained in the CRL after they expire is by using the PDS, which is not
machine processable. When PDSs are used, the time certificates are maintained
in the CRL after they expire cannot be changed very often.
 
> I would also suggest a slight re-wording of the meaning of the extension 
> to "this CRL lists all revoked certificates that have expired within the 
> last Y weeks (in addition to all unexpired revoked certificates)."
> The extension should only specify what is included in that particular CRL, 
> it should not make any promises about what is included in other CRLs. 
> The CRL issuer should always be free to expand or shrink the set of 
> expired certificates covered by its CRLs.

I agree. The time may vary from one CRL to the next, so it allows the policy
to be changed over time.

Denis

> Dave
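The following is an added illustration of the relying-party logic the thread is discussing; it is not code from the thread, from X.509 or from PKIX. The thread defines no syntax for the proposed indicator, so it is modelled here as a plain Python object (`ExpiredCertsCoverage`, a hypothetical name) carrying the two parameters mentioned above: the number of weeks Y and the set of keyUsage bits for which expired revoked certificates are retained. The point the example shows is David's wording: the indicator describes only this CRL, so the absence of a serial number from the CRL proves "not revoked" only for unexpired certificates and for expired certificates that this CRL claims to cover; for any other expired certificate the CRL's silence is simply "undetermined". All serials, dates and keyUsage values below are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, FrozenSet, Set

# keyUsage bit names as in X.509 / RFC 5280, used here only as plain strings.
DIGITAL_SIGNATURE = "digitalSignature"
NON_REPUDIATION = "nonRepudiation"
KEY_ENCIPHERMENT = "keyEncipherment"


@dataclass(frozen=True)
class ExpiredCertsCoverage:
    """Hypothetical model of the indicator proposed in the thread.

    Meaning: this CRL lists all revoked certificates that expired within the
    last `weeks` weeks and whose keyUsage contains at least one bit in
    `key_usages` (in addition to all unexpired revoked certificates).
    It makes no statement about any other CRL from the same issuer.
    """
    weeks: int
    key_usages: FrozenSet[str] = frozenset({DIGITAL_SIGNATURE, NON_REPUDIATION})


@dataclass
class Crl:
    this_update: datetime            # CRL thisUpdate field
    revoked_serials: Set[int]        # serial numbers listed on this CRL
    expired_coverage: Optional[ExpiredCertsCoverage] = None  # None: indicator absent


@dataclass
class Cert:
    serial: int
    not_after: datetime              # certificate notAfter field
    key_usage: FrozenSet[str]


def revocation_status(cert: Cert, crl: Crl) -> str:
    """Return 'revoked', 'good' or 'undetermined' for `cert` based on `crl` alone.

    'undetermined' means the CRL's silence about this serial carries no
    information: the certificate had already expired at thisUpdate and this
    CRL does not claim to cover it (no indicator, keyUsage not retained, or
    expiry outside the retention window).
    """
    if cert.serial in crl.revoked_serials:
        return "revoked"
    if cert.not_after >= crl.this_update:
        # Unexpired at thisUpdate: any complete CRL must list it if revoked.
        return "good"
    coverage = crl.expired_coverage
    if coverage is None:
        return "undetermined"
    if not (cert.key_usage & coverage.key_usages):
        # Expired key-management certs are not retained under this policy.
        return "undetermined"
    window_start = crl.this_update - timedelta(weeks=coverage.weeks)
    if cert.not_after < window_start:
        # Expired before the window this CRL promises to cover.
        return "undetermined"
    return "good"


def demo() -> dict:
    """Constructed sample data: one CRL with the indicator, one without."""
    this_update = datetime(2024, 6, 1, tzinfo=timezone.utc)
    with_indicator = Crl(this_update, {1}, ExpiredCertsCoverage(weeks=4))
    without_indicator = Crl(this_update, {1})
    sig = frozenset({DIGITAL_SIGNATURE})
    kem = frozenset({KEY_ENCIPHERMENT})
    certs = {
        "listed_expired_sig": Cert(1, datetime(2024, 5, 20, tzinfo=timezone.utc), sig),
        "unexpired": Cert(2, datetime(2024, 12, 31, tzinfo=timezone.utc), sig),
        "expired_sig_in_window": Cert(3, datetime(2024, 5, 20, tzinfo=timezone.utc), sig),
        "expired_sig_too_old": Cert(4, datetime(2024, 3, 1, tzinfo=timezone.utc), sig),
        "expired_kem_in_window": Cert(5, datetime(2024, 5, 20, tzinfo=timezone.utc), kem),
    }
    return {
        name: (revocation_status(c, with_indicator), revocation_status(c, without_indicator))
        for name, c in certs.items()
    }


if __name__ == "__main__":
    for name, (with_ind, without_ind) in demo().items():
        print(f"{name:24s} with indicator: {with_ind:12s} without: {without_ind}")
```

Note that a certificate expired within the window but outside the retained keyUsage set (the key-management certificate above) is "undetermined" even on a CRL that carries the indicator, which is exactly the trade-off David describes: the CRL issuer can keep the retained set small, and the relying party can tell from the CRL itself when that set does not answer its question.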