
RE: Removing expired certificates from CRLs.....




     Because of unscheduled CRL publication, would it not make sense to
recommend a minimum period of time after expiration before revoked NR
certificates get removed from CRLs?  In practice, specifying that they
should be kept for a week or so beyond expiration would not cause CRL
bloat, which can admittedly become a serious problem if all CRL entries are
kept forever.

          Tom Gindin



"Flynn, Michael" <MFlynn@xxxxxxxxxxxx>@mail.imc.org on 09/05/2001 01:02:33
PM

Sent by:  owner-ietf-pkix@xxxxxxxxxxxx


To:   "'Ryan Hurst'" <ryanh@xxxxxxxxxxxx>, IETF-PKIX <ietf-pkix@xxxxxxx>
cc:
Subject:  RE: Removing expired certificates from CRLs.....


Ryan,

Ryan wrote:


Now logically it makes sense to remove certificates that are expired from
CRLs to control size; yes, this has a negative point, specifically that it
prevents CRLs from being used as a non-repudiation source, but this is moot
due to many other issues.

At least regarding removing expired certs from CRLs, I would think that
non-repudiation can be satisfied by keeping the old CRLs in backup storage
for some length of time.  That time being how far back in time a contract
dispute might go; ten years, twenty?   So long as you could get them off
tape for the lawyers to look at, the legal process would be satisfied; they
don't need to be online forever.





Michael





 -----Original Message-----
 From: Ryan Hurst [mailto:ryanh@xxxxxxxxxxxx]
 Sent: Tuesday, September 04, 2001 8:50 PM
 To: IETF-PKIX
 Subject: Removing expired certificates from CRLs.....



 I was speaking with Peter Williams today about the removal of expired
 certificates from CRLs; I have always been under the belief that this
 behavior was optional, I vaguely remembered reading text in 2459 along
 those lines; additionally I know of several commercial CAs that do not
 remove the expired certificates from their CRLs. Peter on the other hand
 was under the impression that it was a mandate to remove CRLs; he too
 remembered reading text in 2459 to support his position.





 So we each pulled out the RFC and found that we were both right!
 Specifically both sections 3.3 and 8.6.2.2 have text on this subject:





 3.3  Revocation


 When a certificate is issued, it is expected to be in use for its entire
 validity period.  However, various circumstances may cause a certificate
 to become invalid prior to the expiration of the validity period.





 ....

 An entry is added to the CRL as part of the next update following
 notification of revocation. An entry may be removed from the CRL after
 appearing on one regularly scheduled CRL issued beyond the revoked
 certificate's validity period.

 8.6.2.2 Issuing distribution point extension


 This CRL extension field identifies the CRL distribution point for this
 particular CRL, and indicates if the CRL is limited to revocations for
 end-entity certificates only, for authority certificates only, or for a
 limited set of reasons only. The CRL is signed by the CRL issuer's key-
 CRL distribution points do not have their own key pairs. However, for a
 CRL distributed via the Directory, the CRL is stored in the entry of the
 CRL distribution point, which may not be the directory entry of the CRL
 issuer. If this field is absent, the CRL shall contain entries for all
 revoked unexpired certificates issued by the CRL issuer.





 ....

 The distributionPoint component contains the name of the distribution
 point in one or more name forms. If this field is absent, the CRL shall
 contain entries for all revoked certificates issued by the CRL issuer.
 After a certificate appears on a CRL, it is deleted from a subsequent CRL
 after the certificate's expiry.








 Although section 8.6.2.2 is specifically in regards to CRLdps, any
 difference between full CRLs and CRLdps in this case I feel would be an
 arbitrary one.

 Now logically it makes sense to remove certificates that are expired from
 CRLs to control size; yes, this has a negative point, specifically that it
 prevents CRLs from being used as a non-repudiation source, but this is
 moot due to many other issues.

 That being the case I think, and I believe Peter would agree, the correct
 thing to do is to remove these expired/revoked entries from the CRL.





 The question now is what is the PKIX stance on this matter?

 Ryan M. Hurst
 ValiCert, Inc.

      "It may roundly be asserted that human ingenuity cannot concoct a
      cipher which human ingenuity cannot resolve."
      -Edgar Allan Poe
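As an added illustration, not part of this thread or of any CA's code, the following Python models the section 3.3 rule Ryan quotes (an entry may be dropped once it has appeared on one regularly scheduled CRL issued after the certificate expired) together with the post-expiry grace period Tom suggests at the top of the thread. The data model, function names, the treatment of unscheduled CRLs and the sample dates are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List


@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime
    not_after: datetime          # end of the revoked certificate's validity period
    # issue times of the regularly scheduled CRLs this entry has already appeared on
    scheduled_appearances: List[datetime] = field(default_factory=list)


def make_entry(serial: int, revoked: str, not_after: str) -> RevokedEntry:
    """Build an entry from ISO-8601 date strings (constructed sample data)."""
    return RevokedEntry(serial, datetime.fromisoformat(revoked),
                        datetime.fromisoformat(not_after))


def removable(entry: RevokedEntry, now: datetime, grace: timedelta) -> bool:
    """RFC 2459 section 3.3: the entry may be dropped once it has appeared on at
    least one regularly scheduled CRL issued after the certificate expired.
    `grace` is the extra post-expiry retention Tom proposes (assumption, not RFC)."""
    if now < entry.not_after + grace:
        return False
    return any(t > entry.not_after for t in entry.scheduled_appearances)


def issue_crl(entries: List[RevokedEntry], issued: str, scheduled: bool,
              grace_days: int = 0) -> List[int]:
    """Return the serials carried on a CRL issued at `issued`.  Only regularly
    scheduled CRLs are recorded as appearances: an unscheduled (emergency) CRL
    issued just after expiry does not satisfy the 'one regularly scheduled CRL'
    condition, which is the hazard Tom's grace period guards against."""
    now = datetime.fromisoformat(issued)
    grace = timedelta(days=grace_days)
    kept = [e for e in entries if not removable(e, now, grace)]
    if scheduled:
        for e in kept:
            e.scheduled_appearances.append(now)
    return [e.serial for e in kept]


if __name__ == "__main__":
    # constructed sample: one certificate revoked in August, expiring 1 Sept 2001
    db = [make_entry(0x1001, "2001-08-01", "2001-09-01")]
    print(issue_crl(db, "2001-08-15", scheduled=True))   # still valid, carried
    print(issue_crl(db, "2001-09-02", scheduled=True))   # first scheduled CRL past expiry
    print(issue_crl(db, "2001-09-03", scheduled=False))  # may now be dropped
```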