[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Removing expired certificates from CRLs.....

To: Tom Gindin <tgindin@xxxxxxxxxx>
Subject: Re: Removing expired certificates from CRLs.....
From: Denis Pinkas <Denis.Pinkas@xxxxxxxx>
Date: Fri, 07 Sep 2001 13:34:12 +0200
Cc: IETF-PKIX <ietf-pkix@xxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: Integris. A Bull Company
References: <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Hello Tom !


>      Because of unscheduled CRL publication, would it not make sense to
> recommend a minimum period of time after expiration before revoked NR
> certificates get removed from CRL's?  In practice, specifying that they
> should be kept for a week or so beyond expiration would not cause CRL
> bloat, which can admittedly become a serious problem if all CRL entries are
> kept forever.

Such recommendation would be nice, but only usable in "closed environments"
where it can be known that this policy is enforced. In "open environments"
in order to allow the use of CRLs which include certificates even after they
expire, some indication SHALL be present in the CRL to know whether or not
it includes such certificates.

Denis 
 
>           Tom Gindin
> 
> "Flynn, Michael" <MFlynn@xxxxxxxxxxxx>@mail.imc.org on 09/05/2001 01:02:33
> PM
> 
> Sent by:  owner-ietf-pkix@xxxxxxxxxxxx
> 
> To:   "'Ryan Hurst'" <ryanh@xxxxxxxxxxxx>, IETF-PKIX <ietf-pkix@xxxxxxx>
> cc:
> Subject:  RE: Removing expired certificates from CRLs.....
> 
> Ryan,
> 
> Ryan wrote::
> 
> Now logically it makes sense to remove certificates that are expired from
> CRLs to control size, yes this has a negative point specifically it
> prevents CRLs from being used as a non-repudiation source; but this is mute
> due to many other issues.
> 
> At least regarding removing expired certs from CRLs, I would think that
> non-repudiation can be satisfied by keeping the old CRLs in back up storage
> for some length of time.  That time being how far back in time a contract
> dispute might go; ten years, twenty?   So long as you could get them off
> tape for the lawyers to look at the legal process would be satisfied, they
> don't need to be online forever.
> 
> Michael
> 
>  -----Original Message-----
>  From: Ryan Hurst [mailto:ryanh@xxxxxxxxxxxx]
>  Sent: Tuesday, September 04, 2001 8:50 PM
>  To: IETF-PKIX
>  Subject: Removing expired certificates from CRLs.....
> 
>  I was speaking with Peter Williams today about the removal of expired
>  certificates from CRLs; I have always been under the belief that this
>  behavior was optional, I vaguely remembered reading text in 2459 along
>  those lines; additionally I know of several commercial CAs that do not
>  remove the expired certificates from their CRLs. Peter on the other hand
>  was under the impression that it was a mandate to remove CRLs; he too
>  remembered reading text in 2459 to support is position.
> 
>  So we each pulled out the RFC and found that we were both right!
>  Specifically both sections 3.3 and 8.6.2.2 have text on this subject:
> 
>  3.3  Revocation
> 
>  When a certificate is issued, it is expected to be in use for its entire
>  validity period.  However, various circumstances may cause a certificate
>  to become invalid prior to the expiration of the validity period.
> 
>  ....
> 
>  An entry is added to the CRL as part of the next update following
>  notification of revocation. An entry may be removed from the CRL after
>  appearing on one regularly scheduled CRL issued beyond the revoked
>  certificate's validity period.
> 
>  8.6.2.2 Issuing distribution point extension
> 
>  This CRL extension field identifies the CRL distribution point for this
>  particular CRL, and indicates if the CRL is limited to revocations for
>  end-entity certificates only, for authority certificates only, or for a
>  limited set of reasons only. The CRL is signed by the CRL issuer's key-
>  CRL distribution points do not have their own key pairs. However, for a
>  CRL distributed via the Directory, the CRL is stored in the entry of the
>  CRL distribution point, which may not be the directory entry of the CRL
>  issuer. If this field is absent, the CRL shall contain entries for all
>  revoked unexpired certificates issued by the CRL issuer.
> 
>  ....
> 
>  The distributionPoint component contains the name of the distribution
>  point in one or more name forms. If this field is absent, the CRL shall
>  contain entries for all revoked certificates issued by the CRL issuer.
>  After a certificate appears on a CRL, it is deleted from a subsequent CRL
>  after the certificate's expiry.
> 
>  Although section 8.6.2.2 is specifically in regards to CRLdps, any
>  difference between full CRLs and CRLdps in this case I feel would be an
>  arbitrary one.
> 
>  Now logically it makes sense to remove certificates that are expired from
>  CRLs to control size, yes this has a negative point specifically it
>  prevents CRLs from being used as a non-repudiation source; but this is
>  mute due to many other issues.
> 
>  That being the case I think; and I believe Peter would agree the correct
>  thing to do is to remove these expired/revoked entries from the CRL.
> 
>  The question now is what is the PKIX stance on this matter?
> 
>  Ryan M. Hurst
> 
>  ValiCert, Inc.
> 
>       "It may roundly be asserted that human ingenuity cannot concoct a
>       cipher which human ingenuity cannot resolve."
>       -Edgar Allan Poe

References:
- RE: Removing expired certificates from CRLs.....
  - From: Tom Gindin

Prev by Date: Re: Removing expired certificates from CRLs.....
Next by Date: Re: Removing expired certificates from CRLs.....
Previous by thread: RE: Removing expired certificates from CRLs.....
Next by thread: Re: Removing expired certificates from CRLs.....
Index(es):
- Date
- Thread