Re: Removing expired certificates from CRLs.....

[Tim Polk <tim.polk@xxxxxxxx>]

Denis, Tom, et al.

As one of several independent originators of the idea, (Ambarish Malpani is 
another), I thought I ought to weigh in as well.  I had something 
*considerably* simpler in mind.  If a CRL includes revocation information 
for certificates that have expired, a relying party should be able to 
determine that automatically.

I would suggest a noncritical CRL extension with a single value of type 
GeneralizedTime.   The ASN.1 syntax would be

	ExpiredCertsOnCRL ::= GeneralizedTime

As usual with PKIX times, we would require time Zulu with seconds (even if 
zero).

The semantics for the extension would be as follows:

	The scope of a CRL containing this extension is extended to include 
certificates that expired  at the exact time specified in the extension or 
after that time.  If limitations in the CRL's scope are specified (by 
either reason codes or by distribution points), that applies to expired 
certificates as well.

IMHO, we shouldn't make the scope of a CRL different for expired and 
unexpired certificates.  This is a simple idea - let's keep it that way!

BTW, folks were wondering why this hasn't been pursued in PKIX.  This idea 
has been floated a couple of times, but no one was really ready to 
implement it.  We needed to concentrate on the core functionality.  I 
floated the idea again at one of the meetings (in San Diego?) and Ambarish 
said he'd had the same idea and wanted to pursue it.  I asked him to delay 
any new work in this area until the son-of-2459 is approved by the 
IESG.  (Neither of us realized what a long delay we'd agreed to...)

Thanks,

Tim Polk