
RE: Removing expired certificates from CRLs.....



Yes --
	Sorry I have not been in this conversation the past couple of days;
Ambarish keeps me busy ;)

	I have seen several ideas in regard to this extension, but I was
thinking of something much simpler (more like what Tim has recommended): an
extension that would be just like the ArchiveCutOff extension in OCSP.

	ArchiveCutOff ::= GeneralizedTime

My 2c,

Ryan

-----Original Message-----
From: Tim Polk [mailto:tim.polk@xxxxxxxx] 
Sent: Friday, September 07, 2001 2:20 PM
To: Denis Pinkas; Tom Gindin
Cc: IETF-PKIX
Subject: Re: Removing expired certificates from CRLs.....


Denis, Tom, et al.

As one of several independent originators of the idea, (Ambarish Malpani is 
another), I thought I ought to weigh in as well.  I had something 
*considerably* simpler in mind.  If a CRL includes revocation information 
for certificates that have expired, a relying party should be able to 
determine that automatically.

I would suggest a noncritical CRL extension with a single value of type 
GeneralizedTime.   The ASN.1 syntax would be

	ExpiredCertsOnCRL ::= GeneralizedTime

As usual with PKIX times, we would require time Zulu with seconds (even if 
zero).

The semantics for the extension would be as follows:

	The scope of a CRL containing this extension is extended to include 
certificates that expired at the exact time specified in the extension or 
after that time.  If limitations in the CRL's scope are specified (by 
either reason codes or by distribution points), that applies to expired 
certificates as well.

IMHO, we shouldn't make the scope of a CRL different for expired and 
unexpired certificates.  This is a simple idea - let's keep it that way!

BTW, folks were wondering why this hasn't been pursued in PKIX.  This idea 
has been floated a couple of times, but no one was really ready to 
implement it.  We needed to concentrate on the core functionality.  I 
floated the idea again at one of the meetings (in San Diego?) and Ambarish 
said he'd had the same idea and wanted to pursue it.  I asked him to delay 
any new work in this area until the son-of-2459 is approved by the 
IESG.  (Neither of us realized what a long delay we'd agreed to...)

Thanks,

Tim Polk
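The relying-party logic Tim describes above (a CRL with the extension covers certificates that expired at or after the stated time; a CRL without it says nothing about expired certificates), written out as an added example. This is hypothetical helper code for this archive page, not code from any of the thread's participants or from a PKIX implementation; the extension is modelled as a plain string holding the GeneralizedTime value, the time format is checked strictly against the "Zulu with seconds" rule in the post, and the CRL and certificate values below are constructed.

```python
"""Scope check for a CRL carrying the proposed ExpiredCertsOnCRL extension.

Hypothetical example written for this page; the CRL and certificate values
are constructed and the extension is represented as its GeneralizedTime
string rather than as DER.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# PKIX GeneralizedTime as the post requires it: YYYYMMDDHHMMSSZ, seconds
# present even when zero, no fractional seconds, no local UTC offset.
_PKIX_GENTIME = re.compile(r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z")


def parse_pkix_generalized_time(value: str) -> datetime:
    """Parse a GeneralizedTime in the PKIX profile; reject anything looser."""
    m = _PKIX_GENTIME.fullmatch(value)
    if not m:
        raise ValueError(f"not a PKIX GeneralizedTime (need YYYYMMDDHHMMSSZ): {value!r}")
    y, mo, d, h, mi, s = map(int, m.groups())
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def crl_covers(expired_certs_on_crl: Optional[str], cert_not_after: str, now: str) -> bool:
    """True if the CRL's scope includes this certificate.

    Unexpired certificates are always in scope.  An expired certificate is in
    scope only when the extension is present and the certificate expired at
    exactly the extension's time or later; otherwise the CA may already have
    pruned its entry, so the CRL proves nothing about it.
    """
    not_after = parse_pkix_generalized_time(cert_not_after)
    if not_after >= parse_pkix_generalized_time(now):
        return True
    if expired_certs_on_crl is None:
        return False
    return not_after >= parse_pkix_generalized_time(expired_certs_on_crl)


def revocation_status(crl: dict, serial: int, cert_not_after: str, now: str) -> str:
    """Relying-party decision: 'revoked', 'good', or 'unknown' (out of scope).

    A listed serial is revoked regardless of scope.  Absence from the list
    means 'good' only when the certificate is inside the CRL's scope.
    """
    if serial in crl["revoked_serials"]:
        return "revoked"
    if crl_covers(crl.get("expired_certs_on_crl"), cert_not_after, now):
        return "good"
    return "unknown"


# Constructed sample CRL: issued 2001-09-07, carrying the proposed extension
# with a cutoff of 2000-01-01, and two revoked serials (values invented).
SAMPLE_CRL = {
    "this_update": "20010907190000Z",
    "expired_certs_on_crl": "20000101000000Z",
    "revoked_serials": {0x1001, 0x1002},
}

if __name__ == "__main__":
    now = "20010907190000Z"
    # Expired in mid-2000, not listed, inside the extension's window: good.
    print(revocation_status(SAMPLE_CRL, 0x2000, "20000601000000Z", now))
    # Expired in mid-1999, not listed, before the cutoff: unknown.
    print(revocation_status(SAMPLE_CRL, 0x2000, "19990601000000Z", now))
```

The boundary case follows the post's wording literally: a certificate whose notAfter equals the extension value is in scope, so `crl_covers("20000101000000Z", "20000101000000Z", now)` is true. The parser deliberately refuses the shorter `YYYYMMDDHHMMZ` form and offset forms such as `+0100`, which is the check a relying party needs if the extension is to be interpreted unambiguously.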