> You can still publish a CRL for an off-line CA. You will need to establish
> a fairly long expiry time for the CRL if you do not plan to bring the CA
> on-line often. In many cases the Root CA is off-line and only used to issue
> new intermediary CAs or revoke intermediary CAs. You will need to establish
> a very good procedure for startup and shutdown of the root CA (two person
> control, locked in a safe, two person combination on the safe, documenting
> each time the CA is removed, etc.) The reason for documenting the process
> is for audit purposes.
>
> You will also need to document in your CP that the CA is off-line and that
> the onus is on the relying party to verify that an intermediary CA is still
> valid.
I agree that you can still publish a valid CRL for an offline Root CA. The
problem is the following. For example: I issue a CRL with the Root CA with a
validity of, say, a month, and after issuing the CRL I take it offline. During
that month, for example after two weeks, one of the intermediate CAs is
compromised and I have to revoke that CA.

According to the specs I can only issue a CRL which has a validity time that
starts after the current one. This means in practice that I have a valid
intermediate CA for over two weeks, but in reality that intermediate CA is
revoked. How can I let everybody know during that two-week period that the
intermediate CA is compromised, taking into account: "Conforming applications
are NOT REQUIRED to support processing of delta CRLs, indirect CRLs, or CRLs
with a scope other than all certificates issued by one CA"?
Best regards,
Haaino
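To make the timing in Haaino's scenario concrete, here is an added example that is not part of the thread. It is written against Go's standard crypto/x509 package; the helper names (newCA, issueCRL, intermediateStatus, runScenario), the CA names and the fixed clock starting on 2024-01-01 are all invented for the demo. An offline root issues CRL 1 with a 30-day window, the intermediate is declared compromised on day 14, the root is brought online to issue CRL 2 on day 14 listing it, and the relying-party check then shows what each party sees depending on which CRL it holds. The caveat a practitioner would want alongside the thread: RFC 5280 section 5.1.2.5 defines nextUpdate as the date by which the next CRL will be issued, not the earliest date a new one may appear, so CRL 2 can be issued inside CRL 1's window with a higher CRL number (the example checks both). The gap that remains is the one the thread is about: a relying party that cached CRL 1 and refreshes only when it expires keeps treating the intermediate as good until then, which is the argument for a shorter expiry time and for the CP telling relying parties to fetch the current CRL rather than trust a cached one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a CA certificate: self-signed when parent is nil (the root), otherwise issued by parent.
func newCA(cn string, serial int64, from time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             from,
		NotAfter:              from.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign: this CA signs CRLs
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCRL has the root sign a CRL covering thisUpdate..thisUpdate+validFor and parses the DER back as a client would.
func issueCRL(root *x509.Certificate, rootKey ed25519.PrivateKey, number int64, thisUpdate time.Time, validFor time.Duration, revoked []pkix.RevokedCertificate) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(number), // must increase with every CRL the root issues
		ThisUpdate:          thisUpdate,
		NextUpdate:          thisUpdate.Add(validFor),
		RevokedCertificates: revoked,
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, root, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// intermediateStatus is the relying-party check: root signature, then the CRL's own window, then the serial lookup.
func intermediateStatus(crl *x509.RevocationList, root, inter *x509.Certificate, now time.Time) (string, error) {
	if err := crl.CheckSignatureFrom(root); err != nil {
		return "", err
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return "stale", nil // past nextUpdate the CRL must not be relied on; a fresh one is needed
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(inter.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

// runScenario is the added example's timeline (not from the thread): CRL 1 at day 0 for 30 days, compromise and
// CRL 2 at day 14. It returns both CRLs and what a relying party sees on day 14 and day 31 with each CRL in hand.
func runScenario() (crl1, crl2 *x509.RevocationList, seen map[string]string, err error) {
	day0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // fixed demo clock
	day14, day31 := day0.AddDate(0, 0, 14), day0.AddDate(0, 0, 31)
	root, rootKey, err := newCA("Demo Offline Root", 1, day0, nil, nil)
	if err != nil { return nil, nil, nil, err }
	inter, _, err := newCA("Demo Intermediate", 2, day0, root, rootKey)
	if err != nil { return nil, nil, nil, err }
	if crl1, err = issueCRL(root, rootKey, 1, day0, 30*24*time.Hour, nil); err != nil { return nil, nil, nil, err }
	revoked := []pkix.RevokedCertificate{{SerialNumber: inter.SerialNumber, RevocationTime: day14}}
	if crl2, err = issueCRL(root, rootKey, 2, day14, 30*24*time.Hour, revoked); err != nil { return nil, nil, nil, err }
	seen = map[string]string{}
	queries := []struct{ name string; crl *x509.RevocationList; at time.Time }{
		{"day14/crl1", crl1, day14}, {"day14/crl2", crl2, day14}, {"day31/crl1", crl1, day31}, {"day31/crl2", crl2, day31},
	}
	for _, q := range queries {
		if seen[q.name], err = intermediateStatus(q.crl, root, inter, q.at); err != nil { return nil, nil, nil, err }
	}
	return crl1, crl2, seen, nil
}

func main() {
	_, _, seen, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println(seen) // map[day14/crl1:good day14/crl2:revoked day31/crl1:stale day31/crl2:revoked]
}
```

The example fills the RevokedCertificates field, which newer Go releases mark deprecated in favour of RevokedCertificateEntries but still honour on both creation and parsing; it is used here because it builds on older toolchains too. The "stale" branch is the part worth copying: a relying party that keeps serving CRL 1 past its nextUpdate is making exactly the mistake the quoted reply warns about, while one that refreshes on day 14 already sees the intermediate as revoked.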