Re: Offline Root CA with valid CRL hierarchy
Mitchell Arnone wrote:
> I am struggling to see how publishing 30 one-day CRLs and
> storing them on some off-line media is more secure than
> publishing a single 30-day CRL.
The difference arises if an attacker can interfere with
the distribution of new CRLs (replacing the new ones with
old ones, etc.). It's generally much easier to compromise
an online web or directory server than it is to compromise
an offline CA, so this is a very real concern.
In this case, publishing a 30-day CRL allows revoked certs
to continue to work for up to 30 days. Publishing 30 one-day
CRLs (one at a time, ensuring that later ones are not published
prematurely) means that the worst an attacker can do is block
all CRLs (Denial of Service). They can't make a revoked cert
work for more than 1 day.
As you say, pre-issuing CRLs adds some complexity and is
not supported by most CA software. I suggest two alternative
solutions:
1) Have the offline CA use a separate CRL issuer that can be
easily activated. The CRL issuer can issue CRLs every day.
2) Use OCSP. Update the OCSP responder promptly when a cert
is revoked.
Both of these solutions are well supported by the standards
and don't require any special mechanisms.
Steve Hanna
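The replay argument above can be checked numerically. The following simulation is an added example, not code from the thread or from any CA product: it models a CA that issues one CRL per validity period (plus an out-of-cycle CRL on the day of revocation, however the daily issuance is produced), a relying party that applies the usual RFC 5280 freshness checks (thisUpdate/nextUpdate window, CRL number not going backwards), and an attacker who controls the distribution point and keeps serving the newest CRL that does not list the revoked serial. The start date, serial number and revocation day are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed values for the simulation; none of them come from the thread.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # day 0 of the simulation
REVOKED_SERIAL = 0x1234                           # the certificate that gets revoked


@dataclass(frozen=True)
class Crl:
    """The CRL fields a relying party actually checks (RFC 5280, thisUpdate,
    nextUpdate, the CRL Number extension and the revoked-certificates list)."""
    crl_number: int
    this_update: datetime
    next_update: datetime
    revoked: frozenset           # serial numbers listed as revoked


def ca_publications(validity_days, revoke_day, horizon_days):
    """Everything the CA publishes: one CRL per validity period, plus an
    out-of-cycle CRL on the day of revocation. CRLs issued on or after
    revoke_day list the serial; earlier ones do not."""
    issue_days = sorted(set(range(0, horizon_days + 1, validity_days)) | {revoke_day})
    crls = []
    for number, day in enumerate(issue_days):
        this_update = T0 + timedelta(days=day)
        listed = frozenset({REVOKED_SERIAL}) if day >= revoke_day else frozenset()
        crls.append(Crl(number, this_update,
                        this_update + timedelta(days=validity_days), listed))
    return crls


def crl_is_fresh(crl, now, highest_number_seen):
    """Relying-party freshness check: now lies inside [thisUpdate, nextUpdate)
    and the CRL number has not gone backwards relative to what was seen before."""
    return (crl.this_update <= now < crl.next_update
            and crl.crl_number >= highest_number_seen)


def simulate(validity_days, revoke_day, attacker_replays, horizon_days=30):
    """Run one validation per day for horizon_days and count how many days the
    revoked certificate is still accepted and how many days no acceptable CRL
    exists at all (the relying party fails closed on those days)."""
    crls = ca_publications(validity_days, revoke_day, horizon_days)
    highest_seen = 0
    accepted_revoked = no_valid_crl = 0
    for day in range(horizon_days):
        now = T0 + timedelta(days=day, hours=12)
        published = [c for c in crls if c.this_update <= now]
        if attacker_replays:
            # The attacker blocks every CRL that lists the serial and keeps
            # serving the newest one that does not (a replay of an older CRL).
            served = [c for c in published if REVOKED_SERIAL not in c.revoked]
        else:
            served = published
        crl = max(served, key=lambda c: c.crl_number, default=None)
        if crl is None or not crl_is_fresh(crl, now, highest_seen):
            no_valid_crl += 1            # nothing acceptable: cert cannot be validated
            continue
        highest_seen = crl.crl_number
        if day >= revoke_day and REVOKED_SERIAL not in crl.revoked:
            accepted_revoked += 1        # a revoked cert just validated successfully
    return {"revoked_cert_accepted_days": accepted_revoked,
            "no_valid_crl_days": no_valid_crl}


if __name__ == "__main__":
    for validity in (30, 7, 1):
        for replay in (False, True):
            print(f"{validity:>2}-day CRLs, attacker replays={replay!s:5}:",
                  simulate(validity, revoke_day=5, attacker_replays=replay))
```

With revocation on day 5, the 30-day CRL replayed by the attacker keeps the revoked certificate working for the remaining 25 days of the month, while with one-day CRLs the replayed CRL expires within a day and the relying party is left with no acceptable CRL from then on, which is the denial of service the reply describes. The CRL-number check does not help here on its own, because the attacker never lets a newer CRL reach the relying party; it is the short nextUpdate that bounds the exposure to one validity period.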