
Re: Current status of CRL validation ?



Julien,

Yes, a PKIX cert is either revoked or not. Yes, this is strictly enforceable
in X.509 because: (a) a cert has only one issuer and, (b) only that issuer of
the cert can revoke the cert. However, X.509 is unable to allow an RP to
measure with any desired confidence (i.e., desired by the RP) whether a cert 
is revoked or not.

This is due to several unsolvable problems in the X.509/PKIX framework [1]. 
For example, there may be a considerable delay (no warranties on the CAs'
CPSs can be found on upper limits for such delays) between the actual need 
to revoke a certificate and the reflection of this need in a certificate 
chain with different CAs. Further, the major X.509 security application 
today, SSL, still does not check revocation lists or any other revocation
mechanisms -- so they are near to useless. Also, the user is not able to 
check server certificates (and certificates in the CA chains) against 
revocation lists. 

Moreover, PKIX/X.509 revocation is a "will" to revoke but not an actual 
revocation. Few recognize, as you have now hit, that cert revocation
in PKIX/X.509 is a solution to a non-existent problem ... while the real 
problem is left utterly unsolved. The non-existent problem solved by 
PKIX/X.509 cert revocation is how to communicate that a certificate is no 
longer valid ... because if a certificate were really no longer valid 
(as it should be) then no one would need to find the cert revocation to 
know about it. 

Cheers,
Ed Gerck

[1] http://nma.com/mcg-mirror/cert.htm