Re: Proposed Changes to RFC 3280
At 4:32 AM +0100 12/11/04, Massimiliano Pala wrote:
> This could lead to some problems because all clients will query the
> CRL repository upon CRL expiration.

"Could", yes, but so far, we have not heard that this is a problem in
current deployments.

> So my idea is very simple, indeed. I would suggest to leave the field
> OPTIONAL (as in ASN.1).

Maybe I'm misunderstanding the proposal, but it seems like this would
cause *massive* problems for currently-deployed systems that expect
and rely on the nextUpdate field.

> Indeed the default behaviour for today's CAs is to issue new CRLs as
> soon as a certificate is revoked

That may be true for some systems, but it certainly isn't true for others.

> - why being forced to issue a new
> CRL if no new data is indeed available?

Because it is cheap for the CA to do.

> Let me know your comments, if there are no major objections I will
> post a possible patch for the document to the list.

Please consider my worry above about currently-deployed software. If
I'm wrong, no problem, but if I'm right, then I can't imagine that
the benefits of this kind of change would outweigh the difficulties
for current systems.

--Paul Hoffman, Director
--VPN Consortium