
Archive cutoff & Retention period



This item has been separated from my list of other comments since it
might start a new thread.

On page 12 there is section 5.4.4, named "Archive Cutoff".

In part PKIX-1 on page 12, we have the following sentence:

   An entry may be removed from the CRL after appearing on one
   regularly scheduled CRL issued beyond the revoked certificate's
   validity period.

This means that a revoked entry has to stay at least "a little bit"
after the expiration date of the certificate. In practice this is a
few days, but not necessarily years, because the size of the
information to keep would be pretty big. So we need to make a
distinction between a "retention period" of a few days and a possible
archiving of the status information over years (see later).

The "retention period" should be supported by all OCSP responders
and thus should be part of the standard response. Adding a
"retentionPeriod" after the "produceAt" from the ResponseData would
be simpler than defining an extension.

Then, let us address the "Archive Cutoff" issue.

If we were to support the archiving capability, with e.g. a 7-year
retention, we would need an additional time parameter in the request
to point to the equivalent of the right CRL issued at that time, e.g.
7 years ago. This parameter is currently not present. Unless it is
added, the function cannot work. We thus have two options: add the
missing parameter or delete this capability. Opinions?


Denis
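The two rules discussed in the message above, worked through as an added example (this is illustrative code written for this archive page, not code from the PKIX working group or from any OCSP implementation). The first function applies the quoted PKIX-1 CRL rule: a revoked entry may be dropped only once it has already appeared on a regularly scheduled CRL issued after the certificate's notAfter. The second pair models an OCSP responder with a long archive: archiveCutoff is taken as producedAt minus the retention period, and a certificate that expired before that cutoff is outside the responder's knowledge. The final function assumes the extra "as of" time parameter in the request that the message says is currently missing; its name `as_of` and the status strings are this example's own choices, not a standard field. All dates and serial numbers are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class RevokedEntry:
    """One CRL entry plus the certificate's expiry (naive UTC datetimes)."""
    serial: int
    revocation_date: datetime
    cert_not_after: datetime


def may_remove_from_crl(entry: RevokedEntry,
                        crl_issue_dates_listed: Iterable[datetime]) -> bool:
    """PKIX-1 rule: the entry may be removed from the next CRL once it has
    appeared on at least one regularly scheduled CRL issued beyond the
    certificate's validity period (issued after notAfter).

    crl_issue_dates_listed: issue dates of the CRLs on which this entry
    has already been published.
    """
    return any(issued > entry.cert_not_after for issued in crl_issue_dates_listed)


def archive_cutoff(produced_at: datetime, retention: timedelta) -> datetime:
    """archiveCutoff = producedAt - retention period of the responder's archive."""
    return produced_at - retention


def status_covered(produced_at: datetime, retention: timedelta,
                   cert_not_after: datetime) -> bool:
    """A certificate that expired before archiveCutoff is outside the archive:
    the responder retains no revocation information for it."""
    return cert_not_after >= archive_cutoff(produced_at, retention)


def status_as_of(entries: Iterable[RevokedEntry], serial: int,
                 cert_not_after: datetime, as_of: datetime,
                 produced_at: datetime, retention: timedelta) -> str:
    """Hypothetical historical query with an 'as of' time (the parameter the
    message argues is missing from the OCSP request). Returns one of
    'unknown', 'revoked' or 'good' as this example defines them:
    - 'unknown' when as_of lies before the archive cutoff or the certificate
      expired before it (the archive cannot answer for that time);
    - 'revoked' when an archived entry for the serial was revoked at or
      before as_of;
    - 'good' otherwise.
    """
    cutoff = archive_cutoff(produced_at, retention)
    if as_of < cutoff or not status_covered(produced_at, retention, cert_not_after):
        return "unknown"
    match: Optional[RevokedEntry] = next(
        (e for e in entries if e.serial == serial), None)
    if match is not None and match.revocation_date <= as_of:
        return "revoked"
    return "good"


# Constructed sample data: weekly CRLs issued on Mondays, one revoked cert.
ENTRY = RevokedEntry(serial=0x1234,
                     revocation_date=datetime(2001, 6, 1),
                     cert_not_after=datetime(2001, 6, 30))
CRLS_BEFORE_EXPIRY = [datetime(2001, 6, 4), datetime(2001, 6, 11),
                      datetime(2001, 6, 18), datetime(2001, 6, 25)]
CRLS_INCLUDING_ONE_AFTER_EXPIRY = CRLS_BEFORE_EXPIRY + [datetime(2001, 7, 2)]

PRODUCED_AT = datetime(2002, 3, 1)
SEVEN_YEARS = timedelta(days=7 * 365)   # constructed: calendar-naive 7 years


if __name__ == "__main__":
    print("drop after CRLs up to 2001-06-25:",
          may_remove_from_crl(ENTRY, CRLS_BEFORE_EXPIRY))             # False
    print("drop after CRL of 2001-07-02:",
          may_remove_from_crl(ENTRY, CRLS_INCLUDING_ONE_AFTER_EXPIRY))  # True
    print("archiveCutoff:", archive_cutoff(PRODUCED_AT, SEVEN_YEARS).date())
    print("status on 2001-06-15:",
          status_as_of([ENTRY], 0x1234, ENTRY.cert_not_after,
                       datetime(2001, 6, 15), PRODUCED_AT, SEVEN_YEARS))
    print("status on 1990-01-01:",
          status_as_of([ENTRY], 0x1234, ENTRY.cert_not_after,
                       datetime(1990, 1, 1), PRODUCED_AT, SEVEN_YEARS))
```

The contrast between the last two calls is the author's point: with an archive and an "as of" parameter the responder can say "revoked" for a query about June 2001, while a query about a time before the cutoff can only be answered "unknown"; without the parameter the responder cannot even tell which point in time is being asked about.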