On 09/02/2017 10:58, PM Extra wrote:
> Should I remove expired certificates from CRL? If so, how to do this?
Depends if any relying parties are checking old signatures "as of" some securely recorded date of receiving the signature. In that case, they will still need to be able to see, in the latest CRL, if and when a (now expired) certificate was revoked before it expired.

This is also the reason it can be important to add a "backdated" revocation to a CRL, e.g. if a breach of a private key has been detected as happening around a specific time. As always there is the fundamental issue of deciding if the party reporting loss of a private key is lying to deny responsibility for something that was recently signed by that party.

So I would not remove actual revocations from CRL lists, but would instead rotate issuing intermediary certificates such that a new intermediary (with its own CRL) is introduced a few times/year. Some time after all certificates issued by an old intermediary expire, but before the intermediary itself expires, it should sign a "final" CRL that doesn't expire.

Enjoy

Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
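The "as of" check described in the reply, as an added example that is not part of the thread or of OpenSSL: a minimal model of a relying party verifying a signature made at a securely recorded time against the latest (here "final", non-expiring) CRL, with a constructed timeline in which the revocation is backdated to the suspected compromise. It also shows what pruning expired certificates from the CRL does to that check. Serial numbers, dates and function names are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional

UTC = timezone.utc

@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass
class CRL:
    this_update: datetime
    next_update: Optional[datetime]  # None models a "final" CRL that never expires
    # serial -> revocation date; the date may be backdated to the suspected compromise time
    entries: Dict[int, datetime] = field(default_factory=dict)

def crl_is_current(crl: CRL, now: datetime) -> bool:
    """CRL freshness is judged at verification time, not at the signing time."""
    return crl.next_update is None or now < crl.next_update

def valid_as_of(cert: Cert, crl: CRL, signed_at: datetime, now: datetime) -> bool:
    """Was the certificate within its validity period and unrevoked at the recorded signing time?"""
    if not crl_is_current(crl, now):
        raise ValueError("stale CRL: fetch a fresh one before deciding")
    if not (cert.not_before <= signed_at <= cert.not_after):
        return False  # the cert being expired *now* is irrelevant; only signed_at matters
    revoked_at = crl.entries.get(cert.serial)
    return revoked_at is None or signed_at < revoked_at

def prune_expired(crl: CRL, certs: Dict[int, Cert], now: datetime) -> CRL:
    """The operation the question asks about: drop entries whose certificate has expired."""
    kept = {s: d for s, d in crl.entries.items() if now <= certs[s].not_after}
    return CRL(crl.this_update, crl.next_update, kept)

def demo() -> Dict[str, bool]:
    # Constructed timeline: compromise suspected 2016-06-01 and the revocation backdated to it;
    # the certificate expired 2017-01-01; verification happens 2017-09-02 with a final CRL.
    cert = Cert(4242, datetime(2015, 1, 1, tzinfo=UTC), datetime(2017, 1, 1, tzinfo=UTC))
    final_crl = CRL(datetime(2017, 8, 1, tzinfo=UTC), None, {4242: datetime(2016, 6, 1, tzinfo=UTC)})
    now = datetime(2017, 9, 2, tzinfo=UTC)
    before, after = datetime(2016, 3, 1, tzinfo=UTC), datetime(2016, 7, 15, tzinfo=UTC)
    pruned = prune_expired(final_crl, {4242: cert}, now)
    return {
        "signed_before_compromise": valid_as_of(cert, final_crl, before, now),  # True
        "signed_after_compromise": valid_as_of(cert, final_crl, after, now),    # False
        "signed_after_but_pruned_crl": valid_as_of(cert, pruned, after, now),   # True, i.e. wrong
    }
```

Once the entry is pruned, the verifier cannot distinguish "never revoked" from "revoked, then dropped because the certificate expired", which is why the reply keeps revocations and rotates intermediaries instead.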