Re: Should I / How to remove expired certificates from CRL

If you remove expired certificates from the CRL, then CRL consumers have no way of knowing whether a certificate was revoked before it expired, and thus no way of knowing whether a timestamped signature made with the corresponding key is valid.

This is a complex issue, because CRL bloat is a real problem. (That's why we have delta CRLs in the first place.) There's a CRL extension (expiredCertsOnCRL) that should be used if the CRL includes expired certificates.

I've seen a number of discussions on this topic, in such places as the IETF PKIX list. See for example this thread:
https://www.ietf.org/mail-archive/web/pkix/current/msg03776.html

It seems to be difficult to find relevant material with simple web searches, though. The search terms are too common.

I'm sure there are other people on the list who know more about current practices in this area than I do.

Michael Wojcik 
Distinguished Engineer, Micro Focus 



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
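The first paragraph of the reply above describes a consumer-side problem: once a CA prunes expired certificates from its CRL, a relying party checking a timestamped signature can no longer tell whether the signing certificate was revoked before its expiry. The following is an added illustration of that decision logic, not code from the thread or from OpenSSL. It uses a constructed in-memory stand-in for a parsed CRL rather than a real parser, and it assumes the X.509 semantics of the expiredCertsOnCRL extension mentioned in the reply: when present, the CRL still lists revoked certificates that expired on or after the date the extension carries.

```python
"""Signature-time revocation check against a CRL that may or may not still
list expired certificates.  Added example; not code from the original thread.
The data model is a constructed stand-in for a parsed X.509 CRL.

Assumed semantics of expiredCertsOnCRL (X.509): when present, the CRL still
carries revoked certificates that expired on or after the date it holds."""

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


def _utc(*args: int) -> datetime:
    """Constructed helper: build a timezone-aware UTC datetime."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Certificate:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    revoked: Dict[int, datetime]                 # serial -> revocationDate
    expired_certs_on_crl: Optional[datetime] = None  # None: extension absent


def signature_status(cert: Certificate, crl: Crl, signing_time: datetime) -> str:
    """Classify a timestamped signature made at `signing_time` with `cert`.

    "invalid"  signing_time lies outside the certificate's validity period
    "revoked"  the CRL lists the certificate as revoked at or before signing_time
    "good"     the CRL is authoritative for this certificate and does not list
               it (or lists a revocation later than signing_time)
    "unknown"  the certificate expired before this CRL was issued and nothing
               says expired entries were kept, so a pre-expiry revocation may
               have been pruned; the consumer cannot decide
    """
    if not (cert.not_before <= signing_time <= cert.not_after):
        return "invalid"

    revocation_date = crl.revoked.get(cert.serial)
    if revocation_date is not None:
        # Entry present: a revocation at or before the signing time invalidates
        # the signature; a later revocation does not affect it.
        return "revoked" if revocation_date <= signing_time else "good"

    # No entry.  If the certificate was still unexpired when the CRL was
    # issued, the CA had no reason to drop it, so absence means "not revoked".
    if cert.not_after >= crl.this_update:
        return "good"

    # Certificate expired before thisUpdate.  Only expiredCertsOnCRL tells us
    # whether the CA still carries entries for certificates that old.
    if crl.expired_certs_on_crl is not None and cert.not_after >= crl.expired_certs_on_crl:
        return "good"
    return "unknown"


# --- Constructed scenario ---------------------------------------------------
# A signing certificate valid through 2023, revoked mid-2023, and two documents:
# one timestamped before the revocation, one after it.
SIGNING_CERT = Certificate(serial=0x1001, not_before=_utc(2022, 1, 1), not_after=_utc(2023, 12, 31))
REVOKED_AT = _utc(2023, 6, 15)
SIGNED_BEFORE_REVOCATION = _utc(2023, 3, 1)
SIGNED_AFTER_REVOCATION = _utc(2023, 9, 1)

# CRL issued in 2025 that kept the expired entry and says so via expiredCertsOnCRL.
CRL_WITH_EXPIRED = Crl(
    this_update=_utc(2025, 1, 1),
    revoked={0x1001: REVOKED_AT},
    expired_certs_on_crl=_utc(2020, 1, 1),
)

# Same CA, but expired certificates were pruned and no extension was set.
CRL_PRUNED = Crl(this_update=_utc(2025, 1, 1), revoked={})


def demo() -> Dict[str, str]:
    """Run the scenario; returns the classification for each combination."""
    return {
        "kept/before": signature_status(SIGNING_CERT, CRL_WITH_EXPIRED, SIGNED_BEFORE_REVOCATION),
        "kept/after": signature_status(SIGNING_CERT, CRL_WITH_EXPIRED, SIGNED_AFTER_REVOCATION),
        "pruned/before": signature_status(SIGNING_CERT, CRL_PRUNED, SIGNED_BEFORE_REVOCATION),
        "pruned/after": signature_status(SIGNING_CERT, CRL_PRUNED, SIGNED_AFTER_REVOCATION),
    }


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label:14s} {status}")
```

With the full CRL the consumer reaches a definite answer for both documents (the earlier one is good, the later one was signed with a revoked key); with the pruned CRL both come back "unknown", which is exactly the information loss the reply warns about. A consumer that treated "unknown" as "good" here would accept a signature made after key compromise.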
