Julien Pierre wrote:
Technically, the revocation information from CRLs does not expire. nextUpdate only means the CA should have more recent information available, not that the CRL is expired. So I don't see it as wrong to still do the OCSP check.

There is no in-band mechanism other than nextUpdate to rely on to decide that a CRL is expired.


Moreover, RFC 3280 says:
   [The client]... acquires
   a suitably-recent CRL and checks that the certificate serial number
   is not on that CRL. The meaning of "suitably-recent" may vary with
   local policy, but it usually means the most recently-issued CRL.

As a general rule, it's a bad idea to do something that was only reluctantly inserted as a "may" in an RFC.

In a risk analysis, the revocation information from CRLs really expires as soon as it is emitted. It just happens that there might be no way to get fresher information than that. After nextUpdate, you *know*, if the CA is RFC 3280 compliant, that there is fresher information available.

If you really, really want to be sure something is valid, the best way is to timestamp it, and wait until there is a CRL available with a thisUpdate later than the timestamp to check it.

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
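As an added illustration (not code from this thread, NSS or Mozilla), the two freshness notions the reply distinguishes, modelled in Python over constructed CRL fields: a serial listed on a CRL stays revoked however old the CRL, a CRL past nextUpdate is flagged as "fresher information exists" unless local policy accepts it, and a signing timestamp is only vouched for by a CRL whose thisUpdate is later than it. The `Crl` record, `check_crl`, and all dates and serials are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import FrozenSet, Optional

class Verdict(Enum):
    REVOKED = "serial is listed; a revocation entry does not expire with the CRL"
    GOOD = "serial not listed and the CRL is suitably recent"
    STALE = "nextUpdate has passed; an RFC 3280 CA has fresher information"
    PREDATES_TIMESTAMP = "thisUpdate is not later than the timestamp; wait for a newer CRL"
    NOT_YET_VALID = "thisUpdate lies in the future; clock skew or a bad CRL"

@dataclass(frozen=True)
class Crl:                            # hypothetical, holds only the fields this check needs
    this_update: datetime             # when the CA issued this CRL
    next_update: datetime             # when a newer CRL is promised, not an expiry date
    revoked_serials: FrozenSet[int]

def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    return datetime(year, month, day, hour, tzinfo=timezone.utc)

def check_crl(crl: Crl, serial: int, now: datetime,
              timestamp: Optional[datetime] = None,
              accept_past_next_update: bool = False) -> Verdict:
    """Classify `serial` against `crl` as seen at `now`.

    `timestamp` is a trusted signing time for the object being validated; when
    given, only a CRL issued after that moment can vouch for it.
    `accept_past_next_update` is the local policy for "suitably-recent".
    """
    if crl.this_update > now:
        return Verdict.NOT_YET_VALID
    if serial in crl.revoked_serials:
        return Verdict.REVOKED
    if timestamp is not None and crl.this_update <= timestamp:
        return Verdict.PREDATES_TIMESTAMP
    if now > crl.next_update and not accept_past_next_update:
        return Verdict.STALE
    return Verdict.GOOD

if __name__ == "__main__":
    # Constructed sample CRL: issued 10 Jan 2005, next one promised for 17 Jan 2005.
    crl = Crl(utc(2005, 1, 10), utc(2005, 1, 17), frozenset({0x1234}))
    print(check_crl(crl, 0x1234, utc(2005, 1, 12)))   # Verdict.REVOKED
    print(check_crl(crl, 0x5678, utc(2005, 1, 12)))   # Verdict.GOOD
    print(check_crl(crl, 0x5678, utc(2005, 1, 20)))   # Verdict.STALE
    print(check_crl(crl, 0x5678, utc(2005, 1, 20), accept_past_next_update=True))  # Verdict.GOOD
    print(check_crl(crl, 0x5678, utc(2005, 1, 14), timestamp=utc(2005, 1, 12)))   # Verdict.PREDATES_TIMESTAMP
```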