We are running a CA that has thousands of revoked certificates
which leads to CRLs of several MBytes.

    On the next renewal of the CA, we are thinking of partitioning the
CRLs at each X number of issued certificates. The issued certificates
will have different CRL Distribution Points (CDP) according to the
partitions they are assigned.

    For example, for X=100, from certificate 1 to certificate 100, the
CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.

    My question: Is Mozilla/NSS/PSM prepared to support partitioned
CRLs like the way described? In particular, if CRLs are cached, they
must be able to merge several different partitions according to the
CDP to create a unified view over the revocation universe of a CA.


         Nuno Ponte
dev-tech-crypto mailing list
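As an added illustration of the scheme asked about above (example code, not from the poster or from NSS): a relying-party cache that maps a certificate's issue sequence number to its partition CDP and answers revocation queries only from the partition that covers that certificate. It assumes sequence numbers start at 1 and that the CDP layout is exactly the one in the post; the sample partitions are constructed, and the point it shows is that a missing or stale partition must yield "unknown", never "good", and that a merged view is only as fresh as its oldest partition.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

BASE_URL = "http://myca.com/crl/myca-"  # CDP naming from the post


def cdp_for(seq: int, partition_size: int = 100) -> str:
    """Map a certificate's 1-based issue sequence number to its partition CDP."""
    if seq < 1:
        raise ValueError("sequence numbers start at 1 (assumption)")
    index = (seq - 1) // partition_size + 1
    return f"{BASE_URL}{index:04d}.crl"


@dataclass
class PartitionCRL:
    this_update: datetime
    next_update: datetime
    revoked: frozenset  # sequence numbers listed as revoked in this partition


@dataclass
class RevocationCache:
    partitions: dict = field(default_factory=dict)  # CDP URL -> PartitionCRL

    def store(self, cdp: str, crl: PartitionCRL) -> None:
        self.partitions[cdp] = crl

    def status(self, seq: int, now: datetime, partition_size: int = 100) -> str:
        """'revoked', 'good', or 'unknown'. Unknown when the covering partition
        is not cached or is past nextUpdate; an absent partition is not 'good'."""
        crl = self.partitions.get(cdp_for(seq, partition_size))
        if crl is None or now > crl.next_update:
            return "unknown"
        return "revoked" if seq in crl.revoked else "good"

    def unified_view(self, now: datetime):
        """Merge all fresh partitions into one revoked set; the earliest
        nextUpdate among them bounds how long the merged view may be trusted."""
        fresh = [c for c in self.partitions.values() if now <= c.next_update]
        revoked = frozenset().union(*(c.revoked for c in fresh)) if fresh else frozenset()
        expires = min((c.next_update for c in fresh), default=None)
        return revoked, expires


def demo():
    """Constructed sample: partition 1 is fresh, partition 2 is past nextUpdate."""
    now = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)
    cache = RevocationCache()
    cache.store(cdp_for(1), PartitionCRL(now - timedelta(hours=1), now + timedelta(days=1), frozenset({7, 42})))
    cache.store(cdp_for(101), PartitionCRL(now - timedelta(days=3), now - timedelta(days=1), frozenset({150})))
    return cache, now
```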
