Second, a certificate may be retroactively revoked, such as in the case where a private key was compromised, but the fact wasn't noticed until a week later.
There are also potential delays between the time it is noticed and the time it is reported to the CA, and between the time the CA gets the report and the time it publishes a CRL with the revocation.
The point is, to do a truly accurate check according to RFCs, you can only verify a signature or certificate at the current date, with the latest currently available CRL. Anything else is "best effort" with unspecified behavior.
For reasons you mention, even checking against the latest currently available CRL is at most "best effort".
So nextUpdate is really a minimum for the amount of time one should use cached CRLs. The maximum is a matter of local policy, based on a risk assessment.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
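Added example (not part of the thread, not code from any of the posters): a small Python model of the caching rule described above, where nextUpdate is the floor on how long a cached CRL is used and a locally configured policy supplies the ceiling. The CRL fields are assumed to be already parsed into timezone-aware datetimes; the `LocalPolicy` class, the grace period and the maximum-age value are constructed illustrations of "local policy based on a risk assessment", not recommended numbers.

```python
"""Decide whether a cached CRL may still be used.

Assumptions (not from the original message): thisUpdate and nextUpdate have
been parsed from the CRL into timezone-aware datetimes, and LocalPolicy holds
constructed sample values standing in for a site's own risk assessment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    USE_CACHED = "use cached CRL"                       # inside the issuer's window
    REFRESH = "fetch a new CRL; cached copy is fallback"  # past nextUpdate, within grace
    REJECT = "cached CRL too old for local policy"      # refuse to validate with it


@dataclass(frozen=True)
class CachedCrl:
    this_update: datetime   # CRL thisUpdate field
    next_update: datetime   # CRL nextUpdate field (issuer's promised next issue time)


@dataclass(frozen=True)
class LocalPolicy:
    # Time past nextUpdate during which a stale CRL is still tolerated, e.g.
    # while the distribution point is unreachable. Hypothetical policy knob.
    grace_after_next_update: timedelta
    # Hard cap on CRL age measured from thisUpdate, regardless of nextUpdate.
    max_age: timedelta


def decide(crl: CachedCrl, policy: LocalPolicy, now: datetime) -> Decision:
    """nextUpdate is the minimum reuse window; policy sets the maximum."""
    if now < crl.this_update:
        # Clock skew or a CRL dated in the future: do not rely on it, refetch.
        return Decision.REFRESH
    if now - crl.this_update > policy.max_age:
        # Local policy cap wins even if the issuer's nextUpdate is far away.
        return Decision.REJECT
    if now <= crl.next_update:
        # Within the window the issuer itself promised: cached copy is fine.
        return Decision.USE_CACHED
    if now <= crl.next_update + policy.grace_after_next_update:
        # Past nextUpdate but inside the locally accepted grace period.
        return Decision.REFRESH
    return Decision.REJECT


def refresh_schedule(crl: CachedCrl, policy: LocalPolicy) -> tuple[datetime, datetime]:
    """Return (earliest time a refresh is due, last instant the cache may be used)."""
    hard_deadline = min(crl.next_update + policy.grace_after_next_update,
                        crl.this_update + policy.max_age)
    return crl.next_update, hard_deadline


if __name__ == "__main__":
    # Constructed sample CRL: issued Jan 1, issuer promises a new one on Jan 8.
    crl = CachedCrl(datetime(2024, 1, 1, tzinfo=timezone.utc),
                    datetime(2024, 1, 8, tzinfo=timezone.utc))
    policy = LocalPolicy(grace_after_next_update=timedelta(days=2),
                         max_age=timedelta(days=14))
    for day in (5, 9, 12):
        now = datetime(2024, 1, day, tzinfo=timezone.utc)
        print(now.date(), decide(crl, policy, now).value)
    print("refresh due / hard deadline:", refresh_schedule(crl, policy))
```

The `max_age` branch is checked before the nextUpdate comparison on purpose: a site whose risk assessment says "never trust a CRL older than five days" must be able to override an issuer that publishes weekly, which is exactly the "maximum is a matter of local policy" point from the message.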
