Mind you, revocations seem rather rare.
Look at the size of any CA's CRL. Even cacert's CRL seems to have a lot of entries, and seems to have expanded at a significant rate.
Oh, ok! Now, how many of those are actual results of compromise? As opposed to routine replacements or expiries or other benign effects.
I doubt that any of them are due to mere expiration. A CRL is never required to list expired certs. A cert's date of expiration is the end of the issuer's obligation to carry it in the CRL. One reason to issue certs with short expiration times (e.g. only a year, even for keys that are thought to require 50+ years to break) is to mitigate the amount of information that must be carried in the issuer's CRL.
I think it is considered good practice to carry a cert on a CRL for some small time after it expires, but not continually thereafter.
Are we saying that CACert has a lot of compromises already? That would be a surprise.
Let's ask Duane. Duane: why the revocations?
-- Nelson B
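An added example (not from this thread) modelling the rule discussed above: an issuer carries a revoked cert on its CRL only until the cert expires plus a short grace period, so shorter validity periods bound the CRL's steady-state size. It assumes a 30-day grace period and, as the worst case for CRL size, that each cert is revoked on its issue date; the data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RevokedCert:
    serial: int
    revoked_on: date
    not_after: date  # certificate expiry: end of the issuer's obligation to list it


def prune_crl(entries, today, grace=timedelta(days=30)):
    """Return the entries the issuer must still carry on the CRL at `today`.

    A CRL need not list certs that have already expired; this keeps each entry
    for a short grace period after expiry (an assumption, modelling the
    "small time after it expires" practice), then drops it.
    """
    return [e for e in entries if today <= e.not_after + grace]


def simulate_crl_size(validity, revoke_every, horizon, grace=timedelta(days=30)):
    """Steady-state CRL length after `horizon` for an issuer that revokes one
    cert every `revoke_every`, each issued with lifetime `validity`.

    Worst-case assumption: every cert is revoked on its issue date, so it sits
    on the CRL for its whole validity period plus the grace period.
    """
    start = date(2004, 1, 1)  # constructed start date
    end = start + horizon
    entries = []
    serial, t = 1, start
    while t < end:
        entries.append(RevokedCert(serial, revoked_on=t, not_after=t + validity))
        serial += 1
        t += revoke_every
    return len(prune_crl(entries, end, grace))


if __name__ == "__main__":
    five_years = timedelta(days=1825)
    for years in (1, 10):
        size = simulate_crl_size(timedelta(days=365 * years), timedelta(days=5), five_years)
        print(f"{years:2d}-year certs, one revocation per 5 days: CRL carries {size} entries")
```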
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
