Julien Pierre wrote:
To make sure one has the latest revocation information for a particular expired cert, one needs to acquire the latest CRL issued before or at the expiration date of that cert.

No. The first CRL *after* the expiration date.

The reference is at the end of the second paragraph of "3.3. Revocation" in RFC 3280:

   [...] An entry MUST NOT be removed
   from the CRL until it appears on one regularly scheduled CRL issued
   beyond the revoked certificate's validity period.

That means the client has to keep one full CRL for each expired cert he is interested in checking - and clearly it's not affordable, as the cert database will grow without bounds.

In that respect, OCSP gets a distinctive advantage.

And an even stronger advantage if the Archive Cutoff extension is implemented, so that you can request the status after the expiration date and know what the answer you get really means, i.e. know that the 'good' status does not just mean the adequate revocation information has already disappeared from the responder database.
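The two points above (which CRL is authoritative for an expired cert under RFC 3280 3.3, and what an OCSP 'good' is worth without Archive Cutoff) as an added illustration that is not part of the original post; the CRL schedule, serial numbers, dates and the archive-cutoff interpretation are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Crl:
    """Minimal model of one CRL: its thisUpdate time and the serials it lists."""
    this_update: datetime
    revoked_serials: frozenset

def first_crl_after_expiry(not_after, crls):
    """RFC 3280 3.3: the entry must survive until one scheduled CRL issued beyond
    the validity period, so that CRL is the one to consult for an expired cert."""
    later = [c for c in crls if c.this_update > not_after]
    return min(later, key=lambda c: c.this_update) if later else None

def expired_cert_status(serial, not_after, crls):
    """'revoked' or 'good' from the correct CRL; 'unknown' if no such CRL was kept."""
    crl = first_crl_after_expiry(not_after, crls)
    if crl is None:
        return "unknown"
    return "revoked" if serial in crl.revoked_serials else "good"

def latest_crl_status(serial, crls):
    """What a client gets if it only keeps the newest CRL (the unbounded-storage problem)."""
    newest = max(crls, key=lambda c: c.this_update)
    return "revoked" if serial in newest.revoked_serials else "good"

def interpret_ocsp_good(not_after, archive_cutoff):
    """Assumed reading of the OCSP archiveCutoff extension: a 'good' answer for an
    expired cert is only meaningful if the cert expired at or after the responder's
    archive cutoff; otherwise the responder may simply have purged the record."""
    if archive_cutoff is None or not_after < archive_cutoff:
        return "good-unverifiable"
    return "good"

# Constructed sample data (not from the thread): serial 0x1234 expired 30 June 2004
# and was revoked in May; the CA issues a CRL every Monday.
NOT_AFTER = datetime(2004, 6, 30)
CRLS = [
    Crl(datetime(2004, 6, 28), frozenset({0x1234, 0x5678})),
    Crl(datetime(2004, 7, 5), frozenset({0x1234, 0x5678})),   # first CRL beyond notAfter
    Crl(datetime(2004, 7, 12), frozenset({0x5678})),          # entry dropped, as permitted
]

if __name__ == "__main__":
    print(expired_cert_status(0x1234, NOT_AFTER, CRLS))           # revoked
    print(latest_crl_status(0x1234, CRLS))                        # good (misleading)
    print(interpret_ocsp_good(NOT_AFTER, datetime(2004, 1, 1)))   # good
    print(interpret_ocsp_good(NOT_AFTER, datetime(2005, 1, 1)))   # good-unverifiable
```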
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto