On 5/9/05, Julien Pierre <[EMAIL PROTECTED]> wrote:
> Jean-Marc,
>
> Jean-Marc Desperrier wrote:
>
> >> What do you do with a piece of code signed by a certificate that
> >> you have as revoked once the certificate has expired?
> >
> > And how do you solve that with OCSP ? You keep certs indefinitely in the
> > OCSP responder ? Anyway the current signature implementation in Mozilla
> > has no way of verifying signatures after the cert has expired.
>
> That means the client has to keep one full CRL for each expired cert he
> is interested in checking - and clearly it's not affordable, as the cert
> database will grow without bounds. This requirement could be relaxed if
> the client had a way to know how long the CA keeps certs on its CRL
> after the certs expire. The default according to specs is that they get
> dropped off the CRL immediately at expiration.
For codesigning CRLs VeriSign is currently taking the hit and keeps advising that revoked certificates are revoked long after they expire, because of limitations in software clients which will hopefully someday be upgraded with respect to revocation checking. This is very expensive for us but we do it anyway, even for platforms and CAs where we have no obligation to do so of any kind in terms of our policies and practices, nor contractually with any of the platform providers etc.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
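The thread turns on one mechanism: once a CA drops expired certificates from its CRL, a client checking a signature made with a now-expired certificate learns nothing from a fresh CRL, so it must either have kept an older CRL or the CA must retain entries past expiry. The Python model below is an added example written for this page, not code from the thread, from Mozilla or from VeriSign. Everything in it is constructed: the certificate, serial number, dates and the `keep_after_expiry` retention window are made-up values, and it assumes the signing time comes from a trusted timestamp so that a signature made before the revocation date still counts as good. The defender-relevant point it shows is that a verifier must distinguish "not on this CRL" from "this CRL can no longer say", and report the latter as undetermined rather than good.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revoked_at: datetime
    not_after: datetime  # the cert's expiry, so the issuer can age the entry out


@dataclass
class CRL:
    this_update: datetime
    # How long the issuer keeps entries for expired certs. None models the
    # behaviour the thread calls the default: the entry is dropped at expiration.
    keep_after_expiry: Optional[timedelta]
    entries: dict = field(default_factory=dict)

    def covers(self, not_after: datetime) -> bool:
        """True if a cert expiring at `not_after` would still be listed here
        had it been revoked; False means this CRL is silent about it."""
        if not_after >= self.this_update:
            return True  # cert was still valid when this CRL was produced
        if self.keep_after_expiry is None:
            return False  # dropped at expiry
        return self.this_update <= not_after + self.keep_after_expiry


class CRLIssuer:
    """Constructed CA-side model: the master revocation list plus a retention policy."""

    def __init__(self, keep_after_expiry: Optional[timedelta]):
        self.keep_after_expiry = keep_after_expiry
        self._master: dict = {}

    def revoke(self, cert: Cert, when: datetime) -> None:
        self._master[cert.serial] = RevokedEntry(cert.serial, when, cert.not_after)

    def issue(self, now: datetime) -> CRL:
        """Produce the CRL a client would download at time `now`."""
        crl = CRL(now, self.keep_after_expiry)
        for entry in self._master.values():
            if crl.covers(entry.not_after):
                crl.entries[entry.serial] = entry
        return crl


def check_signature(cert: Cert, signed_at: datetime, crl: CRL) -> str:
    """Status of a signature made at `signed_at` (assumed to be a trusted
    timestamp), judged against one CRL: good, revoked, undetermined or
    outside-validity."""
    if not (cert.not_before <= signed_at <= cert.not_after):
        return "outside-validity"
    entry = crl.entries.get(cert.serial)
    if entry is not None:
        return "revoked" if entry.revoked_at <= signed_at else "good"
    # No entry. That only means "not revoked" while the CRL still covers the cert.
    return "good" if crl.covers(cert.not_after) else "undetermined"


# Constructed test data: a one-year code-signing cert, revoked mid-life,
# used to sign something after the revocation date.
CERT = Cert(serial=1001, not_before=datetime(2004, 1, 1), not_after=datetime(2005, 1, 1))
REVOKED_AT = datetime(2004, 6, 1)
SIGNED_AT = datetime(2004, 9, 1)


def scenario(keep_days: Optional[int], crl_issued_on: str) -> str:
    """Verify SIGNED_AT against the CRL a client would fetch on `crl_issued_on`
    from a CA that keeps expired entries for `keep_days` (None = drop at expiry)."""
    keep = None if keep_days is None else timedelta(days=keep_days)
    issuer = CRLIssuer(keep)
    issuer.revoke(CERT, REVOKED_AT)
    return check_signature(CERT, SIGNED_AT, issuer.issue(datetime.fromisoformat(crl_issued_on)))


if __name__ == "__main__":
    for keep_days, when in [(None, "2004-12-01"), (None, "2005-03-01"),
                            (365, "2005-03-01"), (365, "2006-03-01")]:
        print(f"keep={keep_days!s:>4} crl@{when}: {scenario(keep_days, when)}")
```

With the drop-at-expiry policy the verdict flips from revoked to undetermined as soon as the CRL is issued after the cert's expiry; with a 365-day retention window the same CRL still says revoked for a year, and then becomes silent again. A client that wants to keep checking old signatures therefore needs to know that window (or retain the last CRL that covered the cert), which is exactly the information the message says clients currently lack.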
