Hi,

> there is another problem with CRL. We have a state problem. If a CRR is
> approved then it is archived too because we need no CA cert for this
> operation. Should we remove the state archived or approved for CRRs? If
> we set the state of the certificate to the state REVOKED then the job is
> done or should we set the state of the CRR to archived only if the first
> CRL with the revoked cert is available?

IMO the certificate is revoked as soon as the final approval for
the CRR has been given. This operation is final and irreversible, so
it makes perfect sense to archive the CRR.
CRLs are asynchronous by design, but an OCSP responder would operate
on the database information, so the revocation is instantaneous from
the point of view of an OCSP user.
Consequently, the certificate status should be set to REVOKED immediately
after final approval in the RA, I think.

Binding any actions to CRL issuance is not useful, IMO, it's simply
a private key operation that signs a snapshot of local data.

Just my thoughts, of course.

> Perhaps this sounds a little bit pedantic but CRLs are critical for the
> infrastructure.

Not pedantic at all, I think.

cu

Martin
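The state flow Martin argues for, modelled as a small added example (not OpenCA code; the names CRR, CertStore, approve_crr, ocsp_status and issue_crl, and the state strings, are invented here): final CRR approval revokes the certificate in the database and archives the CRR at once, an OCSP answer reads that state immediately, and a CRL is only a snapshot of whatever is revoked when it is signed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Illustrative model only: CRR/CertStore/issue_crl/ocsp_status are invented
# names, and the state strings are assumptions, not OpenCA's own.
VALID, REVOKED = "VALID", "REVOKED"        # certificate states
PENDING, ARCHIVED = "PENDING", "ARCHIVED"  # CRR states


@dataclass
class CRR:
    """A certificate revocation request for one serial number."""
    serial: int
    reason: str
    state: str = PENDING


@dataclass
class CertStore:
    """The RA/CA database: certificate status and revocation time by serial."""
    status: Dict[int, str] = field(default_factory=dict)
    revoked_at: Dict[int, int] = field(default_factory=dict)
    clock: int = 0  # logical time stamp for revocations

    def approve_crr(self, crr: CRR) -> None:
        """Final approval revokes the cert in the database and archives the
        CRR at once; nothing waits for a CRL to be signed."""
        if crr.state != PENDING:
            raise ValueError("CRR already processed")
        self.clock += 1
        self.status[crr.serial] = REVOKED
        self.revoked_at[crr.serial] = self.clock
        crr.state = ARCHIVED  # irreversible operation, so archive immediately

    def ocsp_status(self, serial: int) -> str:
        """An OCSP responder answers from the live database, so REVOKED is
        visible as soon as approve_crr() has run."""
        return self.status.get(serial, "unknown")

    def issue_crl(self) -> List[Tuple[int, int]]:
        """A CRL is just a signed snapshot of the revoked set at signing time
        (signing omitted here): (serial, revocation time) pairs."""
        return sorted(self.revoked_at.items())


def demo() -> Tuple[List[Tuple[int, int]], str, List[Tuple[int, int]], str]:
    store = CertStore(status={1001: VALID, 1002: VALID})
    crl_before = store.issue_crl()             # empty: nothing revoked yet
    crr = CRR(serial=1002, reason="keyCompromise")
    store.approve_crr(crr)
    via_ocsp = store.ocsp_status(1002)         # REVOKED before any new CRL
    crl_after = store.issue_crl()              # next snapshot lists 1002
    return crl_before, via_ocsp, crl_after, crr.state
```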



_______________________________________________
OpenCA-Devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-devel
