Michael Sierchio wrote:
>
> Tridib Saha wrote:
> >
> > Hi everybody,
> >
> > Could you please help me?
> > My problem is following:
> >
> > 1. I am using OpenSSL to generate certificates and a CRL.
> > All revoked certificates will appear in the CRL.
> > 2. After the validity period of the revoked certificates, I don't
> > want my CRL to get crowded with expired (and revoked) certificates.
> > 3. How can I exclude the revoked certificates (which have now expired)
> > from the CRL?
> > Due to this my CRL will keep growing.
>
> Certs which are merely expired should not be in the CRL. Certs which
> have been revoked must always be in the CRL -- in order to perform
> signature validation for a datum which was signed in the past by
> an expired cert, but for which a timestamp exists during the validity
> period of the cert -- if the cert had been revoked before the sig,
> the sig may be invalidated.
This is not correct: the certificate MUST be present only in the next
DUE CRL; afterwards it can be left off the list, according to the RFC.
I suggest that revoked certificates be present in the CRL until their
validity period expires.
If you want to remove the certificate from the CRL, simply modify
the index.txt file, changing the 'R' into 'E' - setting it to expired
instead of revoked.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
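As an added example (not code from any of the posters): a small Python script that applies the index.txt edit described above, turning 'R' entries into 'E' once the certificate has expired, so that the next `openssl ca -gencrl` no longer lists them. It also follows the "present in the next due CRL" rule from the reply: an entry is only switched to 'E' if it expired before the most recent CRL was issued, i.e. it has already appeared on one CRL after its expiry. The sample database, serials and dates are constructed; the tab-separated field layout (status, expiry, revocation date[,reason], serial, filename, subject) is OpenSSL's standard ca database format.

```python
from datetime import datetime, timezone

# Constructed sample of an OpenSSL CA database (index.txt). Fields are tab-separated:
# status (V/R/E), expiry, revocation date[,reason], serial, filename, subject DN.
SAMPLE_INDEX = (
    "V\t301231235959Z\t\t1001\tunknown\t/CN=alice\n"
    "R\t200101000000Z\t190601120000Z,keyCompromise\t1002\tunknown\t/CN=bob\n"
    "R\t301231235959Z\t240301080000Z\t1003\tunknown\t/CN=carol\n"
)


def parse_asn1_time(value):
    """Parse the UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)
    strings that OpenSSL writes into index.txt; returns an aware UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def expire_revoked_entries(index_text, last_crl_issued):
    """Return (new_index_text, changed_serials).

    An 'R' entry whose certificate expired before `last_crl_issued` has already
    been listed on at least one CRL after expiry, so it is rewritten as 'E' with
    an empty revocation field, which makes 'openssl ca -gencrl' drop it.
    Entries that are not revoked, or that are revoked but not yet expired at the
    time of the last CRL, are passed through unchanged."""
    out_lines, changed = [], []
    for line in index_text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, serial = fields[0], fields[1], fields[3]
        if status == "R" and parse_asn1_time(expiry) < last_crl_issued:
            fields[0], fields[2] = "E", ""  # expired instead of revoked
            changed.append(serial)
        out_lines.append("\t".join(fields))
    return "\n".join(out_lines) + "\n", changed


if __name__ == "__main__":
    # Pretend the last CRL was issued on 2024-05-01 (constructed date).
    new_index, moved = expire_revoked_entries(SAMPLE_INDEX, parse_asn1_time("240501000000Z"))
    print("moved to E:", moved)
    print(new_index, end="")
```

Back up index.txt before rewriting it in place, since OpenSSL keeps no other record of the revocation once the 'R' line is gone.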