> So, if that's the case, what would be the downside of making the
> default_crl_days equal to the validity of the CA itself, for example?
> [e.g. If the CA cert is valid for 100 years, why not set the
> default_crl_days to 36500+/- days too?]

Because some clients won't check back for 100 years... Plus, these
things are cached, so the client may check more frequently but the
caching software may check every 100 years.

Gutmann does a good job with CRLs and OCSP in his book Engineering
Security (https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf). See
Chapter 8, PKI. From page 638:

    When a CA issues a CRL, it bundles up a blacklist of
    revoked certificates along with an issue date and a
    second date indicating when the next blacklist will
    become available. A relying party that doesn’t have
    a current CRL is expected to fetch the current one and
    use that to check the validity of the certificate...

Jeff

On Tue, May 6, 2014 at 7:36 PM, Gregory Sloop <gr...@sloop.net> wrote:
> So, I'm working with an EAP-TLS system running under freeradius.
>
> I've setup things to use a CRL [not OCSP] to revoke certificates and
> all works well.
>
> However, the parameter default_crl_days=XXX puzzles me.
>
> Through trial and error [mostly error] I know that if I don't
> regenerate the CRL every default_crl_days, the CRL expires and then
> freeradius won't auth anything at all.
>
> So, I thought - why should I set the default_crl_days to some low
> number. I assume that it [the CRL] can be replaced with a "new" CRL,
> should we need one, long before the default_crl_days limit is reached.
> Is that correct?
>
> So, if that's the case, what would be the downside of making the
> default_crl_days equal to the validity of the CA itself, for example?
> [e.g. If the CA cert is valid for 100 years, why not set the
> default_crl_days to 36500+/- days too?]
>
> I assume there's some other use, other than EAP-TLS, where doing this
> might be a bad plan, but I'm afraid I can't think of one in the
> EAP-TLS context with FreeRadius. Am I missing something?
>
> [And I'd be glad to be pointed to another context, if there is one,
> where setting a very long-ish default_crl_days would be bad - even if
> it's fine in the setting I'm discussing. Knowing would be good
> education.]
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
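The two effects discussed above (a CRL past its nextUpdate makes the verifier reject everything, and a CRL with a 100-year nextUpdate keeps a revoked certificate alive for any client that still holds it) can be reproduced with nothing but the openssl command line. The script below is an added example, not code from the thread or from OpenSSL/FreeRADIUS; the CA, the file names and the 7-day/100-year CRL lifetimes are made up, and it assumes an openssl 1.1.1 or 3.x binary on PATH. default_crl_days in the config is what `openssl ca -gencrl` uses when no -crldays is given; -attime moves the verifier's clock so the expiry case can be shown without waiting.

```sh
#!/bin/sh
# Added example (not from the thread): what a CRL's nextUpdate means to a
# verifier. Assumes `openssl` 1.1.1 or 3.x on PATH; CA, names, paths invented.
set -eu

WORK=$(mktemp -d)
CNF="$WORK/ca.cnf"

# Throwaway CA in the `openssl ca` layout. default_crl_days is 30 here; the
# -gencrl calls below override it with -crldays to show both effects.
setup_demo_ca() {
    mkdir -p "$WORK/ca/newcerts"
    : > "$WORK/ca/index.txt"
    echo 1000 > "$WORK/ca/serial"
    echo 1000 > "$WORK/ca/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
new_certs_dir    = $WORK/ca/newcerts
database         = $WORK/ca/index.txt
serial           = $WORK/ca/serial
crlnumber        = $WORK/ca/crlnumber
certificate      = $WORK/ca/ca.crt
private_key      = $WORK/ca/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext
[ demo_policy ]
commonName       = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no
[ req_dn ]
CN = placeholder
EOF
    openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Demo EAP-TLS CA" \
        -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" 2>/dev/null
}

# Issue a client certificate (EAP-TLS supplicant) named $1.
issue_cert() {
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -config "$CNF" -notext -in "$WORK/$1.csr" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a CRL whose nextUpdate is $1 days from now, written to $2.
gen_crl() {
    openssl ca -config "$CNF" -gencrl -crldays "$1" -out "$WORK/$2" 2>/dev/null
}

# Verify cert $1 against CRL $2, optionally at epoch time $3. Prints a token
# derived from the verifier's error text rather than relying on exit codes.
verify_with_crl() {
    out=$(openssl verify -crl_check -CAfile "$WORK/ca/ca.crt" \
            -CRLfile "$WORK/$2" ${3:+-attime "$3"} "$WORK/$1.crt" 2>&1) || true
    case $out in
        *"CRL has expired"*)     echo CRL_EXPIRED ;;
        *"certificate revoked"*) echo REVOKED ;;
        *": OK"*)                echo OK ;;
        *)                       echo "OTHER: $out" ;;
    esac
}

demo() {
    setup_demo_ca
    issue_cert client1
    issue_cert client2
    gen_crl 36500 crl-100y.pem   # CRL #1: before any revocation, ~100-year nextUpdate
    openssl ca -config "$CNF" -revoke "$WORK/client1.crt" 2>/dev/null
    gen_crl 7 crl-7d.pem         # CRL #2: after revoking client1, 7-day nextUpdate
}

# Named results so the behaviour can be checked, not just read.
stale_cache_result() { verify_with_crl client1 crl-100y.pem; }  # still holding CRL #1
fresh_crl_result()   { verify_with_crl client1 crl-7d.pem; }    # refetched CRL #2
valid_now_result()   { verify_with_crl client2 crl-7d.pem; }
expired_crl_result() { verify_with_crl client2 crl-7d.pem "$(( $(date +%s) + 30 * 86400 ))"; }

demo
printf 'revoked cert, verifier still holding the 100-year CRL: %s\n' "$(stale_cache_result)"
printf 'revoked cert, verifier with the fresh 7-day CRL:        %s\n' "$(fresh_crl_result)"
printf 'good cert, 7-day CRL, checked today:                    %s\n' "$(valid_now_result)"
printf 'good cert, 7-day CRL, checked 30 days from now:         %s\n' "$(expired_crl_result)"
```

The first line is the point of Jeff's answer: the 100-year CRL is still "current" from the verifier's point of view, so a client (or a cache in front of it) that never refetches accepts client1 indefinitely after it was revoked. The last line is the symptom from the original question: once nextUpdate passes, even a never-revoked certificate fails, because the verifier has no CRL it is allowed to trust. A short default_crl_days with a cron job that regenerates and redistributes the CRL well before nextUpdate gives both properties at once.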