Re: [openssl-users] Should I / How to remove expired certificates from CRL
On 09-02-17 10:58, PM Extra wrote: Should I remove expired certificates from CRL? No. The date of the revocation, which can be found in the CRL, is still relevant for checking when older certificates were revoked, in case you ever need to check signatures on older messages. -- Wouter Verhelst -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Should I / How to remove expired certificates from CRL
If you remove expired certificates from the CRL, then CRL consumers have no way of knowing whether a certificate was revoked before it expired, and thus no way of knowing whether a timestamped signature made with the corresponding key is valid. This is a complex issue, because CRL bloat is a real problem. (That's why we have delta CRLs in the first place.) There's a CRL extension (expiredCertsOnCRL) that should be used if the CRL includes expired certificates. I've seen a number of discussions on this topic, in such places as the IETF PKIX list. See for example this thread: https://www.ietf.org/mail-archive/web/pkix/current/msg03776.html It seems to be difficult to find relevant material with simple web searches, though. The search terms are too common. I'm sure there are other people on the list who know more about current practices in this area than I do. Michael Wojcik Distinguished Engineer, Micro Focus -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Should I / How to remove expired certificates from CRL
On 09/02/2017 10:58, PM Extra wrote: Should I remove expired certificates from CRL? If so, how to do this? Depends if any relying parties are checking old signatures "as of" some securely recorded date of receiving the signature. In that case, they will still need to be able to see, in the latest CRL, if and when a (now expired) certificate was revoked before it expired. This is also the reason it can be important to add a "backdated" revocation to a CRL, e.g. if a breach of a private key has been detected as happening around a specific time. As always there is the fundamental issue of deciding if the party reporting loss of a private key is lying to deny responsibility for something that was recently signed by that party. So I would not remove actual revocations from CRL lists, but would instead rotate issuing intermediary certificates such that a new intermediary (with its own CRL) is introduced a few times/year. Some time after all certificates issued by an old intermediary expire, but before the intermediary itself expires, it should sign a "final" CRL that doesn't expire. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Should I / How to remove expired certificates from CRL
Should I remove expired certificates from CRL?? If so, how to do this?-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users