Re: Should I / How to remove expired certificates from CRL
On 09/02/2017 10:58, PM Extra wrote:
> Should I remove expired certificates from CRL？
> If so, how to do this?
Depends if any relying parties are checking old signatures "as of"
some securely recorded date of receiving the signature.
In that case, they will still need to be able to see, in the latest
CRL, if and when a (now expired) certificate was revoked before it
expired. This is also the reason it can be important to add a
"backdated" revocation to a CRL, e.g. if a breach of a private key
has been detected as happening around a specific time. As always
there is the fundamental issue of deciding if the party reporting
loss of a private key is lying to deny responsibility for something
that was recently signed by that party.
So I would not remove actual revocations from CRL lists, but would
instead rotate issuing intermediary certificates such that a new
intermediary (with its own CRL) is introduced a few times/year.
Some time after all certificates issued by an old intermediary
expire, but before the intermediary itself expires, it should sign
a "final" CRL that doesn't expire.
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
If you remove expired certificates from the CRL, then CRL consumers have no way of knowing whether a certificate was revoked before it expired, and thus no way of knowing whether a timestamped signature made with the corresponding key is valid.
This is a complex issue, because CRL bloat is a real problem. (That's why we have delta CRLs in the first place.) There's a CRL extension (expiredCertsOnCRL) that should be used if the CRL includes expired certificates.