Should I / How to remove expired certificates from CRL


Should I / How to remove expired certificates from CRL

PM Extra

Should I remove expired certificates from CRL?

If so, how to do this?


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Should I / How to remove expired certificates from CRL

Jakob Bohm-7
On 09/02/2017 10:58, PM Extra wrote:
> Should I remove expired certificates from CRL?
> If so, how to do this?
>
Depends if any relying parties are checking old signatures "as of"
some securely recorded date of receiving the signature.

In that case, they will still need to be able to see, in the latest
CRL, if and when a (now expired) certificate was revoked before it
expired.  This is also the reason it can be important to add a
"backdated" revocation to a CRL, e.g. if a breach of a private key
has been detected as happening around a specific time.  As always
there is the fundamental issue of deciding if the party reporting
loss of a private key is lying to deny responsibility for something
that was recently signed by that party.

So I would not remove actual revocations from CRL lists, but would
instead rotate issuing intermediary certificates such that a new
intermediary (with its own CRL) is introduced a few times/year.
Some time after all certificates issued by an old intermediary
expire, but before the intermediary itself expires, it should sign
a "final" CRL that doesn't expire.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

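An added example, not from the thread or from the OpenSSL project: a POSIX shell script that builds a throwaway OpenSSL CA in a temporary directory, issues a certificate whose validity window already lies in the past (so it is expired today), revokes it with `openssl ca -revoke -crl_compromise` (the "backdated" compromise time Jakob describes, which OpenSSL records as the CRL entry's Invalidity Date extension), runs `openssl ca -updatedb` so expired entries get processed, and then regenerates the CRL. The revoked entry is still present: `openssl ca -gencrl` emits every index.txt entry marked `R` whether or not the certificate has since expired, so a relying party checking a 2017 signature can still see when the key stopped being trustworthy. The config section names, subject names, serial number and dates are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the thread): show that an expired, revoked
# certificate stays on the CRL that "openssl ca -gencrl" produces, together
# with its revocation date and the backdated Invalidity Date.
set -eu

# Everything runs in a subshell so the caller's working directory is untouched.
# Prints the CRL in text form on stdout.
demo_expired_cert_on_crl() (
    workdir=$(mktemp -d)
    cd "$workdir"
    mkdir newcerts
    : > index.txt
    echo 1000 > serial      # constructed: serial number of the first issued cert
    echo 01 > crlnumber

    # Minimal CA configuration; section names are assumptions for this demo.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = .
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
serial             = $dir/serial
crlnumber          = $dir/crlnumber
certificate        = $dir/ca.crt
private_key        = $dir/ca.key
default_md         = sha256
default_crl_days   = 30
policy             = demo_policy
[ demo_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

    # Self-signed CA key and certificate (EC keys keep key generation fast).
    openssl req -config ca.cnf -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout ca.key -out ca.crt -subj /CN=DemoCA -days 3650 >/dev/null 2>&1

    # Leaf CSR, issued with a validity window that lies entirely in early 2017,
    # i.e. the certificate is already expired when this script runs.
    openssl req -config ca.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout leaf.key -out leaf.csr -subj /CN=demo-leaf >/dev/null 2>&1
    openssl ca -config ca.cnf -batch -in leaf.csr -out leaf.crt \
        -startdate 170101000000Z -enddate 170301000000Z >/dev/null 2>&1

    # Revoke for key compromise with a compromise time that predates the
    # revocation itself; OpenSSL stores it as the entry's Invalidity Date.
    openssl ca -config ca.cnf -revoke leaf.crt \
        -crl_compromise 20170115000000Z >/dev/null 2>&1

    # Flag expired certificates in the database. Only entries still marked V
    # are changed to E; the revoked entry keeps its R status.
    openssl ca -config ca.cnf -updatedb >/dev/null 2>&1

    # Regenerate the CRL and dump it: the 2017 entry is still listed.
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    openssl crl -in crl.pem -noout -text

    cd /
    rm -rf "$workdir"
)

demo_expired_cert_on_crl
```

Look for `Serial Number: 1000` under "Revoked Certificates", followed by the revocation date, `X509v3 CRL Reason Code: Key Compromise` and `Invalidity Date: Jan 15 00:00:00 2017 GMT`. OpenSSL never prunes such entries on its own; the only way to drop one is to edit index.txt by hand, which is exactly what the replies in this thread argue against.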

Re: Should I / How to remove expired certificates from CRL

Michael Wojcik
In reply to this post by PM Extra
If you remove expired certificates from the CRL, then CRL consumers have no way of knowing whether a certificate was revoked before it expired, and thus no way of knowing whether a timestamped signature made with the corresponding key is valid.

This is a complex issue, because CRL bloat is a real problem. (That's why we have delta CRLs in the first place.) There's a CRL extension (expiredCertsOnCRL) that should be used if the CRL includes expired certificates.

I've seen a number of discussions on this topic, in such places as the IETF PKIX list. See for example this thread:
https://www.ietf.org/mail-archive/web/pkix/current/msg03776.html

It seems to be difficult to find relevant material with simple web searches, though. The search terms are too common.

I'm sure there are other people on the list who know more about current practices in this area than I do.

Michael Wojcik
Distinguished Engineer, Micro Focus




Re: Should I / How to remove expired certificates from CRL

Verhelst Wouter (Consultant)
In reply to this post by PM Extra

On 09-02-17 10:58, PM Extra wrote:
> Should I remove expired certificates from CRL?

No. The date of the revocation, which can be found in the CRL, is still
relevant for checking when older certificates were revoked, in case you
ever need to check signatures on older messages.

--
Wouter Verhelst