On 01/09/2009 12:15 AM, Nelson B Bolyard:
> It requires that CAs NEVER "forget" about any certs they previously issued, not even after they expire. It means that a CA's list of revoked certs will grow boundlessly. It makes CRLs become impractically big.
Well...StartCom NEVER removes a certificate from the CRL once revoked. That's because people tend to view expired certificates as an annoyance, not critical. However a revoked certificate should never be accessible anymore. (Just think about the mozilla.com certificate. I bet that the majority would click through that certificate in case of "expiration", whereas they can't because of revocation. There is an inherent difference between the two).
> CACert tried that once. They had a multi-megabyte CRL (maybe they still do).
We manage however intermediate CA issuers per class and purpose, hence the CRLs stay relatively small. The intermediate CAs are valid for five years, whereas after the fourth year a new issuer takes over (leaving the fifth year for revocations only). That's perhaps another good practice... besides that, OCSP doesn't have the drawback of large downloads anyway - and Firefox doesn't really use CRLs.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
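The rotation scheme described in the reply (five-year intermediates, a new issuer every four years, entries never removed from a CRL) can be checked with a small year-granularity model. This is an added example, not StartCom's code; it assumes that each revoked certificate is recorded in the CRL of the intermediate that issued it, and that a relying party only needs the CRLs of intermediates that have not yet expired. The `year0`, revocation rate and function names are constructed for the illustration.

```python
from collections import defaultdict

# Parameters from the post: intermediates are valid five years and a new
# issuer takes over after the fourth year, so year five serves revocations only.
VALIDITY_YEARS = 5
ISSUING_YEARS = 4


def generation(year0, year):
    """Index of the intermediate that issues end-entity certs in `year`."""
    return (year - year0) // ISSUING_YEARS


def not_after(year0, gen):
    """First year in which intermediate `gen` is expired (exclusive bound)."""
    return year0 + gen * ISSUING_YEARS + VALIDITY_YEARS


def crl_entries(year0, revoked_by_issue_year, year):
    """Compare the two policies in a given `year`.

    revoked_by_issue_year maps an issue year to the number of certs issued in
    that year which get revoked (constructed input). Entries are never removed,
    so a single never-rotated CA carries every entry ever made, while rotation
    lets a relying party ignore CRLs of intermediates that have expired.
    Returns (single_ca_total, rotated_total, largest_single_rotated_crl).
    """
    single = rotated = 0
    per_gen = defaultdict(int)
    for issue_year, n in revoked_by_issue_year.items():
        if issue_year > year:          # not issued yet in the modelled year
            continue
        single += n                    # one CA: list only ever grows
        gen = generation(year0, issue_year)
        if year < not_after(year0, gen):
            rotated += n               # intermediate still valid: CRL needed
            per_gen[gen] += n
    return single, rotated, max(per_gen.values(), default=0)


if __name__ == "__main__":
    year0 = 2005
    revoked = {y: 100 for y in range(year0, year0 + 12)}   # constructed: 100/year
    for y in range(year0, year0 + 12):
        single, rotated, largest = crl_entries(year0, revoked, y)
        print(f"{y}: single CA {single:5d}  rotated {rotated:4d}  largest CRL {largest:4d}")
```

Over the twelve modelled years the single-CA figure climbs to 1200 entries while the rotated total never exceeds 500 (two live intermediates), which is the bound the reply relies on.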