Eddy,
Eddy Nigg wrote:
> On 01/09/2009 12:15 AM, Nelson B Bolyard:
>> It requires that CAs NEVER "forget" about any certs they previously
>> issued, not even after they expire. It means that a CA's list of revoked
>> certs will grow boundlessly. It makes CRLs become impractically big.
>
> Well...StartCom NEVER removes a certificate from the CRL once revoked.
> That's because people tend to view expired certificates as an annoyance,
> not critical. However a revoked certificate should never be accessible
> anymore.

FYI, if a certificate is expired, NSS won't even bother performing a
revocation check on it, either CRL or OCSP. It would be a waste of time,
CPU and network resources to do so, and the revocation information would
be irrelevant since NSS already knows the cert is expired.

I.e. the expiration of the cert is more critical information than its
revocation status - NSS can be certain the cert is no longer valid,
because the validity date has been signed, and there is no point in
checking revocation status.

Yet the PSM UI lets you click to override the expiration of a cert, but
not for revocation. I don't think it makes much sense to override either
case.

Note that the argument about keeping or removing expired certs from
CRLs is mostly about non-realtime protocols, e.g. S/MIME, where old
messages with old certs may need to be reverified. Of course, since
NSS/PSM doesn't do secure timestamps for S/MIME messages, much of this
is academic, even if the CRL grows forever.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
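
The check order described in the message above, and what it means for re-verifying an old S/MIME signature, as an added Python model (not NSS or PSM code, and not part of the original e-mail). The `Cert`, `Crl` and `check` names, the serial and all dates are constructed for illustration, and the historical check assumes the signing time is trusted.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime

class Crl:
    """Model CRL: serial -> revocation time. Counts lookups to show skipped checks."""
    def __init__(self, revoked):
        self.revoked = dict(revoked)
        self.lookups = 0

    def revoked_at(self, serial):
        self.lookups += 1
        return self.revoked.get(serial)

    def pruned(self, now, certs):
        """The CRL a CA would publish if it dropped entries for expired certs."""
        expired = {c.serial for c in certs if c.not_after < now}
        return Crl({s: t for s, t in self.revoked.items() if s not in expired})

def check(cert, crl, at):
    """Signed validity period first; revocation only if the cert is inside it."""
    if at < cert.not_before:
        return "not-yet-valid"
    if at > cert.not_after:
        return "expired"  # no CRL lookup: the signed dates already decide
    when = crl.revoked_at(cert.serial)
    if when is not None and when <= at:
        return "revoked"
    return "good"

def demo():
    # Constructed sample data: revoked mid-2007, expired at the start of 2008.
    cert = Cert(0x1001, utc(2007, 1, 1), utc(2008, 1, 1))
    full = Crl({0x1001: utc(2007, 6, 1)})
    now, signed = utc(2009, 1, 9), utc(2007, 9, 1)
    live = check(cert, full, now)              # real-time check today
    skipped = full.lookups == 0                # revocation was never consulted
    kept = check(cert, full, signed)           # re-verify at signing time, full CRL
    dropped = check(cert, full.pruned(now, [cert]), signed)  # same, pruned CRL
    return live, skipped, kept, dropped

if __name__ == "__main__":
    print(demo())
```

With the full CRL the old signature is rejected as made with a revoked certificate; with the pruned CRL the same signature verifies as good, which is the non-realtime case the last paragraph of the message refers to.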