At 12:42 AM +0200 1/9/09, Eddy Nigg wrote:
>On 01/09/2009 12:15 AM, Nelson B Bolyard:
>>It requires that CAs NEVER "forget" about any certs they previously
>>issued, not even after they expire. It means that a CA's list of revoked
>>certs will grow boundlessly. It makes CRLs become impractically big.
>
>Well...StartCom NEVER removes a certificate from the CRL once revoked. That's
>because people tend to view expired certificates as an annoyance, not
>critical. However a revoked certificate should never be accessible anymore.
>(Just think about the mozilla.com certificate. I bet that the majority would
>click through that certificate in case of "expiration", whereas they can't
>because of revocation. There is an inherent difference between the two).
Eddy, do your postings *always* have to sound like blatant advertising for StartCom, even when you are saying that you make one of the many valid choices? RFC 5280 explicitly allows CAs to only list unexpired certs in their CRLs. In fact, that is the only scenario that is listed; the one that you have chosen is allowed but not emphasized as much as the one that Nelson described.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
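The two policies argued over in this thread (keep every revoked serial forever, or drop entries once the certificate has expired) can be made concrete with a small simulation. The following Python is an added example written for this page, not code from the thread, from StartCom or from any CA software. It models a CA issuing a regularly scheduled CRL under either policy and applies the RFC 5280 section 3.3 rule that an entry may be removed only after it has appeared on at least one scheduled CRL issued beyond the certificate's validity period. The class and function names, the monthly cadence and the 75-day lifetimes are constructed for the illustration. The relying-party check at the end shows the caveat behind Eddy's point: once a CA prunes expired entries, a verifier that does not enforce expiry can no longer learn from the CRL that such a certificate was revoked.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    not_after: datetime          # expiry of the revoked certificate
    revoked_at: datetime
    listed_after_expiry: bool = False  # appeared on a CRL issued past not_after?


class CrlIssuer:
    """Toy CA (constructed for this example) that issues scheduled CRLs.

    prune_expired=False: the policy described for StartCom above, entries
    stay on the CRL forever, so it grows without bound.
    prune_expired=True:  the minimal policy RFC 5280 section 3.3 permits.
    """

    def __init__(self, prune_expired: bool) -> None:
        self.prune_expired = prune_expired
        self.entries: dict[int, RevokedEntry] = {}

    def revoke(self, serial: int, not_after: datetime, now: datetime) -> None:
        self.entries[serial] = RevokedEntry(serial, not_after, now)

    def issue_crl(self, now: datetime) -> list[int]:
        """Issue one scheduled CRL and return the serials it lists."""
        if self.prune_expired:
            # RFC 5280 s3.3: an entry MUST NOT be removed until it has appeared
            # on one regularly scheduled CRL issued beyond the certificate's
            # validity period. Entries that already did so may be dropped now.
            self.entries = {s: e for s, e in self.entries.items()
                            if not e.listed_after_expiry}
        listed = sorted(self.entries)
        # Record which of the entries on this CRL are already past expiry,
        # so the next issuance knows they have satisfied the rule.
        for serial, e in self.entries.items():
            if now > e.not_after:
                self.entries[serial] = replace(e, listed_after_expiry=True)
        return listed


def simulate(prune_expired: bool, months: int = 12) -> list[int]:
    """Revoke one certificate per monthly CRL (constructed workload); each
    certificate expires 75 days after revocation. Returns CRL size per issuance."""
    start = datetime(2009, 1, 1, tzinfo=timezone.utc)
    ca = CrlIssuer(prune_expired)
    sizes = []
    for i in range(months):
        now = start + timedelta(days=30 * i)
        ca.revoke(serial=1000 + i, not_after=now + timedelta(days=75), now=now)
        sizes.append(len(ca.issue_crl(now)))
    return sizes


def certificate_status(serial: int, not_after: datetime, crl_serials: list[int],
                       now: datetime, enforce_expiry: bool = True) -> str:
    """Relying-party check. Expiry must be evaluated before the CRL lookup:
    a pruning CA is allowed to omit expired certificates, so a verifier that
    skips the expiry check (enforce_expiry=False) would report a revoked but
    expired certificate as good."""
    if enforce_expiry and now > not_after:
        return "expired"
    if serial in crl_serials:
        return "revoked"
    return "good"


if __name__ == "__main__":
    print("keep forever :", simulate(prune_expired=False))
    print("prune expired:", simulate(prune_expired=True))
```

With the constructed workload the "keep forever" CRL grows by one entry per issuance, while the pruning CRL levels off at four entries (three issuances while the certificate is valid plus the one post-expiry appearance the RFC requires). The `enforce_expiry=False` branch exists only to show the failure mode; a real validator always rejects an expired certificate before consulting revocation data.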