On 01/09/2009 07:11 PM, Paul Hoffman:
At 12:42 AM +0200 1/9/09, Eddy Nigg wrote:
On 01/09/2009 12:15 AM, Nelson B Bolyard:
It requires that CAs NEVER "forget" about any certs they previously
issued, not even after they expire. It means that a CA's list of revoked
certs will grow boundlessly. It makes CRLs become impractically big.
Well... StartCom NEVER removes a certificate from the CRL once revoked. That's because
people tend to view expired certificates as an annoyance, not critical. However, a revoked
certificate should never be accessible anymore. (Just think about the mozilla.com
certificate. I bet that the majority would click through that certificate in case of
"expiration", whereas they can't because of revocation. There is an inherent
difference between the two.)
Eddy, do your postings *always* have to sound like blatant advertising for
StartCom, even when you are saying that you make one of the many valid choices?
Some CAs which participate here refer to what they are doing - in this
specific case I think it was relevant to show the experience in not
removing the entries in the CRL/OCSP. Or how else should I have told you
that there were no negative effects if done correctly? But I agree with
you that it shouldn't look like an advertisement for the organization I
work for. I'll try to refrain from mentioning it whenever possible.
RFC 5280 explicitly allows CAs to only list unexpired certs in their CRLs. In
fact, that is the only scenario that is listed; the one that you have chosen is
allowed but not emphasized as much as the one that Nelson described.
Correct, still I believe in the point I made before, based on
experience. Apparently others thought the same independently of me.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
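To make the two CRL policies discussed in this thread concrete, here is an added example (not from the thread, nor StartCom's or Mozilla's code) that models both in plain Python: the "never forget" policy, and the RFC 5280 section 5 rule that an entry may be dropped only after it has appeared on at least one regularly scheduled CRL issued beyond the certificate's validity period. The certificate, dates and CRL schedule are constructed; the relying-party checks are illustrative, not any real validator's logic.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

@dataclass
class Cert:
    serial: int
    not_after: datetime
    revoked_at: Optional[datetime] = None   # None: never revoked

@dataclass
class Crl:
    this_update: datetime
    entries: Dict[int, datetime]            # serial -> revocation date

def issue_crl(certs: List[Cert], now: datetime, prev: Optional[Crl],
              prune_expired: bool) -> Crl:
    """Build the scheduled CRL issued at `now`, given the previous one."""
    entries = {}
    for c in certs:
        if c.revoked_at is None or c.revoked_at > now:
            continue    # not (yet) revoked
        if (prune_expired and prev is not None
                and prev.this_update > c.not_after
                and c.serial in prev.entries):
            continue    # RFC 5280 s5: already published once past notAfter, may drop
        entries[c.serial] = c.revoked_at
    return Crl(now, entries)

# Constructed scenario: revoked 1 Dec 2008, expires 1 Jan 2009, weekly-ish CRLs.
CERT = Cert(serial=4242, not_after=datetime(2009, 1, 1),
            revoked_at=datetime(2008, 12, 1))
SCHEDULE = [datetime(2008, 12, 15), datetime(2009, 1, 5), datetime(2009, 1, 12)]

def run(prune_expired: bool) -> List[Crl]:
    crls, prev = [], None
    for when in SCHEDULE:
        prev = issue_crl([CERT], when, prev, prune_expired)
        crls.append(prev)
    return crls

def crl_lists(cert: Cert, crl: Crl) -> bool:
    return cert.serial in crl.entries

def naive_check(cert: Cert, crl: Crl) -> str:
    """Relying party that lets expiry be clicked through and trusts the CRL alone."""
    return "revoked" if crl_lists(cert, crl) else "good"

def check(cert: Cert, crl: Crl, now: datetime) -> str:
    """Expiry is a hard failure first: a pruned CRL says nothing about expired certs."""
    if now > cert.not_after:
        return "expired"
    return "revoked" if crl_lists(cert, crl) else "good"
```

With pruning, the third CRL no longer carries the serial, so a validator that lets expiry be clicked through would report the revoked certificate as "good"; the never-forget policy keeps it listed, which is the behaviour Eddy is arguing for.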