On 01/12/2009 11:56 AM, Jean-Marc Desperrier:
Eddy Nigg wrote:
[...] No exception can be added for revoked certificates, but for
expired ones it's possible - hence it suggests that revocation is more
severe than expired (if one can think in those terms). Or how would you
explain that?
As I have already found myself in the situation of really needing to
override an expired certificate, I beg to differ and find an explanation.
In the case of revoked certificates, you have positive proof that the CA
wants that cert to be revoked.
Indeed! That was the point I was trying to make (and why i believe that
expired but revoked certificates should never be removed from the CRL).
Considering that intermediate CAs are more and more common and the
encouraged practice anyway (and required by EV), those CRLs shouldn't
grow that badly until the issuing CA certificate expires. As Julien also
mentioned, some CAs keep the revoked certs for a period of N years in
the CRL - with intermediates assumed limited life-time, we aren't really
far from that.
In the case of expired certificates, you just don't know. So it leave
the possibility that you have out of band information that the key is
not compromised and that you should be able to access the site.
Yes, I view an expired certificate differently than a revoked one. There
are indeed situations which require to access a site with an expired cert.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
