Dear Mr. Nesset:
I don't know whether you are making the mistake or not, but
since (a) CRLs are not quite worked out in PEM RFCs, and (b)
we also didn't pay such a serious attention to CRL
management, maybe there are some mutual MISUNDERSTANDINGS
about the issue, so let me explain the essence of our
certificate system:
1. All verifications of certificates are performed LOCALLY
at the user station, since all valid certificates (your own,
plus all up to the top of PEM hierarchy - IPRA, plus all of
your partners and all those from them up to the top) are
earlier retrieved, verified and stored in your local
database.
2. When you initially register, generate your certificate
and send it to your CA for signature, you will receive back
from your local CA: (1) your own signed certificate, (2)
your CA's certificate, and (3) all certificates at your
branch, up to the top of the hierarchy. At the moment when
you receive them, your user PEM agent will automatically
verify them and if OK, store them in your local database.
3. When you receive the PEM letter from someone, it will
contain two certificates: partner's and his/her CA's. If
that is not enough for verification (since these may belong,
completely or partially, to a certificate path outside of
yours), PEM user agent will automatically send special
Certificate request letter to the first CA in your
partner's path whose certificate is missing. The reply will
contain the required, plus all certificates up to the top of
the partner's path. When received, all these certificates
will be again verified and stored in your database.
4. Similar to 3. is the case when you want to send to
someone the ENCRYPTED PEM letter and you don't have his/her
certificate in local database.
5. Now to situations with EXPIRED Certificates:
5.1. If you want to use any of your locally stored
certificates, WHOSE DATE HAS EXPIRED, then you must retrieve
again the fresh certificate, which is done as step 4., but
only ONCE.
5.2. If some CA in the path of your partner has changed its
certificate, then your verification of certificates when
verifying the received letter, will fail because you have
the old certificate of that CA in your database. In that
moment you must get the new certificate as in step 3.
6. The only remaining situation not covered with 5.1. and
5.2. is the case when you receive some long delayed PEM
letter, so that it just happens that its creation date is
older than the current certificate of the sender which you
have in your database. In that case you must get the
certificate of your partner valid at the time of the
creation of the letter (and that's really the case of usage of
the EXPIRED certificates).
---------------------------------------------
Currently, we have no automatic and optimized version of the
story above. We have the following functions operational:
(1) storing the old certificates at the CA when the new
request for signature arrives,
(2) all certificate functions described above (1. to 4.),
(3) we have no functions 5. and 6., since after all, we
have "extended" enough RFC 1424 with all described
certificate management functions.
As the conclusion, we believe that you don't need CRLs each
time, since the situations when you really need them are
very rare. We have no practical experience, but we have the
feeling that it's much "cheaper" to ask for the CRL which you
need (occasionally) than to receive all of them every time,
even if you don't need them at all. We also believe that
PEM designers (or all of us) should put a little additional
effort into certificate management functions within PEM in
RFC 1424. As I said, we have already some of our own
extensions to that system.
Regards,
Sead Muftic
COST Computer Security Technologies AB
Stockholm, Sweden
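The certificate-path handling described in steps 1 to 6 of the message above, modelled as a worked example. This is added illustration, not code from COST or from the PEM agent the message describes. It assumes a local database keyed by name, a directory of CAs that answers certificate request letters and keeps its superseded certificates (the "storing the old certificates at the CA" function), and an HMAC under the issuer's key as a stand-in for the RSA signature on a certificate; every name, key and date is constructed for the example.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime as D


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes            # subject's key (stands in for the public key in a PEM certificate)
    not_before: D
    not_after: D
    sig: bytes            # issuer's signature over tbs()

    def tbs(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.key.hex()}|{self.not_before}|{self.not_after}".encode()

    def valid_at(self, when: D) -> bool:
        return self.not_before <= when <= self.not_after


def issue(issuer_key, subject, issuer, key, nb, na) -> Cert:
    # Constructed stand-in for the CA's RSA signature: an HMAC under the issuer's key.
    draft = Cert(subject, issuer, key, nb, na, b"")
    return Cert(subject, issuer, key, nb, na, hmac.new(issuer_key, draft.tbs(), "sha256").digest())


def signed_by(cert, issuer) -> bool:
    return hmac.compare_digest(hmac.new(issuer.key, cert.tbs(), "sha256").digest(), cert.sig)


class CADirectory:
    # Stand-in for the CAs answering certificate request letters (step 3); keeps every
    # certificate ever issued for a name so an older one can still be served (steps 5.1, 6).
    def __init__(self):
        self.issued = {}

    def add(self, cert):
        self.issued.setdefault(cert.subject, []).append(cert)

    def fetch(self, subject, when):
        for cert in reversed(self.issued.get(subject, [])):   # newest issued first
            if cert.valid_at(when):
                return cert
        return None


def verify_path(db, directory, subject, when, presented=()):
    """Verify `subject` as of `when` (the letter's creation date) up to the locally stored
    IPRA; re-fetch at most once per name; write to `db` only after the whole chain verifies."""
    work = dict(db)                                   # candidates, committed on success
    for cert in presented:                            # certificates carried in the letter
        if cert.issuer != cert.subject:               # never take the top cert from outside
            work[cert.subject] = cert
    fetched = set()

    def refresh(name):                                # one fetch per name
        cert = None if name in fetched else directory.fetch(name, when)
        fetched.add(name)
        if cert is None or cert.issuer == cert.subject:   # the IPRA cert must already be local
            return False
        work[name] = cert
        return True

    chain, name = [], subject
    while True:
        cert = work.get(name)
        # missing or expired (steps 3, 5.1, 6), or no longer matching its child (step 5.2)
        if cert is None or not cert.valid_at(when) or (chain and not signed_by(chain[-1], cert)):
            if refresh(name):
                continue
            return False, []
        chain.append(cert)
        if cert.issuer == cert.subject:               # top of the hierarchy (IPRA)
            if not signed_by(cert, cert):
                return False, []
            for c in chain:                           # store, but never replace a newer one
                if c.subject not in db or c.not_before >= db[c.subject].not_before:
                    db[c.subject] = c
            return True, chain
        name = cert.issuer


def run_cases():
    # Constructed scenario: IPRA, one CA that changes its key in mid-1993, and user "alice".
    ipra_k, ca_k1, ca_k2, alice_k = b"ipra", b"ca-1", b"ca-2", b"alice"
    ipra = issue(ipra_k, "IPRA", "IPRA", ipra_k, D(1993, 1, 1), D(1996, 1, 1))
    ca_old = issue(ipra_k, "CA", "IPRA", ca_k1, D(1993, 1, 1), D(1993, 12, 31))
    alice_old = issue(ca_k1, "alice", "CA", alice_k, D(1993, 1, 1), D(1993, 12, 31))
    ca_new = issue(ipra_k, "CA", "IPRA", ca_k2, D(1993, 7, 1), D(1994, 12, 31))
    alice_new = issue(ca_k2, "alice", "CA", alice_k, D(1993, 8, 1), D(1994, 12, 31))
    directory = CADirectory()
    for c in (ipra, ca_old, alice_old, ca_new, alice_new):
        directory.add(c)
    db, r = {"IPRA": ipra}, {}                         # step 2: only the top is local so far
    ok, chain = verify_path(db, directory, "alice", D(1993, 3, 1))           # step 3
    r["first_contact"] = (ok, [c.subject for c in chain])
    ok, _ = verify_path(db, directory, "alice", D(1993, 9, 1), [alice_new])  # step 5.2
    r["ca_changed"] = (ok, db["CA"] is ca_new)
    ok, chain = verify_path(db, directory, "alice", D(1993, 3, 1))           # step 6
    r["delayed_letter"] = (ok, chain[0] is alice_old, db["alice"] is alice_new)
    bad_ca = issue(b"x", "CA", "IPRA", b"x", D(1993, 1, 1), D(1995, 1, 1))  # forged, unknown key
    bad_user = issue(b"x", "alice", "CA", b"y", D(1993, 1, 1), D(1995, 1, 1))
    ok, chain = verify_path(db, directory, "alice", D(1993, 9, 1), [bad_user, bad_ca])
    r["forged_chain"] = (ok, len(chain))
    return r
```

`run_cases()` walks the four situations in order: the first letter from a partner outside the local path (everything below the IPRA is fetched, verified and stored), a CA that has changed its certificate while the stored copy is still unexpired (the child no longer verifies, so the CA certificate is refreshed once), a long-delayed letter whose creation date predates the stored certificates (the directory serves the certificates valid at that date without downgrading the database), and a letter carrying a forged CA certificate (the chain breaks at the IPRA, which is never replaced from the network, and nothing is stored).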