Anish,
Your message clearly indicates the need to nail down the
semantics of the CRLs more specifically.
As I understand it, a CRL is issued, and the "lastUpdate" field is
set to that issue date. This CRL will be valid until the time noted
in the "nextUpdate" field, at which point a new CRL will be issued to
replace the expired one. During the time in between, it is possible
that one or more certificates may be revoked. However, that revocation
will not be reflected until the nextUpdate of the CRL.
I certainly hope that the last sentence isn't true. I don't have the RFCs
in front of me, but it was always my assumption that if an emergency
CRL were issued by a CA, the PCA would post it (i.e., make it
available for at least a "pull" type of access) IMMEDIATELY. If there
is any ambiguity in the RFC on this issue, we should fix it post haste.
I just checked the RFCs, and must stand corrected, at least in part.
You are correct in stating that the CA would have the updated CRL
available for a "pull" type of access. Assuming that the CA sends an
updated CRL to the PCA, the PCA would also have it available for a
pull access. But that still doesn't solve the problem. If I (as a user)
have a valid CRL for a CA, I have no way of knowing whether or not an
emergency CRL was issued. I think the "certificate confirmation" method
is a good idea. I also stand behind the idea that the "nextUpdate" field
should be used only to place an upper bound on the time that a new CRL
will be issued, and shouldn't be construed as an "expiration" date for
the CRL. In theory, the CRL could be invalid immediately after it were
issued, if a certificate were revoked shortly thereafter.
As for your recommendations, I agree with every one of them - especially
the one about the user agent deciding how "stale" a CRL can be. This
is an issue which we have come across in trying to apply PEM in practice.
I would recommend, however, that this be a system-tailorable
(or, even, user-tailorable) setting, since different messages may have
different priorities.
- Anish
----------------------------------------------------------------------------
Anish Bhimani | "LAPD - We treat you like a King."
Enterprise Network Integrity, Bellcore | -- T-shirt seen on Venice Beach
anish(_at_)ctt(_dot_)bellcore(_dot_)com
(908) 699-5571 (phone) (908) 336-2969 (fax)
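The freshness policy discussed in this thread, written out as an added example (not code from the original message or from any PEM implementation): nextUpdate is treated only as an upper bound on when the next CRL will appear, the user agent applies its own staleness limit chosen by message priority, and it pulls a newer CRL from the repository when the cached one is too old for that priority. The class and function names, the policy values, the repository stub and the sample CRLs are all assumptions constructed for this illustration.

```python
"""Freshness policy for a cached CRL: an added illustration of the thread's
points. nextUpdate bounds when the next CRL is issued; it is not an expiry.
A user agent applies a tailorable staleness limit per message priority and
pulls a fresher CRL when the cached one exceeds it. All names, policy values
and sample CRLs below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, Optional


class Priority(Enum):
    ROUTINE = "routine"
    NORMAL = "normal"
    URGENT = "urgent"


class Verdict(Enum):
    FRESH = "fresh"        # within the staleness limit for this priority
    REFRESH = "refresh"    # too old for this priority: pull a newer CRL first
    INVALID = "invalid"    # lastUpdate in the future or an empty window


@dataclass(frozen=True)
class CRL:
    issuer: str
    last_update: datetime          # issue time (the "lastUpdate" field)
    next_update: datetime          # upper bound on the next issue time
    revoked_serials: frozenset


@dataclass
class StalenessPolicy:
    """Maximum accepted CRL age per priority (system- or user-tailorable).
    None means any age up to nextUpdate is acceptable; a timedelta tightens
    that bound for messages that matter more."""
    max_age: Dict[Priority, Optional[timedelta]]

    def limit_for(self, crl: CRL, priority: Priority) -> timedelta:
        window = crl.next_update - crl.last_update
        configured = self.max_age.get(priority)
        return window if configured is None else min(window, configured)


def assess_crl(crl: CRL, now: datetime, priority: Priority,
               policy: StalenessPolicy) -> Verdict:
    """Judge a CRL's usability for a message of the given priority."""
    if crl.next_update <= crl.last_update or now < crl.last_update:
        return Verdict.INVALID
    age = now - crl.last_update
    return Verdict.FRESH if age <= policy.limit_for(crl, priority) else Verdict.REFRESH


def check_certificate(serial: int, cache: Dict[str, CRL], issuer: str,
                      now: datetime, priority: Priority, policy: StalenessPolicy,
                      pull: Callable[[str], Optional[CRL]]) -> str:
    """Return 'revoked', 'good' or 'unknown'. If the cached CRL is too stale
    for this priority, pull from the repository (the CA/PCA posting) first;
    without a CRL fresh enough to decide, answer 'unknown' rather than 'good'."""
    crl = cache.get(issuer)
    if crl is None or assess_crl(crl, now, priority, policy) != Verdict.FRESH:
        fresher = pull(issuer)
        if fresher is not None and (crl is None or fresher.last_update > crl.last_update):
            cache[issuer] = crl = fresher
        if crl is None or assess_crl(crl, now, priority, policy) != Verdict.FRESH:
            return "unknown"
    return "revoked" if serial in crl.revoked_serials else "good"


# --- constructed sample data (hypothetical CA, serials and times) ---
T0 = datetime(1994, 3, 1, 12, 0, tzinfo=timezone.utc)
ROUTINE_CRL = CRL("CA-1", T0, T0 + timedelta(days=7), frozenset({1001}))
# An emergency CRL issued two days later, before the scheduled nextUpdate,
# adding serial 1042; a user holding ROUTINE_CRL cannot tell it exists.
EMERGENCY_CRL = CRL("CA-1", T0 + timedelta(days=2), T0 + timedelta(days=7),
                    frozenset({1001, 1042}))
POLICY = StalenessPolicy({Priority.ROUTINE: None,
                          Priority.NORMAL: timedelta(days=3),
                          Priority.URGENT: timedelta(hours=12)})
REPOSITORY = {"CA-1": EMERGENCY_CRL}   # what a pull from the PCA returns


def repository_pull(issuer: str) -> Optional[CRL]:
    return REPOSITORY.get(issuer)


if __name__ == "__main__":
    now = T0 + timedelta(days=2, hours=1)
    for prio in Priority:
        cache = {"CA-1": ROUTINE_CRL}
        print(prio.value, check_certificate(1042, cache, "CA-1", now, prio,
                                            POLICY, repository_pull))
```

With the sample data, a routine message at T0 plus 49 hours accepts the week-old CRL and reports serial 1042 as good, exactly the gap the thread worries about; an urgent message exceeds its 12-hour limit, pulls the emergency CRL and reports it revoked.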