Nelson B wrote:
> Ian Grigg wrote:
>> Mind you, revocations seem rather rare.
> Look at the size of any CA's CRL.
> Even cacert's CRL seems to have a lot of entries, and seems to
> have expanded at a significant rate.

Oh, ok! Now, how many of those are actual
results of compromise? As opposed to routine
replacements or expiries or other benign
effects.

> I doubt that any of them are due to mere expiration.
> A CRL is never required to list expired certs.
> A cert's date of expiration is the end of the issuer's
> obligation to carry it in the CRL.
> One reason to issue certs with short expiration times (e.g. only
> a year, even for keys that are thought to require 50+ years to
> break) is to mitigate the amount of information that must be carried
> in the issuer's CRL.

Aha! I always wondered about that. It occurred
to me that selling 1 year certs was simply and
solely a revenue stream, when the cost of production
was the same for any length. Now we have a reason,
which is to keep the CRLs short. Makes sense.
(It's not a particularly good reason, but at least
it's a fair reason. Revocation is probably costly.)

> I think it is considered good practice to carry a cert on
> a CRL for some small time after it expires, but not continually
> thereafter.

It makes some sort of sense, from an over-cautious
approach. So, one way to know is to check all the
certs that stay in the list from year to year. Those
might be revocations.
iang
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
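The thread above turns on two mechanical points: an issuer may drop a revoked certificate from its CRL once the certificate has expired (RFC 5280 section 3.3 only requires it to appear on one regularly scheduled CRL past the end of its validity period, which is the "small time after it expires" Nelson mentions), so short certificate lifetimes bound the CRL's size; and Ian's suggested way of reading a CRL, which is to look for serial numbers that survive from one year's snapshot to the next. The following model is an added example written for this page, not code from either poster or from any CA; the certificate population, issue dates, revocation rate and snapshot dates are all constructed, and `simulate` and the other function names are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an issued certificate."""
    serial: int
    not_before: date
    not_after: date


@dataclass(frozen=True)
class Revocation:
    """Constructed stand-in for one CRL entry's source event."""
    serial: int
    revoked_on: date


def crl_entries(revocations, certs, as_of, grace_days=0):
    """Serials the issuer still has to carry on the CRL issued at `as_of`.

    An entry for a certificate that has already expired may be dropped
    (RFC 5280 sec. 3.3); `grace_days` models the practice of carrying it a
    little past expiry so that it appears on at least one CRL issued after
    the certificate's validity period ended.
    """
    by_serial = {c.serial: c for c in certs}
    keep = set()
    for r in revocations:
        if r.revoked_on > as_of:
            continue  # not yet revoked at the time of this snapshot
        cert = by_serial[r.serial]
        if cert.not_after + timedelta(days=grace_days) >= as_of:
            keep.add(r.serial)
    return keep


def persistent_serials(older, newer):
    """Ian's heuristic: entries present in two successive yearly snapshots."""
    return older & newer


def simulate(lifetime_days, years=3, certs_per_year=100, revoke_every=10,
             grace_days=0):
    """Issue `certs_per_year` certs each January 1st (constructed data),
    revoke every `revoke_every`-th one 30 days after issue, and return the
    CRL contents as of December 31st of each year."""
    certs, revocations = [], []
    for y in range(years):
        issued = date(2000 + y, 1, 1)
        for i in range(certs_per_year):
            serial = y * certs_per_year + i
            certs.append(Cert(serial, issued,
                              issued + timedelta(days=lifetime_days)))
            if i % revoke_every == 0:
                revocations.append(
                    Revocation(serial, issued + timedelta(days=30)))
    return [crl_entries(revocations, certs, date(2000 + y, 12, 31), grace_days)
            for y in range(years)]


if __name__ == "__main__":
    # Same revocation rate, two lifetimes: 1-year certs keep the CRL flat,
    # 50-year certs make it grow by every year's revocations.
    for lifetime in (365, 50 * 365):
        snaps = simulate(lifetime)
        sizes = [len(s) for s in snaps]
        carried = [len(persistent_serials(a, b))
                   for a, b in zip(snaps, snaps[1:])]
        print(f"lifetime {lifetime:5d} days: CRL sizes per year {sizes}, "
              f"entries carried over year to year {carried}")
```

With one-year certificates every entry falls off within a year of being added, so nothing persists between yearly snapshots and the CRL stays the size of one year's revocations; with fifty-year certificates every revocation is carried for the rest of the reader's lifetime and the list grows without bound. That is the size argument for short lifetimes. It also shows the limit of the year-to-year heuristic: against a CA that issues only one-year certificates it finds nothing, because no entry can outlive its certificate by more than the grace period.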