Julien Pierre <[EMAIL PROTECTED]> writes:

>CRLs don't grow without bounds, because the CAs can drop the revoked
>certs from the CRLs as soon as the cert expires, i.e. when the CRL
>thisUpdate is later than the cert's notAfter field.
>
>CAs are allowed to keep the certs on CRLs longer, even indefinitely if
>they wish, but they are under no obligation to do so according to the
>standards.

Actually a number of CAs do do this (thus making the CRLs grow without bounds) because when their legal people looked at it they found there was some legal requirement to keep a public record of invalid items. I can't remember the exact details (the discussion was some time ago), but their legal advice was that if you wanted things to stand up in court, you had to maintain explicitly invalidated certs on the CRL forever (or at least for 20 years or something similar). It's a PKI version of the difference between an honourable and a dishonourable discharge from the military.

Peter.

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
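The two retention policies discussed in this thread (drop an entry once the certificate has expired, or keep every entry forever) can be modelled directly. The example below is added here and is not code from the thread or from any CA's software. It encodes the pruning rule slightly more strictly than the quoted text states it: RFC 5280 section 5 requires that an entry MUST NOT be removed until it has appeared on one regularly scheduled CRL issued beyond the certificate's validity period, so an issuer may drop an entry only once the previous CRL's thisUpdate is already later than the certificate's notAfter. It also makes the practical point that a CRL entry carries only the serial and revocation date, not the certificate's notAfter, so the issuer needs its own certificate database to prune at all. The names `RevokedEntry`, `prune_crl_entries` and `simulate_crl_sizes`, the 30-day months and the revocation rates are constructed for this example.

```python
"""Model of CRL entry retention: RFC 5280 pruning vs. keep-forever (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RevokedEntry:
    """One CRL entry (a revokedCertificates element): serial plus revocation time.

    Note what is NOT here: the certificate's notAfter. The CRL alone cannot
    tell the issuer when an entry may be dropped; that needs the cert database.
    """
    serial: int
    revocation_date: datetime


def prune_crl_entries(entries: List[RevokedEntry],
                      cert_not_after: Dict[int, datetime],
                      prev_update: Optional[datetime],
                      retain_forever: bool = False) -> List[RevokedEntry]:
    """Return the entries that the next CRL must still carry.

    RFC 5280 section 5: an entry MUST NOT be removed until it has appeared on
    one regularly scheduled CRL issued beyond the certificate's validity
    period. Hence an entry may go only once the *previous* CRL's thisUpdate
    (prev_update) is later than the certificate's notAfter, i.e. that CRL
    already listed it after expiry. retain_forever models the CAs the thread
    describes that never drop anything.
    """
    kept: List[RevokedEntry] = []
    for entry in entries:
        not_after = cert_not_after.get(entry.serial)
        if retain_forever or not_after is None or prev_update is None:
            # Unknown expiry or no prior CRL: dropping could silently
            # un-revoke a still-valid certificate, so keep the entry.
            kept.append(entry)
        elif prev_update <= not_after:
            # Still valid, or expired but not yet listed on a post-expiry CRL.
            kept.append(entry)
        # else: already listed on a CRL issued after notAfter -> may be dropped
    return kept


def simulate_crl_sizes(months: int, revoked_per_month: int,
                       cert_lifetime_months: int,
                       retain_forever: bool = False) -> List[int]:
    """Issue one CRL per 30-day month and record how many entries each carries.

    Constructed assumptions: a steady revocation rate, each revoked cert issued
    at the start of the month it is revoked in, and a fixed cert lifetime.
    """
    epoch = datetime(2020, 1, 1, tzinfo=timezone.utc)
    month = lambda i: epoch + timedelta(days=30 * i)  # noqa: E731
    entries: List[RevokedEntry] = []
    cert_not_after: Dict[int, datetime] = {}
    sizes: List[int] = []
    serial = 0
    prev_update: Optional[datetime] = None
    for m in range(months):
        this_update = month(m)
        for _ in range(revoked_per_month):
            serial += 1
            cert_not_after[serial] = month(m + cert_lifetime_months)
            entries.append(RevokedEntry(serial, this_update))
        entries = prune_crl_entries(entries, cert_not_after, prev_update,
                                    retain_forever)
        sizes.append(len(entries))
        prev_update = this_update
    return sizes


def example_prune() -> List[int]:
    """Constructed two-entry case: returns the serials kept on the next CRL."""
    utc = timezone.utc
    entries = [RevokedEntry(1, datetime(2020, 6, 1, tzinfo=utc)),
               RevokedEntry(2, datetime(2020, 6, 1, tzinfo=utc))]
    not_after = {1: datetime(2021, 1, 1, tzinfo=utc),   # expired, listed once after
                 2: datetime(2023, 1, 1, tzinfo=utc)}   # still valid
    prev = datetime(2021, 6, 1, tzinfo=utc)            # previous CRL, after 1's notAfter
    return [e.serial for e in prune_crl_entries(entries, not_after, prev)]


if __name__ == "__main__":
    print("pruned:  ", simulate_crl_sizes(36, 10, 12))
    print("forever: ", simulate_crl_sizes(36, 10, 12, retain_forever=True))
    print("kept serials:", example_prune())
```

With pruning, the CRL size levels off at (lifetime + 2) months' worth of revocations, because each entry lives for its validity period plus one scheduled CRL after expiry; with retain_forever it grows linearly, which is exactly the unbounded growth Peter describes. Whether a CA prunes is thus a policy choice, not something a relying party can infer from the CRL itself.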