2009/2/4 Jason Haar Jason.Haar@trimble.co.nz:
Steve Hoffman wrote:
I don't believe this is correct functionality. The "next update" field is not an expiration of the CRL, but more of an indicator that you, as the holder of the CRL, should obtain a new one. ...
I'd like to suggest removing this check.
Hi there
I think you're right Steve - but I'd not like to see that check disappear :-)
Hello,
I do not concur with your conclusion. The next update field is a protection against the following scenario:
- CRL #1 on Monday, next update "some day": empty
- Tuesday: I lose my certificate -> new CRL #2, next update "another day" and indicating my certificate as revoked.
If the server does not verify the field "next update", it can run with CRL #1 forever, ignoring the revocation of my certificate.
In fact, the field "next update" is a compromise between good confidence in the veracity of the CRL and the cost of updating a CRL on all servers which use the CRL. This compromise has to be decided by the CA itself, according to (defined by, in fact) the Certification Policy. The server, using certificates and CRLs which mention the Certification Policy, has to apply the policy, which means refusing the connection when the CRL is expired.
Next to this topic, I posted a "strange CRL verification behaviour" mail on "Mon Nov 3 15:44:43 CET 2008" because I was baffled by the LOG "CRL passed" when in fact no CRL was found to verify a certificate.
Ref: RFC 2527 - Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (http://tools.ietf.org/html/rfc2527). See §4.4.4 Certificate Suspension and Revocation.
-- Christophe Nanteuil