CAcert System Admins discussion list

[Wytze van der Raay <wytze AT cacert.org>]

Op 11-4-2013 0:38, 
ulrich AT cacert.org
 schreef:
> ...
> probably there exist applications that don't support OCSP
> so we have to take care for crl distribution\

Well maybe, although RFC 5280 says:
 "Conforming CAs are not required to issue CRLs if other revocation or
  certificate status mechanisms are provided."
So in principle we can conform by only supporting OCSP.

> but is there a chance to install an incremental update?
> fix current crl as master, and the new update revision
> as an incremental crl on top of the base crl file ?!?

As far as I know, there is no support for generating such delta crls
in openssl, the software package that we currently use for certificate
management. So this would require a huge change ...

> from http://tools.ietf.org/html/rfc5280
> describes at least the
> 4.2.1.15. Freshest CRL (a.k.a. Delta CRL Distribution Point)
> mechanism ...

Note that RFC 5280 also says:
  "Conforming applications are not required to support processing of
   delta CRLs, ..."
so delta CRLS would not be a panacea for all client applications.

> ...
> from my understanding, if we can move forward this such
> an idea, we probably have to update the cps first, can we ?!?

I have no idea. What I did find quite revealing and interesting to
note is that RFC 5280 also says loud and clear:
  "A full and complete CRL lists all unexpired certificates issued
   by a CA that have been revoked for any reason."
Note the *unexpired* in this sentence ... I'd say this is a very
strong argument for dropping all expired certificates from our
CRLs. While not directly supported by openssl, the software changes
to do that would be fairly simple (drop all expired certificates
from the index file which is used to generate the CRL with openssl).

Regards,
-- wytze

Attachment: smime.p7s
Description: S/MIME-cryptografische ondertekening