cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Wytze van der Raay <wytze AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org, Michael Tänzer <michael.taenzer AT cacert.org>
- Cc: "critical-admin AT cacert.org" <critical-admin AT cacert.org>
- Subject: Re: crl.cacert.org not responding sometimes
- Date: Fri, 18 Oct 2013 14:19:36 +0200
- Organization: CAcert
Hi Michael,
On 18.10.2013 03:48, Michael Tänzer wrote:
> On 17.10.2013 19:52, Wytze van der Raay wrote:
>> ...
>> You mean the above scheme? Besides a change of the signer, it also
>> requires a change to the communication process between signer and
>> webdb server, to deal with updating two rather than one CRL after
>> a revocation.
>
> No I mean a per issuance year scheme. But yes, even that scheme above
> needs changing the CommModule. But that can be done. What bothers me
> more is that the "openssl ca" command we use in the background has no
> option to export a crl without expired entries. So it all comes down to
> rewriting the signer.
The "openssl ca -gencrl" command used to generate a CRL is operating strictly
on the index.txt file. So all that is really needed is a filter for this file
which weeds out the old stuff before running "openssl ca -gencrl". Daniel
Black devised a simple script for that nearly four years ago:
#! /bin/bash
# Filter an "openssl ca" index.txt on stdin: keep only revoked ('R')
# entries whose expiry date (field 2, YYMMDDHHMMSSZ) is later than six
# months ago; everything else is left out of the copy fed to -gencrl.
d=$(date --date '6 months ago' +%y%m%d%H%M%S)
while IFS= read -r line; do
    if [[ ${line:0:1} == 'R' ]]; then
        # chars 2-13 are the 12 expiry digits; 10# forces a base-10 compare
        if [[ 10#${line:2:12} -gt 10#${d} ]]; then
            echo "${line}"
        fi
    fi
done
but it never made it to production :-(. By the way, the "6 months" is to have
some leeway in leaving out expired certs.
Of course then we also need CommModule changes to transfer the additional CRL.
Regards,
-- wytze
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
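The filter idea from the message above, worked out as an added example. This is not Daniel Black's script, not the CAcert signer code and not part of the original post; it is a stand-alone Python version of the same index.txt pre-filter, written to show the parts the twelve-character slice in the shell script does not cover: OpenSSL writes expiry timestamps as YYMMDDHHMMSSZ (UTCTime, before 2050) but as YYYYMMDDHHMMSSZ (GeneralizedTime) from 2050 on, the revocation field may carry a ",reason" suffix, and blank lines should be skipped. The 183-day leeway, the decision to keep V and E entries in the filtered copy, and the sample index lines are all assumptions made for the example.

```python
# Added example, not code from the CAcert signer or from the original post.
# Filter an "openssl ca" index.txt so that revoked entries whose certificate
# expired more than LEEWAY ago are dropped before "openssl ca -gencrl" reads
# the filtered copy. Never overwrite the live index.txt with this output:
# write a separate file and point a copy of the CA config's "database"
# setting at it.
import sys
from datetime import datetime, timedelta, timezone

# Roughly the "6 months ago" of the shell script; the exact leeway is an
# assumption made for this example, not a CAcert policy value.
LEEWAY = timedelta(days=183)


def parse_index_time(value):
    """Parse an index.txt timestamp.

    OpenSSL writes UTCTime as YYMMDDHHMMSSZ (dates before 2050) and
    GeneralizedTime as YYYYMMDDHHMMSSZ (2050 and later); a fixed
    12-character slice only handles the first form.
    """
    digits = value.rstrip("Z")
    fmt = {12: "%y%m%d%H%M%S", 14: "%Y%m%d%H%M%S"}[len(digits)]
    return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)


def filter_index(lines, now, leeway=LEEWAY):
    """Return (kept, dropped) index lines.

    A revoked ('R') entry is dropped once its expiry date lies before
    now - leeway. Valid ('V') and expired ('E') entries are kept unchanged
    so the copy is still a complete database; -gencrl ignores them anyway.
    """
    cutoff = now - leeway
    kept, dropped = [], []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        # Tab-separated: status, expiry, revocation[,reason], serial,
        # filename, subject
        fields = line.split("\t")
        if fields[0] == "R" and parse_index_time(fields[1]) < cutoff:
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped


# Constructed sample database (not real CAcert data); serials and subjects
# are placeholders. Entry 2 is the only one old enough to be dropped when
# "now" is the date of the message above.
SAMPLE_INDEX = [
    "V\t151018120000Z\t\t0A\tunknown\t/CN=valid.example",
    "R\t140101000000Z\t130601120000Z\t0B\tunknown\t/CN=recent-revoke.example",
    "R\t120101000000Z\t110601120000Z,keyCompromise\t0C\tunknown\t/CN=old-revoke.example",
    "E\t130101000000Z\t\t0D\tunknown\t/CN=expired.example",
    "R\t20500101000000Z\t130601120000Z\t0E\tunknown\t/CN=long-lived.example",
    "",
]
SAMPLE_NOW = datetime(2013, 10, 18, 14, 19, 36, tzinfo=timezone.utc)


def main():
    # "--demo" runs on the constructed sample; otherwise filter stdin.
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        lines, now = SAMPLE_INDEX, SAMPLE_NOW
    else:
        lines, now = sys.stdin.readlines(), datetime.now(timezone.utc)
    kept, dropped = filter_index(lines, now)
    for line in kept:
        print(line)
    print("dropped %d expired revocation(s)" % len(dropped), file=sys.stderr)


if __name__ == "__main__":
    main()
```

Usage: "python3 crl_filter.py < index.txt > index-crl.txt", then run "openssl ca -config crl.cnf -gencrl -out crl.pem" where crl.cnf is a copy of the CA configuration whose "database" entry names the filtered file (the "crlnumber" file can stay shared). The leeway matters because RFC 5280 section 3.3 requires a revoked certificate to appear on at least one regularly scheduled CRL issued after its validity period before the entry is removed; comparing against the expiry date minus a margin, rather than the revocation date, is what keeps that property.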
- crl.cacert.org not responding sometimes, Michael Tänzer, 10/16/2013
- PS: crl.cacert.org not responding sometimes, Michael Tänzer, 10/16/2013
- Re: crl.cacert.org not responding sometimes, Wytze van der Raay, 10/17/2013
- Re: crl.cacert.org not responding sometimes, Michael Tänzer, 10/17/2013
- Re: crl.cacert.org not responding sometimes, Wytze van der Raay, 10/17/2013
- Re: crl.cacert.org not responding sometimes, Michael Tänzer, 10/17/2013
- Re: crl.cacert.org not responding sometimes, Wytze van der Raay, 10/17/2013
- Re: crl.cacert.org not responding sometimes, Michael Tänzer, 10/18/2013
- Re: crl.cacert.org not responding sometimes, Wytze van der Raay, 10/18/2013
- Re: crl.cacert.org not responding sometimes, Michael Tänzer, 10/18/2013
- Re: crl.cacert.org not responding sometimes, Andre Klärner, 10/17/2013
- Re: crl.cacert.org not responding sometimes, Mario Lipinski, 10/17/2013
- Re: crl.cacert.org not responding sometimes, Michael Tänzer, 10/18/2013
- Re: crl.cacert.org not responding sometimes, Wytze van der Raay, 10/18/2013
- Nieuwe server [New server], martin, 10/19/2013
- Re: crl.cacert.org not responding sometimes, Wytze van der Raay, 10/24/2013
- Re: crl.cacert.org not responding sometimes, Wytze van der Raay, 10/24/2013
- Re: crl.cacert.org not responding sometimes, Michael Tänzer, 10/24/2013
- Re: crl.cacert.org not responding sometimes, Jan Dittberner, 10/24/2013
- Re: crl.cacert.org not responding sometimes, Mario Lipinski, 10/17/2013
- Re: crl.cacert.org not responding sometimes, Wytze van der Raay, 10/17/2013
- Re: crl.cacert.org not responding sometimes, Michael Tänzer, 10/17/2013
- Re: crl.cacert.org not responding sometimes, Wytze van der Raay, 10/17/2013
- Re: crl.cacert.org not responding sometimes, Wytze van der Raay, 10/18/2013
- Re: crl.cacert.org not responding sometimes, Michael Tänzer, 10/17/2013