Keeping expired certificates in CRLs

"Paul Adare" <padare.RemoveThis@newsguy.com> wrote...

> What's the goal here? A revoked certificate will be
> removed from the CRL one CRL publishing period
> beyond the validity period of the certificate. Once
> the certificate has expired, what's the point of leaving
> it in the CRL? All you're doing is unnecessarily
> bloating the size of the CRL.

Paul,

For manually checking if a certificate was revoked or not at the time of
use, I would like the CRL to also include expired certificates.

I understand that this will cause the CRL to always increase in size,
but this is not an issue, due to the small number of certificates issued
and high network capacity.


Regards,
Lars Olaussen
Isolauss.RemoveThis@hotmail.com
 >> Stay informed about: Keeping expired certificates in CRLs 

In article <ewe9SdFrEHA.2636.DeleteThis@TK2MSFTNGP09.phx.gbl>, in the
microsoft.public.windows.server.security news group, Lars Olaussen
<Isolauss.DeleteThis@hotmail.com> says...

> For manually checking if a certificate was revoked or not at the time of
> use, I would like the CRL to also include expired certificates.
>

I'm still not understanding what the point is here. Can you provide some
more details? What is the purpose of the certificates you're referring
to? What is the application involved?
If the application does CRL checking, then the certificate can't be
used. If the application doesn't do CRL checking, then what's the point?

--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.
 >> Stay informed about: Keeping expired certificates in CRLs 

"Paul Adare" <padare.RemoveThis@newsguy.com> wrote...

> I'm still not understanding what the point is here. Can you provide
> some
> more details? What is the purpose of the certificates you're referring
> to? What is the application involved?
> If the application does CRL checking, then the certificate can't be
> used. If the application doesn't do CRL checking, then what's the
> point?

Paul,

I hope this additional information can clarify my question:

- Applications can easily check if a certificate is within validity
period. If it is not, it will not be used.
- If it is within validity period, revocation status will be performed.
If it was revoked, it will not be used.

But due to network propagation delay, use of cached CRLs, etc, a
certificate may have been used, even though the certificate has been
revoked (since the application/service using would not have received
this revocation information).

Because of this, I would like to check (manually) when (if) the
certificate was revoked and compare this with the time the certificate
was used.


Regards,
Lars Olaussen
Isolauss.RemoveThis@hotmail.com
 >> Stay informed about: Keeping expired certificates in CRLs 

In article <uNrpjtFrEHA.2724.TakeThisOut@TK2MSFTNGP14.phx.gbl>, in the
microsoft.public.windows.server.security news group, Lars Olaussen
<Isolauss.TakeThisOut@hotmail.com> says...

> Because of this, I would like to check (manually) when (if) the
> certificate was revoked and compare this with the time the certificate
> was used.
>

Ok, I'm pretty sure that you can't change this behaviour, however, there
are other ways you can accomplish the same thing:

1. All of the information used to build the CRL is stored in the CA
database, even for certificates that have expired. You could query the
database using the Crypto API.
2. Archive your CRLs.

I'm checking to see if you can change the default behaviour of removing
expired certificates from the CRL.

--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.
 >> Stay informed about: Keeping expired certificates in CRLs 

Paul Adare - MVP - Microsoft Virtual PC <padare.TakeThisOut@newsguy.com> said


> Ok, so if I'd had a bit more coffee this morning, this thread could have
> been a lot shorter.
>

ROFL. I'm still looking for a store that sells intravenous coffee.
Just wake up, plug in the drip and away you go!!

--
Andy.
 >> Stay informed about: Keeping expired certificates in CRLs 

Paul Adare - MVP - Microsoft Virtual PC wrote:
>
> What's the goal here? A revoked certificate will be removed from the CRL
> one CRL publishing period beyond the validity period of the certificate.
> Once the certificate has expired, what's the point of leaving it in the
> CRL? All you're doing is unnecessarily bloating the size of the CRL.

If you'd like to validate archived digital signatures you have to keep track
of the exact revocation time of all certificates ever revoked.

Ciao, Michael.
 >> Stay informed about: Keeping expired certificates in CRLs 

"Paul Adare" <padare RemoveThis @newsguy.com> wrote...
> Ok, so if I'd had a bit more coffee this morning, this thread could
> have
> been a lot shorter.
>
> certutil -setreg ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS

Cheers, mate!

I'll try to improve my search capabilities before posting next time, to
keep from flooding the group


Best regards,
Lars Olaussen
Isolauss RemoveThis @hotmail.com
 >> Stay informed about: Keeping expired certificates in CRLs