Re: [Cdsa-discuss] Certificate Revocation List-Doubt
From: Mike M. <mar...@in...> - 2003-02-17 18:14:09
At 03:20 AM 2/17/2003 -0800, akila m wrote:

>Is our understanding regarding CRL publishing right?

Yes, that's pretty much the way CRLs work. If you need more like "real-time"
performance, you might want to consider issuing delta CRLs after every
revocation and polling for them on every validation, but then something like
OCSP is probably more appropriate in that situation.

>2. Once we have a CRL signed and published, how can a new revocation record
>be added to it? Our doubt is: should we create a new CRL template and then
>add the revocation record to it, or should we manipulate the published CRL,
>and is there any means to do it in CDSA?

Either way can be made to work... as long as you can easily determine
certificate expiration dates. (To keep the revocation list manageable, one
typically discards entries for expired certificates that have already
appeared on at least one regularly scheduled CRL; see RFC3280 section 3.3.)
If you have the original list of revoked certificates, you can easily parse
them for expiration dates, but if you just have the revocation entries from
the previous CRL, you'll have to be able to look up expiration dates based on
serial number. Your choice.

In any case, RFC3280 is required reading!

Hope this helps.

-mjm

==========
Michael J. Markowitz, Ph.D.          Email: mar...@in...
Vice President R&D                   Voice: 708-445-1704 (Oak Park)
Information Security Corporation            847-405-0500 (Deerfield)
1011 Lake Street, Suite 212          Fax:   708-445-9705
Oak Park, IL 60301                   WWW:   http://www.infoseccorp.com
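The bookkeeping described in the reply above (carrying the previous CRL's entries forward, adding new revocations, issuing delta CRLs between scheduled ones, and dropping an expired certificate's entry only after it has appeared on at least one regularly scheduled CRL per RFC 3280 section 3.3) as an added example. This is not code from the thread, from CDSA or from Information Security Corporation; the class and function names, the serial-number-to-notAfter lookup table and the sample serials and dates are assumptions made for illustration, and real X.509 encoding and signing are left out.

```python
"""Model of CRL entry maintenance across issuances (added example).

Assumption: the CA keeps a serial -> notAfter lookup. As the reply notes,
if all you carry forward is the previous CRL's entries, you need exactly
this lookup to decide which expired entries may be discarded.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime
    on_scheduled_crl: bool = False  # has appeared on a full (non-delta) CRL


class CrlIssuer:
    def __init__(self, not_after_by_serial):
        self.not_after = dict(not_after_by_serial)  # serial -> notAfter
        self.entries = {}   # serial -> RevokedEntry, carried between CRLs
        self.pending = set()  # revoked since the last scheduled CRL

    def revoke(self, serial, when):
        if serial not in self.not_after:
            raise KeyError(f"unknown certificate serial {serial}")
        if serial in self.entries:
            return  # already revoked; keep the original revocation date
        self.entries[serial] = RevokedEntry(serial, when)
        self.pending.add(serial)

    def issue_delta_crl(self):
        """Delta CRL: only changes since the last scheduled CRL."""
        return sorted(self.pending)

    def issue_full_crl(self, now):
        """Regularly scheduled CRL: prune per RFC 3280 3.3, then publish."""
        keep = {}
        for serial, entry in self.entries.items():
            expired = self.not_after[serial] <= now
            # An expired certificate may be dropped only once its entry has
            # been on a scheduled CRL; otherwise relying parties that never
            # saw the revocation would not learn of it.
            if expired and entry.on_scheduled_crl:
                continue
            keep[serial] = entry
        self.entries = {
            s: RevokedEntry(s, e.revocation_date, True) for s, e in keep.items()
        }
        self.pending.clear()  # the new base CRL resets the delta
        return sorted(self.entries)


def demo():
    """Worked scenario on constructed data; returns each CRL's serial list."""
    t0 = datetime(2003, 2, 17)
    day = timedelta(days=1)
    issuer = CrlIssuer({
        1: t0 + 365 * day,  # long-lived certificate (assumed sample data)
        2: t0 + 1 * day,    # expires tomorrow
        3: t0 + 10 * day,
        4: t0 + 3 * day,
    })
    out = {}
    issuer.revoke(1, t0)
    issuer.revoke(2, t0)
    out["delta0"] = issuer.issue_delta_crl()         # [1, 2]
    out["full0"] = issuer.issue_full_crl(t0)         # [1, 2]
    out["delta1"] = issuer.issue_delta_crl()         # []
    issuer.revoke(3, t0 + 2 * day)
    issuer.revoke(4, t0 + 2 * day)
    out["delta2"] = issuer.issue_delta_crl()         # [3, 4]
    # Serial 2 expired on day 1 and already appeared on full0: dropped.
    # Serial 4 expired on day 3 but was never on a scheduled CRL: kept.
    out["full1"] = issuer.issue_full_crl(t0 + 5 * day)  # [1, 3, 4]
    # Serial 4 has now appeared once on a scheduled CRL: dropped.
    out["full2"] = issuer.issue_full_crl(t0 + 6 * day)  # [1, 3]
    return out


if __name__ == "__main__":
    for name, serials in demo().items():
        print(name, serials)
```

The delta list is cleared only by a scheduled CRL, so every delta issued between two base CRLs is cumulative relative to the base, which is what a validator polling for deltas expects; an entry that expires before it has ever been on a scheduled CRL still appears on the next one.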