[openssl-users] Should I / How to remove expired certificates from CRL
Michael Wojcik
Michael.Wojcik at microfocus.com
Thu Feb 9 13:18:29 UTC 2017
If you remove expired certificates from the CRL, then CRL consumers have no way of knowing whether a certificate was revoked before it expired, and thus no way of knowing whether a timestamped signature made with the corresponding key is valid.
This is a complex issue, because CRL bloat is a real problem. (That's why we have delta CRLs in the first place.) There's a CRL extension (expiredCertsOnCRL) that should be used if the CRL includes expired certificates.
I've seen a number of discussions on this topic, in such places as the IETF PKIX list. See for example this thread:
https://www.ietf.org/mail-archive/web/pkix/current/msg03776.html
It seems to be difficult to find relevant material with simple web searches, though. The search terms are too common.
I'm sure there are other people on the list who know more about current practices in this area than I do.
Michael Wojcik
Distinguished Engineer, Micro Focus
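The point Michael makes above is that a relying party verifying a timestamped signature needs the revocation status of the signing certificate as of the signing time, and a CRL that has been pruned of expired certificates cannot answer that question; it can only answer "not listed". The following is an added example, not code from the original post or from OpenSSL, and it deliberately uses a constructed in-memory CRL model rather than a parsed X.509 CRL so that it runs offline. It assumes the X.509 id-ce-expiredCertsOnCRL extension (OID 2.5.29.60; it is not part of RFC 5280) is read as "this CRL still carries entries for certificates whose notAfter is at or after the given date"; the certificates, serials and dates are constructed for the demonstration. The decision function returns a three-valued answer, with UNKNOWN wherever the CRL is silent rather than authoritative.

```python
"""Revocation status "as of" a past point in time, from a CRL that may or may
not retain expired certificates.  Constructed example; the CRL model is a
simplification of an X.509 CRL, not a parser for one."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, Optional


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


class Status(Enum):
    GOOD = "good"          # not revoked at at_time, and the CRL is authoritative for it
    REVOKED = "revoked"    # revocationDate <= at_time
    UNKNOWN = "unknown"    # the CRL cannot answer the question for at_time


@dataclass
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class Crl:
    this_update: datetime
    revoked: Dict[int, datetime]                     # serial -> revocationDate
    expired_certs_on_crl: Optional[datetime] = None  # assumed reading of OID 2.5.29.60; None = absent


def status_at(cert: Cert, crl: Crl, at_time: datetime) -> Status:
    """Revocation status of `cert` at `at_time` (e.g. a signature timestamp)."""
    if not (cert.not_before <= at_time <= cert.not_after):
        # Outside the validity period revocation is not the question; reject early.
        raise ValueError("at_time is outside the certificate's validity period")
    if crl.this_update < at_time:
        # The CRL was issued before the time of interest, so it cannot know about
        # a revocation that happened between its issuance and at_time.
        return Status.UNKNOWN
    revocation_date = crl.revoked.get(cert.serial)
    if revocation_date is not None:
        # Listed: revoked at at_time only if the revocation predates it.
        return Status.REVOKED if revocation_date <= at_time else Status.GOOD
    if cert.not_after >= crl.this_update:
        # Cert had not expired when the CRL was issued, so the issuer had to
        # list it if it was revoked; absence is meaningful.
        return Status.GOOD
    if crl.expired_certs_on_crl is not None and crl.expired_certs_on_crl <= cert.not_after:
        # Issuer asserts it keeps entries for certs that expired this late; absence is meaningful.
        return Status.GOOD
    # Cert expired before this CRL was issued and the issuer does not promise to
    # retain expired entries: "not listed" proves nothing about at_time.
    return Status.UNKNOWN


# ---- constructed scenario ------------------------------------------------
SIGNING_CERT = Cert(serial=0x1001, not_before=utc(2015, 6, 1), not_after=utc(2016, 6, 1))
CLEAN_CERT = Cert(serial=0x1002, not_before=utc(2015, 6, 1), not_after=utc(2016, 6, 1))
SIGNED_AT = utc(2016, 4, 1)  # signature timestamp, after the revocation below

# CRL that retains expired certificates and says so via expiredCertsOnCRL.
FULL_CRL = Crl(this_update=utc(2017, 2, 9),
               revoked={0x1001: utc(2016, 3, 1)},
               expired_certs_on_crl=utc(2015, 1, 1))
# Same issuer, same date, but expired entries pruned and no extension.
PRUNED_CRL = Crl(this_update=utc(2017, 2, 9), revoked={})
# A CRL issued before the signature was made.
STALE_CRL = Crl(this_update=utc(2016, 2, 1), revoked={})


def demo() -> Dict[str, Status]:
    return {
        "revoked_cert/full_crl": status_at(SIGNING_CERT, FULL_CRL, SIGNED_AT),
        "revoked_cert/pruned_crl": status_at(SIGNING_CERT, PRUNED_CRL, SIGNED_AT),
        "revoked_cert/full_crl/before_revocation": status_at(SIGNING_CERT, FULL_CRL, utc(2016, 2, 1)),
        "clean_cert/full_crl": status_at(CLEAN_CERT, FULL_CRL, SIGNED_AT),
        "clean_cert/pruned_crl": status_at(CLEAN_CERT, PRUNED_CRL, SIGNED_AT),
        "clean_cert/stale_crl": status_at(CLEAN_CERT, STALE_CRL, SIGNED_AT),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:45s} {status.value}")
```

The two rows worth comparing are the pruned-CRL ones: a verifier that treats "not listed" as "good" would accept the signature made with the revoked key, while the three-valued version reports UNKNOWN for both the revoked and the never-revoked certificate, because the pruned CRL genuinely cannot distinguish them. Adding the expiredCertsOnCRL date is what lets the FULL_CRL case return GOOD for the clean certificate rather than UNKNOWN.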