[stunnel-users] crl next update field functionality seems incorrect

Christophe Nanteuil christophe.nanteuil at gmail.com
Wed Feb 4 10:41:06 CET 2009


2009/2/4 Jason Haar <Jason.Haar at trimble.co.nz>:
> Steve Hoffman wrote:
>>
>> I don't believe this is correct functionality.  The "next update" field is not an expiration of the CRL, but more of an indicator that you, as the holder of the CRL, should obtain a new one.
>> ...
>>
>> I'd like to suggest removing this check.
>>
>>
> Hi there
>
> I think you're right Steve - but I'd not like to see that check
> disappear :-)
>

Hello,

I do not concur with your conclusion. The next update field is a
protection against the following scenario:
- CRL #1 on Monday, next update "some day": empty
- Tuesday: I lose my certificate -> new CRL #2, next update
"another day" and indicating my certificate as revoked.

If the server does not verify the field "next update", it can run with
CRL #1 forever, ignoring the revocation of my certificate.

In fact, the field "next update" is a compromise between good
confidence in the veracity of the CRL and the cost of updating a CRL
on all servers which use the CRL. This compromise has to be decided by
the CA itself, according to (defined by, in fact) the Certification
Policy.
The server, using certificates and a CRL which mention the Certification
Policy, has to apply the policy, which means refusing the connection when
the CRL is expired.

Next to this topic, I posted a "strange CRL verification behaviour"
mail on "Mon Nov 3 15:44:43 CET 2008" because I was baffled by the
LOG "CRL passed" when in fact no CRL was found to verify a
certificate.

Ref: RFC 2527 - Internet X.509 Public Key Infrastructure Certificate
Policy and Certification Practices Framework
(http://tools.ietf.org/html/rfc2527)
See §4.4.4 Certificate Suspension and Revocation

--
Christophe Nanteuil
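An added example, not from this thread or from stunnel's own code, written in Go with only the standard library: checkSerial treats NextUpdate as a hard deadline, so a server still holding Monday's CRL #1 refuses connections once that CRL has expired instead of quietly trusting it forever, and a missing CRL or a CRL with a bad signature is likewise a refusal rather than a "CRL passed". The names newCA, issueCRL and checkSerial are assumed, and the CA and CRLs they produce are constructed fixtures, not real ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrCRLExpired = errors.New("CRL is past its NextUpdate: refuse until a fresh CRL is loaded")
var ErrRevoked = errors.New("certificate serial is listed as revoked")
// newCA builds a throwaway CRL-signing issuer (constructed fixture; errors ignored for brevity).
func newCA() (ed25519.PrivateKey, *x509.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCRLSign, NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	ca, _ := x509.ParseCertificate(der)
	return priv, ca
}
// issueCRL signs CRL number num, valid from this until next, listing the given serials as revoked.
func issueCRL(priv ed25519.PrivateKey, ca *x509.Certificate, num int64, this, next time.Time, revoked ...int64) ([]byte, error) {
	t := &x509.RevocationList{Number: big.NewInt(num), ThisUpdate: this, NextUpdate: next}
	for _, s := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: this})
	}
	return x509.CreateRevocationList(rand.Reader, t, ca, priv)
}
// checkSerial applies the policy argued above: verify the CRL, treat NextUpdate as a hard deadline, then look up the serial.
func checkSerial(crlDER []byte, ca *x509.Certificate, serial int64, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err // also covers "no CRL found" (nil input): absence is a refusal, never a pass
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return err // forged or wrong-issuer CRL
	}
	if now.After(crl.NextUpdate) {
		return ErrCRLExpired // without this, CRL #1 could be trusted forever
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Int64() == serial {
			return ErrRevoked
		}
	}
	return nil
}
```

Run it from a test or a main that issues CRL #1 on Monday and CRL #2 on Tuesday and calls checkSerial with the Monday, Tuesday and Wednesday timestamps.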
