I haven't seen CRLs with expiration or hold dates in the future. I don't even know if that's legal. I'd expect the "more standard-like" way to do this is to originally issue the cert with the right notAfter date. (If that requires going back in time, however, I can see why future-revocation is a useful idea. :)
Delta CRLs are not uncommon. The primary use is to put it in a crlDistributionPoint, so that the client can fetch a smaller update online, coupled with the larger off-line/background fetch of the full CRL. Gee, almost as good as OCSP. :)

I assume you've read RFC 3280. The real "king of the CRL world" is Entrust. They did lots of work creating all sorts of CRL concepts -- Delta, mostRecentCRL, etc. You can probably find some information around on their web pages.

/r$

--
Rich Salz
Chief Security Architect
DataPower Technology                  http://www.datapower.com
XS40 XML Security Gateway             http://www.datapower.com/products/xs40.html
XML Security Overview                 http://www.datapower.com/xmldev/xmlsecurity.html
______________________________________________________________________
OpenSSL Project                       http://www.openssl.org
User Support Mailing List             [EMAIL PROTECTED]
Automated List Manager                [EMAIL PROTECTED]
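The base-plus-delta client logic described above, as an added example that is not from the post or from OpenSSL: a plain-Python model of the delta CRL merge in RFC 3280 section 6.3.3, with constructed serial numbers and CRL numbers (nothing here parses real DER).

```python
"""Model of delta-CRL merging per RFC 3280 section 6.3.3 (illustration only).

A delta CRL carries a Delta CRL Indicator (BaseCRLNumber) and may only be
combined with a complete CRL whose CRLNumber is >= that base.  An entry with
reason removeFromCRL (8) means a certificateHold (6) was lifted, so the serial
drops out of the merged list instead of being added to it.
"""
from dataclasses import dataclass
from typing import Dict, Optional

CERTIFICATE_HOLD = 6   # CRLReason values from RFC 3280 section 5.3.1
REMOVE_FROM_CRL = 8    # only ever appears in delta CRLs


@dataclass
class CRL:
    crl_number: int
    entries: Dict[int, int]                 # serial -> CRLReason code
    base_crl_number: Optional[int] = None   # set only on delta CRLs


def merge_delta(base: CRL, delta: CRL) -> CRL:
    """Apply a delta CRL to a complete CRL and return the merged complete CRL."""
    if delta.base_crl_number is None:
        raise ValueError("not a delta CRL: no Delta CRL Indicator extension")
    # RFC 3280 6.3.3: the delta applies only if the complete CRL is at least
    # as new as the delta's BaseCRLNumber; otherwise fetch a newer full CRL.
    if base.crl_number < delta.base_crl_number:
        raise ValueError("complete CRL is older than the delta's base CRL number")
    merged = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)   # hold released: certificate is valid again
        else:
            merged[serial] = reason    # new revocation, or hold made permanent
    return CRL(crl_number=delta.crl_number, entries=merged)


def is_revoked(crl: CRL, serial: int) -> bool:
    return serial in crl.entries


# Constructed sample data: serials and CRL numbers are arbitrary placeholders.
BASE = CRL(crl_number=10, entries={0x1001: 1, 0x1002: CERTIFICATE_HOLD})
DELTA = CRL(crl_number=12, base_crl_number=10,
            entries={0x1002: REMOVE_FROM_CRL, 0x1003: 5})

if __name__ == "__main__":
    merged = merge_delta(BASE, DELTA)
    print(sorted(hex(s) for s in merged.entries))  # ['0x1001', '0x1003']
```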