On 09-02-17 10:58, PM Extra wrote:
Should I remove expired certificates from CRL?
No. The date of the revocation, which can be found in the CRL, is still
relevant for checking when older certificates were revoked, in case you
ever need to check signatures on older messages.
--
Wouter Verhe

If you remove expired certificates from the CRL, then CRL consumers have no way
of knowing whether a certificate was revoked before it expired, and thus no way
of knowing whether a timestamped signature made with the corresponding key is
valid.
This is a complex issue, because CRL bloat is a re

On 09/02/2017 10:58, PM Extra wrote:
Should I remove expired certificates from CRL?
If so, how to do this?
Depends if any relying parties are checking old signatures "as of"
some securely recorded date of receiving the signature.
In that case, they will still need to be able to see, in the lat

Should I remove expired certificates from CRL??
If so, how to do this?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
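
Added example, not part of the thread or of OpenSSL: a small model of the point made in the replies, showing how a relying party that checks a signature "as of" its recorded timestamp reaches a different verdict once expired entries are pruned from the CRL. The CRL is modelled as a plain serial-to-revocation-date mapping; all names, serials and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


# Constructed sample data (not from the thread).
CERTS = {
    0x1001: Cert(0x1001, utc(2015, 1, 1), utc(2016, 1, 1)),  # expired by NOW
    0x1002: Cert(0x1002, utc(2016, 6, 1), utc(2018, 6, 1)),  # still in validity
}
# CRL modelled as serial -> revocation date.
FULL_CRL = {0x1001: utc(2015, 6, 1), 0x1002: utc(2016, 12, 1)}
NOW = utc(2017, 2, 9)


def prune_expired(crl, certs, now):
    """Drop entries for certificates that have expired (the practice asked about)."""
    return {s: d for s, d in crl.items() if certs[s].not_after > now}


def signature_status(cert, signed_at, crl):
    """Judge a signature 'as of' its securely recorded timestamp."""
    if not cert.not_before <= signed_at <= cert.not_after:
        return "invalid: outside certificate validity"
    revoked_at = crl.get(cert.serial)
    if revoked_at is not None and revoked_at <= signed_at:
        return "invalid: certificate revoked before signing"
    return "valid"


def compare(serial, signed_at):
    """Return (verdict with full CRL, verdict with pruned CRL)."""
    cert = CERTS[serial]
    pruned = prune_expired(FULL_CRL, CERTS, NOW)
    return (signature_status(cert, signed_at, FULL_CRL),
            signature_status(cert, signed_at, pruned))


if __name__ == "__main__":
    for when in (utc(2015, 3, 1), utc(2015, 9, 1)):
        print(when.date(), compare(0x1001, when))
```

The second timestamp falls after the revocation date but before expiry, so it is rejected with the full CRL and accepted once the expired entry has been pruned.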