This study examines the impact of different CRL update frequencies on certificate authorities and proposes a harmonized approach to ensure timely and efficient updates.
CRL Facts
1.0 - d1737728 /C=SG/O=Netrust Certificate Authority 1/OU=Netrust CA1
2.0 - 1d879c6c /DC=ch/DC=cern/CN=CERN Trusted Certification Authority
7.0 - 9b59ecad /DC=cz/DC=cesnet-ca/CN=CESNET CA
8.0 - cc800af0 /C=HU/O=NIIF/OU=Certificate Authorities/CN=NIIF Root CA
10.0 - eebc7717 /C=CH/O=Switch - .../CN=SWITCH Server CA
10.0 - 47d3d1a0 /C=CH/O=Switch - .../CN=SWITCH Personal CA
14.0 - 9b95bbf2 /C=US/O=National Center for S.A./OU=Certificate Authorities/CN=CACL
30.0 - 1691b9ba /C=TR/O=TRGrid/CN=TR-Grid CA
...
30.0 - 2418a3f3 /DC=bg/DC=acad/CN=BG.ACAD CA
31.0 - 55994d72 /C=RU/O=RDIG/CN=Russian Data-Intensive Grid CA
35.0 - 03aa0ecb /C=BE/O=BELNET/OU=BEGrid/CN=BEGridCA/emailAddress=gridca@belnet.be
180.0 - 28a58577 /C=GR/O=HellasGrid/OU=Certification A.../CN=HellasGrid Root CA 2006
180.5 - d254cc30 /DC=ch/DC=cern/CN=CERN Root CA
...
365.0 - 566bf40f /C=EE/O=Grid/CN=Estonian Grid Certification Authority
366.0 - cf4ba8c8 /C=FR/O=CNRS/CN=CNRS
...
548.0 - d0b701c0 /C=CH/O=Switch - .../CN=SWITCHgrid Root CA
731.0 - 98ef0ee5 /C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root

Classic Profile
• Validity between 7 and 30 days
• 7 day CRLs imply continuous issuance

SLCS Profile
• Validity between 3 days and ∞

Issues seen
• Netrust CRL of 1 day triggers many warnings
• PMA warnings of actual invalidity are common
• Unavailability of CRL is on average 20% at any time
• The CERN TCA CRL of 2 days hardly causes any actual problems
• A warning once every few months
• The CESNET CRL of 7 days causes no problems
• Manual 30 day CRLs give incidental problems

Proposal
• Harmonize period between SLCS and Classic AP
• at least 3 days before expiration
• Only for on-line auto-generated CRLs
• Manually generated CRLs and CRLs for off-line CAs stay at 7 days
• Max lifetime for Classic AP stays at 30 days for issuing CAs
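
A relying-party check for the thresholds above, as an added example that is not part of the original slides: it reads the two date lines printed by `openssl crl -noout -lastupdate -nextupdate` and flags a CRL whose lifetime falls outside the Classic profile's 7 to 30 days or that has less than the proposed margin left before expiry. The function names, finding labels, sample dates and the reading of "at least 3 days before expiration" as a reissue margin are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: output of `openssl crl -noout -lastupdate -nextupdate`
SAMPLE = """lastUpdate=Mar  1 00:00:00 2024 GMT
nextUpdate=Mar  8 00:00:00 2024 GMT
"""

OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"


def parse_crl_dates(text):
    """Return (lastUpdate, nextUpdate) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            # openssl pads single-digit days with two spaces; collapse them.
            # A missing nextUpdate ("NONE") fails here with ValueError.
            parsed = datetime.strptime(" ".join(value.split()), OPENSSL_DATE)
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if len(fields) != 2:
        raise ValueError("lastUpdate and nextUpdate are both required")
    return fields["lastUpdate"], fields["nextUpdate"]


def check_crl(text, now, min_days=7, max_days=30, reissue_margin_days=3):
    """Return (lifetime_in_days, findings) for one CRL at time `now`.

    Defaults follow the slides: Classic profile lifetime of 7 to 30 days,
    3-day margin for on-line auto-generated CRLs. Pass reissue_margin_days=7
    for manually generated CRLs and off-line CAs (assumed reading).
    """
    last_update, next_update = parse_crl_dates(text)
    lifetime = (next_update - last_update) / timedelta(days=1)
    findings = []
    if not min_days <= lifetime <= max_days:
        findings.append("lifetime-out-of-profile")
    if now < last_update:
        findings.append("not-yet-valid")
    if now >= next_update:
        findings.append("expired")
    elif next_update - now < timedelta(days=reissue_margin_days):
        # A fresh CRL should already have replaced this one.
        findings.append("reissue-overdue")
    return lifetime, findings


if __name__ == "__main__":
    print(check_crl(SAMPLE, datetime.now(timezone.utc)))
```

With these defaults, any CRL whose total lifetime is shorter than the margin is flagged for its entire validity period.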