  1. EJBCA
  2. ECA-4204

Partitioned CRLs

    Details

    • Type: Epic
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: CA GUI, PKI core, Public Web UI
    • Labels:
      None
    • Epic Name:
      Partitioned CRLs

      Description

      Large CRLs present a challenge both to issue and to validate.

      RFC 3280 allows the partitioning of CRLs by "scope" (§5 - CRL and CRL Extensions Profile):

      «[...]
      Each CRL has a particular scope. The CRL scope is the set of
      certificates that could appear on a given CRL. For example, the
      scope could be "all certificates issued by CA X", "all CA
      certificates issued by CA X", "all certificates issued by CA X that
      have been revoked for reasons of key compromise and CA compromise",
      or could be a set of certificates based on arbitrary local
      information, such as "all certificates issued to the NIST employees
      located in Boulder".
      [...]»

      A very nice and useful feature to deal with large CRLs would be to allow the definition of such a scope by which certificate profile the certificate was issued under.
      A matching between the Issuing CA and CDP, based on certificate profile, must be done.

      It is important to notice that a certificate cannot move around partitions during its lifetime.


              People

              Assignee:
              Unassigned
              Reporter:
              tomas Tomas Gustavsson
              Votes:
              1
              Watchers:
              4
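
An added example (not part of the original issue and not EJBCA code) modelling the scheme in the description: the certificate profile fixes the CDP at issuance, and each partition's CRL carries a matching scope. The validator side goes beyond the ticket text, and the profile names, URLs and function names are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

# Constructed profile -> CDP mapping for one issuing CA (hypothetical names and URLs).
PROFILE_CDP = {
    "ENDUSER": "http://crl.example.test/ca-x/enduser.crl",
    "SERVER": "http://crl.example.test/ca-x/server.crl",
}

@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str
    cdp: str  # fixed at issuance, so the certificate never changes partition

@dataclass
class PartitionCrl:
    issuer: str
    idp: str  # issuing distribution point: the scope this CRL covers
    revoked: set = field(default_factory=set)

def issue(serial, issuer, profile):
    """Stamp the partition's CDP into the certificate at issuance."""
    return Cert(serial, issuer, PROFILE_CDP[profile])

def build_crls(issuer, certs, revoked_serials):
    """One CRL per partition; each lists only revoked serials in its scope."""
    crls = {url: PartitionCrl(issuer, url) for url in PROFILE_CDP.values()}
    for c in certs:
        if c.serial in revoked_serials:
            crls[c.cdp].revoked.add(c.serial)
    return crls

def check(cert, crl):
    """Return 'revoked', 'good', or 'undetermined' if the CRL is out of scope."""
    if crl.issuer != cert.issuer or crl.idp != cert.cdp:
        return "undetermined"  # wrong partition: a missing serial proves nothing
    return "revoked" if cert.serial in crl.revoked else "good"

def demo():
    ca = "CN=CA X"
    certs = [issue(1, ca, "ENDUSER"), issue(2, ca, "SERVER"), issue(3, ca, "SERVER")]
    crls = build_crls(ca, certs, revoked_serials={2})
    server_crl = crls[PROFILE_CDP["SERVER"]]
    enduser_crl = crls[PROFILE_CDP["ENDUSER"]]
    # Revoked SERVER cert, good SERVER cert, revoked cert vs. the wrong partition.
    return (check(certs[1], server_crl), check(certs[2], server_crl),
            check(certs[1], enduser_crl))
```

Without the scope comparison in `check`, the revoked SERVER certificate would look unrevoked when tested against the ENDUSER partition's CRL.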
