Details

    • Type: Epic
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: CA GUI, PKI core, Public Web UI
    • Labels:
      None
    • Epic Name:
      Partitioned CRLs

      Description

      Large CRLs present a challenge both to issue and to validate.

      RFC 3280 allows the partitioning of CRLs by "scope" (§5 - CRL and CRL Extensions Profile):

      «[...]
      Each CRL has a particular scope. The CRL scope is the set of
      certificates that could appear on a given CRL. For example, the
      scope could be "all certificates issued by CA X", "all CA
      certificates issued by CA X", "all certificates issued by CA X that
      have been revoked for reasons of key compromise and CA compromise",
      or could be a set of certificates based on arbitrary local
      information, such as "all certificates issued to the NIST employees
      located in Boulder".
      [...]»

      A very nice and useful feature to deal with large CRLs would be to allow the definition of such a scope by the certificate profile the certificate was issued under.
      A matching between the Issuing CA and CDP, based on certificate profile, must be done.

      It is important to notice that a certificate cannot move around partitions during its lifetime.
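
A minimal model of the profile-scoped partitioning requested above, as an added example that is not code from EJBCA or from the reporter. The class names, profile names and CDP URLs are hypothetical; the point shown is that the partition is fixed at issuance and that a CRL from another partition must be rejected rather than read as "not revoked".

```python
from dataclasses import dataclass, field

# Constructed mapping (assumption): certificate profile -> CDP URL of its CRL partition.
PROFILE_CDP = {
    "TLS-SERVER": "http://crl.example.test/ca-x/tls-server.crl",
    "EMPLOYEE": "http://crl.example.test/ca-x/employee.crl",
}

@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str
    profile: str
    cdp: str  # written into the certificate at issuance, so it never changes

@dataclass
class PartitionedCA:
    name: str
    issued: dict = field(default_factory=dict)   # serial -> Cert
    revoked: dict = field(default_factory=dict)  # CDP URL -> set of revoked serials

    def issue(self, serial: int, profile: str) -> Cert:
        # The partition is chosen once, from the profile mapping valid at issuance.
        cert = Cert(serial, self.name, profile, PROFILE_CDP[profile])
        self.issued[serial] = cert
        return cert

    def revoke(self, serial: int) -> None:
        # Use the CDP stored with the certificate, not the current mapping.
        cert = self.issued[serial]
        self.revoked.setdefault(cert.cdp, set()).add(serial)

    def crl(self, cdp: str) -> dict:
        # Scope of this CRL: certificates of this CA whose CDP equals `cdp`.
        return {"issuer": self.name, "scope": cdp,
                "revoked": frozenset(self.revoked.get(cdp, ()))}

def is_revoked(cert: Cert, crl: dict) -> bool:
    # A CRL for another partition says nothing about this certificate:
    # reject it instead of treating "serial absent" as "not revoked".
    if crl["issuer"] != cert.issuer or crl["scope"] != cert.cdp:
        raise ValueError("CRL scope does not cover this certificate")
    return cert.serial in crl["revoked"]
```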

              People

              • Assignee:
                Unassigned
                Reporter:
                tomas Tomas Gustavsson
              • Votes:
                1
                Watchers:
                4