- Type: Epic
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: None
- Component/s: CA GUI, PKI core, Public Web UI
- Labels: None
- Epic Name: Partitioned CRLs
Large CRLs present a challenge both to issue and to validate.
RFC 3280 allows the partitioning of CRLs by "scope" (§5 - CRL and CRL Extensions Profile):
«[...]
Each CRL has a particular scope. The CRL scope is the set of
certificates that could appear on a given CRL. For example, the
scope could be "all certificates issued by CA X", "all CA
certificates issued by CA X", "all certificates issued by CA X that
have been revoked for reasons of key compromise and CA compromise",
or could be a set of certificates based on arbitrary local
information, such as "all certificates issued to the NIST employees
located in Boulder".
[...]»
A very useful feature for dealing with large CRLs would be to allow such a scope to be defined by the certificate profile under which the certificate was issued.
A mapping between the issuing CA and the CRL Distribution Point (CDP), keyed on certificate profile, must be maintained.
It is important to note that a certificate cannot move between partitions during its lifetime.
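The following is an added illustration of the scope rule quoted above, not code from EJBCA or from the issue author. It models a per-CA mapping from certificate profile to CDP (the partition), fixes the CDP in the certificate at issuance, and shows the check a validator must perform with partitioned CRLs: a CRL only answers for a certificate when it comes from the same issuer and its Issuing Distribution Point (IDP) equals the CDP in the certificate (the scope matching of RFC 3280 §6.3.3). Without that check, consulting the wrong partition silently reports a revoked certificate as good. The CA name, URIs, profile names and serial numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed sample mapping (assumption): one issuing CA, two certificate
# profiles, each profile served by its own CRL partition (its own CDP URI).
PROFILE_TO_CDP: Dict[Tuple[str, str], str] = {
    ("CA X", "EndEntity"): "http://crl.example/ca-x/endentity.crl",
    ("CA X", "SubCA"):     "http://crl.example/ca-x/subca.crl",
}


@dataclass(frozen=True)
class Certificate:
    serial: int
    issuer: str
    profile: str
    cdp: str  # CRL Distribution Point written into the certificate at issuance


@dataclass
class PartitionedCRL:
    issuer: str
    idp: str  # Issuing Distribution Point: the single partition this CRL covers
    revoked: Set[int] = field(default_factory=set)


def issue(serial: int, issuer: str, profile: str) -> Certificate:
    """Issue a certificate and bind it to the partition its profile maps to.

    The CDP is copied into the (frozen) certificate, so later changes to
    PROFILE_TO_CDP affect newly issued certificates only: an existing
    certificate never moves between partitions during its lifetime."""
    return Certificate(serial, issuer, profile, PROFILE_TO_CDP[(issuer, profile)])


def partition_of(cert: Certificate) -> str:
    """The partition a validator must consult is the one recorded in the
    certificate itself, not whatever the CA's current profile mapping says."""
    return cert.cdp


def check_status(cert: Certificate, crl: PartitionedCRL) -> str:
    """Return 'revoked', 'good' or 'undetermined'.

    A CRL is in scope for the certificate only when it was issued by the same
    CA and its IDP equals the certificate's CDP. A CRL from another partition
    says nothing about this certificate, so the answer is 'undetermined'
    rather than 'good'."""
    if crl.issuer != cert.issuer or crl.idp != cert.cdp:
        return "undetermined"
    return "revoked" if cert.serial in crl.revoked else "good"


def naive_status(cert: Certificate, crl: PartitionedCRL) -> str:
    """The mistake partitioning makes possible: treating 'not on this list'
    as 'not revoked' without first checking that the list is in scope."""
    return "revoked" if cert.serial in crl.revoked else "good"


# Constructed scenario: an end-entity certificate revoked in its own partition.
ee_cert = issue(1001, "CA X", "EndEntity")
subca_cert = issue(2001, "CA X", "SubCA")
endentity_crl = PartitionedCRL("CA X", PROFILE_TO_CDP[("CA X", "EndEntity")], {1001})
subca_crl = PartitionedCRL("CA X", PROFILE_TO_CDP[("CA X", "SubCA")])

if __name__ == "__main__":
    print("right partition:", check_status(ee_cert, endentity_crl))  # revoked
    print("wrong partition:", check_status(ee_cert, subca_crl))      # undetermined
    print("naive, wrong partition:", naive_status(ee_cert, subca_crl))  # good (wrong)
```

In a real deployment the IDP lives in the CRL's issuingDistributionPoint extension, which RFC 3280 requires to be critical, so a validator that does not understand partitioned CRLs rejects the CRL outright instead of misreading it as a complete one.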