DCDT Test D17: CRLs are always a few minutes stale


Luis Maas

Aug 28, 2016, 3:25:44 PM
to Direct Certificate Discovery Tool
Hi all,

For the new test D17, the SUT relies upon a CRL published by the DCDT root CA "CN=dcdt31prod.sitenv.org_ca_root".

It looks like this CA is publishing a new CRL every second (or possibly "on demand"), but the CRL is always stale, listing a nextUpdate time a few minutes in the past.

From RFC5280:

5.1.2.5.  Next Update

   This field indicates the date by which the next CRL will be issued.
   The next CRL could be issued before the indicated date, but it will
   not be issued any later than the indicated date.  

So, the nextUpdate time should be a time in the future. Presented with a stale CRL, a SUT would conclude that the revocation status is indeterminate for any cert issued by that CA.

I would suggest that, since these are essentially static CRLs, you could use a CRL nextUpdate time 24 hours in the future (or at least far enough in the future that a SUT can reliably retrieve it before it becomes stale).

For reference, here are some nextUpdate times from today:

CRL retrieved at        nextUpdate time
8/28/16 11:06:42 PDT    8/28/16 11:04:27 PDT
8/28/16 11:06:58 PDT    8/28/16 11:04:43 PDT
8/28/16 11:07:15 PDT    8/28/16 11:04:59 PDT

Thank you,
Luis
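The staleness check Luis describes, as an added example that is not part of the thread or of the DCDT tool: a throwaway CA (the subject name is constructed, not the DCDT root) signs one CRL whose nextUpdate is already a few minutes in the past and one whose nextUpdate is 24 hours ahead, and a relying-party check verifies each signature and reports whether the CRL is stale at the time of retrieval. The Go standard library's x509.CreateRevocationList rejects a nextUpdate earlier than thisUpdate, so the stale CRL is backdated as a whole rather than issued "now" with a past nextUpdate as the DCDT CA appears to do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CRLStatus is what a relying party learns from a CRL's validity window.
type CRLStatus struct {
	ThisUpdate time.Time
	NextUpdate time.Time
	Stale      bool          // true when "now" is past nextUpdate
	StaleBy    time.Duration // how far past nextUpdate "now" is (zero if fresh)
}

// NewTestCA creates a throwaway self-signed CA that may sign CRLs.
// The subject name is constructed for this example; it is not the DCDT root.
func NewTestCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example_ca_root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// crlSign is required by CreateRevocationList and CheckSignatureFrom.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// BuildCRL signs an empty CRL covering the thisUpdate..nextUpdate window.
func BuildCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, thisUpdate, nextUpdate time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: thisUpdate,
		NextUpdate: nextUpdate,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

// CheckCRL verifies the CRL signature against its issuer and reports whether
// the CRL is stale at time now. A stale CRL yields no usable revocation status.
func CheckCRL(der []byte, issuer *x509.Certificate, now time.Time) (CRLStatus, error) {
	rl, err := x509.ParseRevocationList(der)
	if err != nil {
		return CRLStatus{}, err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return CRLStatus{}, err
	}
	st := CRLStatus{ThisUpdate: rl.ThisUpdate, NextUpdate: rl.NextUpdate}
	if now.After(rl.NextUpdate) {
		st.Stale = true
		st.StaleBy = now.Sub(rl.NextUpdate)
	}
	return st, nil
}

func main() {
	ca, key, err := NewTestCA()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Mirrors the thread's observation: nextUpdate a few minutes in the past.
	stale, err := BuildCRL(ca, key, now.Add(-10*time.Minute), now.Add(-3*time.Minute))
	if err != nil {
		panic(err)
	}
	// The suggested fix: nextUpdate 24 hours ahead of issuance.
	fresh, err := BuildCRL(ca, key, now, now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		name string
		der  []byte
	}{{"stale", stale}, {"fresh", fresh}} {
		st, err := CheckCRL(c.der, ca, now)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s CRL: nextUpdate=%s stale=%v staleBy=%s\n", c.name,
			st.NextUpdate.UTC().Format(time.RFC3339), st.Stale, st.StaleBy.Round(time.Second))
	}
}
```

CheckCRL treats a past nextUpdate as "no answer" rather than "not revoked": a client that silently accepts a stale CRL would also accept one an attacker replays after a revocation, which is why the RFC 5280 wording matters in practice.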


srini

Aug 30, 2016, 11:39:42 AM
to directt...@googlegroups.com

Hi Luis,

Thanks for your valuable input. We have used your recommendation and have a test version here:


Please let us know if this addresses the issue satisfactorily, and we can make it available in the production as well.

Thanks,
Srini

DCDT Team.



Srinivasan Adhinarayanan

Nov 29, 2016, 10:11:53 PM
to Direct Certificate Discovery Tool

DCDT has been upgraded to version 3.1.3, which implements the CRL update. The release is available


Thanks
Srini