Partitioned CRLs


Nuno Ponte

Oct 15, 2008, 7:17:31 AM
Hi,


We have a CA that has thousands of revoked certificates which
leads to CRLs of several MBytes.

On the next renewal of the CA, we are thinking of partitioning the
CRLs at each X number of issued certificates. The issued certificates
will have different CRL Distribution Points (CDP) according to the
partitions they are assigned.

For example, for X=100, from certificate 1 to certificate 100, the
CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.

My question: Are Internet Explorer and IIS prepared to support
partitioned CRLs like the way described? In particular, if CRLs are
cached, they must be able to merge several different partitions
according to the CDP to create a unified view over the revocation
universe of a CA.


Regards,

Nuno Ponte
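The scheme described above, seen from the relying party's side, as an added example that is not part of the original thread or of any product named in it. It assumes a verifier that fetches the CRL named in the certificate's own CDP and caches one CRL per URL, which is why no "merging" of partitions is ever needed; `fetch_crl`, the `Crl` and `Cert` types, and the revocation data are constructed for illustration.

```python
"""Range-partitioned CRLs as a relying party sees them (constructed example).

Each certificate carries the CDP of the partition it belongs to, so a verifier
never has to merge partitions: it fetches exactly the CRL the certificate names
and caches it under that URL.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet

PARTITION_SIZE = 100                      # X in the post
CDP_BASE = "http://myca.com/crl/"         # URL scheme from the post


def cdp_for_serial(serial: int, size: int = PARTITION_SIZE) -> str:
    """CA side: certificates 1..size go to partition 0001, size+1..2*size to 0002, ..."""
    if serial < 1:
        raise ValueError("this scheme numbers certificates from 1")
    partition = (serial - 1) // size + 1
    return f"{CDP_BASE}myca-{partition:04d}.crl"


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: FrozenSet[int]


@dataclass(frozen=True)
class Cert:
    serial: int
    cdp: str            # the single CDP URL written into the certificate


class CrlCache:
    """One cached CRL per distribution-point URL.

    `fetch` is a hypothetical transport (url -> Crl). nextUpdate is treated
    as an expiry date, the interpretation most verifiers apply.
    """

    def __init__(self, fetch: Callable[[str], Crl]) -> None:
        self._fetch = fetch
        self._store: Dict[str, Crl] = {}
        self.fetches = 0

    def crl_for(self, url: str, now: datetime) -> Crl:
        crl = self._store.get(url)
        if crl is None or now >= crl.next_update:
            crl = self._fetch(url)
            self._store[url] = crl
            self.fetches += 1
        return crl

    def is_revoked(self, cert: Cert, now: datetime) -> bool:
        # Only the partition named in the certificate is consulted.
        return cert.serial in self.crl_for(cert.cdp, now).revoked


# --- constructed sample data: what the CA would publish at each CDP ----------
T0 = datetime(2008, 10, 15, tzinfo=timezone.utc)
PUBLISHED: Dict[str, Crl] = {
    cdp_for_serial(1):   Crl(T0, T0 + timedelta(days=7), frozenset({42, 77})),
    cdp_for_serial(101): Crl(T0, T0 + timedelta(days=7), frozenset({150})),
    cdp_for_serial(201): Crl(T0, T0 + timedelta(days=7), frozenset()),
}


def fetch_crl(url: str) -> Crl:
    """Stand-in for an HTTP GET of the CDP (constructed)."""
    try:
        return PUBLISHED[url]
    except KeyError:
        raise OSError(f"no CRL published at {url}") from None


def validate_sample() -> Dict[int, bool]:
    """Check a few constructed certificates; returns serial -> revoked?"""
    cache = CrlCache(fetch_crl)
    now = T0 + timedelta(days=1)
    certs = [Cert(s, cdp_for_serial(s)) for s in (42, 100, 101, 150, 250)]
    return {c.serial: cache.is_revoked(c, now) for c in certs}


def cache_behaviour() -> Dict[str, int]:
    """One partition is fetched once while current and refetched once expired."""
    cache = CrlCache(fetch_crl)
    now = T0 + timedelta(days=1)
    cache.is_revoked(Cert(42, cdp_for_serial(42)), now)
    cache.is_revoked(Cert(77, cdp_for_serial(77)), now)   # same partition: cache hit
    while_current = cache.fetches
    cache.is_revoked(Cert(42, cdp_for_serial(42)), now + timedelta(days=7))  # past nextUpdate
    return {"while_current": while_current, "after_expiry": cache.fetches}


if __name__ == "__main__":
    for serial, revoked in validate_sample().items():
        print(f"serial {serial:4d} -> {cdp_for_serial(serial)} -> "
              f"{'REVOKED' if revoked else 'good'}")
```

The operational cost of the scheme is visible in `PUBLISHED`: every partition whose certificates may still be in use must stay published and fresh, since a verifier that cannot fetch the one partition its certificate names gets no answer at all.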

Brian Komar

Oct 16, 2008, 4:51:27 AM
No. (but kind of)
The only supported way to partition CRLs in the MS PKI is to re-key (renew
with a new key pair) the CA certificate more frequently.
Separate CRLs are maintained for each CRL.
If the default name of %3%8%9.crl is used, the %9 option will apply a
versioning number to the CRL.
So the successive CRL names would be:

MYCA.crl
MYCA(1).crl
MYCA(2).crl

You could choose to renew at regular intervals, or in your case, renew for
each X certificates issued.
This will add management overhead though, as all *active* CRLs (still time
valid) must be published to the CDP locations.

Brian

"Nuno Ponte" <nuno....@gmail.com> wrote in message
news:c786e7cf-1267-4f91...@s20g2000prd.googlegroups.com...

Nuno Ponte

Oct 17, 2008, 8:02:34 AM
Brian,

Thanks for your reply.

The CA is not a Microsoft CA. It's an open source CA, so we can
develop new functionalities.
My question is about the ability for IIS and IE to support such a
partitioning scheme at validation time of a certificate. I am trying
to figure out if there is support from the applications before
starting to implement it.

Regards,

Nuno

Paul Adare - MVP

Oct 17, 2008, 8:18:59 AM
On Fri, 17 Oct 2008 05:02:34 -0700 (PDT), Nuno Ponte wrote:

> The CA is not a Microsoft CA. It's an open source CA, so we can
> develop new functionalities.
> My question is about the ability for IIS and IE to support such a
> partitioning scheme at validation time of a certificate. I am trying
> to figure out if there is support from the applications before
> starting to implement it.

Both of those applications use the crypto functions built into the OS, and
the crypto functions built into the OS are RFC compliant. As long as what
you're trying to do is also RFC compliant then there shouldn't be a
problem.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca

Nuno Ponte

Oct 20, 2008, 10:54:10 AM

The problem is that sometimes standards are not clear enough, leading
to ad-hoc interpretations (and implementations). :-(

For example, in RFC 3280, the definition for the CRL "nextUpdate" field
does not clearly state it is an expiry date (such as the notAfter
field on certificates), but most of the people interpret (and
implement) it in fact as an expiry date
(http://www.imc.org/ietf-pkix/mail-archive/msg03166.html).
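An added example, not from the thread, of what the two readings of nextUpdate mean for a verifier: the "expiry" reading treats a CRL past nextUpdate as unusable and fails closed when no current CRL can be fetched, while the "next scheduled issuance" reading keeps using the stale CRL and therefore misses anything revoked since. The `Crl` type, the `fetch_*` stand-ins, the status names and the sample times are constructed; they model no particular product's behaviour.

```python
"""Two readings of the CRL nextUpdate field (constructed example).

Reading A (most implementations): nextUpdate is an expiry date; a CRL is
usable only while thisUpdate <= now < nextUpdate.
Reading B: nextUpdate is merely when the next CRL is expected; an old CRL
remains the best available information.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, FrozenSet, Optional


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNDETERMINED = "undetermined"   # no usable CRL: the caller should fail closed


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: FrozenSet[int]


def is_current(crl: Crl, now: datetime) -> bool:
    """Reading A: the CRL's validity window, nextUpdate exclusive."""
    return crl.this_update <= now < crl.next_update


def lookup(crl: Crl, serial: int) -> Status:
    return Status.REVOKED if serial in crl.revoked else Status.GOOD


def check_strict(serial: int, cached: Optional[Crl], now: datetime,
                 fetch: Callable[[], Optional[Crl]]) -> Status:
    """Reading A. An expired cached CRL is not evidence; refresh, and if no
    current CRL can be obtained report UNDETERMINED rather than guessing."""
    crl = cached
    if crl is None or not is_current(crl, now):
        crl = fetch()
    if crl is None or not is_current(crl, now):
        return Status.UNDETERMINED
    return lookup(crl, serial)


def check_lenient(serial: int, cached: Optional[Crl], now: datetime,
                  fetch: Callable[[], Optional[Crl]]) -> Status:
    """Reading B. Try to refresh past nextUpdate, but fall back to the stale
    CRL; a revocation published after its thisUpdate is invisible here."""
    crl = cached
    if crl is None or now >= crl.next_update:
        crl = fetch() or cached
    if crl is None:
        return Status.UNDETERMINED
    return lookup(crl, serial)


# --- constructed scenario ----------------------------------------------------
T0 = datetime(2008, 10, 15, tzinfo=timezone.utc)
OLD_CRL = Crl(T0, T0 + timedelta(days=7), frozenset({1234}))
# Successor CRL, issued a week later, adds serial 5678.
NEW_CRL = Crl(T0 + timedelta(days=7), T0 + timedelta(days=14), frozenset({1234, 5678}))


def fetch_unavailable() -> Optional[Crl]:
    """CDP unreachable (constructed)."""
    return None


def fetch_new() -> Optional[Crl]:
    """CDP reachable and serving the successor CRL (constructed)."""
    return NEW_CRL


def scenario() -> dict:
    """Compare both readings with a cached CRL that expired yesterday."""
    now = T0 + timedelta(days=8)
    return {
        # 5678 was revoked in the successor CRL the cache has not seen yet.
        "strict_offline": check_strict(5678, OLD_CRL, now, fetch_unavailable).value,
        "lenient_offline": check_lenient(5678, OLD_CRL, now, fetch_unavailable).value,
        "strict_online": check_strict(5678, OLD_CRL, now, fetch_new).value,
        "lenient_online": check_lenient(5678, OLD_CRL, now, fetch_new).value,
        # Inside the validity window both readings agree.
        "fresh": check_strict(1234, OLD_CRL, T0 + timedelta(days=1), fetch_unavailable).value,
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:16s} -> {result}")
```

The `lenient_offline` case is the one that matters: with the CDP unreachable, reading B answers "good" for a certificate that the CA has already revoked, whereas reading A refuses to answer. Whichever reading a verifier implements, the CA side has to publish the successor CRL before the predecessor's nextUpdate, or reading A will start rejecting everything the CA issued.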

Paul Adare

Oct 21, 2008, 11:10:45 AM
On Mon, 20 Oct 2008 07:54:10 -0700 (PDT), Nuno Ponte wrote:

> The problem is that sometimes standards are not clear enough, leading
> to ad-hoc interpretations (and implementations). :-(

Then I think at this point you're either going to have to open a support
case with Microsoft or simply test this yourself.

pritham ym

Mar 1, 2022, 7:35:11 AM
Hi, this is Pritham. I need to create a CRL partition; please provide me a step-by-step document to implement it in my setup. Please do it ASAP.