Assumption
Suppose I have a CA that issues a base and a Freshest CRL. I also understand the Freshest CRL to be a delta of revoked certs in the base. I also understand that clients should pull the delta/freshest CRL on a more frequent (how frequent?) basis than the base CRL. If this is incorrect, then this question is invalid.
Scenario
When I look at a delta CRL, there doesn't seem to be any information that links it (the Freshest CRL) to a specific base.
Given that information, if a base CRL is reissued (and new revoked certs are added) and the freshest CRL is 'reset', from the perspective of a validating client, there doesn't appear to be a way to know that the base CRL has been updated.
This would, in my mind, cause clients to miss revoked certs.
Question
If I reissue the base CRL early (in Microsoft CA lingo, certutil -crl), any client still using the old CRL will miss out on revocations it expects in the delta. This error would occur until the next update, when the base CRL is re-downloaded.
Is that a valid scenario? Am I missing something? Is there a mitigation?
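As an added example, not part of the original post: the linkage a validating client uses is the Delta CRL Indicator extension (RFC 5280 §5.2.4), which carries the CRL Number (RFC 5280 §5.2.3) of the base CRL the delta was built on. The Python below, written against the cryptography library, builds a base and a delta CRL with a throwaway CA key, constructed serial numbers and fixed dates, combines them, and then replays the early-reissue scenario: when the delta's BaseCRLNumber is higher than the CRL Number of the base the client still holds, the client can tell its base is stale and refetch it instead of silently missing revocations. The names build_crl, combine, StaleBaseCRL and demo, the issuer name and the serial numbers are this example's own assumptions.

```python
# Added example, not from the original post: tie a delta CRL to its base CRL
# the way RFC 5280 prescribes (CRL Number, 5.2.3; Delta CRL Indicator, 5.2.4)
# and detect a client whose cached base is too old for the delta it fetched.
# The CA key, issuer name, dates and serial numbers are constructed for the demo.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Issuing CA")])
NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)


class StaleBaseCRL(Exception):
    """The delta was built on a newer base than the one the client holds."""


def new_ca_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_crl(key, number, revoked_serials, base_number=None):
    """Sign a complete CRL (base_number None) or a delta that points at base_number."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ISSUER)
        .last_update(NOW)
        .next_update(NOW + datetime.timedelta(days=1))
        .add_extension(x509.CRLNumber(number), critical=False)
    )
    if base_number is not None:
        # RFC 5280 requires the Delta CRL Indicator to be marked critical.
        builder = builder.add_extension(x509.DeltaCRLIndicator(base_number), critical=True)
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(key, hashes.SHA256())


def crl_number(crl):
    return crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number


def is_delta(crl):
    try:
        crl.extensions.get_extension_for_class(x509.DeltaCRLIndicator)
        return True
    except x509.ExtensionNotFound:
        return False


def combine(base, delta, ca_public_key):
    """Return the revoked serials from base + delta, or refuse if the two do not pair."""
    if not (base.is_signature_valid(ca_public_key) and delta.is_signature_valid(ca_public_key)):
        raise ValueError("CRL signature does not verify against the CA key")
    if base.issuer != delta.issuer:
        raise ValueError("base and delta CRL come from different issuers")
    if is_delta(base) or not is_delta(delta):
        raise ValueError("combine() needs a complete CRL and a delta CRL, in that order")
    held = crl_number(base)
    fresh = crl_number(delta)
    built_on = delta.extensions.get_extension_for_class(x509.DeltaCRLIndicator).value.crl_number
    if built_on > held:
        # The CA reissued the base and "reset" the delta: the cached base is too old.
        raise StaleBaseCRL(f"delta #{fresh} was built on base #{built_on}; client holds base #{held}")
    if fresh <= held:
        raise ValueError("delta CRL is not newer than the base CRL")
    revoked = {entry.serial_number for entry in base}
    for entry in delta:
        try:
            reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
        except x509.ExtensionNotFound:
            reason = None
        if reason == x509.ReasonFlags.remove_from_crl:
            revoked.discard(entry.serial_number)  # certificate released from hold
        else:
            revoked.add(entry.serial_number)
    return revoked


def demo():
    key = new_ca_key()
    pub = key.public_key()
    base1 = build_crl(key, 1, [1000])
    delta1 = build_crl(key, 2, [1001], base_number=1)
    merged = combine(base1, delta1, pub)
    # Early base reissue (certutil -crl): the base absorbs the delta, the next delta is reset.
    base2 = build_crl(key, 3, [1000, 1001, 1002])
    delta2 = build_crl(key, 4, [1003], base_number=3)
    try:
        combine(base1, delta2, pub)
        stale_detected = False
    except StaleBaseCRL:
        stale_detected = True
    refreshed = combine(base2, delta2, pub)
    return merged, stale_detected, refreshed


if __name__ == "__main__":
    print(demo())
```

The check assumes the CA populates both extensions on every CRL, which RFC 5280 requires of a conforming issuer of delta CRLs; a CRL with no CRL Number cannot be paired this way and should be treated as a complete CRL only. Note that per RFC 5280 a delta may be combined with any complete CRL whose number is at least the BaseCRLNumber, which is why the comparison is `built_on > held` rather than an equality test.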