[cabfcert_policy] CRLs for Offline CAs

Ben Wilson ben.wilson at digicert.com
Thu Nov 6 15:16:59 MST 2014


As mentioned this morning, this is an idea of what section 4.9.8 of a CP
could say about pre-generating CRLs for an offline CA:

CRLs shall be published within 4 hours of generation. An off-line Entity
Principal CA allowed to issue routine CRLs with 31-day intervals under
Section 4.9.7 may generate one or more CRLs with a thisUpdate time of up to one
year in the future, provided that such CRL is stored offline in a manner
commensurate with the security afforded the CA and is published only after
and within four hours of the thisUpdate time of the CRL. Such CRL(s) shall
be destroyed and replaced with new CRL(s) in the event that a certificate
issued by that CA needs to be revoked or that CA has been compromised.
Furthermore, each CRL shall be published no later than the time specified in
the nextUpdate field of the previously issued CRL for the same scope.
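
The timing rules in the draft text above can be checked mechanically before a pre-generated batch leaves the signing ceremony. The following is an added example, not part of the original post or of any CA's tooling; the `PregenCrl` record, the function names, the 365-day reading of "one year", and the sample schedule (a CRL every 30 days, each valid for 31 days) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PUBLISH_WINDOW = timedelta(hours=4)    # "within four hours of the thisUpdate time"
MAX_LEAD = timedelta(days=365)         # "up to one year in the future" (365 days assumed)

@dataclass(frozen=True)
class PregenCrl:                       # hypothetical record of one pre-signed CRL
    number: int
    this_update: datetime
    next_update: datetime

def check_batch(generated_at, crls):
    """Return findings for a batch of CRLs signed in one offline ceremony."""
    findings = []
    ordered = sorted(crls, key=lambda c: c.this_update)
    for prev, cur in zip([None] + ordered, ordered):
        if cur.this_update - generated_at > MAX_LEAD:
            findings.append((cur.number, "thisUpdate more than one year after generation"))
        if cur.next_update <= cur.this_update:
            findings.append((cur.number, "nextUpdate not after thisUpdate"))
        # A CRL may not be published before its thisUpdate, so it must start
        # no later than the previous CRL's nextUpdate or coverage lapses.
        if prev is not None and cur.this_update > prev.next_update:
            findings.append((cur.number, "gap after previous CRL's nextUpdate"))
    return findings

def may_publish(crl, now, previous=None):
    """True if publishing `crl` at `now` satisfies the draft's timing rules."""
    in_window = crl.this_update <= now <= crl.this_update + PUBLISH_WINDOW
    before_expiry = previous is None or now <= previous.next_update
    return in_window and before_expiry

def sample_batch(generated_at, count=12, step_days=30, validity_days=31):
    """Constructed sample: one CRL every 30 days, each valid for 31 days."""
    return [PregenCrl(i, generated_at + timedelta(days=step_days * i),
                      generated_at + timedelta(days=step_days * i + validity_days))
            for i in range(1, count + 1)]

if __name__ == "__main__":
    ceremony = datetime(2014, 11, 6, tzinfo=timezone.utc)  # constructed ceremony date
    batch = sample_batch(ceremony)
    print(check_batch(ceremony, batch))
    print(may_publish(batch[1], batch[1].this_update + timedelta(hours=5), batch[0]))
```

The check does not cover the destroy-and-replace rule: if a certificate is revoked or the CA is compromised, the remaining pre-generated CRLs must be withdrawn regardless of what this schedule check reports.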

 
