Re: [pkix] revocation of expired certificates

"David A. Cooper" <david.cooper@nist.gov> Fri, 20 May 2022 15:36 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/lHLp80-yReEHb-TI_9jvg5MbL40>

This earlier discussion thread on the PKIX mail list may be of interest 
to you: 
https://mailarchive.ietf.org/arch/msg/pkix/yWPB8EpMSpBXDlopjg1Z_-HgT2o/

Revoking certificates that have already expired is not something that is 
commonly done. In fact, Section 4.1.2.5 of RFC 5280 notes:

    The certificate validity period is the time interval during which the
    CA warrants that it will maintain information about the status of the
    certificate.

However, as noted in the thread that I referenced, it is possible to 
include expired certificates in a CRL, and it is possible to inform 
relying parties that an expired certificate would be included in the CRL 
if it were revoked.

On 5/20/22 12:05 AM, KATA Tanej - Contractor wrote:
>
> Hi Sir/Madam,
>
> Myself Tanej, from India. I was referring to RFC 5280 but there is no 
> mention of *revocation of expired certificates*. Can you please refer 
> to this RFC or any standard where it is mentioned
>
> Regards Tanej
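Added example, not part of the original message or of any PKIX code: a relying-party check, written with the Python `cryptography` package, showing why a serial number missing from a CRL only says something about an expired certificate when the CRL states that it retains expired entries. It assumes the X.509 `expiredCertsOnCRL` CRL extension (OID 2.5.29.60, a GeneralizedTime), which the message does not name; the CA, serial numbers and dates are constructed.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# id-ce-expiredCertsOnCRL from X.509 (assumed here); the value is a DER GeneralizedTime.
EXPIRED_CERTS_ON_CRL = x509.ObjectIdentifier("2.5.29.60")
FMT = "%Y%m%d%H%M%SZ"

def build_crl(key, issuer, this_update, revoked, retained_since=None):
    """Sign a CRL; retained_since (optional) is advertised via expiredCertsOnCRL."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer)
         .last_update(this_update).next_update(this_update + dt.timedelta(days=7)))
    for serial, when in revoked:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(when).build())
    if retained_since is not None:
        ts = retained_since.strftime(FMT).encode()
        der = bytes([0x18, len(ts)]) + ts  # tag 0x18 = GeneralizedTime
        b = b.add_extension(x509.UnrecognizedExtension(EXPIRED_CERTS_ON_CRL, der), critical=False)
    return b.sign(key, hashes.SHA256())

def status(crl, ca_public_key, serial, not_after):
    """Relying-party view of one certificate: 'revoked', 'good' or 'unknown'."""
    if not crl.is_signature_valid(ca_public_key):
        raise ValueError("CRL signature does not verify")
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    this_update = (getattr(crl, "last_update_utc", None) or crl.last_update).replace(tzinfo=None)
    if not_after >= this_update:
        return "good"  # unexpired when the CRL was issued, so absence is meaningful
    try:
        raw = crl.extensions.get_extension_for_oid(EXPIRED_CERTS_ON_CRL).value.value
    except x509.ExtensionNotFound:
        return "unknown"  # the CA may have dropped the entry once the certificate expired
    retained_since = dt.datetime.strptime(raw[2:].decode(), FMT)
    return "good" if not_after >= retained_since else "unknown"

# Constructed sample data: a throwaway CA and certificates that expired on 2022-03-01.
KEY = ec.generate_private_key(ec.SECP256R1())
CA = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
NOW, EXPIRY = dt.datetime(2022, 5, 20), dt.datetime(2022, 3, 1)
REVOKED = [(1001, dt.datetime(2022, 2, 1))]
PLAIN = build_crl(KEY, CA, NOW, REVOKED)
RETAINING = build_crl(KEY, CA, NOW, REVOKED, retained_since=dt.datetime(2022, 1, 1))
```

For an expired serial that is absent from the list, `status` returns `unknown` against `PLAIN` and `good` against `RETAINING`, provided the certificate expired on or after the advertised date.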