Re: [TLS] [pkix] Possible revocation delay issue with TLS stapling

"Kemp, David P." Fri, 26 March 2010 13:39 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

Another proof that the law of unintended consequences is operating in
full force.  Some time ago, guidance for how CRL nextUpdate should be
populated was discussed here.  One camp suggested that nextUpdate should
actually say when the next CRL would be issued; the other camp suggested
that because some applications treat nextUpdate as an expiration, CRL
issuers should, for example, put nextUpdate 7 days in the future for
CRLs that are actually issued every 24 hours, thereby treating scheduled
CRLs as unscheduled.

Rather than defining a new "suggested expiration" CRL extension for
applications to use as a default, the WG by inaction ratified the
treatment of nextUpdate as a de facto expiration date.  The resulting
confusing consequences were predictable.


-----Original Message-----
From: Jean-Marc Desperrier

One thing I can confirm is that, as often the next CRL is generated
earlier than the next update in the CRL, I've seen one actual CA case
where the policy is such that getting the latest CRL *could* get you a
fresher info than getting an OCSP token.
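The timing argument in this thread, as an added example that is not part of either message: a CA issues CRLs daily but sets nextUpdate seven days out, and a relying party that reads nextUpdate as an expiry date refreshes far later than one that reads it as the next issuance time; the last function is the "which source is fresher" comparison Jean-Marc describes. All dates, intervals and the stapled OCSP response's age are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class RevocationInfo:
    """Freshness fields that a CRL and an OCSP response share (thisUpdate / nextUpdate)."""
    source: str
    this_update: datetime
    next_update: datetime

def _ceil_periods(elapsed: timedelta, period: timedelta) -> int:
    """Smallest n with n * period >= elapsed (timedelta // timedelta floors, so negate twice)."""
    return -(-elapsed // period)

def published_at(revoked_at: datetime, first_issue: datetime, issuance: timedelta) -> datetime:
    """Issue time of the first scheduled CRL that can list a revocation made at revoked_at."""
    return first_issue + _ceil_periods(revoked_at - first_issue, issuance) * issuance

def client_learns(published: datetime, fetched: datetime, refresh: timedelta) -> datetime:
    """First client refresh (fetched, fetched + refresh, ...) at or after publication."""
    if published <= fetched:
        return fetched
    return fetched + _ceil_periods(published - fetched, refresh) * refresh

def detection_delays_hours(revoked_at, first_issue, issuance, next_update_offset):
    """Hours from revocation until a client that fetched the CRL issued at first_issue sees it,
    reading nextUpdate as 'next CRL due then' (refresh every issuance) vs as an expiry date."""
    published = published_at(revoked_at, first_issue, issuance)
    hours = lambda t: (t - revoked_at).total_seconds() / 3600
    return (hours(client_learns(published, first_issue, issuance)),
            hours(client_learns(published, first_issue, next_update_offset)))

def fresher_source(now: datetime, *infos: RevocationInfo) -> str:
    """Of the sources still inside their validity window, the one with the newest thisUpdate."""
    usable = [i for i in infos if i.this_update <= now <= i.next_update]
    if not usable:
        raise ValueError("no revocation information valid at this time")
    return max(usable, key=lambda i: i.this_update).source

def example() -> dict:
    """Constructed scenario: CRLs issued daily with nextUpdate = thisUpdate + 7 days."""
    t0, day = datetime(2010, 3, 20, tzinfo=timezone.utc), timedelta(days=1)
    sched_h, expiry_h = detection_delays_hours(t0 + timedelta(days=2, hours=12), t0, day, 7 * day)
    crl = RevocationInfo("CRL", t0 + 3 * day, t0 + 10 * day)    # CRL published this morning
    ocsp = RevocationInfo("OCSP", t0 + 1 * day, t0 + 8 * day)   # stapled response made 3 days ago
    return {"schedule_h": sched_h, "expiry_h": expiry_h, "fresher": fresher_source(t0 + 4 * day, crl, ocsp)}
```

In the constructed scenario the schedule-reading client learns of the revocation 12 hours after it happens, the expiry-reading client 108 hours after, and the freshly published CRL beats the three-day-old stapled OCSP response.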