11

If a certificate is revoked before its expiry time and added to a CRL, is it removed from the CRL after the certificate validity period expires? RFC 5280 seems to imply this:

A complete CRL lists all unexpired certificates, within its scope, that have been revoked for one of the revocation reasons covered by the CRL scope. A full and complete CRL lists all unexpired certificates issued by a CA that have been revoked for any reason. (Note that since CAs and CRL issuers are identified by name, the scope of a CRL is not affected by the key used to sign the CRL or the key(s) used to sign certificates.)

(page 54)

The removeFromCRL (8) reasonCode value may only appear in delta CRLs and indicates that a certificate is to be removed from a CRL because either the certificate expired or was removed from hold.

(page 69)

However, if this is the case, how would this situation be resolved securely?

  1. A certificate is issued
  2. The cert is compromised and revoked, added to the CRL
  3. The Attacker signs something with the revoked certificate
  4. The certificate expires
  5. The cert is removed from the CRL, clients update their local copies of the CRL
  6. A client receives the data and signature from the attacker and verifies it.

From my understanding, a signature that was created during the validity period (i.e. before expiration) of the certificate will stay valid even after the cert expires, as the cert was valid at that time. So, how would the client determine that the cert was revoked when the signature was created, if the information is no longer part of the CRL?


This question was marked as a potential duplicate of this one. The replies to that question seem to indicate that expired certs are not removed from CRLs. If someone can clear up the discrepancy, I would be grateful.

malexmave
  • 213
  • 1
  • 9
  • 4
    Possible duplicate of [Check signature when next CRL will be published after end of validity of certificate](https://security.stackexchange.com/questions/78794/check-signature-when-next-crl-will-be-published-after-end-of-validity-of-certifi) – Tobi Nary Nov 06 '17 at 09:54
  • 1
    @SmokeDispenser Thanks for the pointer. One answer states "An entry MUST NOT be removed from the CRL until it appears on one regularly scheduled CRL issued beyond the revoked certificate's validity period." which seems to contradict the quotes from the RFC above. Can you clear up the apparent contradiction? – malexmave Nov 06 '17 at 09:58
  • @SmokeDispenser is correct. Certificates remain until one update from expiry. This is so that if a certificate is revoked just before expiry clients are still notified that it was revoked. This means that anyone with a full CRL history for every certificate they trust can correctly verify all documents signed with that certificate. – Hector Nov 06 '17 at 10:20

1 Answer

8

This is default behavior for most CRLs. And yes, it leads to the issue you have mentioned. In practice many systems have workarounds. It's a delicate situation because CRL bloat is a big issue in its own right.

For SSL this isn't an issue - the expired certificate would be rejected because you expect the server to sign on request.

ADCS (Active Directory Certificate Services) has a flag to indicate whether a certificate revocation should remain in the list permanently.


*As per my comment, default behaviour differs slightly from your posted explanation. As pointed out by @SmokeDispenser, certificates remain until one update from expiry.

Hector
  • 10,893
  • 3
  • 41
  • 44
  • I guess there is also the subtlety here that really, you shouldn't trust any digital signature you are reading after the period of expiry of the signing certificate, unless you have separate certification of the time at which the digital signature was actually made. Since someone evil who stole your certificate could of course fraudulently sign claiming a time before the theft actually occurred. – Keeley Hoek Jan 01 '22 at 07:00
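The retention rule discussed in the comments and the answer (a revoked certificate stays on the CRL until it has appeared on one regularly scheduled CRL issued after its expiry) and the question's six-step scenario can be modelled in a few lines. The following is an added example written for this page, not code from the RFC, from ADCS or from any poster: it assumes a weekly CRL schedule and uses constructed serial numbers and dates, and it takes the signing time from a trusted source (a timestamp token, as Keeley Hoek's comment suggests) rather than from the signer's own claim. It shows why a verifier with the full CRL history can still reject the attacker's signature, while a client that only fetched CRLs after the entry was dropped cannot decide.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# All timestamps are naive datetimes interpreted as UTC (constructed sample data).


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    revocation_date: datetime
    reason: str = "unspecified"  # RFC 5280 reasonCode name


@dataclass
class Crl:
    this_update: datetime
    next_update: datetime
    entries: Dict[int, CrlEntry] = field(default_factory=dict)


def retained(cert: Cert, this_update: datetime, interval: timedelta) -> bool:
    """Retention rule: a revoked certificate stays listed while it is unexpired
    and on the first regularly scheduled CRL issued after its notAfter; the CRL
    after that one may drop it."""
    previous_update = this_update - interval
    return cert.not_after > previous_update


def build_crl(this_update: datetime, interval: timedelta,
              certs: Dict[int, Cert], revocations: Dict[int, CrlEntry]) -> Crl:
    """Issue the scheduled CRL for `this_update` from the CA's complete
    revocation record (`revocations`: serial -> CrlEntry)."""
    entries = {
        serial: entry
        for serial, entry in revocations.items()
        if entry.revocation_date <= this_update
        and retained(certs[serial], this_update, interval)
    }
    return Crl(this_update, this_update + interval, entries)


def build_archive(first_update: datetime, last_update: datetime, interval: timedelta,
                  certs: Dict[int, Cert], revocations: Dict[int, CrlEntry]) -> List[Crl]:
    """Every scheduled CRL between the two dates, as a client keeping a full
    CRL history would hold them."""
    archive, t = [], first_update
    while t <= last_update:
        archive.append(build_crl(t, interval, certs, revocations))
        t += interval
    return archive


def signature_status(cert: Cert, signing_time: datetime, archive: List[Crl],
                     interval: timedelta) -> str:
    """Decide whether a signature made at `signing_time` (from a trusted
    timestamp) should be accepted, given the CRLs the verifier has archived."""
    if not (cert.not_before <= signing_time <= cert.not_after):
        return "OUTSIDE_VALIDITY"
    # Only CRLs issued at or after the signing time, and early enough that the
    # entry could not yet have been dropped, can answer the question.
    usable = [c for c in archive
              if c.this_update >= signing_time and retained(cert, c.this_update, interval)]
    if not usable:
        return "UNDETERMINED"  # the entry may already have been dropped: do not trust
    crl = max(usable, key=lambda c: c.this_update)  # latest CRL that still carries it
    entry = crl.entries.get(cert.serial)
    if entry is None:
        return "GOOD"
    # A key compromise taints every signature, since the true compromise time
    # is unknown; other reasons only affect signatures after the revocation date.
    if entry.reason == "keyCompromise" or entry.revocation_date <= signing_time:
        return "REVOKED"
    return "GOOD"


# Constructed scenario mirroring the question: serial 42 is compromised and
# revoked mid-2017, the attacker signs two weeks later, the cert expires at
# year end; serial 43 is a never-revoked sibling.
WEEK = timedelta(days=7)
CERTS = {42: Cert(42, datetime(2017, 1, 1), datetime(2017, 12, 31)),
         43: Cert(43, datetime(2017, 1, 1), datetime(2017, 12, 31))}
REVOCATIONS = {42: CrlEntry(42, datetime(2017, 6, 1), "keyCompromise")}
FULL_ARCHIVE = build_archive(datetime(2017, 1, 2), datetime(2018, 2, 5), WEEK, CERTS, REVOCATIONS)
LATE_ARCHIVE = [c for c in FULL_ARCHIVE if c.this_update >= datetime(2018, 1, 8)]


def crl_on(archive: List[Crl], day: datetime) -> Crl:
    return next(c for c in archive if c.this_update == day)


if __name__ == "__main__":
    for day in (datetime(2017, 12, 25), datetime(2018, 1, 1), datetime(2018, 1, 8)):
        print(day.date(), "lists 42:", 42 in crl_on(FULL_ARCHIVE, day).entries)
    signed = datetime(2017, 6, 15)
    print("full history :", signature_status(CERTS[42], signed, FULL_ARCHIVE, WEEK))
    print("late client  :", signature_status(CERTS[42], signed, LATE_ARCHIVE, WEEK))
```

Running it shows the entry present on the last pre-expiry CRL and on the first one issued after 31 December, then gone from the 8 January CRL; a verifier holding the full history reports REVOKED for the attacker's June signature, while a client whose earliest CRL is from 8 January can only report UNDETERMINED, which is the situation the question describes and the reason long-term signature validation keeps archived CRLs (or OCSP responses) alongside the timestamp.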