
My situation looks like this:

I have to verify a signature on a document. For this I will wait until the next CRL is published to check that the involved certificate was not revoked. But what if the certificate expires (notAfter in the Validity field of the certificate) before the next update of the CRL?

Schematically:

  1. CRL publishing
  2. Signature creation
  3. Certificate expiration (notAfter time of certificate)
  4. CRL publishing

Suppose the certificate was revoked between (1) and (4). I think it won't be in CRL (4) because it is not valid any more. But in this type of scenario I cannot validate the signature, or can I?

Mumbar

2 Answers


You are not the first to think of this. See the last sentence in PKIX rfc5280 3.3

X.509 defines one method of certificate revocation. This method involves each CA periodically issuing a signed data structure called a certificate revocation list (CRL). A CRL is a time-stamped list ... A new CRL is issued on a regular periodic basis (e.g., hourly, daily, or weekly). An entry is added to the CRL as part of the next update following notification of revocation. An entry MUST NOT be removed from the CRL until it appears on one regularly scheduled CRL issued beyond the revoked certificate's validity period.

PS: The noun is "revocation" but the verb is "revoke" and past tense "revoked".

dave_thompson_085

You should see the problem differently. If the certificate was revoked between (1) and (4), you will still be able to verify the signature in any case. The real issue is: was the certificate of the signer valid at the time of signature? From the date of expiration, the certificate is no longer valid because it is no longer "certified" by its CA, due to the certificate lifetime (this does not imply that the private key is compromised).

I hope this helps.

crypto-learner
  • "The real issue is: was the certificate of the signer valid at the time of signature?" - Yes, exactly. But I don't see how I can answer this question. – Mumbar Jan 14 '15 at 10:49
  • Have a look at the signature date! – crypto-learner Jan 14 '15 at 12:38
  • How will it help me to determine whether the certificate was valid at the time of signature? – Mumbar Jan 14 '15 at 13:56
  • Compare it with the expiration date of the certificate; if it was valid at signature time, you have your answer! You don't have to "wait" until the next CRL. – crypto-learner Jan 14 '15 at 14:33
  • First the signature was created and then the certificate expired. That is clear from my question. But that is not enough to be sure that the signature is valid. You have to be sure that the certificate was not revoked at the time of signature creation (and for that you can use a CRL or OCSP - in my case only CRL is possible). Suppose that the certificate was revoked just before signature creation. In this case the signature is not valid! But how can I find out that the certificate was revoked when it expires before the next CRL is released? – Mumbar Jan 14 '15 at 15:07
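Added worked example, written for this page and not taken from either answer: a small Python model of the timeline in the question. It assumes the signing time comes from a trusted source such as an RFC 3161 timestamp token (a signer-asserted time proves nothing), that the CRL's signature and scope have already been verified, and it uses constructed dates. `may_drop_entry` encodes the retention rule quoted from RFC 5280 3.3 in the first answer (the entry stays until it has appeared on one scheduled CRL issued after notAfter), and `cert_status_at` is the verifier-side decision the second answer's comments argue about: checking notAfter against the signing time is necessary but not sufficient; you also need a CRL whose thisUpdate is at or after the signing time, which is exactly CRL (4) in the question, and thanks to the retention rule the revocation entry will still be on it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed reference time for the sample timeline (day 0 = CRL (1) in the question).
T0 = datetime(2015, 1, 1, tzinfo=timezone.utc)


def day(n: int) -> datetime:
    return T0 + timedelta(days=n)


@dataclass
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime                    # CRL entry field (RFC 5280 5.1.2.6)
    invalidity_date: Optional[datetime] = None   # optional entry extension (RFC 5280 5.3.2)


@dataclass
class CRL:
    this_update: datetime
    next_update: datetime
    entries: List[RevokedEntry] = field(default_factory=list)


def may_drop_entry(cert_not_after: datetime, crls_carrying_entry: List[CRL]) -> bool:
    """CA side. RFC 5280 3.3: an entry MUST NOT be removed until it has appeared on
    one regularly scheduled CRL issued beyond the certificate's validity period.
    `crls_carrying_entry` are the earlier CRLs on which this entry was published."""
    return any(c.this_update > cert_not_after for c in crls_carrying_entry)


def cert_status_at(cert: Cert, signing_time: datetime, crl: CRL) -> str:
    """Verifier side. `signing_time` is assumed to be trusted (e.g. RFC 3161 timestamp)."""
    # Step 1 (the second answer's point): the certificate must be inside its
    # validity period at the moment of signing.
    if not (cert.not_before <= signing_time <= cert.not_after):
        return "cert-not-valid-at-signing-time"
    # Step 2: a CRL issued before the signing time cannot tell us anything about
    # revocations that happened between its thisUpdate and the signing time.
    if crl.this_update < signing_time:
        return "indeterminate"
    # Step 3: the CRL is recent enough; look for the serial number.
    for e in crl.entries:
        if e.serial == cert.serial:
            # If the CA recorded when the key was actually compromised, use that;
            # otherwise fall back to the date the CA processed the revocation.
            effective = e.invalidity_date or e.revocation_date
            return "revoked-before-signing" if effective <= signing_time else "revoked-after-signing"
    return "good"


def sample_timeline() -> dict:
    """Constructed instance of the question's schedule: CRL (1) day 0, signing day 3,
    notAfter day 5, CRL (4) day 7; the certificate is revoked on day 2."""
    cert = Cert(serial=0x1234, not_before=day(-100), not_after=day(5))
    signing_time = day(3)
    entry = RevokedEntry(serial=cert.serial, revocation_date=day(2))
    crl1 = CRL(this_update=day(0), next_update=day(7))            # published before revocation
    crl2 = CRL(this_update=day(7), next_update=day(14), entries=[entry])
    # Variant: revoked only on day 4, i.e. after the signature was made.
    late = CRL(this_update=day(7), next_update=day(14),
               entries=[RevokedEntry(cert.serial, revocation_date=day(4))])
    # Variant: revoked on day 4 for key compromise, with invalidityDate back-dated to day 1.
    backdated = CRL(this_update=day(7), next_update=day(14),
                    entries=[RevokedEntry(cert.serial, revocation_date=day(4),
                                          invalidity_date=day(1))])
    return {
        "with_crl1": cert_status_at(cert, signing_time, crl1),
        "with_crl2": cert_status_at(cert, signing_time, crl2),
        "late_revocation": cert_status_at(cert, signing_time, late),
        "backdated_compromise": cert_status_at(cert, signing_time, backdated),
        # When issuing CRL (4) on day 7 the entry has appeared on no CRL yet: it must be listed
        # even though the certificate expired on day 5.
        "crl2_must_list": not may_drop_entry(cert.not_after, []),
        # When issuing the following CRL on day 14, CRL (4) (day 7 > day 5) already carried it.
        "crl3_may_drop": may_drop_entry(cert.not_after, [crl2]),
    }


if __name__ == "__main__":
    for k, v in sample_timeline().items():
        print(f"{k}: {v}")
```

The `indeterminate` result with CRL (1) is the reason the question's approach of waiting is the right one: a CRL issued before the signing time cannot rule out a revocation processed after it. The `backdated_compromise` variant is the practitioner's caveat: for keyCompromise the CA may set an invalidityDate earlier than the revocationDate, and a verifier that only compares revocationDate with the signing time would wrongly accept the signature.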