Can revoked certificates be "lost" if the base CRL is updated before expiration?

Question

Assumption

Suppose I have a CA that issues a base and a Freshest CRL. I also understand the Freshest CRL to be a Delta of revoked certs in the base. I also understand that clients should pull the delta/freshest CRL on a more frequent (how frequent) basis than the base CRL..If this is incorrect, then this question is invalid.

Scenario

When I look at a delta CRL, there doesn't seem to be any information that links it to the Freshest CRL to a specific base.

Given that information, if a base CRL is reissued (and new revoked certs are added) and the freshest CRL is 'reset', from the perspective of a validating client, there doesn't appear to be a way to know that the base CRL has been updated.

This would, in my mind, cause clients to miss revoked certs.

Question

If I reissue the base CRL early (in Microsoft CA lingo certutil -crl) any client still using the old CRL will miss out on revocations it expects in the delta. This error would occur until next update, when the base CRL is-redownloaded.

Is that a valid scenario? Am I missing something? Is there a mitigation?

Answer 1

Base and delta CRL are linked together through the CRL Number. The "CRL number" is a monotonically increasing integer that, roughly speaking, characterizes the age of the information contained in the CRL.

From the point of view of the validator (the "client"), a delta CRL can never be used alone, but only in combination with a base CRL, subject to the conditions listed in section 5.2.4. Basically:

• A non-delta CRL contains a number b in its CRL Number extension.
• A delta CRL contains a number d in its CRL Number extension and a "base CRL number" e in its Delta CRL Indicator extension.
• The delta and non-delta CRL can be combined only if d > b ≥ e.

In simple terms, the delta CRL contains all the information about revocations that occurred before instant d and after instant e. Thus, the delta can be combined with the non-delta CRL only if the non-delta contains information that dates from some moment within that range; otherwise, some revocation may be missed.

(The combination is deemed equivalent to a complete CRL from instant d, and it can be used as "base CRL" for further delta CRL merging, recursively.)

An important point to realize is that revocation is, nominally, a one-way trip: certificates cannot be "unrevoked". Hence, if a CRL specifies that a given certificate is revoked, then further CRL from the same source will also list that certificate as revoked (until the certificate expires). (There is a special revocation reason code that is called "remove from CRL" and tries to work as some form of unrevocation, but it does not work well in practice.)

The Freshest CRL extension, if present, notifies the client of the existence and location of delta CRL that may be used to "freshen" a CRL at (supposedly) low cost (since delta CRL are meant to be short). That extension may appear in a certificate or in a base CRL. When that extension is present, some implementation will insist on obtaining a delta CRL that can be combined with a base CRL (subject to the rules explained above) and will reject the certificate if they just obtain a complete CRL.

Microsoft's PKI (Active Directory Certificate Services), when configured to produce delta CRL, will systematically issue a new, empty delta CRL when it issues a non-delta CRL, thus maintaining the property than whenever a non-delta CRL exists, a formally newer (higher "CRL number") delta CRL is available as well. Clients who get an "updated base CRL" will refuse to combine it with an older delta CRL, but will download the new delta CRL.

Answer 2

Actually the Base CRL will have the next update time for each issuance. So the client who is verifying the CRL will first validate the signature and then the next update CRL time. In your case, if the client is using the old CRL , it will miss the new CRL entries. but for this scenario, the client needs to verify the server who issuing the base CRL regularly with the next update time of the particular time to get the latest CRL always.