0

I understand that each public key certificate includes an expiration time, and a CRL is issued periodically, listing all currently revoked certificates. However, in class we were told to think about whether or not we still needed expiration time in each certificate assuming a revocation check is always performed. I feel like we would still need an expiration time in each certificate because then, how would we know when a certificate is revoked?

If anyone could help broaden my mindset, it would be much appreciated.

ashley
  • 1

2 Answers

3

Delivering the existing CRLs is a significant cost for the CAs! Here you can see some information about costs.

[...] CRL grow to approximately 4.7MB in size from approximately 22KB [...] around 40Gbps of net new traffic across the Internet [...] the traffic to deliver the CRL would have added $400,000USD to Globalsign's monthly bandwidth bill

If certificates would not expire, CRLs would grow forever and never shrink!

Josef
  • 5,933
  • 26
  • 34
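To make the "CRLs would grow forever" point concrete, here is a small simulation, added as an example and not part of Josef's answer or of the GlobalSign figures quoted above. It models a CA that issues a fixed number of certificates per day, revokes a random fraction of the outstanding ones, and (as RFC 5280 permits) drops a revoked certificate from the CRL once it has expired. The issue rate, revocation probability and lifetime are constructed parameters; running the model with `lifetime_days=None` is the "certificates never expire" case.

```python
"""CRL size over time, with and without certificate expiry (added example)."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Cert:
    serial: int
    not_after: Optional[int]  # day on which the cert expires; None = never expires


def simulate_crl_size(days: int, issued_per_day: int, revoke_prob: float,
                      lifetime_days: Optional[int], seed: int = 0) -> List[int]:
    """Return the number of CRL entries at the end of each simulated day.

    revoke_prob is the per-day probability that an outstanding, unrevoked
    certificate gets revoked (a constructed assumption for the model).
    """
    rng = random.Random(seed)
    live: List[Cert] = []           # issued, not revoked, not expired
    crl: Dict[int, Optional[int]] = {}  # serial -> not_after of the revoked cert
    next_serial = 0
    sizes: List[int] = []

    for day in range(days):
        # Issue today's batch of certificates.
        for _ in range(issued_per_day):
            not_after = None if lifetime_days is None else day + lifetime_days
            live.append(Cert(next_serial, not_after))
            next_serial += 1

        # Some outstanding certificates are revoked and land on the CRL.
        still_live = []
        for cert in live:
            if rng.random() < revoke_prob:
                crl[cert.serial] = cert.not_after
            else:
                still_live.append(cert)

        # Expired certificates leave both the live set and the CRL: a relying
        # party rejects them on the notAfter date alone, so listing them is
        # pointless. Without an expiry date this step removes nothing.
        live = [c for c in still_live if c.not_after is None or c.not_after > day]
        crl = {s: exp for s, exp in crl.items() if exp is None or exp > day}
        sizes.append(len(crl))

    return sizes


def crl_entry_upper_bound(issued_per_day: int, lifetime_days: int) -> int:
    """With expiry, the CRL can never list more certificates than were issued
    during the last `lifetime_days` days, whatever the revocation rate."""
    return issued_per_day * lifetime_days


if __name__ == "__main__":
    expiring = simulate_crl_size(days=3000, issued_per_day=100,
                                 revoke_prob=0.001, lifetime_days=365)
    forever = simulate_crl_size(days=3000, issued_per_day=100,
                                revoke_prob=0.001, lifetime_days=None)
    print("CRL entries after 3000 days, 1-year certs :", expiring[-1])
    print("CRL entries after 3000 days, no expiry    :", forever[-1])
    print("hard upper bound with 1-year certs        :",
          crl_entry_upper_bound(100, 365))
```

With expiry the entry count levels off (it is bounded by issued_per_day times lifetime_days, and in practice sits well below that); without expiry the count is monotonically non-decreasing, so the per-download cost described in the quote keeps rising for as long as the CA operates.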
0

The expiration date in certs can be consulted when either the client or the CA is offline. This can be useful, for example, when the CA is upgrading their software infrastructure.

CRL or OCSP are, by their nature, online checks that trade reliability for timeliness.

DannyNiu
  • 350
  • 2
  • 14