Re: Certificate revokation
From: Lars Olaussen (Isolauss_at_hotmail.com)
Date: Sun, 12 Sep 2004 11:53:15 +0200
> Is there a way to revoke a certificate and that the revokation
> will be immediately?
The revocation will be in effect when you issue the first CRL after
revocating the certificate.
But, as Miha pointed out, the old CRL will probably have a lifetime
that extends past the newly issued CRL, and for all users, client
computers and servers who have cached the old CRL, the publication
of the new revocation will not be noticed untill the old CRL has
So, if you by "revocation will be immediately" mean that the
certificate will be rejected immediately, you will have to use a
OCSP (Online Certificate Status Protocol) service (not provided by
As Miha pointed out, and I have pointed out in previous discussions
regarding the use of CRLs, you will have to use other means to
prevent the revoked user access. Certificates are used for
authentication. For authorization, you probably have Active
If you still feel that revocation is the only way to achieve your
goal, the you could reduce the CRL lifetime and publication
interval. Just remember to take network propagation (domain
replication) in account, so a live CRL would always be available.
For an issuing CA, I would recommend a lifetime of two hours, with
one hour publication interval. Even with three domain replication
intervals (45mins) you would have more than one hour lifetime left
of the CRL. But it also means that you would still have up to two
hours in which your revoked certificate still can be used.