View Issue Details

ID: 0001306
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2018-06-13 21:04
Reporter: wytze
Assigned To: GuKKDevel
Priority: normal
Severity: major
Reproducibility: always
Status: fix available
Resolution: open
Product Version: 2014 Q3
Target Version:
Fixed in Version:
Summary: 0001306: expired certificates should not be listed in the CAcert CRLs
Description: The size of the current CAcert Class1 CRL (http://crl.cacert.org/revoke.crl) is 6.5 megabyte. Even the CAcert Class3 CRL (http://crl.cacert.org/class3-revoke.crl) is already 0.75 megabyte. This is causing an unacceptably huge amount of CRL download traffic (currently over 130 GB *per day*). In addition, it is causing verification failures for certain clients, e.g. the Microsoft Crypto API, due to the long time required for downloading the CRL.

The main cause for the large size of the CRLs is the inclusion of *all* certificates revoked since the start of CAcert (in 2003) in there. As a result, most of the certs listed as revoked have expired a long time ago already, and are thus invalid anyway. There is no RFC requirement to include such expired certs in the CRL; omitting them will result in CRLs of a much more manageable size.
Steps To Reproduce: The attached logfile shows an example of failure on the Microsoft platform for the command:
    certutil -f -verify -urlfetch -t 30 server.crt
Additional Information: See also http://social.technet.microsoft.com/Forums/windowsserver/en-US/7e69d0d1-1df2-4830-8d22-f887b6261062/cacert-revocation-server-offline?forum=w7itprosecurity
Tags: No tags attached.

Activities

wytze (developer), 2014-09-15 14:25

Attached file: crl-size-issue.log (5,228 bytes)

GuKKDevel (updater), 2018-06-06 10:34, note ~0005594

At test.cacert.org a first workaround is available under /home/GuKKDevel/bug-1306/EliminateExpired.pl.

Since the CRL is built from the database file index.txt in the directory named in the config file, the above module reads this file and writes the records either to the file for eliminated records or to the next index.txt file, depending on the date of revocation and expiration. Both are to be younger than 62 days (2 months) in the past.

At this stage, after that, the files index.txt and index.temp.new have to be renamed manually.

dastrath (administrator), 2018-06-06 10:40, note ~0005595

There is a retention time of three months after the last certificate expired/was revoked before an account can be closed for support. I suggest the same duration for CRL.

GuKKDevel (updater), 2018-06-06 10:57, note ~0005597

Agreed, so let's make it 100 days.
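The pruning step GuKKDevel describes (splitting the OpenSSL index.txt into records to keep and records to eliminate by date) with the 100-day window agreed here, as an added Python example; this is not the EliminateExpired.pl module, it assumes the standard OpenSSL CA index.txt layout, and it measures the window from the certificate's expiry date (the point after which a CRL may omit the entry).

```python
# Added example, not the CAcert module: prune an OpenSSL CA index.txt so that
# revoked entries whose certificate expired more than RETENTION_DAYS ago are
# moved to an "eliminated" list before the CRL is generated from the rest.
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 100  # retention window agreed in the tracker discussion

def parse_index_time(value):
    """OpenSSL writes UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    digits = value.rstrip("Z")
    fmt = "%y%m%d%H%M%S" if len(digits) == 12 else "%Y%m%d%H%M%S"
    return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)

def parse_index_line(line):
    """Fields: status, expiry, revocation[,reason], serial, filename, subject DN."""
    status, expiry, revoked, serial, _filename, _subject = line.rstrip("\n").split("\t")
    return {
        "status": status,
        "expiry": parse_index_time(expiry),
        "revoked": parse_index_time(revoked.split(",")[0]) if revoked else None,
        "serial": serial,
    }

def split_index(lines, now, retention_days=RETENTION_DAYS):
    """Return (kept, eliminated) index lines; assumption: window counts from certificate expiry."""
    cutoff = now - timedelta(days=retention_days)
    kept, eliminated = [], []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_index_line(line)
        # Only R records feed the CRL; V and E records are carried over untouched.
        if rec["status"] == "R" and rec["expiry"] < cutoff:
            eliminated.append(line)
        else:
            kept.append(line)
    return kept, eliminated

def crl_serials(lines):
    """Serials a CRL built from these index lines would list."""
    return [parse_index_line(l)["serial"] for l in lines if l.startswith("R\t")]

# Constructed sample index.txt; serials and subjects are made up.
SAMPLE_INDEX = [
    "V\t250601120000Z\t\t1A2B\tunknown\t/CN=valid.example\n",
    "R\t200101120000Z\t190601120000Z,superseded\t1A2C\tunknown\t/CN=old-revoked.example\n",
    "R\t250901120000Z\t240901120000Z\t1A2D\tunknown\t/CN=recent-revoked.example\n",
    "R\t240901000000Z\t240801000000Z,keyCompromise\t1A2E\tunknown\t/CN=just-expired.example\n",
    "E\t200101120000Z\t\t1A2F\tunknown\t/CN=expired.example\n",
]
```

Writing `kept` back as the next index.txt and `eliminated` to the eliminated-records file reproduces the two output files the workaround describes.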

Issue History

Date Modified Username Field Change
2014-09-15 14:25 wytze New Issue
2014-09-15 14:25 wytze File Added: crl-size-issue.log
2018-05-01 12:42 dastrath Assigned To => GuKKDevel
2018-06-06 10:34 GuKKDevel Status new => fix available
2018-06-06 10:34 GuKKDevel Note Added: 0005594
2018-06-06 10:40 dastrath Note Added: 0005595
2018-06-06 10:57 GuKKDevel Note Added: 0005597
2018-06-06 10:58 GuKKDevel Note View State: 0005594: public
2018-06-06 10:58 GuKKDevel Note View State: 0005597: public