View Issue Details

ID: 0001306
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2018-05-01 12:42
Reporter: wytze
Assigned To: GuKKDevel
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 2014 Q3
Target Version:
Fixed in Version:
Summary: 0001306: expired certificates should not be listed in the CAcert CRLs
Description: The size of the current CAcert Class1 CRL (http://crl.cacert.org/revoke.crl) is 6.5 megabyte. Even the CAcert Class3 CRL (http://crl.cacert.org/class3-revoke.crl) is already 0.75 megabyte. This is causing an unacceptably huge amount of CRL download traffic (currently over 130 GB *per day*). In addition, it is causing verification failures for certain clients, e.g. the Microsoft Crypto API, due to the long time required for downloading the CRL.

The main cause for the large size of the CRLs is the inclusion of *all* certificates revoked since the start of CAcert (in 2003). As a result, most of the certs listed as revoked expired a long time ago, and are thus invalid anyway. There is no RFC requirement to include such expired certs in the CRL; omitting them will result in CRLs of a much more manageable size.
Steps To Reproduce: The attached logfile shows an example of failure on the Microsoft platform for the command:
    certutil -f -verify -urlfetch -t 30 server.crt
Additional Information: See also http://social.technet.microsoft.com/Forums/windowsserver/en-US/7e69d0d1-1df2-4830-8d22-f887b6261062/cacert-revocation-server-offline?forum=w7itprosecurity
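The pruning rule the report relies on, as an added example that is not code from this issue or from CAcert's software: RFC 5280 section 3.3 lets a CA drop a revoked certificate from the CRL only once the entry has appeared on one regularly scheduled CRL issued after that certificate's expiry. The record layout, the helper names and the sample serials below are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class RevokedCert:
    """One row from the CA's revocation database (hypothetical schema)."""
    serial: int
    not_after: datetime            # certificate expiry (notAfter)
    revoked_at: datetime           # revocationDate
    # thisUpdate of the latest CRL that carried this entry; None if never listed
    last_crl_listed: Optional[datetime]


def must_still_list(entry: RevokedCert, this_update: datetime) -> bool:
    """RFC 5280 s.3.3: an entry may be dropped only after it has appeared on a
    regularly scheduled CRL issued beyond the certificate's validity period."""
    if entry.revoked_at > this_update:
        return False                   # not yet revoked at this CRL's thisUpdate
    if entry.not_after >= this_update:
        return True                    # certificate still valid: always listed
    # Expired: keep it until a CRL issued after notAfter has already carried it.
    return entry.last_crl_listed is None or entry.last_crl_listed <= entry.not_after


def prune_crl_entries(entries: List[RevokedCert], this_update: datetime) -> List[RevokedCert]:
    """Select the entries for a CRL issued at this_update, sorted by serial."""
    return sorted((e for e in entries if must_still_list(e, this_update)),
                  key=lambda e: e.serial)


def utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample database: serials and dates are made up for illustration.
SAMPLE_DB = [
    RevokedCert(0x10, utc(2015, 1, 1), utc(2014, 6, 1), utc(2014, 9, 14)),      # still valid
    RevokedCert(0x11, utc(2010, 1, 1), utc(2009, 6, 1), utc(2014, 9, 14)),      # expired, already listed after expiry
    RevokedCert(0x12, utc(2014, 9, 14, 12), utc(2014, 9, 1), utc(2014, 9, 14)),  # expired since last CRL: list once more
    RevokedCert(0x13, utc(2010, 1, 1), utc(2009, 6, 1), None),                  # expired but never published: list once
    RevokedCert(0x14, utc(2016, 1, 1), utc(2014, 9, 16), None),                 # revoked after thisUpdate: not yet
]

if __name__ == "__main__":
    crl_time = utc(2014, 9, 15, 14, 25)
    kept = prune_crl_entries(SAMPLE_DB, crl_time)
    print(f"{len(kept)} of {len(SAMPLE_DB)} entries stay on the CRL issued {crl_time:%Y-%m-%d %H:%M}")
    for e in kept:
        print(f"  serial {e.serial:#x} revoked {e.revoked_at:%Y-%m-%d} expires {e.not_after:%Y-%m-%d}")
```

A CRL entry carries only the serial and revocation date, not notAfter, so this filter has to run against the CA's own certificate database at CRL generation time, not against the published CRL.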
Tags: No tags attached.
Reviewed by
Test Instructions

Activities

wytze (developer), 2014-09-15 14:25: attached crl-size-issue.log (5,228 bytes)

Issue History

Date Modified Username Field Change
2014-09-15 14:25 wytze New Issue
2014-09-15 14:25 wytze File Added: crl-size-issue.log
2018-05-01 12:42 dastrath Assigned To => GuKKDevel