3.4.1.3 CRL Management
Connected: An Internet Encyclopedia
RFC 1422, Section 3.4.1 Users and User Agents
Mechanisms for managing a UA certificate cache are, in typical
standards parlance, a local matter. However, proper maintenance of
such a cache is critical to the correct, secure operation of a PEM UA
and provides a basis for improved performance. Moreover, use of a
cache permits a PEM UA to operate in the absence of directories (and
in circumstances where directories are inaccessible). The following
discussion provides a paradigm for one aspect of cache management,
namely the processing of CRLs, the functional equivalent of which
must be embodied in any PEM UA implementation compliant with this
document. The specifications for CRLs used with PEM are provided in
Section 3.5.
X.500 makes provision for the storage of CRLs as directory attributes
associated with CA entries. Thus, when X.500 directories become
widely available, UAs can retrieve CRLs from directories as required.
In the interim, the IPRA will coordinate with PCAs to provide a
robust database facility which will contain CRLs issued by the IPRA,
by PCAs, and by all CAs. Access to this database will be provided
through mailboxes maintained by each PCA. Every PEM UA must provide
a facility for requesting CRLs from this database using the
mechanisms defined in RFC 1424. Thus the UA must include a
configuration parameter which specifies one or more mailbox addresses
from which CRLs may be retrieved. Access to the CRL database may be
automated, e.g., as part of the certificate validation process (see
Section 3.6) or may be user directed. Responses to CRL requests will
employ the PEM header format specified in RFC 1421 for CRL
propagation. As noted in RFC 1421, every PEM UA must be capable of
processing CRLs distributed via such messages. This message format
also may be employed to support a "push" (versus a "pull") model of
CRL distribution, i.e., to support unsolicited distribution of CRLs.
CRLs received by a PEM UA must be validated prior to being processed
against any cached certificate information. (A CRL is validated in
much the same manner as a certificate, i.e., the CIC (see RFC 1113)
is calculated and compared against the decrypted signature value
obtained from the CRL. See Section 3.6 for additional details
related to validation of certificates.) Any cache entries which
match CRL entries should be marked as revoked, but it is not
necessary to delete cache entries marked as revoked nor to delete
subordinate entries. In processing a CRL against the cache it is
important to recall that certificate serial numbers are unique only
for each issuer and that multiple, distinct CRLs may be issued under
the same CA DN (signed using different private components), so care
must be exercised in effecting this cache search. (This situation
may arise either because an organizational CA is certified by
multiple PCAs, or because multiple residential CAs are certified
under different PCAs.)
This procedure applies to cache entries associated with PCAs and CAs,
as well as user entries. The UA also must retain each CRL to screen
incoming messages to detect use of revoked certificates carried in
PEM message headers. Thus a UA must be capable of processing and
retaining CRLs issued by the IPRA (which will list revoked PCA
certificates), by any PCA (which will list revoked CA certificates
issued by that PCA), and by any CA (which will list revoked user or
subordinate CA certificates issued by that CA).
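As an added illustration, not text or code from RFC 1422, the following
Python model walks through the cache procedure described above: the CRL
is validated before it touches the cache, cache lookups are keyed on the
issuer DN together with the signing key (so a CRL issued under one PCA
does not revoke a same-serial certificate issued under the same DN via
another PCA), matching entries are marked rather than deleted, and the
CRL is retained to screen certificates carried in incoming headers. The
signature check is an HMAC stand-in for the RSA-signed CIC, and the
names Issuer, key_id, CertCache and the sample DNs and serials are
assumptions made for the example.

```python
# Added example (not RFC 1422 text): CRL processing against a PEM UA
# certificate cache, stdlib only.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Issuer:
    # The cache must not key on the DN alone: distinct CRLs may be issued
    # under one CA DN with different private components. key_id (assumed
    # name) identifies which signing key, i.e. which PCA path, is meant.
    dn: str
    key_id: str


@dataclass
class CacheEntry:
    issuer: Issuer
    serial: int
    subject: str
    revoked: bool = False


@dataclass(frozen=True)
class CRL:
    issuer: Issuer
    serials: tuple
    signature: bytes


def _crl_body(issuer, serials):
    # Canonical encoding of the signed portion of the CRL (assumed format).
    return f"{issuer.dn}|{issuer.key_id}|{','.join(map(str, sorted(serials)))}".encode()


def sign_crl(issuer, serials, key):
    # Stand-in for the CA's RSA signature: HMAC-SHA256 under the CA's key.
    # Real PEM CRLs carry an RSA signature; the verify-then-apply discipline
    # shown below is the same.
    sig = hmac.new(key, _crl_body(issuer, serials), hashlib.sha256).digest()
    return CRL(issuer, tuple(sorted(serials)), sig)


def validate_crl(crl, trusted_keys):
    """Recompute the integrity check over the CRL and compare it with the
    carried signature, using the key trusted for exactly this issuer."""
    key = trusted_keys.get(crl.issuer)
    if key is None:
        return False
    expected = hmac.new(key, _crl_body(crl.issuer, crl.serials), hashlib.sha256).digest()
    return hmac.compare_digest(expected, crl.signature)


class CertCache:
    def __init__(self):
        self.entries = {}  # (Issuer, serial) -> CacheEntry
        self.crls = {}     # Issuer -> latest validated CRL, kept for screening

    def add(self, entry):
        self.entries[(entry.issuer, entry.serial)] = entry

    def process_crl(self, crl, trusted_keys):
        """Validate, retain, then mark (never delete) matching entries.
        Returns how many entries were newly marked revoked."""
        if not validate_crl(crl, trusted_keys):
            raise ValueError("CRL failed validation; not applied to cache")
        self.crls[crl.issuer] = crl
        marked = 0
        for serial in crl.serials:
            entry = self.entries.get((crl.issuer, serial))
            if entry is not None and not entry.revoked:
                entry.revoked = True
                marked += 1
        return marked

    def is_revoked(self, issuer, serial):
        """Screen a certificate named in an incoming PEM header against the
        retained CRLs, whether or not that certificate was ever cached."""
        crl = self.crls.get(issuer)
        return crl is not None and serial in crl.serials


def demo():
    # Constructed scenario: one organizational CA DN certified by two PCAs,
    # hence two signing keys, with serial 7 issued under each.
    ca_via_pca1 = Issuer("CN=Acme CA, O=Acme", "key-under-PCA1")
    ca_via_pca2 = Issuer("CN=Acme CA, O=Acme", "key-under-PCA2")
    keys = {ca_via_pca1: b"pca1-path-key", ca_via_pca2: b"pca2-path-key"}

    cache = CertCache()
    cache.add(CacheEntry(ca_via_pca1, 7, "alice@acme.example"))
    cache.add(CacheEntry(ca_via_pca2, 7, "bob@acme.example"))

    crl = sign_crl(ca_via_pca1, [7, 12], keys[ca_via_pca1])
    marked = cache.process_crl(crl, keys)

    # A CRL whose serial list was altered after signing must be rejected.
    forged = CRL(crl.issuer, crl.serials + (9,), crl.signature)
    try:
        cache.process_crl(forged, keys)
        forged_rejected = False
    except ValueError:
        forged_rejected = True

    return {
        "marked": marked,
        "alice_revoked": cache.entries[(ca_via_pca1, 7)].revoked,
        "bob_revoked": cache.entries[(ca_via_pca2, 7)].revoked,
        "alice_still_cached": (ca_via_pca1, 7) in cache.entries,
        "uncached_12_screened": cache.is_revoked(ca_via_pca1, 12),
        "forged_rejected": forged_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Only Alice's entry is marked, because Bob's certificate, though it has
the same serial under the same DN, was issued under the other PCA's key;
serial 12 is caught by the retained CRL even though it was never cached,
which is the header-screening case the last paragraph requires.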