Stream: implementers
Topic: Best practice for CRL validity
Michael Donnelly (May 08 2019 at 18:35):
Does anyone have a good reference for a best practice for the validity period for Certificate Revocation Lists?
Michael Donnelly (May 08 2019 at 18:35):
I believe the default for Microsoft's CA implementation for Windows Server is one week.
David Pyke (May 08 2019 at 19:36):
It's typically one week. Best practice depends on your use case.
Michael Donnelly (May 09 2019 at 00:27):
Not urgent any more, because we ended up not using it, so I'm just asking because I'm curious: do you know anywhere that's formally documented? That's exactly what I thought, but I can't find anywhere that says it. It's what we use at Epic for the Care Everywhere CA (one week validity, publishes every day), and I remember we referred to something when we wrote the CP/CPS, but I can't for the life of me find anything on the Internet.
David Pyke (May 09 2019 at 13:00):
I've asked people smarter than me and because that's a policy decision, we don't know of a specific publication that lists best practices. But, the shortest I've seen is 24 hours with the normal being 7 days. Again, this is very specific to your use case.
Last updated: Apr 12 2022 at 19:14 UTC