Disabling DeltaCRL - transition issues?
When disabling DeltaCRL on a CA, will clients with an already cached BaseCRL have issues (since there will be no more deltas published) until the BaseCRL expires and the client downloads the new BaseCRL without the FreshestCRL extension?
Are there any built-in solutions to handle this by clients/CA?
Example:
BaseCRL 7 Days, DeltaCRL 1 Day
- Client caches BaseCRL and downloads new DeltaCRL every day.
- After, say, 3 days, the DeltaCRL is disabled (set to 0).
- On day 4 the client will have a valid BaseCRL for another 3 days, but no more DeltaCRLs are published by the CA.
Will this trigger download of new BaseCRL or give an error?
I hope/assume this will not cause errors, but don't clients locate DeltaCRLs purely by information found in the BaseCRL?
Tom Aafloen, IT-security Consultant Onevinn AB