http://blogs.technet.com/b/pki/archive/2008/06/05/how-effectivedate-thisupdate-nextupdate-and-nextcrlpublish-are-calculated.aspxThe validity time of a certificate revocation list (CRL) is critical for every public key infrastructure. By default, most applications verify the validity of certificates against a CRL. Two CRL types exist: base CRLs and delta CRLs. In case whereen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/pki/archive/2008/06/05/how-effectivedate-thisupdate-nextupdate-and-nextcrlpublish-are-calculated.aspx#3522388Tue, 25 Sep 2012 16:26:31 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3522388MatthiasLeckel<p>Great article! Base CRL seems totally clear now. But Delta CRLs are stilly confusing. Where is the </p> <p>CRLDeltaOverlapUnits Value actually used?</p> <p>First you say:</p> <p>&quot;If the registry values are set and valid, the overlap period for a base or delta CRL is initially calculated by the CA as: </p> <p>OverlapPeriod = CRLOverlapUnits * CRLPeriod&quot;</p> <p>So I assume it would be:</p> <p>OverlapPeriod = CRLDeltaOverlapUnits * CRLDeltaOverlapPeriod</p> <p>For Example if CRLDeltaOverlapUnits = 3 and CRLDeltaOverlapPeriod is hours then OverlapPeriod would be 3hours</p> <p>But two steps further you say:&quot;If the OverlapPeriod for a Delta CRL is calculated, the entire period of time specified as CRLDeltaPeriod and CRLDeltaPeriodUnits of the delta CRL is used: </p> <p>OverlapPeriod = (CRLDeltaPeriodUnits * CRLDeltaPeriod)&quot;</p> <p>Thats confusing - here is no CRLDeltaOverlapUnits at all? Or does this line only come into play when no CRLDeltaOverlapUnits is initially set? </p> <p>It would be awesome if you can underline how the OverlapPeriod in &nbsp;</p> <p>OverlapPeriod = min(OverlapPeriod, 12 hours) - is actually calculated for DeltaCRLs</p> <p>Thank You</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3522388" width="1" height="1">http://blogs.technet.com/b/pki/archive/2008/06/05/how-effectivedate-thisupdate-nextupdate-and-nextcrlpublish-are-calculated.aspx#3248102Sat, 30 May 2009 17:18:18 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3248102Adrian Dimcev's Blog<p>VPN Reconnect in Windows 7 RC- redux</p> <img src="http://blogs.technet.com/aggbug.aspx?PostID=3248102" width="1" height="1">http://blogs.technet.com/b/pki/archive/2008/06/05/how-effectivedate-thisupdate-nextupdate-and-nextcrlpublish-are-calculated.aspx#3194272Thu, 29 Jan 2009 14:16:26 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3194272MS2065 [MSFT]<p>[comment] I am trying to understand how these values affect the behavior of the Crypto API CRL fetching and caching. Do you have a link or pointer you could share?</p> <p>[response] The &quot;Certificate Revocation and Status Checking&quot; whitepaper (<a rel="nofollow" target="_new" href="http://technet.microsoft.com/en-us/library/bb457027.aspx#EFAA">http://technet.microsoft.com/en-us/library/bb457027.aspx#EFAA</a>) contains information about the Crypto API CRL fetching and caching.</p> <p>[comment] Can you explain why the base CRL cannot be longer than CRLPeriodUnits * CRLPeriod?</p> <p>[response] You are asking why the OverlapPeriod of a base CRL cannot be longer than CRLPeriodUnits * CRLPeriod?</p> <p>The OverlapPeriod is defined as &quot;The period by when the CRL should be renewed before it is expired.&quot; You cannot renew a CRL before it is created.</p> <p>[comment] Also, a few editing comments. Can the units for the Period registry keys (CRLOverlapPeriod, CRLDeltaOverlapPeriod, CRLPeriod) also be &quot;Days&quot; or &quot;Months&quot;?</p> <p>[response] No because the OverlapPeriod is limited to a max value of 12 hours.</p> <p>[comment] In your first calculation of OverlapPeriod, I believe that the formula should be OverlapPeriod = CRLOverlapPeriod * CRLOverlapUnits. </p> <p>[response] I have corrected this. Thanks!</p> <p>[comment] Finally, threading together base CRL and delta CRL calculations makes this note harder to understand. Have I correctly understood the base CRL calculation to be as follows?</p> <p>min( ( CRLOverlapUnits isvalid ? CRLOverlapUnits * CRLOverlapPeriod : CRLPeriodUnits * CRLPeriod / 10 ), CRLPeriodUnits * CRLPeriod)</p> <p>[response] I assume that you are talking about the NextUpdate for a base CRL. The NextUpdate for a base CRL is calculated as stated in the blog post.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3194272" width="1" height="1">http://blogs.technet.com/b/pki/archive/2008/06/05/how-effectivedate-thisupdate-nextupdate-and-nextcrlpublish-are-calculated.aspx#3192487Wed, 28 Jan 2009 02:34:27 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3192487dan2761<p>Thanks for the info. I am trying to understand how these values affect the behavior of the Crypto API CRL fetching and caching. Do you have a link or pointer you could share?</p> <p>Can you explain why the base CRL cannot be longer than CRLPeriodUnits * CRLPeriod?</p> <p>Also, a few editing comments. Can the units for the Period registry keys (CRLOverlapPeriod, CRLDeltaOverlapPeriod, CRLPeriod) also be &quot;Days&quot; or &quot;Months&quot;? In your first calculation of OverlapPeriod, I believe that the formula should be OverlapPeriod = CRLOverlapPeriod * CRLOverlapUnits. Finally, threading together base CRL and delta CRL calculations makes this note harder to understand. Have I correctly understood the base CRL calculation to be as follows?</p> <p>min( ( CRLOverlapUnits isvalid ? CRLOverlapUnits * CRLOverlapPeriod : CRLPeriodUnits * CRLPeriod / 10 ), CRLPeriodUnits * CRLPeriod)</p> <p>Thanks again,</p> <p>Dan</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3192487" width="1" height="1">