According to the CSBRs:
- Section 7.2: "The serial number of a revoked Certificate MUST remain on the CRL for at least 10 years after the expiration of the Certificate"
- Section 5.4.3 "The CA, Delegated Third Parties, and Timestamp Authority MUST retain, for at least two (2) years"...
- Section 5.4.3 (2): "Subscriber Certificate lifecycle management event records (as set forth in Section 5.4.1.2)(2) after the revocation or expiration of the Subscriber Certificate;"
- Similarly for 5.5.2.
Based on section 7.2 a CA must keep a revoked Subscriber Certificate's serial number on the CRL for at least 10 years after the expiration of the Certificate, and of course it must be able to justify why a serial number exists in a CRL.
Effectively, this means that logs for revoked Code Signing Certificates must be retained for 10 years + the validity of the certificate (the maximum validity is currently 39 months).
IMO, we need to make this clear in sections 5.4 and 5.5.