RFC 9608

No Revocation Available for X.509 Public Key Certificates, June 2024

File formats:

icon for HTML icon for text file icon for v3pdf icon for XML
Also available: XML file for editing
RFC 5280
R. Housley
T. Okubo
J. Mandel
lamps (sec)

Cite this RFC: TXT  |  XML  |   BibTeX

DOI:  https://doi.org/10.17487/RFC9608

Discuss this RFC: Send questions or comments to the mailing list spasm@ietf.org

Other actions: View Errata  |  Submit Errata  |  Find IPR Disclosures from the IETF  |  View History of RFC 9608


X.509v3 public key certificates are profiled in RFC 5280. Short-lived certificates are seeing greater use in the Internet. The Certification Authority (CA) that issues these short-lived certificates do not publish revocation information because the certificate lifespan that is shorter than the time needed to detect, report, and distribute revocation information. Some long-lived X.509v3 public key certificates never expire, and they are never revoked. This specification defines the noRevAvail certificate extension so that a relying party can readily determine that the CA does not publish revocation information for the certificate, and it updates the certification path validation algorithm defined in RFC 5280 so that revocation checking is skipped when the noRevAvail certificate extension is present.

For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.

Advanced Search