[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Comments on CRL issuance after certificate revocation in draft-ietf-ltans-notareqs-02

To: <ietf-ltans@xxxxxxx>
Subject: Comments on CRL issuance after certificate revocation in draft-ietf-ltans-notareqs-02
From: "Larry Masinter" <LMM@xxxxxxx>
Date: Tue, 28 Jun 2005 00:09:35 -0700
List-archive: <http://www.imc.org/ietf-ltans/mail-archive/>
List-id: <ietf-ltans.imc.org>
List-unsubscribe: <mailto:ietf-ltans-request@imc.org?body=unsubscribe>
Sender: owner-ietf-ltans@xxxxxxxxxxxx
Thread-index: AcV7sFbV1fIF0HCXTrWFwYM71w4zzw==

We were sent some comments on the -02 draft, I thought
I should forward the substantive comment for mailing
list discussion:

There was a comment on 
   The problem with CRLs is that they might not be synchronized with
   revocation mechanisms and there is no real information whether a
   signature is valid or not at specific point in time. In theory CRLs
   should be issued immediately after a certificate is revoked.

The comment was:

This is not advisable, because this “on the spot” CRL issuance
paves the way to man in the middle / replay attacks.

An attacker could store a CRL issued before implementing a, say, 
private key compromise attack. After the attack the attacker could 
intercept CRL retrieval requests issued before the CRL nextUpdate
 time and send back the requester the previous CRL, where the revoked 
certificate is not listed. If the nextUpdate time has not yet expired 
the relying parties would trust the CRL they receive, without having 
a means to realise it is the old one. If instead CRLs are issued only 
at nextUpdate time, or just slightly before, RPs would be aware they 
should wait until the so called “grace period” expires. CAs could 
take no responsibility on verifications based on CRLs issued before 
the “grace period”. By grace period it is intended the time necessary 
for a revocation request to be processed by the revocation management 
service to make it available to relying parties. If such request is 
submitted to the revocation service too close to the next CRL issuance 
time to be included in it, then the revocation will be published in 
the subsequent CRL. Please see CWA 14171 section 5.3 for details
 (http://www.uninfo.polito.it/WS_Esign/doc/cwa14171.pdf or 
ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14172-01-2004-Mar.pdf).




(There were a couple of editorial comments, e.g., "When speed is not of essence"
should probably be "When speed is not of the essence"

Follow-Ups:
- RE: Comments on CRL issuance after certificate revocation in draft-ietf-ltans-notareqs-02
  - From: Santosh Chokhani

Prev by Date: I-D ACTION:draft-ietf-ltans-notareqs-02.txt
Next by Date: RE: Comments on CRL issuance after certificate revocation in draft-ietf-ltans-notareqs-02
Previous by thread: I-D ACTION:draft-ietf-ltans-notareqs-02.txt
Next by thread: RE: Comments on CRL issuance after certificate revocation in draft-ietf-ltans-notareqs-02
Index(es):
- Date
- Thread