[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: WG Last Call: AIA CRL extension

To: wpolk@xxxxxxxx
Subject: Re: WG Last Call: AIA CRL extension
From: Tom Gindin <tgindin@xxxxxxxxxx>
Date: Mon, 23 May 2005 22:46:48 -0400
Cc: housley@xxxxxxxxxxxx, ietf-pkix@xxxxxxx, kent@xxxxxxx, stefans@xxxxxxxxxxxxx
In-reply-to: <5.1.0.14.2.20050510170022.02cc5b08@xxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

        Tim:

        I should probably have brought this up earlier, but are we certain 
that "same trust anchor" is a strong enough check that the CRL signer is 
the one expected by the issuing CA?  While I was not in San Diego when 
this wording was included in the 3280 series, I do not really think that 
that check is strong enough.  I would suggest instead that the CRL 
signer's certificate needs to be directly issued by one of the CA's in the 
certification path back to the trust anchor used for the certificate's 
verification, or by that anchor itself, unless people have practical 
experience with CA structures which that rule would prohibit.  Forcing the 
CRL to be issued by the CA itself (as I understand Denis to have 
suggested) prohibits the reasonable case where the CRL is issued by a 
hierarchical superior, so it is IMHO too strict.
        I am personally not sure, FWIW, that a CRL should be permitted to 
be signed by a second-cousin certificate of the issuer's certificate.  By 
analogy to the use of the terms in families, "sibling" certificates would 
have the same issuer, "first-cousin" certificates would be issued by 
siblings, and "second-cousin" certificates would be issued by first 
cousins - so they are both three levels down from the same trust anchor, 
or from the last common CA in their paths.  This issue is not newly caused 
by CRL AIA, since the same issue can arise with CRL's containing only 
AKID.  AIA only allows RP's to build a path (whether right or wrong) more 
quickly.
        In any case, nothing more than a note in Security Considerations 
is appropriate in any of our RFC's other than 3280 and its successor.

        Tom Gindin
P.S. -  The above views are mine, and not necessarily those of my employer





Tim Polk <tim.polk@xxxxxxxx>
Sent by: owner-ietf-pkix@xxxxxxxxxxxx
05/10/2005 05:27 PM
 
        To:     ietf-pkix@xxxxxxx
        cc:     kent@xxxxxxx, stefans@xxxxxxxxxxxxx, housley@xxxxxxxxxxxx
        Subject:        WG Last Call: AIA CRL extension




This message initiates working group Last Call for the specification 
"Internet X.509 Public Key Infrastructure: Authority Information Access 
CRL 
Extension".  While some issues raised in the working group are unresolved, 

the editors believe that rough consensus supports the current 
specification.

The URL for this Internet-Draft is:
                 
http://www.ietf.org/internet-drafts/draft-ietf-pkix-crlaia-01.txt

Last Call will run for (at least) two weeks. That is, Last Call will not 
close before May 24.

Thanks,

Tim Polk

References:
- WG Last Call: AIA CRL extension
  - From: Tim Polk

Prev by Date: RFC 4043 on Internet X.509 Public Key Infrastructure PermanentIdentifier
Next by Date: RE: Request for new work item - Defining an SRV RR otherName
Previous by thread: WG Last Call: AIA CRL extension
Next by thread: Re: WG Last Call: AIA CRL extension
Index(es):
- Date
- Thread