
Re: draft delta crl text (contradiction)



Santosh,

> Denis:
> 
> I fail to see the contradiction between the two sentences.

You are quite right! I was reading what was *not* written:

    The CRL number is a non-critical CRL extension which conveys a
    *strictly* increasing sequence number for a given CRL scope and
    CRL issuer.

If we kept the proposed definition which is:

    The CRL number is a non-critical CRL extension which conveys a
    monotonically increasing sequence number for a given CRL scope and
    CRL issuer.

then it would be allowed to have a fully conformant implementation by issuing
all CRLs with the same number, e.g. one. I do not believe that this was the
intent. The intent is to be able to identify unambiguously CRLs from the
same CRL Issuer using the CRL number. So two CRLs cannot have the same
number.

See additional arguments in my (coming) reply to Dave.

Denis

> 
> Please note that critical deltaCRLIndicator extension is different from
> what the two sentences refer to.
> 
> -----Original Message-----
> From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx]
> Sent: Friday, June 01, 2001 12:33 PM
> To: Tim Polk
> Cc: ietf-pkix@xxxxxxx
> Subject: Re: draft delta crl text
> 
> Tim,
> 
> > Folks,
> 
> > Russ Housley, David Cooper, and I have tried to draft what we hope *will
> > become* consensus text for the delta CRL and CRL number text.  We believe
> > that the attached text clarifies (1) the requirements for "conforming
> > applications that support CRLs", (2) the CRL issuer's responsibilities when
> > including the delta CRL indicator and CRL number extensions, (3) the
> > algorithm followed by a CRL issuer when determining what certificates
> > should be listed on a delta CRL, and (4) the algorithm followed by an
> > application when determining whether a complete CRL and a delta CRL may be
> > combined.
> 
> > To do this we have introduced a number of changes, beginning in section
> > 3.  In section 3, we introduce the "CRL issuer" in an enhanced version of
> > the ASCII art model of a pKI (figure 1.)  In section 5, we define several
> > more terms including CRL scope, base CRL, delta CRL and complete CRL.  All
> > this was necessary to set the stage for the CRL number extension and delta
> > CRL indicator extension text.
> 
> > Please read these excerpts carefully.  We believe that the text is flexible
> > enough to support reasonable implementations of delta CRLs, does not unduly
> > burden clients that wish to support deltas, and is consistent with
> > X.509.  When you read this please ask yourself if you can *live* with it.
> 
> I browsed through it and I still have a MAJOR problem with the CRL
> numbering.
> 
> The two following sentences are contradictory:
> 
>    The CRL number is a non-critical CRL extension which conveys a
>    monotonically increasing sequence number for a given CRL scope and
>    CRL issuer.
> 
> I agree with the above sentence.
> 
>    If a delta CRL and a complete CRL that cover the
>    same scope are issued at the same time, they MUST have the same CRL
>    number.
> 
> This contradicts the first sentence.
> 
> ======================================================================
> 
> I do have problems with MANY other sentences, like:
> 
>    If a CRL issuer generates delta CRLs in addition to complete CRLs for
>    a given scope, the complete CRLs and delta CRLs MUST share one
>    numbering sequence.
> 
> What does "the same numbering sequence" mean? This sentence is useless
> and should be deleted.
> 
>    This extension allows users to easily determine when a
>    particular CRL supersedes another CRL.
> 
> This is not true. Since complete CRLs and delta CRLs share the same
> numbering space, they cannot be compared. This sentence should be
> deleted.
> 
> ======================================================================
> 
>    The combination of a CRL containing the delta CRL indicator
>    extension plus the CRL referenced in the BaseCRLNumber component
>    of this extension is equivalent to a complete CRL, for the
>    applicable scope, at the time of publication of the delta CRL.
> 
> The right wording should be:
> 
>    The combination of a delta CRL (containing the delta CRL indicator
>    extension) plus the CRL referenced in the BaseCRLNumber component
>    of this extension is equivalent to a complete CRL, for the
>    applicable scope, that is valid between thisUpdate and nextUpdate
>    from the delta CRL.
> 
> ======================================================================
> 
>    An application that supports delta CRLs can construct a CRL that is
>    complete for a given scope, at the current time, in either of the
>    following ways:
> 
>       (a)  by retrieving the current delta CRL for that scope, and
>       combining it with an issued CRL that is complete for that scope
>       and that has a cRLNumber greater than or equal to the base CRL
>       number referenced in the current delta CRL; or
> 
>       (b)  by retrieving the current delta CRL for that scope and
>       combining it with a locally constructed CRL whose cRLNumber is
>       greater than or equal to the base CRL number referenced in the
>       current delta CRL.
> 
> The right wording should be:
> 
>    An application that supports delta CRLs can construct a CRL that is
>    complete for a given scope, at a given time T, in either of the
>    following ways:
> 
>       (a)  by retrieving a delta CRL for that scope where the time T
>       is between thisUpdate and nextUpdate, and combining it with a CRL
>       that is complete for that scope and that has a cRLNumber equal to
>       or greater than the base CRL number referenced in the current
>       delta CRL; or
> 
>       (b)  by retrieving a delta CRL for that scope where the time T
>       is between thisUpdate and nextUpdate and combining it with a
>       locally constructed CRL that has a content equivalent to a
>       full CRL that would have a cRLNumber equal to or greater than
>       the base CRL number referenced in the current delta CRL.
> 
> ======================================================================
> 
>    When a delta CRL is combined with a complete CRL or a locally
>    constructed CRL, the resulting locally constructed CRL has the CRL
>    number specified in the CRL number extension found in the delta CRL
>    used in its construction.
> 
> The right wording should be:
> 
>    When a delta CRL is combined with a complete CRL or a locally
>    constructed CRL, "The resulting locally constructed CRL is equivalent
>    to a complete CRL that would have thisUpdate and nextUpdate
>    respectively equal to thisUpdate and nextUpdate from the delta CRL."
> 
> ======================================================================
> 
> In this way, all the issues about CRL numbering vanish.
> 
> Since a conference call is now scheduled on Tuesday, with Tim, David and
> myself, I hope that we will be able to agree on the text changes
> proposed above.
> 
> Note 1: I am lacking time to check the text about the onHold issue, but
> this is far less critical.
> 
> Note 2: Next Monday is holiday in my country. :-)
> 
> Regards,
> 
> Denis
> 
> > The attachment contains the following excerpts:  Figure 1 from section
> > 3, section 5 (the intro to CRLs), section 5.2.3 (CRL number extension) and
> > 5.2.4 (delta CRL indicator extension).  Please ignore the blank spaces;
> > I was trying to remove anything irrelevant to this discussion.
> >
> > Thanks,
> >
> > Tim Polk
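As an added illustration (not part of the thread or of any PKIX draft), the combination rule from the proposed wordings (a) and (b) above, in Python over a constructed minimal CRL model: pick the delta whose thisUpdate/nextUpdate window contains T, require the base's cRLNumber to be at least the delta's BaseCRLNumber, and give the result the delta's thisUpdate/nextUpdate. The removeFromCRL handling is assumed from X.509 delta CRL semantics rather than anything stated in the thread.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class CRL:
    """Constructed toy CRL; real CRLs are ASN.1 structures with per-entry reason codes."""
    crl_number: int                                        # cRLNumber extension
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, str] = field(default_factory=dict)  # serial -> reason code name
    base_crl_number: Optional[int] = None                  # BaseCRLNumber from deltaCRLIndicator; None = complete


def covers(crl: CRL, t: datetime) -> bool:
    """True when T lies in [thisUpdate, nextUpdate)."""
    return crl.this_update <= t < crl.next_update


def select_delta(deltas: List[CRL], t: datetime) -> CRL:
    """Pick the delta CRL for the scope whose validity window contains T (exactly one expected)."""
    matches = [d for d in deltas if d.base_crl_number is not None and covers(d, t)]
    if len(matches) != 1:
        raise ValueError("expected exactly one delta CRL covering T, found %d" % len(matches))
    return matches[0]


def combine(base: CRL, delta: CRL, t: datetime) -> CRL:
    """Locally construct a CRL complete for the scope at time T.

    Wording (a): `base` is an issued complete CRL.  Wording (b): `base` is the
    output of an earlier combine() call; both are accepted by the same checks.
    """
    if delta.base_crl_number is None:
        raise ValueError("second argument carries no deltaCRLIndicator, so it is not a delta CRL")
    if base.base_crl_number is not None:
        raise ValueError("base must be a complete or locally constructed CRL, not a delta")
    if not covers(delta, t):
        raise ValueError("delta CRL does not cover time T")
    if base.crl_number < delta.base_crl_number:  # base older than what the delta was built against
        raise ValueError("base cRLNumber %d < BaseCRLNumber %d" % (base.crl_number, delta.base_crl_number))
    revoked = dict(base.revoked)
    for serial, reason in delta.revoked.items():
        if reason == "removeFromCRL":  # X.509 delta semantics (assumed): entry leaves the list
            revoked.pop(serial, None)
        else:
            revoked[serial] = reason   # new revocation, or updated reason for an existing entry
    # Result takes the delta's cRLNumber and its thisUpdate/nextUpdate, as proposed above.
    return CRL(delta.crl_number, delta.this_update, delta.next_update, revoked)


# Constructed sample data: one complete CRL and two deltas issued against it.
BASE = CRL(10, datetime(2001, 6, 1), datetime(2001, 6, 8), {1: "certificateHold", 3: "keyCompromise"})
DELTA_A = CRL(11, datetime(2001, 6, 2), datetime(2001, 6, 3), {2: "keyCompromise"}, base_crl_number=10)
DELTA_B = CRL(12, datetime(2001, 6, 3), datetime(2001, 6, 4), {2: "keyCompromise", 1: "removeFromCRL"}, base_crl_number=10)
T_A, T_B = datetime(2001, 6, 2, 12), datetime(2001, 6, 3, 12)
```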