re: Need verification of Issuing DP against CRL DP in son-of-2459

Himanshu,

X.509 is actually silent regarding procedures for matching the distributionPointName when it is specified as relativeToIssuer. (It is much more explicit regarding fullNames.) However, note that the issuing distribution point does not support relative names.

I believe the following procedure was intended:

1.a If the cRLIssuer field is present in the CDP extension, create a distinguished name by appending the name fragment in relativeToIssuer to the distinguished name in the cRLIssuer.
1.b If the cRLIssuer field is not present in the CDP extension, create a distinguished name by appending the name fragment in relativeToIssuer to the distinguished name in the certificate issuer field.
2. The constructed name should then be compared to the name(s) found in the IDP.


I *believe* this is what was intended by X.509. At any rate, this is a reasonable statement to make in the PKIX profile. I have added drafting a paragraph to state this to my to-do list, and will forward it to the list once I have done so.

Thanks,

Tim Polk

At 04:06 PM 6/4/01 -0700, Himanshu Soni wrote:
Hi All

If this was already addressed in another email, please let me know.

In this email thread, it was said that CRLDP DistributionPointName must
match the CRL IDP DistributionPoint if both are present.
If the CRLDP distributionPointName is a nameRelativeToCRLIssuer, then when
the CRL is fetched and the IDP in the CRL contains a URI as the
DistributionPoint, then how would we match the 2 DistributionPointNames?


Thanx


Himanshu Soni
ValiCert, Inc.

 -----Original Message-----
 From: Santosh Chokhani [mailto:chokhani@xxxxxxxxxxxx]
 Sent: Monday, March 27, 2000 4:38 AM
 To: 'Russ Housley'; tgindin@xxxxxxxxxx
 Cc: ietf-pkix@xxxxxxx
 Subject: RE: Need verification of Issuing DP against CRL DP in
 son-of-2459


Maybe instead of these band-aid type solutions, son-of-2459 authors should adopt or synopsize the cogent material from Annex B of the current X.509 draft. By the way, that Annex is normative.

> -----Original Message-----
> From: Russ Housley [mailto:housley@xxxxxxxxxx]
> Sent: Sunday, March 26, 2000 11:57 PM
> To: tgindin@xxxxxxxxxx
> Cc: ietf-pkix@xxxxxxx
> Subject: Re: Need verification of Issuing DP against CRL DP in
> son-of-2459
>
>
> Tom:
>
> You are correct.  Thanks for catching this omission.

> We need to say that the Certificate CRLDP DistributionPointName must match
> the CRL IDP DistributionPointName, if both are present.

> Russ
>
>
> At 04:29 PM 03/23/2000 -0500, tgindin@xxxxxxxxxx wrote:
> >      There does not appear to be any specification in the CRL Processing section that the IssuingDistributionPoint extension be verified against the CRL Distribution Point extension.  This leaves the possibility that a malicious systems administrator could switch the contents of two distribution points with different names signed by the same CA, causing all revocations within those CRLs not to be found.
> >      To close this hole, I would recommend rewording step (1) of section 6.3.3 as follows: "Locate those CRLs whose IssuingDistributionPoint extension contains a distributionPoint matching that in the CRL Distribution Point and an onlySomeReasons flag value which is a subset of the reasons field in the CRL Distribution Point, and perform the following verifications:".  Furthermore, we might want to add notes that an LDAP URI in RFC 2255 format may be considered to match a DN if and only if the URI's DN field matches the DN, that missing distributionPoint names match other missing names, and that a missing reasons field is interpreted as all-reasons for the purposes of the subset calculation above.
> >      There is also no statement in the current version about how the CRL cache is to be populated.  In my suggested version above, I have removed references to it.  In practice, the verifier is probably supposed to locate the CRL either in the CRL cache, by resolving the URI of a URI distribution point, by LDAP or X.500 access to the directory entry of the DN of a DN distribution point, or by LDAP or X.500 access to the issuer's directory entry for a missing distribution point or one with no name component; while a CRL located by any of the other methods may be added to the CRL cache.
> >
> >           Tom Gindin
>
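As an added example (not code from this thread or from any PKIX implementation), the following Python sketches Tim Polk's steps 1.a/1.b/2 at the top of the message together with the matching notes Tom Gindin proposes in the quoted text above: an LDAP URI matches a DN iff its DN field matches, missing names match only missing names, and an absent reasons field means all reasons for the subset test. The dict keys, the string encoding of DNs and GeneralNames, and the single-DN `cRLIssuer` are constructed conventions of this example.

```python
from urllib.parse import unquote

# Constructed conventions: a DN is an RFC 2253 string, most-specific RDN first;
# a GeneralName is ("dn", dn) or ("uri", url); cRLIssuer is a single DN string.
# Real code must compare names with the X.501 rules, not plain string equality.
ALL_REASONS = frozenset({"keyCompromise", "cACompromise", "affiliationChanged",
                         "superseded", "cessationOfOperation", "certificateHold"})


def ldap_uri_dn(uri):
    """DN field of an RFC 2255 LDAP URL ('ldap://host/dn?attrs?scope?filter'), else None."""
    if not uri.lower().startswith("ldap://"):
        return None
    host_and_rest = uri[len("ldap://"):]
    if "/" not in host_and_rest:
        return None
    dn = host_and_rest.split("/", 1)[1].split("?", 1)[0]
    return unquote(dn) or None


def cdp_names(cdp, cert_issuer):
    """Steps 1.a/1.b: expand nameRelativeToCRLIssuer against cRLIssuer if present,
    otherwise against the certificate issuer; a fullName is returned as-is (None if absent)."""
    if "relative" in cdp:
        base = cdp.get("cRLIssuer") or cert_issuer
        return [("dn", cdp["relative"] + "," + base)]
    return cdp.get("fullName")


def general_names_match(a, b):
    """Same-type names compare directly; an LDAP URI matches a DN iff its DN field matches."""
    if a[0] == b[0]:
        return a[1] == b[1]
    if a[0] == "uri" and b[0] == "dn":
        return ldap_uri_dn(a[1]) == b[1]
    if a[0] == "dn" and b[0] == "uri":
        return ldap_uri_dn(b[1]) == a[1]
    return False


def idp_matches_cdp(idp, cdp, cert_issuer):
    """Step 2 plus the reasons-subset rule: may this CRL (by its IDP) serve this CDP?"""
    want, have = cdp_names(cdp, cert_issuer), idp.get("fullName")
    if want is None or have is None:
        names_ok = want is None and have is None   # missing names match only missing names
    else:
        names_ok = any(general_names_match(w, h) for w in want for h in have)
    cdp_reasons = cdp.get("reasons") or ALL_REASONS          # absent reasons = all reasons
    idp_reasons = idp.get("onlySomeReasons") or ALL_REASONS
    return names_ok and idp_reasons <= cdp_reasons           # IDP reasons must be a subset
```

The swapped-CRL case Tom describes (a CRL whose IDP names a different distribution point of the same CA) fails the name check, and Himanshu's relative-name CDP against a URI-bearing IDP is resolved by comparing the constructed DN with the URI's DN field.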