Doubt about Revocation Message from CMP
Hi Guys,
Could you help me with a doubt about the message "Revocation Response"
from CMP (RFC 2010).
Suppose the following scenario:
- The CA has five certificates issued for two entities (X and Y).
- Entity X has two certificates (serialNumber=1 and serialNumber=2)
- Entity Y has three certificates (serialNumber=3, serialNumber=4
and serialNumber=5)
- An RA wants to revoke one certificate from X and all the certificates
from Y
To do that, the RA sends the Revocation Request Message:
RevReqContent {
    RevDetails {
        CertTemplate {
            issuer = CA
            serialNumber = 1
        }
    },
    RevDetails {
        CertTemplate {
            issuer = CA
            subject = Y
        }
    }
}
Suppose that all the requests were attempts with status "granted".
Now, what Revocation Response Message must I expect? I need to receive all
the revoked certificates' CertIds.
My doubt is how the CertIds are returned. The RFC 3280 text:
"
The response to the above message. If produced, this is sent to the
requester of the revocation. (A separate revocation announcement
message MAY be sent to the subject of the certificate for which
revocation was requested.)
RevRepContent ::= SEQUENCE {
    status   SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
             -- in same order as was sent in RevReqContent
    revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId OPTIONAL,
             -- IDs for which revocation was requested (same order as status)
    crls     [1] SEQUENCE SIZE (1..MAX) OF CertificateList OPTIONAL
             -- the resulting CRLs (there may be more than one)
}
"
It isn't sufficiently clear to me when it says "...IDs for which
revocation was requested (same order as status)...".
IMHO, the revCerts should be:
revCerts [0] SEQUENCE SIZE (1..MAX) OF SEQUENCE OF CertId OPTIONAL.
In this case, there will be one element in the outer SEQUENCE for each
element in the status SEQUENCE. And it could have more than one CertId for
the same status (for the case where the CA has revoked more than one
certificate from one request).
Thanks in advance.
Luciano Coelho
coelho@xxxxxxxxxxx
e-Sec Data Security Technology
http://www.esec.com.br
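The following is an added example, not code from the original post or from any CMP implementation. It models, with plain Python dataclasses, the RevReqContent and RevRepContent structures as quoted in the post, applies the two CertTemplates from the scenario (one by serialNumber, one by subject) to a constructed inventory of the five certificates, and builds the response twice: once with revCerts as the quoted definition has it (a flat SEQUENCE OF CertId, one per status entry) and once in the nested SEQUENCE OF SEQUENCE OF CertId form the poster proposes. The certificate inventory, the matching rule (a template matches a certificate when every field it sets is equal) and all function names are assumptions made for illustration; the example only covers the all-granted case the post describes.

```python
"""Added example (not from the original post or any CMP library).

Models the CMP revocation request/response structures quoted above and
shows how many CertIds each form of revCerts can carry per status entry.
Certificate inventory, matching rule and helper names are assumptions.
"""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CertId:
    issuer: str
    serial_number: int


@dataclass(frozen=True)
class Certificate:
    issuer: str
    subject: str
    serial_number: int


@dataclass(frozen=True)
class CertTemplate:
    """Only the CertTemplate fields used in the post: issuer is always set,
    serialNumber and subject may be absent (None)."""
    issuer: str
    serial_number: Optional[int] = None
    subject: Optional[str] = None

    def matches(self, cert: Certificate) -> bool:
        # Assumed matching rule: every field set in the template must be equal.
        if cert.issuer != self.issuer:
            return False
        if self.serial_number is not None and cert.serial_number != self.serial_number:
            return False
        if self.subject is not None and cert.subject != self.subject:
            return False
        return True


@dataclass(frozen=True)
class RevDetails:
    cert_details: CertTemplate


# RevReqContent ::= SEQUENCE OF RevDetails
RevReqContent = List[RevDetails]


@dataclass
class RevRepContent:
    """Layout as quoted in the post: revCerts is a flat SEQUENCE OF CertId
    in the same order as status, i.e. exactly one CertId per status entry."""
    status: List[str]
    rev_certs: Optional[List[CertId]] = None


@dataclass
class NestedRevRepContent:
    """Layout the poster proposes: one SEQUENCE OF CertId per status entry."""
    status: List[str]
    rev_certs: Optional[List[List[CertId]]] = None


# Constructed inventory matching the scenario: X holds serials 1 and 2,
# Y holds serials 3, 4 and 5, all issued by "CA".
CA_CERTS = [
    Certificate("CA", "X", 1),
    Certificate("CA", "X", 2),
    Certificate("CA", "Y", 3),
    Certificate("CA", "Y", 4),
    Certificate("CA", "Y", 5),
]


def example_request() -> RevReqContent:
    """The RevReqContent from the post: serial 1, plus everything of subject Y."""
    return [
        RevDetails(CertTemplate(issuer="CA", serial_number=1)),
        RevDetails(CertTemplate(issuer="CA", subject="Y")),
    ]


def revoked_per_request(req: RevReqContent, ca_certs: List[Certificate]) -> List[List[CertId]]:
    """For each RevDetails, the CertIds of every certificate the template selects."""
    return [
        [CertId(c.issuer, c.serial_number) for c in ca_certs if rd.cert_details.matches(c)]
        for rd in req
    ]


def build_flat_response(req: RevReqContent, ca_certs: List[Certificate]) -> RevRepContent:
    """Response in the quoted RFC layout. Because revCerts holds one CertId per
    status entry, a template that selected several certificates can only report
    the first one here; the remaining serials have no slot in this structure."""
    per_request = revoked_per_request(req, ca_certs)
    if any(len(ids) == 0 for ids in per_request):
        raise ValueError("example covers only the all-granted case from the post")
    status = ["granted" for _ in per_request]
    return RevRepContent(status=status, rev_certs=[ids[0] for ids in per_request])


def build_nested_response(req: RevReqContent, ca_certs: List[Certificate]) -> NestedRevRepContent:
    """Response in the poster's proposed layout: all CertIds for each status entry."""
    per_request = revoked_per_request(req, ca_certs)
    if any(len(ids) == 0 for ids in per_request):
        raise ValueError("example covers only the all-granted case from the post")
    status = ["granted" for _ in per_request]
    return NestedRevRepContent(status=status, rev_certs=per_request)


if __name__ == "__main__":
    req = example_request()
    print("revoked per request:", revoked_per_request(req, CA_CERTS))
    print("flat  :", build_flat_response(req, CA_CERTS))
    print("nested:", build_nested_response(req, CA_CERTS))
```

Running it shows the mismatch the post is asking about: the second RevDetails causes four certificates in total to be revoked across the two requests, the flat response carries two CertIds (one per status entry), and the nested form carries all four while keeping the one-to-one alignment with status.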