RE: clarification proposal -- Re: Current status of CRL validation?
Ed:
I see no benefit of having this dialog. Our understandings of security, PKI,
X.509, 3280, and ASN.1 are so far apart, I had better go back to
kindergarten and learn some stuff.
Rest of the PKIXers:
My lack of response to Ed on this thread from now on should not be viewed as
concurrence.
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
Behalf Of Ed Gerck
Sent: Wednesday, April 07, 2004 1:17 PM
To: Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: Re: clarification proposal -- Re: Current status of CRL validation?
Santosh Chokhani wrote:
> Please read X.509 and 3280 carefully. There is no mechanism to limit
> the time of delegation.
I find this interpretation interesting. I wonder how many people would agree
with that. We now have eternal certs that don't expire and cannot be
revoked. This would certainly solve the revocation problem ;-)
As an alternative reading to eternal delegation, X.509 should be
interpreted in its entirety. Since there is nothing that mandates
eternal delegation, the CA is free to use its CPS to control delegation as
the CA so chooses --including expiration dates and
revocation mechanisms-- both off-line and on-line.
> See the syntax and semantics of CRL DP extension.
I see the semantics of the CPS. There is nothing stated there that would bar
a CA from limiting the time and scope of delegation.
> Also, there is no requirement for the certificate issuing CA to issue
> a CRL
My point exactly -- the CA can control all aspects of its revocation
management policy.
> and if the Indirect CRL is checked by the relying party, there is no
> requirement to check any CRL issued by the issuing CA.
Yes, but that check was not done absolutely. It was done in reference to
what the issuer CA defines in its CPS, including its revocation
management policy. For example, look for words such as "...MAKES NO
REPRESENTATION ..." and "...MAKES NO ASSURANCES ...". The issuer CA
can also change its CPS at any time, possibly excluding any delegation from
some time on.
> Actually, if the CRL DP extension is marked critical and it points to
> an indirect CRL issuer, you MUST check that CRL.
My point exactly -- the issuer CA can control all aspects of its revocation
management policy. Let's ask, who signed that critical CRL DP extension?
Who controls whether the RP MUST check that CRL at that indirect CRL issuer
or not? Further, who can revoke such critical CRL DP extension?
Cheers,
Ed Gerck
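The dispute above turns on what a relying party is obliged to do when a distribution point (DP) in a certificate names a cRLIssuer. As an added example, not code from either poster, the following Python models the RFC 3280 section 6.3.3 checks that decide whether a given CRL satisfies a DP; the dataclasses and field names are simplified stand-ins for the ASN.1 structures, and any issuer names or URIs used with it are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ALL_REASONS = frozenset({"keyCompromise", "cACompromise", "affiliationChanged",
                         "superseded", "cessationOfOperation", "certificateHold"})

@dataclass(frozen=True)
class DistributionPoint:
    """One DP from the certificate's CRL distribution points extension."""
    full_name: Optional[str] = None      # distributionPoint fullName (e.g. a URI)
    crl_issuer: Optional[str] = None     # cRLIssuer, present only for indirect CRLs
    reasons: Optional[frozenset] = None  # reasons; None means all reasons

@dataclass(frozen=True)
class CRL:
    """A complete CRL plus the fields of its issuing distribution point (IDP)."""
    issuer: str
    idp_present: bool = False
    idp_indirect: bool = False                    # IDP indirectCRL boolean
    idp_full_name: Optional[str] = None           # IDP distributionPoint name
    idp_only_some_reasons: Optional[frozenset] = None

def crl_satisfies_dp(cert_issuer: str, dp: DistributionPoint, crl: CRL) -> Tuple[bool, str]:
    """Return (ok, why) per RFC 3280 6.3.3 (b) and (d)/(e), simplified."""
    # (b)(1): a DP that names a cRLIssuer binds the RP to that issuer's indirect
    # CRL; the certificate issuer's own CRL does not satisfy such a DP.
    if dp.crl_issuer is not None:
        if crl.issuer != dp.crl_issuer:
            return False, "CRL issuer does not match cRLIssuer in the DP"
        if not (crl.idp_present and crl.idp_indirect):
            return False, "CRL has no IDP extension with indirectCRL asserted"
    elif crl.issuer != cert_issuer:
        return False, "CRL issuer does not match the certificate issuer"
    # (b)(2)(i): an IDP name must match the DP name, or the cRLIssuer when the
    # DP omits its distributionPoint field.
    if crl.idp_present and crl.idp_full_name is not None:
        expected = dp.full_name if dp.full_name is not None else dp.crl_issuer
        if crl.idp_full_name != expected:
            return False, "IDP distributionPoint name does not match the DP"
    # (d)/(e): the reasons this CRL covers for this DP must be non-empty.
    covered = dp.reasons if dp.reasons is not None else ALL_REASONS
    if crl.idp_present and crl.idp_only_some_reasons is not None:
        covered = covered & crl.idp_only_some_reasons
    if not covered:
        return False, "CRL covers none of the reasons in the DP"
    return True, "CRL applies to this DP"
```

Running the issuing CA's own CRL through this check against a DP that names an indirect CRL issuer fails at step (b)(1), which is the behaviour the thread argues over: the DP (signed by the certificate issuer) decides which CRL the relying party must consult.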