
Re: CA Rekey and CRL Validation




To the list,


It is time to work on a correction to the defective text of RFC 3280.

I took the opportunity to have a meeting where I met Stefan to work with him on a fix. Hereafter is the result.

Current wording in RFC 3280 (page 59):

   The CRL issuer MUST assert the indirectCRL boolean, if the scope of
   the CRL includes certificates issued by authorities other than the
   CRL issuer.

Proposed replacement:

   When the CRL issuer is a CA and the scope of the CRL includes
   certificates issued by other CAs, the indirectCRL boolean MUST be
   asserted.

   When the CRL issuer is not a CA, the indirectCRL boolean MUST be
   asserted.

Denis


David,

You are correct, but there are two hats and that's why the text
should be modified to:

   If the distributionPoint field is absent, the CRL MUST contain
   entries for all revoked unexpired certificates *issued* by the
   issuer CA, if any, within the scope of the CRL

Using the CRL issuer hat, there is no issued cert.

Cheers,
Ed Gerck

David P. Kemp wrote:
Not only do other sections suggest that the CA can be a CRL issuer, the
text regarding "CRL issuer" on page 6 is *not* a definition of that term, it is
an item in the list of components in the PKIX architectural model. That
model is shown in the accompanying diagram.
Any reasonable reading of the phrase "CRL issuer" in an English language
sentence would hold that it means the issuer of a CRL.  There are two
components that issue CRLs in the PKIX architecture; one of these
components also issues certificates.
Stefan Santesson wrote:


Denis,
On page 59, we have the following sentence:

   If the distributionPoint field is absent, the CRL MUST contain
   entries for all revoked unexpired certificates *issued* by the CRL
   issuer, if any, within the scope of the CRL

This sentence is either ambiguous or incorrect: a CRL issuer does not
*issue* certificates. On page 7, the definition of a CRL issuer is:

   CRL issuer: an optional system to which a CA delegates the publication
   of certificate revocation lists.

I agree that the definition is not consistent with the standard text in general. Other sections definitely suggest that the CA can be the CRL issuer also without delegation.

From 4.2.1.14 CRL Distribution Points:

  If the certificate issuer is not the CRL
  issuer, then the cRLIssuer field MUST be present and contain the Name
  of the CRL issuer.  If the certificate issuer is also the CRL issuer,
  then the cRLIssuer field MUST be omitted and the distributionPoint
  field MUST be present.

Stefan Santesson
Microsoft Security Center of Excellence (SCOE)
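Added example, not part of any message in this thread: the certificate-to-CRL pairing rule behind the cRLIssuer text quoted from 4.2.1.14 and the indirectCRL text in Denis's proposal, as RFC 3280 section 6.3.3 step (b) applies it when a relying party matches a CRL against a certificate's distribution point. A small DER decoder for the IssuingDistributionPoint value is included so the samples run offline. The IDP encodings, the URI and the issuer names are constructed for illustration, and plain string equality stands in for the name-comparison rules of section 4.1.2.4.

```python
"""Check whether a CRL may be used for a certificate's CRL distribution point,
following RFC 3280 section 6.3.3 step (b).  Added example; the sample IDP
encodings and names below are constructed for illustration."""


def _tlv(tag, content):
    """Encode one DER TLV with a short-form length (enough for the samples)."""
    if len(content) >= 128:
        raise ValueError("sample encoder only handles short-form lengths")
    return bytes([tag, len(content)]) + content


def _read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; returns (tag, value, position after it).
    Single-byte tags only, which covers every field of IssuingDistributionPoint."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


# Context-specific tags of the BOOLEAN members of IssuingDistributionPoint
# (RFC 3280 section 5.2.5); all DEFAULT FALSE, so DER omits them when false.
_BOOL_FIELDS = {1: "only_user_certs", 2: "only_ca_certs",
                4: "indirect_crl", 5: "only_attr_certs"}


def parse_idp(der):
    """Decode an IssuingDistributionPoint extension value into a dict."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("IssuingDistributionPoint must be one SEQUENCE")
    idp = {"distribution_point": None, "only_some_reasons": None}
    idp.update({name: False for name in _BOOL_FIELDS.values()})
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if (tag & 0xC0) != 0x80:
            raise ValueError("unexpected non-context-specific tag 0x%02x" % tag)
        num = tag & 0x1F
        if num == 0:
            idp["distribution_point"] = val      # DistributionPointName, kept raw
        elif num in _BOOL_FIELDS:
            if len(val) != 1:
                raise ValueError("BOOLEAN must be one byte")
            idp[_BOOL_FIELDS[num]] = val[0] != 0
        elif num == 3:
            idp["only_some_reasons"] = val       # ReasonFlags BIT STRING, kept raw
        else:
            raise ValueError("unknown IDP member [%d]" % num)
    return idp


def crl_matches_dp(cert_issuer, dp_crl_issuer, crl_issuer, idp_der):
    """RFC 3280 6.3.3 (b): decide whether a CRL may serve a certificate's
    distribution point.  cert_issuer: the certificate's issuer; dp_crl_issuer:
    cRLIssuer from the certificate's DP, or None when absent; crl_issuer: the
    CRL's issuer field; idp_der: the CRL's IDP extension value, or None.
    Names are compared as plain strings here, standing in for section 4.1.2.4.
    Returns (accepted, reason)."""
    idp = parse_idp(idp_der) if idp_der is not None else None
    if dp_crl_issuer is not None:
        # (b)(1): the DP names a CRL issuer, so this must be an indirect CRL
        # issued by exactly that entity, and the CRL must say so via indirectCRL.
        if crl_issuer != dp_crl_issuer:
            return False, "CRL issuer does not match cRLIssuer in the DP"
        if idp is None or not idp["indirect_crl"]:
            return False, "CRL lacks an IDP with indirectCRL asserted"
        return True, "indirect CRL from the DP's cRLIssuer"
    # (b)(2): no cRLIssuer in the DP, so the certificate issuer must itself be
    # the CRL issuer.  indirectCRL may still be set: a CA whose CRL also covers
    # other CAs' certificates wears both hats, as discussed in the thread.
    if crl_issuer != cert_issuer:
        return False, "CRL issuer differs from certificate issuer but DP has no cRLIssuer"
    return True, "direct CRL from the certificate issuer"


# Constructed sample IDP values (hypothetical URI and names).
_DP_NAME = _tlv(0xA0, _tlv(0xA0, _tlv(0x86, b"http://x/c.crl")))  # [0] fullName, [0] GeneralNames, [6] uri
IDP_DIRECT = _tlv(0x30, _DP_NAME)
IDP_INDIRECT = _tlv(0x30, _DP_NAME + _tlv(0x84, b"\xff"))
IDP_INDIRECT_NO_DP = _tlv(0x30, _tlv(0x84, b"\xff"))

if __name__ == "__main__":
    for args in [("CN=CA1", None, "CN=CA1", IDP_DIRECT),
                 ("CN=CA1", "CN=CRL Issuer", "CN=CRL Issuer", IDP_INDIRECT),
                 ("CN=CA1", "CN=CRL Issuer", "CN=CRL Issuer", IDP_DIRECT),
                 ("CN=CA1", None, "CN=CA2", IDP_INDIRECT_NO_DP)]:
        print(args[:3], crl_matches_dp(*args))
```

The third sample is the case the thread is about: a DP that names a separate CRL issuer, paired with a CRL whose IDP does not assert indirectCRL, is rejected even though the issuer names match. Whether the distributionPoint name itself matches the certificate's DP (step (b)(2) of the same section) is a separate check that this example does not perform.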