[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Usage of CRL Issuing Distribution Point

To: <pau@xxxxxxxxxxxxxx>, <ietf-pkix@xxxxxxx>
Subject: RE: Usage of CRL Issuing Distribution Point
From: "Ambarish Malpani" <ambarish@xxxxxxxxxxxx>
Date: Wed, 10 Feb 1999 12:11:18 -0800
Cc: <carlisle.adams@xxxxxxxxxxx>
Importance: Normal
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxx

Hi Pau,
    If your CA is "really" using CRLDP, then you need to be
careful when you say you have "the" CRL. Part of the point of
CRLDP (as opposed to simple CRLs), is, that a CA can now issue
multiple little CRLs, depending on how it decides to partition
revocation data.

For example, it may create one CRLDP for certificates with serial
numbers between 1-100. Another one for certs from 101-200 and so
on.

Also, it may decide to issue multple potential CRLs on which
a particular cert may occur - for example, there may be one CRL
for key compromise (which is updated very, very frequently), another
for lost keys, etc.

So, there isn't necessarily a single CRL you need to look at.

If your CA decides to use CRLDP in its simplest form and just
issue a single CRL that contains all revocation data, you
still need to be careful. A CRL contains 2 times - a thisUpdate
and a nextUpdate, where the thisUpdate is the time at which
the CRL was issued, while the nextUpdate is the time
at or *before* which the next CRL will be issued.

This means that there is *no* guarantee that the CRL you have
from the CA is the latest one it issued. So depending on the
sensitivity of the transaction, you may decide to go check
the CA for a newer CRL, use the cached CRL, or wait till
nextUpdate is in the past, go grab a new CRL from the CA at
that time and verify that the cert is not on that CRL.

Hope this helps,
Regards,
Ambarish

P.S. To figure out which CRLs apply to the certificate you are
trying to check, you normally look for the path to the CRLs in
the certificate. Once you retrieve the CRL, you need to check
that the CRL has the same name as the one you thought you
were retrieving. So the extension you look for in the cert
is the one with OID id-ce-cRLDistributionPoints, while the name
of the CRL can be found in the CRL (if present), with the
OID id-ce-issuingDistributionPoint.


---------------------------------------------------------------------
Ambarish Malpani
Architect					         650.567.5457
ValiCert, Inc.				        ambarish@valicert.com
1215 Terra Bella Ave.		              http://www.valicert.com
Mountain View, CA 94043-1833


> -----Original Message-----
> From: owner-ietf-pkix@imc.org 
> [mailto:owner-ietf-pkix@imc.org]On Behalf
> Of pau@watson.ibm.com
> Sent: Monday, February 08, 1999 8:55 AM
> To: ietf-pkix@imc.org
> Subject: Usage of CRL Issuing Distribution Point
> 
> 
> Hellow, I am a new comer to PKIX.
> I have a question about the usage of the
> CRL distribution point:
> 
> If I have the CRL, then do I still need to know
> the distribution point ? Is this entension intended
> for furture retrival of CRL's (and of course, to indicate
> why the cert's in the list are revoked.) ?
> 
> If I don't know the distribution point, is there a
> standard/suggested way to learn it without getting the
> CRL ?
> 
> Thanks in advance.
> 
> 
> Regards, Pau-Chen
>

References:
- Usage of CRL Issuing Distribution Point
  - From: pau

Prev by Date: Re: Finding PKIX Servers!
Next by Date: RE: Finding PKIX Servers!
Previous by thread: Usage of CRL Issuing Distribution Point
Next by thread: RE: Usage of CRL Issuing Distribution Point
Index(es):
- Date
- Thread