RE: Possible clarification to RFC 2459
I am not clear why what I proposed wouldn't work.
Assumption: A full CRL contains *all* the revoked and unexpired
certs issued by this CA. This would include both end user and
CA certs.
The full CRL doesn't need to contain the IDP extension unless it
is an indirect CRL, in which case, it will contain the IDP
extension, but with *only* the indirectCRL field set.
You could still issue end user CRLs with IDP and onlyContainsUserCerts
set, or ARLs with IDP and onlyContainsCACerts set; neither of these is
the full CRL.
Am I missing something?
Regards,
Ambarish
---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. ambarish@valicert.com
1215 Terra Bella Ave. http://www.valicert.com
Mountain View, CA 94043-1833
> -----Original Message-----
> From: owner-ietf-pkix@imc.org
> [mailto:owner-ietf-pkix@imc.org]On Behalf
> Of John_Wray@iris.com
> Sent: Tuesday, June 08, 1999 5:23 AM
> To: Tom Biskupic
> Cc: 'Alex Deacon'; Ambarish Malpani [ambarish@valicert.com] (E-mail);
> Ietf-Pkix (E-mail)
> Subject: RE: Possible clarification to RFC 2459
>
> That's precisely what Jonah does - we need to be able to determine by
> inspection whether a given CRL is a user CRL or an ARL, and the only way we
> could find to do this was to use the "onlyContainsUserCerts" and
> "onlyContainsCACerts" flags within the IDP extension.
>
> John
>
> Tom Biskupic <tbiskupic@baltimore.ie>@imc.org on 06/08/99 06:12:11 AM
>
> Sent by: owner-ietf-pkix@imc.org
>
>
> To: "'Alex Deacon'" <alex@verisign.com>, "Ambarish Malpani
> [ambarish@valicert.com] (E-mail)" <ambarish@valicert.com>
> cc: "Ietf-Pkix (E-mail)" <ietf-pkix@imc.org>
>
> Subject: RE: Possible clarification to RFC 2459
>
>
> Alex, Ambarish, Russ,
>
> Something to take into account here is that some CAs may use the IDP for
> full CRLs in order to distinguish them from ARLs. I see this as a
> requirement for CAs posting to directories, in which case the CRL and ARL go
> into the same location and without this extension are indistinguishable.
>
> This makes the criteria somewhat more muddy, as a partial CRL is then
> defined as one which has an IDP containing a DP that is not the same as the
> default location for the issuing CA. That is, the only way to tell if this
> is a partial CRL is that it has something in the IDP to say it was issued
> to somewhere different to the default location.
>
> You could argue that splitting a CRL between a CRL/ARL is effectively
> partitioning; however, in most cases the question you want answered is
> "Should this CRL contain this end user certificate if it is revoked?" and
> this criterion won't help.
>
> Now if CDPs were being used just to allow full CRLs to be published to a
> URI or some other type of location (i.e. a full CRL published to a URI) then
> you have no way to tell at all.
>
> Tom Biskupic
>
> On Tuesday, June 08, 1999 4:07 AM, Alex Deacon
> [SMTP:alex@verisign.com]
> wrote:
> >
> > OK, on first thought this sounds like a reasonable way to specify a full
> > CRL. Basically, what you are saying is that if a cert-using application
> > gets a cert which contains a CDP pointing to a particular partition, but
> > for some reason this application only has a CRL which does not contain an
> > IDP, then they can be confident that they can verify the status of the
> > cert based on this CRL.
> >
> > Right?
> >
> > Alex
> >
> > > -----Original Message-----
> > > From: Ambarish Malpani [mailto:ambarish@valicert.com]
> > > Sent: Monday, June 07, 1999 3:06 PM
> > > To: tgindin@us.ibm.com; ietf-pkix@imc.org
> > > Subject: RE: Possible clarification to RFC 2459
> > >
> > >
> > >
> > > I agree with what Tom wants - would like to be able to
> > > distinguish whether a CRL is a full or a partial CRL. Can we
> > > add the following paragraph to section 5.2.5:
> > >
> > > A full CRL from/for a CA MUST NOT contain the
> > > issuingDistributionPoint extension, unless it is an indirect CRL,
> > > in which case, it MAY contain the issuingDistributionPoint
> > > extension with only the indirectCRL field set to true.
> > >
> > > Would this work for most people? Any objections?
> > > Ambarish
> > >
> > >
> > > > -----Original Message-----
> > > > From: owner-ietf-pkix@imc.org
> > > > [mailto:owner-ietf-pkix@imc.org]On Behalf
> > > > Of tgindin@us.ibm.com
> > > > Sent: Monday, June 07, 1999 8:25 AM
> > > > To: Ambarish Malpani; ietf-pkix@imc.org
> > > > Subject: Possible clarification to RFC 2459
> > > >
> > > > The current definition of Issuing Distribution Point leaves it
> > > > relatively unclear whether the presence of the "DistributionPoint"
> > > > field within this extension indicates that the CRL at that
> > > > distribution point is a partial CRL. I would like to suggest that the
> > > > following text be added to RFC 2459 section 5.2.5:
> > > >
> > > > Where the issuingDistributionPoint extension contains either a DN or
> > > > an RDN, the distribution point SHOULD contain only certificates which
> > > > contain a CRL Distribution Point extension one of whose
> > > > DistributionPoints contains the same value in the "distributionPoint"
> > > > field.
> > > >
> > > > To make it clear that CRL Distribution Points support partitioning
> > > > even for URLs, the following existing text in section 4.2.1.14 could
> > > > be modified as follows:
> > > > [Old] the URI is a pointer to the current CRL for the associated
> > > > reasons and will be issued by the associated cRLIssuer.
> > > > [New] the URI is a pointer to a current CRL for the associated reasons
> > > > for those certificates and will be issued by the associated cRLIssuer.
> > > > The CRL so referenced SHOULD contain only certificates whose CRL
> > > > Distribution Point extension contains this URI and certificates not
> > > > containing any CRL Distribution Point extension.
> > > >
> > > > Tom Gindin
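The distinction the thread keeps returning to (full CRL vs. ARL vs. user CRL vs. partitioned CRL) comes down to which fields of the issuingDistributionPoint extension are set. As an added example that is not part of this thread or any author's code, the following decodes an IDP value with a minimal DER reader and applies Ambarish's proposed rule; every DER sample and the URI are constructed.

```python
# Added example (not the thread's or any author's code): decode an RFC 2459
# IssuingDistributionPoint value with a minimal DER reader and apply Ambarish's
# proposed "full CRL" rule. All DER samples and the URI are constructed.
FIELDS = {0xA0: "distributionPoint", 0x81: "onlyContainsUserCerts",
          0x82: "onlyContainsCACerts", 0x83: "onlySomeReasons", 0x84: "indirectCRL"}

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_idp(der):
    """Return {field: bool} for the IDP SEQUENCE; absent fields are False."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("IssuingDistributionPoint must be a SEQUENCE")
    fields = dict.fromkeys(FIELDS.values(), False)
    pos = 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag not in FIELDS:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        # [1], [2], [4] are BOOLEANs (0xFF = TRUE); [0] and [3] count as "present"
        fields[FIELDS[tag]] = val == b"\xff" if tag in (0x81, 0x82, 0x84) else True
    return fields

def is_full_crl(idp_der=None):
    """Ambarish's rule: no IDP at all, or an IDP whose only set field is indirectCRL."""
    if idp_der is None:
        return True
    f = parse_idp(idp_der)
    return not any(v for k, v in f.items() if k != "indirectCRL")

def crl_scope(idp_der=None):
    """Label what the CRL covers, e.g. 'full', 'ARL', 'user-certs+partition'."""
    if is_full_crl(idp_der):
        return "full"
    f = parse_idp(idp_der)
    labels = [("onlyContainsCACerts", "ARL"), ("onlyContainsUserCerts", "user-certs"),
              ("distributionPoint", "partition"), ("onlySomeReasons", "some-reasons")]
    return "+".join(name for key, name in labels if f[key])

# Constructed samples: [4] indirectCRL, [2] onlyContainsCACerts, [1] onlyContainsUserCerts
IDP_INDIRECT, IDP_ARL, IDP_USER = (bytes.fromhex(h) for h in ("30038401ff", "30038201ff", "30038101ff"))
_uri = b"http://crl.example.test/part1.crl"   # [0] distributionPoint -> fullName -> [6] URI
_names = b"\xa0" + bytes([len(_uri) + 2]) + b"\x86" + bytes([len(_uri)]) + _uri
_dp = b"\xa0" + bytes([len(_names)]) + _names
IDP_PARTITION = b"\x30" + bytes([len(_dp)]) + _dp
IDP_USER_PARTITION = b"\x30" + bytes([len(_dp) + 3]) + _dp + b"\x81\x01\xff"
```

Note that an empty IDP SEQUENCE decodes as "full" here even though the proposed MUST NOT would make such a CRL nonconforming; a strict validator would flag it separately.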