RE: Possible clarification to RFC 2459
> From: Tom Biskupic <tbiskupic@baltimore.ie>
> To: "'Ambarish Malpani'" <ambarish@valicert.com>
> Cc: "John_Wray@iris.com" <John_Wray@iris.com>, "'Tom Biskupic'"
> <tbiskupic@baltimore.ie>, "'Ietf-Pkix (E-mail)'" <ietf-pkix@imc.org>, "'Alex
> Deacon'" <alex@verisign.com>
Tom,
As you say, the presence of an IDP extension (with onlyUserCerts,
onlyCACerts, and onlySomeReasons all absent) in the CRL does not indicate
whether the CRL covers every cert issued by the CA or only some certs.
A CA's CRLs could, for example, be partitioned by serial number, or by
the phase of the moon at the start of the certificate's validity, or at
random.
But why is that a problem? If you have a cert with CrlDP, then you can
determine the revocation status of that cert unambiguously without
needing to know whether the CRL is full or partial. That is a feature,
not a bug, because it allows CAs to do dynamic partitioning.
If you have a set of certs without CrlDP, then the CA has chosen not to
partition those certs in a manner that can't be described in the IDP,
and the status of any particular cert is still unambiguous.
Why do people feel it is necessary or desirable to know whether a given
CRL is full or partial? The only question that must be answered is
whether a CRL or set of CRLs is complete with respect to a given
certificate. RFC 2459 already satisfies that requirement. Any
"clarification" to RFC 2459 that would prevent a CA from issuing new
certs under a different CRL than existing certs is undesirable.
Dave Kemp
> Subject: RE: Possible clarification to RFC 2459
> Date: Tue, 8 Jun 1999 19:06:44 +0100
>
> Ambarish,
>
> Yes, I understand what you are saying. Yes, as I said, you could argue (and in
> fact you did) that in the case where you have a CRL/ARL split the presence
> of an IDP does indicate the CRL has been partitioned, but I am saying there
> is no way to tell if the CRL has been split in other ways.
>
> The issue is based on my assumption that there will be many systems that
> split a CRL into a CRL and ARL but few that split further. If a CRL
> containing an IDP is encountered which has the 'onlyContainsUserCerts'
> optional flag (which we believe is a common occurrence) there is no way to
> tell if the set of revoked certificates has been partitioned further or if
> this is the only split criterion. OK, strictly speaking the CRL is split but
> in this case that's not very useful as what you really want to know is
> where to go to check the validity of the (usually) end user certificate you
> are holding.
>
> A more serious problem occurs in the second case I highlighted - an
> organisation has no directory service (i.e. an LDAP server) so they
> distribute their CRLs through a URI. Every issued certificate (maybe even
> including CA certificates) contains a CDP extension pointing at this URI. A
> complete CRL is posted to that location every day. In this case the
> presence of an IDP extension in the CRL does not indicate a partial CRL.
> Essentially the lack of an IDP implies a full CRL but the presence of an
> IDP may not indicate a partial CRL.
>
> Where does that get us? Hmm I'm not sure.
>
> Tom Biskupic
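Added example, not part of the thread and not taken from any PKIX implementation: the test Dave Kemp says is the only one needed ("is this CRL, or set of CRLs, complete with respect to a given certificate?") modelled in Python, with the "is this CRL full or partial?" question deliberately never asked. Only the extension and field names (cRLDistributionPoints, issuingDistributionPoint, onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons, ReasonFlags) come from RFC 2459; the Python types, the matching of a distribution point by a single URI string, and every sample URI and serial number are constructed assumptions. The scenarios at the bottom replay the two cases from the quoted message (a CRL/ARL split, and one complete CRL published at a URI whose IDP names that URI) plus the dynamic-partitioning case from the reply.

```python
"""Scope of a CRL with respect to one certificate, modelled on RFC 2459's
cRLDistributionPoints / issuingDistributionPoint fields.  Constructed example;
types, URI-string matching and sample values are simplifying assumptions."""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Optional

# ReasonFlags named in RFC 2459 (bit 0, "unused", is not a revocation reason).
ALL_REASONS: FrozenSet[str] = frozenset({
    "keyCompromise", "cACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold",
})


@dataclass(frozen=True)
class DistributionPoint:
    """One cRLDistributionPoints entry in a certificate (name reduced to a URI)."""
    name: Optional[str]
    reasons: FrozenSet[str] = ALL_REASONS   # reasons absent => all reasons


@dataclass(frozen=True)
class Certificate:
    serial: int
    is_ca: bool
    crl_dps: List[DistributionPoint] = field(default_factory=list)


@dataclass(frozen=True)
class IssuingDistributionPoint:
    """The CRL's IDP extension; every field optional, as in RFC 2459."""
    name: Optional[str] = None
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False
    only_some_reasons: FrozenSet[str] = ALL_REASONS


@dataclass(frozen=True)
class CRL:
    idp: Optional[IssuingDistributionPoint]
    revoked_serials: FrozenSet[int] = frozenset()


def reasons_covered(crl: CRL, cert: Certificate,
                    dp: Optional[DistributionPoint]) -> FrozenSet[str]:
    """Reasons for which `crl` is authoritative about `cert` when reached via
    `dp` (None when the cert has no CDP).  Empty set => out of scope."""
    if crl.idp is None:
        return ALL_REASONS              # no IDP: covers all certs the CA issued
    idp = crl.idp
    if idp.only_contains_user_certs and cert.is_ca:
        return frozenset()
    if idp.only_contains_ca_certs and not cert.is_ca:
        return frozenset()
    if idp.name is not None and (dp is None or dp.name != idp.name):
        return frozenset()              # named IDP, cert does not point at it
    dp_reasons = dp.reasons if dp is not None else ALL_REASONS
    # Nothing above asks whether the CRL is "full": an IDP with all three
    # partition fields absent passes for this cert, which is all we need.
    return idp.only_some_reasons & dp_reasons


def reasons_covered_any_dp(crl: CRL, cert: Certificate) -> FrozenSet[str]:
    covered: FrozenSet[str] = frozenset()
    for dp in (cert.crl_dps or [None]):
        covered |= reasons_covered(crl, cert, dp)
    return covered


def complete_for(crls: Iterable[CRL], cert: Certificate) -> bool:
    """Do these CRLs together cover every revocation reason for this cert?"""
    covered: FrozenSet[str] = frozenset()
    for crl in crls:
        covered |= reasons_covered_any_dp(crl, cert)
    return covered >= ALL_REASONS


def revocation_status(crls: Iterable[CRL], cert: Certificate) -> Optional[bool]:
    """True/False once the CRL set is complete for the cert; None (unknown)
    otherwise, so an incomplete set can never be read as "not revoked"."""
    crls = list(crls)
    if not complete_for(crls, cert):
        return None
    return any(cert.serial in c.revoked_serials for c in crls)


# --- constructed scenarios (placeholder URIs and serials, not real data) ---
URI = "http://crl.example.test/ca.crl"
EE_CERT = Certificate(serial=1001, is_ca=False, crl_dps=[DistributionPoint(URI)])
CA_CERT = Certificate(serial=7, is_ca=True, crl_dps=[DistributionPoint(URI)])
# One complete CRL at a URI, IDP naming that URI, no partition flags set.
FULL_CRL = CRL(IssuingDistributionPoint(name=URI), frozenset({1001}))
# CRL/ARL split: each list alone is complete only for its class of cert.
USER_CRL = CRL(IssuingDistributionPoint(name=URI, only_contains_user_certs=True))
ARL = CRL(IssuingDistributionPoint(name=URI, only_contains_ca_certs=True), frozenset({7}))
# Dynamic partitioning: newer certs point at a second URI; a relying party
# holding such a cert never needs to learn that the first CRL exists.
URI2 = "http://crl.example.test/ca-2.crl"
NEW_CERT = Certificate(serial=5000, is_ca=False, crl_dps=[DistributionPoint(URI2)])
CRL_PART2 = CRL(IssuingDistributionPoint(name=URI2))

if __name__ == "__main__":
    print("full CRL, EE cert:", revocation_status([FULL_CRL], EE_CERT))
    print("user CRL alone, CA cert:", revocation_status([USER_CRL], CA_CERT))
    print("user CRL + ARL, CA cert:", revocation_status([USER_CRL, ARL], CA_CERT))
    print("old CRL only, new cert:", revocation_status([FULL_CRL], NEW_CERT))
```

The design point is the three-valued result: a relying party that cannot assemble a CRL set complete for the certificate in hand gets "unknown", not "not revoked", and it reaches that answer without ever deciding whether any individual CRL is full or partial.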