RE: Possible clarification to RFC 2459
Hi Dave,
Here is the specific issue that I am facing. We have an OCSP
responder that can, among other methods, get information about what
certs are revoked from a CA using CRLs. I need to know if the CA
is sending me parts of a CRL or a full CRL. Want to be able to
distinguish between the two based on the CRL itself.
Another problem is the case where a CA produces both full
and partial CRLs. If I as an application have the full CRL, I don't
need to look at the partial CRLs to validate a cert. In that
case, how can I know that I have the full CRL?
Hope this clarifies the reasons behind the question.
Regards,
Ambarish
---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. ambarish@valicert.com
1215 Terra Bella Ave. http://www.valicert.com
Mountain View, CA 94043-1833
> -----Original Message-----
> From: owner-ietf-pkix@imc.org
> [mailto:owner-ietf-pkix@imc.org]On Behalf
> Of David P. Kemp
> Sent: Tuesday, June 08, 1999 12:30 PM
> To: ietf-pkix@imc.org
> Subject: RE: Possible clarification to RFC 2459
>
>
>
> > From: Tom Biskupic <tbiskupic@baltimore.ie>
> > To: "'Ambarish Malpani'" <ambarish@valicert.com>
> > Cc: "John_Wray@iris.com" <John_Wray@iris.com>, "'Tom Biskupic'" <tbiskupic@baltimore.ie>,
> >     "'Ietf-Pkix (E-mail)'" <ietf-pkix@imc.org>, "'Alex Deacon'" <alex@verisign.com>
> Tom,
> As you say, the presence of an IDP extension (with onlyUserCerts,
> onlyCACerts, and onlySomeReasons all absent) in the CRL does not
> indicate whether the CRL covers every cert issued by the CA or only
> some certs. A CA's CRLs could, for example, be partitioned by serial
> number, or by the phase of the moon at the start of the certificate's
> validity, or at random.
>
> But why is that a problem? If you have a cert with CrlDP, then you can
> determine the revocation status of that cert unambiguously without
> needing to know whether the CRL is full or partial. That is a feature,
> not a bug, because it allows CAs to do dynamic partitioning.
>
> If you have a set of certs without CrlDP, then the CA has chosen not to
> partition those certs in a manner that can't be described in the IDP,
> and the status of any particular cert is still unambiguous.
>
> Why do people feel it is necessary or desirable to know whether a given
> CRL is full or partial? The only question that must be answered is
> whether a CRL or set of CRLs is complete with respect to a given
> certificate. RFC 2459 already satisfies that requirement. Any
> "clarification" to RFC 2459 that would prevent a CA from issuing new
> certs under a different CRL than existing certs is undesirable.
>
> Dave Kemp
>
>
>
> > Subject: RE: Possible clarification to RFC 2459
> > Date: Tue, 8 Jun 1999 19:06:44 +0100
> >
> > Ambarish,
> >
> > Yes I understand what you are saying. Yes as I said you could argue (and in
> > fact you did) that in the case where you have a CRL/ARL split the presence
> > of an IDP does indicate the CRL has been partitioned but I am saying there
> > is no way to tell if the CRL has been split in other ways.
> >
> > The issue is based on my assumption that there will be many systems that
> > split a CRL into a CRL and ARL but few that split further. If a CRL
> > containing an IDP is encountered which has the 'onlyContainsUserCerts'
> > optional flag (which we believe is a common occurrence) there is no way to
> > tell if the set of revoked certificates has been partitioned further or if
> > this is the only split criterion. OK, strictly speaking the CRL is split but
> > in this case that's not very useful as what you really want to know is
> > where to go to check the validity of the (usually) end user certificate you
> > are holding.
> >
> > A more serious problem occurs in the second case I highlighted - an
> > organisation has no directory service (i.e. an LDAP server) so they
> > distribute their CRLs through a URI. Every issued certificate (maybe even
> > including CA certificates) contains a CDP extension pointing at this URI. A
> > complete CRL is posted to that location every day. In this case the
> > presence of an IDP extension in the CRL does not indicate a partial CRL.
> > Essentially the lack of an IDP implies a full CRL but the presence of an
> > IDP may not indicate a partial CRL.
> >
> > Where does that get us? Hmm I'm not sure.
> >
> > Tom Biskupic
>
>
>
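The three positions in the thread (Ambarish wants to know "full or partial" from the CRL itself, Tom notes that an IDP carrying only a distribution-point name cannot tell you, Dave says the only answerable question is whether a CRL or set of CRLs is complete with respect to a given certificate) can be made concrete in code. The following is an added example, not part of the thread and not any participant's or vendor's code. It models the certificate's cRLDistributionPoints entries and the CRL's issuingDistributionPoint as plain Python dataclasses instead of parsing DER (an assumption made so it runs offline), and applies the scope-matching rules of RFC 2459 section 6.3 as later spelled out in RFC 5280 section 6.3.3(b): issuer match, IDP name versus DP name, onlyContainsUserCerts/onlyContainsCACerts versus basicConstraints, and onlySomeReasons accumulated across several CRLs. The CA name, the URI and the serial numbers are constructed sample values.

```python
"""CRL scope matching: 'is this CRL complete with respect to this cert?'
Pure-Python model (assumed dataclasses, no DER parsing) of the rules in
RFC 2459 section 6.3 / RFC 5280 section 6.3.3(b)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ALL_REASONS = frozenset({
    "keyCompromise", "cACompromise", "affiliationChanged", "superseded",
    "cessationOfOperation", "certificateHold", "privilegeWithdrawn", "aACompromise",
})

@dataclass(frozen=True)
class DistributionPoint:           # one entry of the cert's cRLDistributionPoints
    names: Tuple[str, ...] = ()    # distributionPoint fullName (URIs or DNs)
    reasons: Optional[FrozenSet[str]] = None   # None == all reasons
    crl_issuer: Optional[str] = None           # cRLIssuer, for indirect CRLs

@dataclass(frozen=True)
class Certificate:
    issuer: str
    is_ca: bool                    # basicConstraints cA flag
    crl_dps: Tuple[DistributionPoint, ...] = ()

@dataclass(frozen=True)
class IssuingDistributionPoint:    # the CRL's IDP extension
    names: Tuple[str, ...] = ()
    only_user_certs: bool = False
    only_ca_certs: bool = False
    only_some_reasons: Optional[FrozenSet[str]] = None
    indirect_crl: bool = False

@dataclass(frozen=True)
class CRL:
    issuer: str
    idp: Optional[IssuingDistributionPoint] = None
    revoked_serials: FrozenSet[int] = frozenset()

def classify_scope(crl: CRL) -> str:
    """What the CRL alone says about its scope: no IDP means full for that
    issuer; a scoping flag means partial; a bare DP name is undecidable."""
    if crl.idp is None:
        return "full"
    if crl.idp.only_user_certs or crl.idp.only_ca_certs or crl.idp.only_some_reasons is not None:
        return "partial"
    return "unknown"

def crl_covers(cert: Certificate, dp: DistributionPoint, crl: CRL) -> bool:
    """RFC 5280 6.3.3(b): may this CRL be used to check cert via dp?"""
    idp = crl.idp
    if dp.crl_issuer is not None:                      # (b)(1) indirect CRL
        if crl.issuer != dp.crl_issuer or idp is None or not idp.indirect_crl:
            return False
    elif crl.issuer != cert.issuer:                    # (b)(1) direct CRL
        return False
    if idp is None:                                    # no IDP: whole issuer scope
        return True
    if idp.names:                                      # (b)(2)(i) name match
        dp_names = dp.names or ((dp.crl_issuer,) if dp.crl_issuer else ())
        if not set(idp.names) & set(dp_names):
            return False
    if idp.only_user_certs and cert.is_ca:             # (b)(2)(ii)
        return False
    if idp.only_ca_certs and not cert.is_ca:           # (b)(2)(iii)
        return False
    return True

def reasons_covered(dp: DistributionPoint, crl: CRL) -> FrozenSet[str]:
    """Reasons the DP promises that this CRL actually carries."""
    wanted = dp.reasons if dp.reasons is not None else ALL_REASONS
    have = ALL_REASONS
    if crl.idp is not None and crl.idp.only_some_reasons is not None:
        have = crl.idp.only_some_reasons
    return frozenset(wanted & have)

def status(cert: Certificate, serial: int, crls) -> str:
    """'revoked', 'good' or 'undetermined'. A DP is satisfied only when the
    matching CRLs together cover every reason it promises. Simplification:
    any matching entry counts as revoked, regardless of its reason code."""
    for dp in cert.crl_dps:
        covered = set()
        for crl in crls:
            if not crl_covers(cert, dp, crl):
                continue
            if serial in crl.revoked_serials:
                return "revoked"
            covered |= reasons_covered(dp, crl)
        wanted = dp.reasons if dp.reasons is not None else ALL_REASONS
        if covered >= wanted:
            return "good"
    return "undetermined"

if __name__ == "__main__":
    # Constructed sample: Tom's "full CRL behind one URI, IDP names the URI" case.
    ca, uri = "CN=Example CA", "http://crl.example.test/full.crl"
    full = CRL(ca, IssuingDistributionPoint(names=(uri,)), frozenset({0x1001}))
    ee = Certificate(ca, False, (DistributionPoint(names=(uri,)),))
    print(classify_scope(full), status(ee, 0x1001, [full]), status(ee, 0x1002, [full]))
```

The point the example makes is Dave's: `classify_scope` answers Ambarish's question only in the two easy cases (no IDP, or a scoping flag) and returns "unknown" for Tom's URI case, yet `status` still gives a definite answer for every certificate because the completeness test is relative to the certificate's own distribution point, not to the CRL in isolation. A reason-partitioned CA is the one case where a single CRL is never enough, and `status` only reports "good" once the matching CRLs between them cover all promised reasons.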