RE: Possible clarification to RFC 2459
Dave,
I was thinking of the case where you have a certificate without a CDP
extension and you have a cached CRL containing an IDP. Do I need to get
another CRL or should this certificate be contained in the one I have?
I think the bottom line is you can only use the CRL if its DP matches your
certificate's (either explicitly through a CDP extension or implicitly).
Presence/absence of an IDP is not enough to determine this.
I'm really arguing against Ambarish's statement (and not so much the other
Tom's [TomG's] original comments) so I guess we are off-topic a bit:
"A full CRL from/for a CA MUST NOT contain the
issuingDistributionPoint extension, unless it is an indirect CRL,
in which case, it MAY contain the issuingDistributionPoint
extension with only the indirectCRL field set to true."
Tom Biskupic
On Tuesday, June 08, 1999 8:30 PM, David P. Kemp
[SMTP:dpkemp@missi.ncsc.mil] wrote:
>
> > From: Tom Biskupic <tbiskupic@baltimore.ie>
> > To: "'Ambarish Malpani'" <ambarish@valicert.com>
> > Cc: "John_Wray@iris.com" <John_Wray@iris.com>, "'Tom Biskupic'" <tbiskupic@baltimore.ie>,
> > "'Ietf-Pkix (E-mail)'" <ietf-pkix@imc.org>, "'Alex Deacon'" <alex@verisign.com>
> Tom,
> As you say, the presence of an IDP extension (with onlyUserCerts,
> onlyCACerts, and onlySomeReasons all absent) in the CRL does not indicate
> whether the CRL covers every cert issued by the CA or only some certs.
> A CA's CRLs could, for example, be partitioned by serial number, or by
> the phase of the moon at the start of the certificate's validity, or at
> random.
>
> But why is that a problem? If you have a cert with CrlDP, then you can
> determine the revocation status of that cert unambiguously without
> needing to know whether the CRL is full or partial. That is a feature,
> not a bug, because it allows CAs to do dynamic partitioning.
>
> If you have a set of certs without CrlDP, then the CA has chosen not to
> partition those certs in a manner that can't be described in the IDP,
> and the status of any particular cert is still unambiguous.
>
> Why do people feel it is necessary or desirable to know whether a given
> CRL is full or partial? The only question that must be answered is
> whether a CRL or set of CRLs is complete with respect to a given
> certificate. RFC 2459 already satisfies that requirement. Any
> "clarification" to RFC 2459 that would prevent a CA from issuing new
> certs under a different CRL than existing certs is undesirable.
>
> Dave Kemp
>
>
>
> > Subject: RE: Possible clarification to RFC 2459
> > Date: Tue, 8 Jun 1999 19:06:44 +0100
> >
> > Ambarish,
> >
> > Yes I understand what you are saying. Yes as I said you could argue (and
> > in fact you did) that in the case where you have a CRL/ARL split the
> > presence of an IDP does indicate the CRL has been partitioned but I am
> > saying there is no way to tell if the CRL has been split in other ways.
> >
> > The issue is based on my assumption that there will be many systems that
> > split a CRL into a CRL and ARL but few that split further. If a CRL
> > containing an IDP is encountered which has the 'onlyContainsUserCerts'
> > optional flag (which we believe is a common occurrence) there is no way to
> > tell if the set of revoked certificates has been partitioned further or if
> > this is the only split criterion. Ok strictly speaking the CRL is split but
> > in this case that's not very useful as what you really want to know is
> > where to go to check the validity of the (usually) end user certificate you
> > are holding.
> >
> > A more serious problem occurs in the second case I highlighted - an
> > organisation has no directory service (i.e. an LDAP server) so they
> > distribute their CRLs through a URI. Every issued certificate (maybe even
> > including CA certificates) contains a CDP extension pointing at this URI. A
> > complete CRL is posted to that location every day. In this case the
> > presence of an IDP extension in the CRL does not indicate a partial CRL.
> > Essentially the lack of an IDP implies a full CRL but the presence of an
> > IDP may not indicate a partial CRL.
> >
> > Where does that get us? Hmm I'm not sure.
> >
> > Tom Biskupic
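The check the thread converges on, that a cached CRL may be used for a certificate only when the CRL's distribution point (explicit in its IDP, or implicit when there is none) matches the certificate's (explicit in its CDP, or implicit when there is none), is shown below as an added example. It is not code from the thread or from any of the participants, and it uses a deliberately simplified model: distribution point names are plain strings (URIs or DNs) rather than GeneralNames, the issuer names, URIs and the "cached CRLs" are constructed sample data, and the handling of a certificate with no CDP extension is an assumption made here (it is matched only by a direct CRL from its own issuer whose IDP names no distribution point, since a CRL that does name one may be an arbitrary partition). The cases exercised are the ones Tom describes: a cert without a CDP against a cached CRL that carries an IDP with a name, a CRL/ARL split signalled by onlyContainsUserCerts, and an organisation that posts a complete CRL with an IDP at a URI that every certificate's CDP points at.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# All issuer names, URIs and CRLs below are constructed sample data.


@dataclass(frozen=True)
class DistributionPoint:
    """One entry of a certificate's cRLDistributionPoints extension (simplified)."""
    names: FrozenSet[str] = frozenset()  # distributionPoint names (URIs / DNs)
    crl_issuer: Optional[str] = None     # cRLIssuer; set only for indirect CRLs


@dataclass(frozen=True)
class Certificate:
    issuer: str
    is_ca: bool = False                              # basicConstraints.cA
    cdp: Tuple[DistributionPoint, ...] = ()          # () means no CDP extension


@dataclass(frozen=True)
class IssuingDistributionPoint:
    names: FrozenSet[str] = frozenset()  # distributionPoint; empty means absent
    only_user_certs: bool = False        # onlyContainsUserCerts
    only_ca_certs: bool = False          # onlyContainsCACerts
    indirect_crl: bool = False           # indirectCRL
    only_some_reasons: bool = False      # onlySomeReasons present


@dataclass(frozen=True)
class CRL:
    issuer: str
    idp: Optional[IssuingDistributionPoint] = None   # None means no IDP extension


def crl_in_scope(cert: Certificate, crl: CRL) -> bool:
    """Does the CRL's (explicit or implicit) DP match the certificate's DP?

    The CRL may be consulted for `cert` only when this returns True; the mere
    presence or absence of an IDP never decides it.
    """
    idp = crl.idp
    if idp is None:
        # No IDP: a full CRL from its issuer covering every cert that CA issued.
        return crl.issuer == cert.issuer

    # onlyContainsUserCerts / onlyContainsCACerts restrict by certificate type.
    if idp.only_user_certs and cert.is_ca:
        return False
    if idp.only_ca_certs and not cert.is_ca:
        return False

    if not cert.cdp:
        # No CDP: the cert's DP is implicit (its own issuer). Assumption made in
        # this example: only a direct CRL from that issuer whose IDP names no
        # distribution point can be taken to cover it. A CRL that names one may
        # be an arbitrary partition, so we must go and find another CRL.
        return crl.issuer == cert.issuer and not idp.names and not idp.indirect_crl

    for dp in cert.cdp:
        # A DP that names a cRLIssuer expects that issuer's (indirect) CRL;
        # otherwise the CRL must come from the certificate's own issuer.
        expected_issuer = dp.crl_issuer or cert.issuer
        if crl.issuer != expected_issuer:
            continue
        if dp.crl_issuer and not idp.indirect_crl:
            continue
        if idp.names:
            # When the IDP names a DP, it must intersect the DP's names, or the
            # DP's cRLIssuer if the DP carries no distributionPoint name.
            dp_names = dp.names or (frozenset({dp.crl_issuer}) if dp.crl_issuer
                                    else frozenset())
            if not (idp.names & dp_names):
                continue
        return True
    return False


def status_complete(cert: Certificate, crls: Iterable[CRL]) -> bool:
    """True when the cache is complete for `cert`: some in-scope CRL is not
    limited to a subset of reason codes. (Merging several onlySomeReasons CRLs
    into full coverage is left out of this example.)"""
    return any(crl_in_scope(cert, c) and not (c.idp and c.idp.only_some_reasons)
               for c in crls)


# Constructed sample data mirroring the cases in the thread.
CA = "CN=Example CA"
INDIRECT = "CN=Example Indirect CRL Issuer"
URI = "http://crl.example.invalid/full.crl"

EE_NO_CDP = Certificate(issuer=CA)
CA_CERT_NO_CDP = Certificate(issuer=CA, is_ca=True)
EE_URI = Certificate(issuer=CA, cdp=(DistributionPoint(names=frozenset({URI})),))
EE_INDIRECT = Certificate(issuer=CA, cdp=(DistributionPoint(crl_issuer=INDIRECT),))

FULL_CRL = CRL(CA)                                                   # no IDP
URI_CRL = CRL(CA, IssuingDistributionPoint(names=frozenset({URI})))  # IDP names URI
USER_ONLY_CRL = CRL(CA, IssuingDistributionPoint(only_user_certs=True))
INDIRECT_CRL = CRL(INDIRECT, IssuingDistributionPoint(indirect_crl=True))
REASONS_CRL = CRL(CA, IssuingDistributionPoint(only_some_reasons=True))


if __name__ == "__main__":
    print("no-CDP cert vs cached CRL with named IDP:", crl_in_scope(EE_NO_CDP, URI_CRL))
    print("no-CDP cert vs CRL/ARL split CRL:", crl_in_scope(EE_NO_CDP, USER_ONLY_CRL))
    print("CDP-at-URI cert vs complete CRL posted with IDP:", crl_in_scope(EE_URI, URI_CRL))
```

The first print answers the question at the top of the message: with no CDP in the certificate and a cached CRL whose IDP names a distribution point, the CRL is not known to cover the certificate and another CRL has to be fetched. The third print is the URI scenario: a complete CRL that carries an IDP still matches every certificate whose CDP points at that URI, so an IDP's presence on its own says nothing about partial versus full.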