
RE: Possible clarification to RFC 2459



     Dave has proposed that all CRLs, whether or not they have a distributionPoint
field in their IDP (issuingDistributionPoint) extension, must be
considered authoritative for those certificates issued by that CA which do not
have distribution points.  Because of the potentially very large number of CRLs
with distributionPoint fields containing DNs for such CAs, I propose that they
should not be considered authoritative for such certificates; only those
CRLs which either lack the IDP extension or have no DN in their
distributionPoint field should be considered authoritative for such
certificates.
     In considering which CRLs should need to contain revocations for non-DP
certificates (those which contain no CRLDistributionPoints extension), it might
be useful to consider under what circumstances a CA would have generated both DP
and non-DP certificates.  It seems to me that the likeliest scenarios are
first, that a software upgrade has been performed that "turns on" distribution
points as a feature so that old certificates are non-DP while new ones are DP;
second, that CA certificates are considered as belonging to an existing
partitioned CRL of manageable size (one with no name, but with the
onlyContainsCACerts flag set) so that they are non-DP while user certificates
are DP; and third, a combination of the two effects, in which the only new
non-DP certificates are CA certificates.  In all of these cases, no new non-DP
user certificates are being issued.
     The other issue here is how a verifier gets a CRL and then knows that he
has obtained the correct CRL.  For any non-DP certificate, the verifier will
have to try to get the CRL from the default repository for the CA.  Since the
global CRL will have to be maintained anyway, in conformance to X.509's note f
to section 12.6.1 (June '97 version) which states, "every CA shall, as a common
fall-back approach, issue complete CRLs covering all certificates it issues", it
will presumably be reachable there.  Thus I don't see why other CRLs should
have to include the non-DP certificates.

          Tom Gindin



"David P. Kemp" <dpkemp@missi.ncsc.mil> on 06/09/99 05:00:37 PM

Please respond to "David P. Kemp" <dpkemp@missi.ncsc.mil>

To:   ietf-pkix@imc.org
cc:    (bcc: Tom Gindin/Watson/IBM)
Subject:  RE: Possible clarification to RFC 2459

>> [Dave]
>>   "A CRL containing an issuingDistributionPoint extension with the
>>   distributionPoint field present MUST be authoritative for all
>>   certificates* that do not contain a CRLDistributionPoints extension."
>>
>>  *user certs, CA certs, or both, as specified in the IDP.


> [Tom Gindin]   Should that really be "with the distributionPoint field present"
> or "without the distributionPoint field present"?  It would seem to be true when
> the distributionPoint field is absent.

I meant "with the distributionPoint field present or absent", but intended to
emphasise that the case where it is present should be interpreted no differently
with respect to certs without CRLdp than the case where it is absent.


> I would say that "A CRL containing an
> issuingDistributionPoint extension with the distributionPoint field containing
> a DN MUST be authoritative for all certificates that contain that value of the
> field in their CRLDistributionPoints extension", and also that "A CRL
> containing an issuingDistributionPoint extension without the distributionPoint
> field present MUST be authoritative for all certificates* that do not contain a
> CRLDistributionPoints extension."  What isn't obvious, I suppose, is whether
> CRLs at named distribution points (with a DN name, as there are specifics about
> DPs with URI names) cover certificates without distribution points.


Tom,
That is an excellent statement of the problem!

Assume that a CA issues three certs with:
  Cert1[no CRLdp]  Cert2[CRLdp 2]    Cert3[CRLdp 3]

And assume that the CA may publish three CRLs, with the following
distributionPoint fields:
  CRL1[no DP]      CRL2[DP 2]        CRL3[DP 3]

Then the CRLs are authoritative for the following certs:

  CRL1             CRL2              CRL3
  -----            -----             -----
  Cert1            Cert1?            Cert1?
  Cert2            Cert2               -
  Cert3              -               Cert3

As you say, it may not be obvious that CRLs at named distribution
points cover certs without distribution points (the ones marked
with a ? in the table).

I believe that RFC 2459 should be clarified, if necessary, to ensure
that CRL2 and CRL3 MUST be authoritative for Cert1.  That way, CRL2 can
be regarded as a "full CRL", so can CRL3, and the CA has maximum
flexibility in deciding whether to populate the CRLdp extension in its
certs.  A CA taking maximum advantage of dynamic partitioning would
never have to issue a bulky CRL1 but could still meet the requirement
of publishing a "full CRL".


That's why I disagree with Ambarish's proposal that only CRL1 (the one
with no DP field) be defined as a "full CRL".
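The matching rule the two messages above disagree about, as an added worked example that is not part of the thread and is not the path-validation algorithm of RFC 2459 or any later revision. It models only the IDP distributionPoint DN, the certificate's CRLDistributionPoints DN and the onlyContains* flags; the certificate and CRL names, the "DP 2"/"DP 3" strings and the SubCA/User objects are constructed to reproduce Dave's three-by-three table and Tom's second scenario (an unnamed CA-only partitioned CRL). A flag selects which reading is applied to the disputed "Cert1?" cells.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Certificate as seen by the matching logic.  crl_dp is the DN named in
    its CRLDistributionPoints extension, or None when the extension is absent
    (a "non-DP" certificate in the thread's terms)."""
    name: str
    crl_dp: Optional[str]
    is_ca: bool = False


@dataclass(frozen=True)
class CRL:
    """CRL as seen by the matching logic.  distribution_point is the DN in the
    IDP's distributionPoint field, or None when the IDP extension is absent or
    carries no distributionPoint field."""
    name: str
    distribution_point: Optional[str]
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False


def category_matches(crl: CRL, cert: Cert) -> bool:
    """Apply the IDP onlyContainsUserCerts / onlyContainsCACerts flags
    (the asterisked footnote in Dave's wording)."""
    if crl.only_contains_user_certs and cert.is_ca:
        return False
    if crl.only_contains_ca_certs and not cert.is_ca:
        return False
    return True


def is_authoritative(crl: CRL, cert: Cert, named_dp_covers_non_dp: bool) -> bool:
    """Return True if crl must be consulted for cert.

    named_dp_covers_non_dp=True encodes Dave's reading: a CRL whose IDP names
    a distributionPoint DN is also authoritative for certificates that have no
    CRLDistributionPoints extension.  False encodes Tom's reading: only CRLs
    with no DN in that field are authoritative for such certificates.
    """
    if not category_matches(crl, cert):
        return False
    if crl.distribution_point is None:
        # No IDP, or an IDP without distributionPoint: treated as a complete
        # CRL, as CRL1 is in Dave's table (covers Cert1, Cert2 and Cert3).
        return True
    if cert.crl_dp is None:
        # The disputed cells ("Cert1?" under CRL2 and CRL3).
        return named_dp_covers_non_dp
    # Both sides name a distribution point: the DNs must agree.
    return crl.distribution_point == cert.crl_dp


def coverage_table(certs: List[Cert], crls: List[CRL],
                   named_dp_covers_non_dp: bool) -> Dict[str, Dict[str, bool]]:
    """Rebuild Dave's table as {crl name: {cert name: authoritative?}}."""
    return {
        crl.name: {c.name: is_authoritative(crl, c, named_dp_covers_non_dp)
                   for c in certs}
        for crl in crls
    }


# Constructed inputs reproducing the three certs and three CRLs in Dave's message.
CERTS = [Cert("Cert1", None), Cert("Cert2", "DP 2"), Cert("Cert3", "DP 3")]
CRLS = [CRL("CRL1", None), CRL("CRL2", "DP 2"), CRL("CRL3", "DP 3")]

# Constructed inputs for Tom's second scenario: an unnamed partitioned CRL with
# onlyContainsCACerts set, a non-DP CA certificate and a DP user certificate.
CA_CRL = CRL("CA-CRL", None, only_contains_ca_certs=True)
CA_CERT = Cert("SubCA", None, is_ca=True)
USER_CERT = Cert("User", "DP 2")


def render(table: Dict[str, Dict[str, bool]]) -> str:
    """Plain-text rendering in the same layout as the table in the thread."""
    crl_names = list(table)
    cert_names = list(next(iter(table.values())))
    lines = ["  ".join(f"{n:<8}" for n in crl_names)]
    for cert in cert_names:
        lines.append("  ".join(f"{(cert if table[c][cert] else '-'):<8}"
                               for c in crl_names))
    return "\n".join(lines)


if __name__ == "__main__":
    for label, reading in (("Dave's reading", True), ("Tom's reading", False)):
        print(f"{label}:")
        print(render(coverage_table(CERTS, CRLS, reading)))
        print()
    print("CA-CRL covers SubCA:", is_authoritative(CA_CRL, CA_CERT, False))
    print("CA-CRL covers User: ", is_authoritative(CA_CRL, USER_CERT, False))
```

Running it prints Dave's table twice, once with the "Cert1?" cells filled in as covered and once as not covered; every other cell is the same under both readings, which is the whole of the disagreement. A real verifier must still check the CRL's signature, issuer and validity window and fetch the CRL from the location the certificate or the CA's default repository names; this example covers only the scoping decision.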