RE: Problem with RFC 2459?
- To: "Ambarish Malpani" <ambarish@xxxxxxxxxxxx>
- Subject: RE: Problem with RFC 2459?
- From: Russ Housley <housley@xxxxxxxxxx>
- Date: Wed, 16 Jun 1999 20:45:21 -0400
- Cc: <ietf-pkix@xxxxxxx>
- List-archive: http://www.imc.org/ietf-pkix/mail-archive/
Ambarish:
It cannot distinguish a complete CRL from a partial CRL in the example you
have given. However, a relying party that wants to validate a particular
certificate does not need to tell the difference. Given the certificate to
be validated, the relying party can readily determine which of the CRLs
needs to be checked. The CRL Distribution Point extension in the
certificate to be validated explicitly names the CRL that is needed.

I think that I understand why you might be interested in a way to
distinguish complete CRLs and partial CRLs. However, the X.509v3
specification was developed with a simple model in mind. That is, given a
certificate, how can a relying party determine its validity. The X.509v3
specification was not intended to support the determination of validity of
every certificate in existence at a particular moment. This harder problem
seems to require additional information from the CA. I think that you will
need an out-of-band mechanism to obtain this additional information.
Perhaps a list of every CRL Distribution Point used by the CA will be
sufficient.
Russ
At 03:12 PM 6/7/99 -0700, Ambarish Malpani wrote:
>
>Hi Russ,
> Here is a potential model a CA could assume, comply with
>the spec and still produce partial CRLs without any of the
>issuingDistributionPoint flags set:
>
>If the CA partitions CRLs based on the serial number of the
>certificate (say serialNumber %13). Now, the CA has 13 partial
>CRLs, with onlyContainsUserCerts and onlyContainsCACerts set
>to false and onlySomeReasons not set. How can an application
>distinguish any of these 13 CRLs from a full CRL?
>
>Regards,
>Ambarish
>
>---------------------------------------------------------------------
>Ambarish Malpani
>Architect 650.567.5457
>ValiCert, Inc. ambarish@valicert.com
>1215 Terra Bella Ave. http://www.valicert.com
>Mountain View, CA 94043-1833
>
>
>> -----Original Message-----
>> From: Russ Housley [mailto:housley@spyrus.com]
>> Sent: Friday, June 04, 1999 3:02 PM
>> To: Ambarish Malpani
>> Cc: ietf-pkix@imc.org
>> Subject: Re: Problem with RFC 2459?
>>
>>
>> Ambarish:
>>
>> The IDP has the following syntax:
>>
>> issuingDistributionPoint ::= SEQUENCE {
>> distributionPoint [0] DistributionPointName OPTIONAL,
>> onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
>> onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE,
>> onlySomeReasons [3] ReasonFlags OPTIONAL,
>> indirectCRL [4] BOOLEAN DEFAULT FALSE }
>>
>> If indirectCRL is false (the default case), then X.509-1993 says the
>> following three things that taken together answer your question:
>>
>> 1. If onlyContainsUserCerts is true, the CRL only contains revocations for
>> end-entity certificates.
>>
>> 2. If onlyContainsCACerts is true, the CRL only contains revocations for
>> CA-certificates.
>>
>> 3. If onlySomeReasons is present, the CRL only contains revocations for
>> the identified reason or reasons, otherwise the CRL contains revocations
>> for all reasons.
>>
>> Thus, if the onlyContainsUserCerts is false AND onlyContainsCACerts is
>> false AND onlySomeReasons is absent AND indirectCRL is false, then the CRL
>> is complete.
>>
>> Russ
>>
>>
>> At 11:48 AM 6/3/99 -0700, Ambarish Malpani wrote:
>> >
>> >Hi Folks,
>> > Have a quick question about RFC 2459 and CRLDPs.
>> >
>> >If a CA issues both full CRLs and CRLDPs (which are partitioned
>> >based on the serial number of the cert), how can an application
>> >figure out whether it has the full CRL or a DP?
>> >
>> >I know a DP (if it is not the full CRL), must contain the Issuing
>> >Distribution Point (IDP) extension. However, I believe most CAs
>> >are putting the IDP extension within their full CRLs also. So,
>> >is there any way for a application to figure out whether it has
>> >the full CRL or just a DP?
>> >
>> >Regards,
>> >Ambarish
>> >
>> >
>> >---------------------------------------------------------------------
>> >Ambarish Malpani
>> >Architect 650.567.5457
>> >ValiCert, Inc. ambarish@valicert.com
>> >1215 Terra Bella Ave. http://www.valicert.com
>> >Mountain View, CA 94043-1833
>> >
>
>
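The following Python is an added example, not code from either correspondent or from RFC 2459. It encodes and decodes the issuingDistributionPoint extension value under the IMPLICIT tagging the quoted ASN.1 uses, applies Russ's four-condition test for a complete CRL, and then reproduces Ambarish's model of thirteen CRLs partitioned by serialNumber % 13 with no flags set. The URIs, the certificate serial, and the two small DER helpers are constructed for the example; the encoder only handles short-form lengths, which is enough for these values.

```python
# Added example (constructed): the IDP flag test from the thread beside the
# CRL DP name match that Russ says a relying party actually uses.

# Tags for the IDP fields under RFC 2459 IMPLICIT tagging (context class).
TAG_SEQUENCE = 0x30
TAG_DP_NAME = 0xA0       # distributionPoint [0]: EXPLICIT, DistributionPointName is a CHOICE
TAG_FULL_NAME = 0xA0     # fullName [0] IMPLICIT GeneralNames
TAG_URI = 0x86           # GeneralName.uniformResourceIdentifier [6] IMPLICIT IA5String
TAG_ONLY_USER = 0x81     # onlyContainsUserCerts [1] IMPLICIT BOOLEAN
TAG_ONLY_CA = 0x82       # onlyContainsCACerts [2] IMPLICIT BOOLEAN
TAG_SOME_REASONS = 0x83  # onlySomeReasons [3] IMPLICIT ReasonFlags (BIT STRING)
TAG_INDIRECT = 0x84      # indirectCRL [4] IMPLICIT BOOLEAN


def _read_tlv(data: bytes, pos: int):
    """Return (tag, contents, next_pos) for the DER TLV starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _tlv(tag: int, contents: bytes) -> bytes:
    """DER-encode one TLV; short-form length only, which covers these samples."""
    if len(contents) >= 128:
        raise ValueError("sample encoder only handles contents shorter than 128 bytes")
    return bytes([tag, len(contents)]) + contents


def encode_idp(uri=None, only_user=False, only_ca=False, some_reasons=None, indirect=False) -> bytes:
    """Build a DER IssuingDistributionPoint; DEFAULT FALSE booleans are omitted when false."""
    body = b""
    if uri is not None:
        body += _tlv(TAG_DP_NAME, _tlv(TAG_FULL_NAME, _tlv(TAG_URI, uri.encode("ascii"))))
    if only_user:
        body += _tlv(TAG_ONLY_USER, b"\xff")
    if only_ca:
        body += _tlv(TAG_ONLY_CA, b"\xff")
    if some_reasons is not None:
        body += _tlv(TAG_SOME_REASONS, some_reasons)
    if indirect:
        body += _tlv(TAG_INDIRECT, b"\xff")
    return _tlv(TAG_SEQUENCE, body)


def _parse_dp_name(val: bytes) -> list:
    """Names in a DistributionPointName: URIs as strings, anything else by tag."""
    tag, inner, _ = _read_tlv(val, 0)
    if tag != TAG_FULL_NAME:  # nameRelativeToCRLIssuer [1] is not needed here
        return [("other", tag)]
    names, pos = [], 0
    while pos < len(inner):
        tag, name, pos = _read_tlv(inner, pos)
        names.append(("uri", name.decode("ascii")) if tag == TAG_URI else ("other", tag))
    return names


def parse_idp(der: bytes) -> dict:
    """Decode a DER IssuingDistributionPoint into its five fields, defaults applied."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("IDP value is not a single DER SEQUENCE")
    idp = {"distributionPoint": None, "onlyContainsUserCerts": False,
           "onlyContainsCACerts": False, "onlySomeReasons": None, "indirectCRL": False}
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == TAG_DP_NAME:
            idp["distributionPoint"] = _parse_dp_name(val)
        elif tag == TAG_ONLY_USER:
            idp["onlyContainsUserCerts"] = val != b"\x00"
        elif tag == TAG_ONLY_CA:
            idp["onlyContainsCACerts"] = val != b"\x00"
        elif tag == TAG_SOME_REASONS:
            idp["onlySomeReasons"] = val  # raw BIT STRING contents, first byte = unused-bit count
        elif tag == TAG_INDIRECT:
            idp["indirectCRL"] = val != b"\x00"
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in IDP")
    return idp


def complete_per_idp_flags(idp: dict) -> bool:
    """Russ's test: no scope flag, no reason subset, not indirect => IDP claims a complete CRL."""
    return (not idp["onlyContainsUserCerts"] and not idp["onlyContainsCACerts"]
            and idp["onlySomeReasons"] is None and not idp["indirectCRL"])


def crl_applies_to_cert(cert_cdp_uris: list, idp) -> bool:
    """Russ's advice: pick the CRL whose IDP name matches the certificate's CRL DP name.
    A CRL with no IDP name is not scoped by name, so it stays a candidate for any certificate."""
    if idp is None or idp["distributionPoint"] is None:
        return True
    return any(kind == "uri" and uri in cert_cdp_uris for kind, uri in idp["distributionPoint"])


def partition_uri(serial: int) -> str:
    """Ambarish's model: CRLs partitioned by serialNumber % 13 (constructed URI scheme)."""
    return f"http://crl.example.test/part{serial % 13}.crl"


if __name__ == "__main__":
    partitions = {k: parse_idp(encode_idp(uri=partition_uri(k))) for k in range(13)}
    # The flag test alone calls every partition complete: the problem raised in the thread.
    print("flag test says complete:", all(complete_per_idp_flags(p) for p in partitions.values()))
    cert_serial = 0x1A2B  # constructed serial; its CRL DP names partition 0x1A2B % 13
    cert_cdp = [partition_uri(cert_serial)]
    chosen = [k for k, p in partitions.items() if crl_applies_to_cert(cert_cdp, p)]
    print("CRL partition(s) to check for this certificate:", chosen)
```

The two functions make the thread's point concrete: `complete_per_idp_flags` returns true for all thirteen partitioned CRLs, because the flags only describe which certificate types and reasons a CRL covers, not which serial numbers; `crl_applies_to_cert` selects the single partition for a given certificate by matching its CRL Distribution Point name, which is the check a relying party validating one certificate actually needs.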