RE: Problem with RFC 2459?
I agree with Russ.
In addition, the following rules can be used to determine the
completeness of a CRL, altogether or vis-a-vis its scope.
1. If the IDP is absent from the CRL, it is a full and complete CRL for
the scope.
2. If the DP is missing from the CRL, it is a complete CRL for the
entity type and/or reason codes asserted in the IDP.
3. If the DP is missing and no reason code is asserted, it is a
complete CRL for the entity type.
4. If the DP is missing and no entity type is asserted, it is a
complete CRL for the reason code asserted.
5. If all three (DP, entity type and reason code) are missing, it is a
complete CRL for the CA. Please note that in that case, it could
contain the indirectCRL field of the IDP.
> -----Original Message-----
> From: Russ Housley [SMTP:housley@spyrus.com]
> Sent: Wednesday, June 16, 1999 8:45 PM
> To: Ambarish Malpani
> Cc: ietf-pkix@imc.org
> Subject: RE: Problem with RFC 2459?
>
> Ambarish:
>
> It cannot distinguish a complete CRL from a partial CRL in the example
> you have given. However, a relying party that wants to validate a
> particular certificate does not need to tell the difference. Given the
> certificate to be validated, the relying party can readily determine
> which of the CRLs needs to be checked. The CRL Distribution Point
> extension in the certificate to be validated explicitly names the CRL
> that is needed.
>
> I think that I understand why you might be interested in a way to
> distinguish complete CRLs and partial CRLs. However, the X.509v3
> specification was developed with a simple model in mind. That is,
> given a certificate, how can a relying party determine its validity.
> The X.509v3 specification was not intended to support the
> determination of validity of every certificate in existence at a
> particular moment. This harder problem seems to require additional
> information from the CA. I think that you will need an out-of-band
> mechanism to obtain this additional information. Perhaps a list of
> every CRL Distribution Point used by the CA will be sufficient.
>
> Russ
>
>
> At 03:12 PM 6/7/99 -0700, Ambarish Malpani wrote:
> >
> >Hi Russ,
> >    Here is a potential model a CA could assume, comply with
> >the spec and still produce partial CRLs without any of the
> >issuingDistributionPoint flags set:
> >
> >Suppose the CA partitions CRLs based on the serial number of the
> >certificate (say serialNumber % 13). Now, the CA has 13 partial
> >CRLs, with onlyContainsUserCerts and onlyContainsCACerts set
> >to false and onlySomeReasons not set. How can an application
> >distinguish any of these 13 CRLs from a full CRL?
> >
> >Regards,
> >Ambarish
> >
> >---------------------------------------------------------------------
> >Ambarish Malpani                                ambarish@valicert.com
> >Architect                                                650.567.5457
> >ValiCert, Inc.                                 http://www.valicert.com
> >1215 Terra Bella Ave.
> >Mountain View, CA 94043-1833
> >
> >
> >> -----Original Message-----
> >> From: Russ Housley [mailto:housley@spyrus.com]
> >> Sent: Friday, June 04, 1999 3:02 PM
> >> To: Ambarish Malpani
> >> Cc: ietf-pkix@imc.org
> >> Subject: Re: Problem with RFC 2459?
> >>
> >>
> >> Ambarish:
> >>
> >> The IDP has the following syntax:
> >>
> >> issuingDistributionPoint ::= SEQUENCE {
> >>      distributionPoint       [0] DistributionPointName OPTIONAL,
> >>      onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
> >>      onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
> >>      onlySomeReasons         [3] ReasonFlags OPTIONAL,
> >>      indirectCRL             [4] BOOLEAN DEFAULT FALSE }
> >>
> >> If indirectCRL is false (the default case), then X.509-1993 says the
> >> following three things that taken together answer your question:
> >>
> >> 1. If onlyContainsUserCerts is true, the CRL only contains
> >> revocations for end-entity certificates.
> >>
> >> 2. If onlyContainsCACerts is true, the CRL only contains
> >> revocations for CA-certificates.
> >>
> >> 3. If onlySomeReasons is present, the CRL only contains revocations
> >> for the identified reason or reasons, otherwise the CRL contains
> >> revocations for all reasons.
> >>
> >> Thus, if onlyContainsUserCerts is false AND onlyContainsCACerts is
> >> false AND onlySomeReasons is absent AND indirectCRL is false, then
> >> the CRL is complete.
> >>
> >> Russ
> >>
> >>
> >> At 11:48 AM 6/3/99 -0700, Ambarish Malpani wrote:
> >> >
> >> >Hi Folks,
> >> >    Have a quick question about RFC 2459 and CRLDPs.
> >> >
> >> >If a CA issues both full CRLs and CRLDPs (which are partitioned
> >> >based on the serial number of the cert), how can an application
> >> >figure out whether it has the full CRL or a DP?
> >> >
> >> >I know a DP (if it is not the full CRL) must contain the Issuing
> >> >Distribution Point (IDP) extension. However, I believe most CAs
> >> >are putting the IDP extension within their full CRLs also. So,
> >> >is there any way for an application to figure out whether it has
> >> >the full CRL or just a DP?
> >> >
> >> >Regards,
> >> >Ambarish
> >> >
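As an added illustration of the completeness rules in this thread (the five in the top reply and Russ's three for the IDP fields), here is a small Python decoder for a DER-encoded issuingDistributionPoint value plus a classifier that applies those rules. This is example code written for this page, not anything from the thread, the RFC or ValiCert; the sample encodings and the URI are constructed, and the all-defaults sample shows Ambarish's point that such a CRL cannot be told apart from a full one by its IDP alone.

```python
REASONS = ("unused", "keyCompromise", "cACompromise", "affiliationChanged", "superseded",
           "cessationOfOperation", "certificateHold", "privilegeWithdrawn", "aACompromise")
BOOL_FIELDS = {1: "onlyContainsUserCerts", 2: "onlyContainsCACerts", 4: "indirectCRL"}

def _tlv(tag, val):  # short-form DER TLV encoder, used only to build the constructed samples
    return bytes([tag, len(val)]) + val

def _read_tlv(buf, pos):  # -> (tag, value, next_pos); handles short and long DER lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def _reason_flags(val):  # ReasonFlags BIT STRING: first byte = unused-bit count, bit 0 is the MSB
    unused, bits = val[0], val[1:]
    nbits = min(len(bits) * 8 - unused, len(REASONS))
    return {REASONS[i] for i in range(nbits) if (bits[i // 8] >> (7 - i % 8)) & 1}

def parse_idp(der):  # DER rule: DEFAULT FALSE booleans are omitted, TRUE is encoded as 0xFF
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("issuingDistributionPoint must be a SEQUENCE")
    idp = {"distributionPoint": None, "onlySomeReasons": None, **dict.fromkeys(BOOL_FIELDS.values(), False)}
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        field = tag & 0x1F  # context-specific tag number [0]..[4]
        if field == 0:
            idp["distributionPoint"] = val  # DistributionPointName kept as raw DER
        elif field == 3:
            idp["onlySomeReasons"] = _reason_flags(val)
        else:  # [1], [2], [4] are BOOLEANs; an unknown tag raises KeyError
            idp[BOOL_FIELDS[field]] = val == b"\xff"
    return idp

def crl_scope(idp):  # the thread's completeness rules; idp is None if the extension is absent
    if idp is None:
        return "complete CRL for the CA (no IDP)"
    if idp["distributionPoint"] is not None:
        return "partitioned CRL: complete only for the named distribution point"
    scope = (["end-entity certificates"] if idp["onlyContainsUserCerts"]
             else ["CA certificates"] if idp["onlyContainsCACerts"] else [])
    if idp["onlySomeReasons"]:
        scope.append("reasons " + ",".join(sorted(idp["onlySomeReasons"])))
    return ("complete CRL for " + (", ".join(scope) or "the CA")
            + (" (indirect CRL)" if idp["indirectCRL"] else ""))

IDP_KEY_AND_CA_COMPROMISE = _tlv(0x30, _tlv(0x83, b"\x05\x60"))  # constructed: ReasonFlags bits 1 and 2
IDP_PARTITIONED = _tlv(0x30, _tlv(0xA0, _tlv(0xA0, _tlv(0x86, b"http://crl.example.test/13.crl"))))
IDP_ALL_DEFAULTS = _tlv(0x30, b"")  # constructed: Ambarish's case, same IDP shape as a full CRL
```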