RE: Problem with RFC 2459?
- To: "'Russ Housley'" <housley@xxxxxxxxxx>
- Subject: RE: Problem with RFC 2459?
- From: "Ambarish Malpani" <ambarish@xxxxxxxxxxxx>
- Date: Thu, 17 Jun 1999 09:55:27 -0700
- Cc: <ietf-pkix@xxxxxxx>
- List-archive: http://www.imc.org/ietf-pkix/mail-archive/
- List-unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe
Hi Russ,
Yes, I suspected (from Dave's mail) that what I proposed wouldn't
be acceptable. However, Dave did suggest a great solution to the
problem - as long as the CA tells me the DistributionPointName
he will put in full CRLs (or none if he won't put any), I can
figure out full CRLs for a CA. That solves my issue.
Thanks,
Ambarish
P.S. Thanks Dave for the idea.
---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. ambarish@valicert.com
1215 Terra Bella Ave. http://www.valicert.com
Mountain View, CA 94043-1833
> -----Original Message-----
> From: Russ Housley [mailto:housley@spyrus.com]
> Sent: Wednesday, June 16, 1999 5:45 PM
> To: Ambarish Malpani
> Cc: ietf-pkix@imc.org
> Subject: RE: Problem with RFC 2459?
>
>
> Ambarish:
>
> It cannot distinguish a complete CRL from a partial CRL in the example you
> have given. However, a relying party that wants to validate a particular
> certificate does not need to tell the difference. Given the certificate to
> be validated, the relying party can readily determine which of the CRLs
> needs to be checked. The CRL Distribution Point extension in the
> certificate to be validated explicitly names the CRL that is needed.
>
> I think that I understand why you might be interested in a way to
> distinguish complete CRLs and partial CRLs. However, the X.509v3
> specification was developed with a simple model in mind. That is, given a
> certificate, how can a relying party determine its validity. The X.509v3
> specification was not intended to support the determination of validity of
> every certificate in existence at a particular moment. This harder problem
> seems to require additional information from the CA. I think that you will
> need an out of band mechanism to obtain this additional information.
> Perhaps a list of every CRL Distribution Point used by the CA will be
> sufficient.
>
> Russ
>
>
> At 03:12 PM 6/7/99 -0700, Ambarish Malpani wrote:
> >
> >Hi Russ,
> > Here is a potential model a CA could assume, comply with
> >the spec and still produce partial CRLs without any of the
> >issuingDistributionPoint flags set:
> >
> >If the CA partitions CRLs based on the serial number of the
> >certificate (say serialNumber %13). Now, the CA has 13 partial
> >CRLs, with onlyContainsUserCerts and onlyContainsCACerts set
> >to false and onlySomeReasons not set. How can an application
> >distinguish any of these 13 CRLs from a full CRL?
> >
> >Regards,
> >Ambarish
> >
> >
> >> -----Original Message-----
> >> From: Russ Housley [mailto:housley@spyrus.com]
> >> Sent: Friday, June 04, 1999 3:02 PM
> >> To: Ambarish Malpani
> >> Cc: ietf-pkix@imc.org
> >> Subject: Re: Problem with RFC 2459?
> >>
> >>
> >> Ambarish:
> >>
> >> The IDP has the following syntax:
> >>
> >> issuingDistributionPoint ::= SEQUENCE {
> >>      distributionPoint       [0] DistributionPointName OPTIONAL,
> >>      onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
> >>      onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
> >>      onlySomeReasons         [3] ReasonFlags OPTIONAL,
> >>      indirectCRL             [4] BOOLEAN DEFAULT FALSE }
> >>
> >> If indirectCRL is false (the default case), then X.509-1993 says the
> >> following three things that taken together answer your question:
> >>
> >> 1. If onlyContainsUserCerts is true, the CRL only contains revocations for
> >> end-entity certificates.
> >>
> >> 2. If onlyContainsCACerts is true, the CRL only contains revocations for
> >> CA-certificates.
> >>
> >> 3. If onlySomeReasons is present, the CRL only contains revocations for
> >> the identified reason or reasons, otherwise the CRL contains revocations
> >> for all reasons.
> >>
> >> Thus, if the onlyContainsUserCerts is false AND onlyContainsCACerts is
> >> false AND onlySomeReasons is absent AND indirectCRL is false, then the CRL
> >> is complete.
> >>
> >> Russ
> >>
> >>
> >> At 11:48 AM 6/3/99 -0700, Ambarish Malpani wrote:
> >> >
> >> >Hi Folks,
> >> > Have a quick question about RFC 2459 and CRLDPs.
> >> >
> >> >If a CA issues both full CRLs and CRLDPs (which are partitioned
> >> >based on the serial number of the cert), how can an application
> >> >figure out whether it has the full CRL or a DP?
> >> >
> >> >I know a DP (if it is not the full CRL) must contain the Issuing
> >> >Distribution Point (IDP) extension. However, I believe most CAs
> >> >are putting the IDP extension within their full CRLs also. So,
> >> >is there any way for an application to figure out whether it has
> >> >the full CRL or just a DP?
> >> >
> >> >Regards,
> >> >Ambarish
> >> >
> >> >
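The IDP completeness test Russ spells out, the serial-number partition Ambarish describes, and Dave's fix of comparing the DistributionPointName against the one the CA announces for its full CRLs, as an added example that is not part of this thread. It uses a hand-rolled DER encoder/decoder (short-form lengths only) and constructed example URIs; the function names are the example's own, not from any library.

```python
def _tlv(tag, body):
    """DER tag-length-value; short-form length only (body shorter than 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _dp_name(uri):
    """DistributionPointName: fullName [0] GeneralNames holding one URI [6] (IMPLICIT tags)."""
    return _tlv(0xA0, _tlv(0x86, uri.encode("ascii")))

def encode_idp(dp_uri=None, only_user=False, only_ca=False, some_reasons=None, indirect=False):
    """issuingDistributionPoint per RFC 2459. DER omits DEFAULT FALSE booleans;
    distributionPoint is a CHOICE, so its [0] tag is EXPLICIT (wraps the name)."""
    body = b""
    if dp_uri is not None:
        body += _tlv(0xA0, _dp_name(dp_uri))     # distributionPoint [0]
    if only_user:
        body += _tlv(0x81, b"\xff")              # onlyContainsUserCerts [1] TRUE
    if only_ca:
        body += _tlv(0x82, b"\xff")              # onlyContainsCACerts [2] TRUE
    if some_reasons is not None:
        body += _tlv(0x83, some_reasons)         # onlySomeReasons [3] ReasonFlags
    if indirect:
        body += _tlv(0x84, b"\xff")              # indirectCRL [4] TRUE
    return _tlv(0x30, body)

def parse_idp(der):
    """Walk the SEQUENCE's top-level TLVs and apply the ASN.1 defaults for absent fields."""
    assert der[0] == 0x30 and der[1] < 128 and len(der) == 2 + der[1]
    idp = {"distributionPoint": None, "onlyContainsUserCerts": False,
           "onlyContainsCACerts": False, "onlySomeReasons": None, "indirectCRL": False}
    keys = {0xA0: "distributionPoint", 0x81: "onlyContainsUserCerts",
            0x82: "onlyContainsCACerts", 0x83: "onlySomeReasons", 0x84: "indirectCRL"}
    pos = 2
    while pos < len(der):
        tag, length = der[pos], der[pos + 1]
        value = der[pos + 2:pos + 2 + length]
        pos += 2 + length
        idp[keys[tag]] = (value == b"\xff") if tag in (0x81, 0x82, 0x84) else value
    return idp

def complete_by_flags(der):
    """Russ's rule: no scope-restricting field is present, so the CRL is complete."""
    i = parse_idp(der)
    return not (i["onlyContainsUserCerts"] or i["onlyContainsCACerts"]
                or i["indirectCRL"] or i["onlySomeReasons"] is not None)

def is_full_crl(der, announced_full_uri):
    """Dave's resolution: flags pass AND the DP name equals the one the CA announced
    for its full CRLs (None when the CA puts no DP name in them)."""
    expected = None if announced_full_uri is None else _dp_name(announced_full_uri)
    return complete_by_flags(der) and parse_idp(der)["distributionPoint"] == expected
```

Encoding a full CRL as `encode_idp("http://ca.example/full.crl")` and a serialNumber-mod-13 partition as `encode_idp("http://ca.example/part07.crl")` (constructed URIs) yields two IDPs that `complete_by_flags` both accepts, which is Ambarish's point; `is_full_crl` with the announced full-CRL URI tells them apart.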