Re: [CGA-EXT] Next steps

Roque Gagliano <> Wed, 18 November 2009 14:07 UTC

List-Id: CGA and SeND Extensions <>


I would like to start the discussion on how the host should fetch the CRLs. This will serve as a base for a future I-D.

We have at least three options:

1) To specify the "Certificate Revocation Solicitation / Certificate Revocation Advertisement" messages just like in SEND to request certificates.

		- The router could cache the CRLs, which will be the same ones for most of the hosts. Moreover, the certs and the CRL may be pre-loaded by the router, which only needs to check for a new CRL before the "next update".
		- Lightweight implementation at the hosts.
		- Need specification, probable changes to RFC 3971.

2) To use the default fetching mechanism at the CRL Distribution Points extension for each CA. Today the only mandatory fetching mechanism is RSYNC.
		- no changes in the current specifications.

		- need to implement RSYNC client in hosts.
		- no cache, the same CRL will be fetched by every host from the source.

3) To modify the Certification Path Advertisement Message in the sense that every time a certificate is sent to the host, it will also include the CRL shown in its CRL Distribution Points extension. So, you asked for a CERT, I send you both the CERT and the CLR (for signed with the same key).

What does the WG think?


Roque Gagliano
GPG Fingerprint: E929 06F4 D8CD 2AD8 9365  DB72 9E4F 964A 01E9 6CEE
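An added example, not part of the message above or of any WG draft: it models the cache behaviour that option 1 relies on (the router holds one CRL per distribution point and only goes back to the source at "next update") together with the checks a host or router has to do on whatever CRL it ends up with, regardless of which of the three options delivers it: issuer name matches the certificate's issuer, signature verifies under the issuer key, and thisUpdate <= now < nextUpdate. It assumes the Python `cryptography` package; the rsync fetch is replaced by a lookup in a constructed in-memory repository, and the CA, router certificate, serial numbers and the rsync URI are all made up for the example. The demo also shows the cost of the cache: a replacement CRL published before the cached nextUpdate is not seen until that time.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

UTC = datetime.timezone.utc
HOUR = datetime.timedelta(hours=1)
# Assumed distribution-point URI; it does not come from the message.
CDP_URI = "rsync://repo.example.net/send-ca/ca.crl"


def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def issue_cert(common_name, public_key, signer_key, issuer_name=None, extensions=()):
    """Constructed X.509 certificate; self-signed (CA) when issuer_name is None."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(UTC)
    builder = (x509.CertificateBuilder().subject_name(subject)
               .issuer_name(issuer_name or subject).public_key(public_key)
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=30)))
    for ext in extensions:
        builder = builder.add_extension(ext, critical=False)
    return builder.sign(signer_key, hashes.SHA256())


def cdp_extension(uri):
    """CRL Distribution Points extension with a single URI (what the host reads)."""
    return x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(uri)],
        relative_name=None, reasons=None, crl_issuer=None)])


def build_crl_der(ca_key, ca_cert, this_update, next_update, revoked_serials):
    """DER CRL signed by the CA: what the distribution point (or the router) serves."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(this_update).next_update(next_update))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(x509.RevokedCertificateBuilder()
                    .serial_number(serial).revocation_date(this_update).build())
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def crl_window(crl):
    """(thisUpdate, nextUpdate) as aware UTC; nextUpdate may be None. Old and new APIs."""
    if hasattr(crl, "next_update_utc"):
        return crl.last_update_utc, crl.next_update_utc
    return (crl.last_update.replace(tzinfo=UTC),
            crl.next_update.replace(tzinfo=UTC) if crl.next_update else None)


class CrlCache:
    """Router-side cache (option 1): one CRL per distribution point, refetched from
    the source only once 'now' reaches the cached CRL's nextUpdate."""
    def __init__(self, fetch):
        self._fetch = fetch        # callable(uri) -> DER bytes; stands in for rsync
        self._crls = {}
        self.fetches = 0           # times the source was actually contacted

    def get(self, uri, now):
        crl = self._crls.get(uri)
        if crl is not None:
            next_update = crl_window(crl)[1]
            if next_update is not None and now < next_update:
                return crl
        self.fetches += 1
        self._crls[uri] = crl = x509.load_der_x509_crl(self._fetch(uri))
        return crl


def revocation_status(cert, issuer_cert, cache, now):
    """'good' or 'revoked'; ValueError when the CRL cannot be trusted for this cert."""
    dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    uris = [gn.value for dp in dps for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]
    if not uris:
        raise ValueError("certificate has no URI distribution point")
    crl = cache.get(uris[0], now)
    if crl.issuer != issuer_cert.subject:
        raise ValueError("CRL issuer does not match certificate issuer")
    if not crl.is_signature_valid(issuer_cert.public_key()):
        raise ValueError("CRL signature does not verify under the issuer key")
    this_update, next_update = crl_window(crl)
    if now < this_update or (next_update is not None and now >= next_update):
        raise ValueError("CRL is outside its validity window")
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"


def demo():
    """One CRL lifetime seen through the cache; returns values a test can check."""
    ca_key = new_key()
    ca_cert = issue_cert("Example SEND CA", ca_key.public_key(), ca_key,
                         extensions=[x509.BasicConstraints(ca=True, path_length=None)])
    router_cert = issue_cert("router-1", new_key().public_key(), ca_key,
                             issuer_name=ca_cert.subject, extensions=[cdp_extension(CDP_URI)])
    t0 = datetime.datetime.now(UTC).replace(microsecond=0)   # DER times have 1 s resolution
    repo = {CDP_URI: build_crl_der(ca_key, ca_cert, t0, t0 + HOUR, [])}   # constructed source
    cache = CrlCache(lambda uri: repo[uri])
    status = [revocation_status(router_cert, ca_cert, cache, t0 + HOUR / 60),
              revocation_status(router_cert, ca_cert, cache, t0 + HOUR / 2)]  # served from cache
    fetches_in_window = cache.fetches
    # The CA publishes a replacement CRL revoking the router early; the cache keeps
    # serving the old one until the cached nextUpdate, so the revocation is seen late.
    repo[CDP_URI] = build_crl_der(ca_key, ca_cert, t0 + HOUR, t0 + 2 * HOUR,
                                  [router_cert.serial_number])
    status += [revocation_status(router_cert, ca_cert, cache, t0 + HOUR - HOUR / 60),
               revocation_status(router_cert, ca_cert, cache, t0 + HOUR)]
    # A CRL with the right issuer name but signed by another key must be rejected.
    rogue_key = new_key()
    rogue_cert = issue_cert("Example SEND CA", rogue_key.public_key(), rogue_key)
    rogue = CrlCache(lambda uri: build_crl_der(rogue_key, rogue_cert, t0, t0 + HOUR, []))
    try:
        revocation_status(router_cert, ca_cert, rogue, t0)
        rogue_rejected = False
    except ValueError:
        rogue_rejected = True
    return status, fetches_in_window, cache.fetches, rogue_rejected
```

Running demo() gives ["good", "good", "good", "revoked"] with one fetch during the first CRL's lifetime and a second fetch exactly at nextUpdate; the third lookup is the point to notice, since the router is still answering "good" from its cache after the CA has already published the revocation. The same validation code path covers option 2 (the host does the fetch itself) and option 3 (the CRL arrives inside the Certification Path Advertisement): in every case the CRL is only usable after the issuer-name, signature and validity-window checks pass.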