Comments on CRL issuance after certificate revocation in draft-ietf-ltans-notareqs-02
"Larry Masinter" <LMM@acm.org> Tue, 28 June 2005 07:09 UTC
From: Larry Masinter <LMM@acm.org>
To: ietf-ltans@imc.org
Subject: Comments on CRL issuance after certificate revocation in draft-ietf-ltans-notareqs-02
Date: Tue, 28 Jun 2005 00:09:35 -0700
We were sent some comments on the -02 draft; I thought I should forward the substantive comment for mailing list discussion.

There was a comment on:

"The problem with CRLs is that they might not be synchronized with revocation mechanisms and there is no real information whether a signature is valid or not at a specific point in time. In theory CRLs should be issued immediately after a certificate is revoked."

The comment was:

"This is not advisable, because this “on the spot” CRL issuance paves the way to man in the middle / replay attacks. An attacker could store a CRL issued before implementing a, say, private key compromise attack. After the attack the attacker could intercept CRL retrieval requests issued before the CRL nextUpdate time and send back to the requester the previous CRL, where the revoked certificate is not listed. If the nextUpdate time has not yet expired the relying parties would trust the CRL they receive, without having a means to realise it is the old one.

If instead CRLs are issued only at nextUpdate time, or just slightly before, RPs would be aware they should wait until the so called “grace period” expires. CAs could take no responsibility on verifications based on CRLs issued before the “grace period”. By grace period is intended the time necessary for a revocation request to be processed by the revocation management service to make it available to relying parties. If such a request is submitted to the revocation service too close to the next CRL issuance time to be included in it, then the revocation will be published in the subsequent CRL.

Please see CWA 14171 section 5.3 for details (http://www.uninfo.polito.it/WS_Esign/doc/cwa14171.pdf or ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14172-01-2004-Mar.pdf)."

(There were a couple of editorial comments, e.g., "When speed is not of essence" should probably be "When speed is not of the essence"
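As an added illustration of the grace-period argument in the forwarded comment (this code is not part of the thread, the draft, or CWA 14171), the Python below contrasts a naive "inside the nextUpdate window" CRL check, which a replayed pre-compromise CRL satisfies, with a relying-party rule that only accepts a CRL issued at or after signing time plus the grace period. The CRL model, timeline, serial numbers and grace period are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Crl:
    """Minimal CRL model (constructed for this example, not a parser)."""
    this_update: datetime
    next_update: datetime
    revoked: dict  # serial number -> revocationDate

def naive_accepts(crl, serial, now):
    """Check based only on the nextUpdate window: this is the logic that a
    replayed CRL captured before the key compromise defeats."""
    return crl.this_update <= now <= crl.next_update and serial not in crl.revoked

def assess_signature(sig_time, serial, crl, grace, now):
    """Grace-period rule from the comment (CWA 14171 style): a revocation
    requested around sig_time can only be reflected in a CRL issued at or
    after sig_time + grace, so an earlier CRL, even one still inside its
    nextUpdate window, is not evidence of non-revocation.
    Returns (status, reason) with status in {"valid", "revoked", "wait"}."""
    if serial in crl.revoked:
        # Conservative: any listing invalidates the signature, whatever the
        # revocationDate (a compromise may predate the revocation request).
        return "revoked", f"listed on CRL issued {crl.this_update.isoformat()}"
    earliest_ok = sig_time + grace
    if crl.this_update < earliest_ok:
        if now < earliest_ok:
            return "wait", f"grace period ends {earliest_ok.isoformat()}"
        return "wait", "CRL predates end of grace period; fetch a newer CRL"
    return "valid", "post-grace-period CRL does not list the certificate"

def replay_scenario():
    """Constructed timeline: certificate 4242 is used at 10:00 with a
    compromised key, revocation is requested at 10:05, the CA issues CRLs
    with a two-hour window, and the RP applies a two-hour grace period."""
    def t(h, m=0):
        return datetime(2005, 6, 28, h, m, tzinfo=timezone.utc)
    old_crl = Crl(t(9), t(11), {})                 # stored by the attacker
    new_crl = Crl(t(12), t(14), {4242: t(10, 5)})  # first CRL after grace
    grace, sig_time = timedelta(hours=2), t(10)
    return {
        "naive_accepts_replay": naive_accepts(old_crl, 4242, t(10, 30)),
        "replayed_old_crl": assess_signature(sig_time, 4242, old_crl, grace, t(10, 30))[0],
        "fresh_crl": assess_signature(sig_time, 4242, new_crl, grace, t(12, 30))[0],
        "innocent_cert": assess_signature(sig_time, 7, new_crl, grace, t(12, 30))[0],
    }
```

The replayed CRL passes the naive check but only earns a "wait" under the grace-period rule, which is the point the comment makes about scheduled issuance.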