Comments on CRL issuance after certificate revocation in draft-ietf-ltans-notareqs-02

"Larry Masinter" <LMM@acm.org> Tue, 28 June 2005 07:09 UTC

Message-Id: <200506280709.j5S79aJX208356@pimout2-ext.prodigy.net>
From: Larry Masinter <LMM@acm.org>
To: ietf-ltans@imc.org
Subject: Comments on CRL issuance after certificate revocation in draft-ietf-ltans-notareqs-02
Date: Tue, 28 Jun 2005 00:09:35 -0700

We were sent some comments on the -02 draft, I thought
I should forward the substantive comment for mailing
list discussion:

There was a comment on:
   The problem with CRLs is that they might not be synchronized with
   revocation mechanisms and there is no real information whether a
   signature is valid or not at specific point in time. In theory CRLs
   should be issued immediately after a certificate is revoked.

The comment was:

This is not advisable, because this “on the spot” CRL issuance
paves the way to man in the middle / replay attacks.

An attacker could store a CRL issued before implementing a, say,
private key compromise attack. After the attack the attacker could
intercept CRL retrieval requests issued before the CRL nextUpdate
time and send back to the requester the previous CRL, where the revoked
certificate is not listed. If the nextUpdate time has not yet expired
the relying parties would trust the CRL they receive, without having
a means to realise it is the old one. If instead CRLs are issued only
at nextUpdate time, or just slightly before, RPs would be aware they
should wait until the so-called “grace period” expires. CAs could
take no responsibility for verifications based on CRLs issued before
the “grace period”. By grace period is meant the time necessary
for a revocation request to be processed by the revocation management
service and made available to relying parties. If such a request is
submitted to the revocation service too close to the next CRL issuance
time to be included in it, then the revocation will be published in
the subsequent CRL. Please see CWA 14171 section 5.3 for details
(http://www.uninfo.polito.it/WS_Esign/doc/cwa14171.pdf or
ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14172-01-2004-Mar.pdf).

(There were a couple of editorial comments, e.g., "When speed is not of essence"
should probably be "When speed is not of the essence"
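The replay scenario in the forwarded comment, and the grace-period rule it proposes, as an added simulation that is not part of the original message or of the draft. The CA, attacker and relying party are toy models on the Python standard library (no real X.509 or CRL encoding); the 24-hour issuance interval, the 12-hour grace period, the serial number and the timeline are all constructed assumptions. The naive relying party applies the classic test only (trust any CRL whose nextUpdate has not passed); the grace-period relying party refuses to decide until it holds a CRL whose thisUpdate is at or after signing time plus the grace period, which is exactly the CRL an attacker cannot have cached before the revocation was published.

```python
"""Toy simulation of CRL replay against a naive relying party (RP) and
against an RP that enforces a grace period. Added example; not the
draft's or the commenter's code, and not real X.509."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GRACE = timedelta(hours=12)   # assumed: max time for a revocation to reach a CRL
SERIAL = 0x1234               # constructed serial of the compromised certificate


@dataclass(frozen=True)
class CRL:
    this_update: datetime
    next_update: datetime
    revoked: frozenset          # serial numbers listed in this CRL


@dataclass
class CA:
    issue_interval: timedelta
    on_the_spot: bool           # True: issue a fresh CRL immediately on revocation
    revoked: set = field(default_factory=set)
    crls: list = field(default_factory=list)

    def issue_crl(self, now):
        crl = CRL(now, now + self.issue_interval, frozenset(self.revoked))
        self.crls.append(crl)
        return crl

    def revoke(self, serial, now):
        self.revoked.add(serial)
        if self.on_the_spot:
            self.issue_crl(now)

    def latest(self):
        return self.crls[-1]


def naive_rp_accepts(crl, serial, now):
    """Classic check: any CRL whose nextUpdate has not passed is trusted.
    True = signature accepted, False = certificate revoked, None = refetch."""
    if now >= crl.next_update:
        return None
    return serial not in crl.revoked


def grace_rp_accepts(crl, serial, signing_time, now):
    """Grace-period check in the spirit of CWA 14171 section 5.3: only a CRL
    issued at or after signing_time + GRACE can settle the question; any
    earlier CRL (replayed or genuine) leaves the decision pending (None)."""
    if now >= crl.next_update:
        return None
    if crl.this_update < signing_time + GRACE:
        return None
    return serial not in crl.revoked


def run_scenario(on_the_spot):
    """Constructed timeline: CRL#1 at t0 (attacker caches it); the attacker
    signs with the stolen key at t0+1h; the owner requests revocation at
    t0+3h; the RP verifies at t0+6h and the attacker answers its CRL fetch
    with the cached CRL#1. The RP that waits re-checks against the
    scheduled CRL at t0+24h."""
    t0 = datetime(2005, 6, 28, tzinfo=timezone.utc)
    ca = CA(issue_interval=timedelta(hours=24), on_the_spot=on_the_spot)
    cached = ca.issue_crl(t0)                 # CRL#1: serial not yet listed
    t_sign = t0 + timedelta(hours=1)
    ca.revoke(SERIAL, t0 + timedelta(hours=3))
    t_verify = t0 + timedelta(hours=6)
    genuine = ca.latest()                     # what the CA would really serve
    scheduled = ca.issue_crl(t0 + timedelta(hours=24))
    return {
        "naive_replayed": naive_rp_accepts(cached, SERIAL, t_verify),
        "naive_genuine": naive_rp_accepts(genuine, SERIAL, t_verify),
        "grace_replayed": grace_rp_accepts(cached, SERIAL, t_sign, t_verify),
        "grace_genuine": grace_rp_accepts(genuine, SERIAL, t_sign, t_verify),
        "grace_after_wait": grace_rp_accepts(scheduled, SERIAL, t_sign,
                                             t0 + timedelta(hours=24)),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("on_the_spot =", mode, run_scenario(mode))
```

With on-the-spot issuance the naive RP accepts the replayed CRL#1 (True) while it would have rejected the genuine CRL#2 (False); the attacker wins only because the RP cannot tell the two apart before nextUpdate. The grace-period RP returns None for both the replayed and the genuine early CRL and settles on False once the scheduled CRL covering the grace period arrives. The signing time fed to the grace check has to come from a source the attacker does not control, such as a time-stamp token over the signature, which is the usual LTANS setting.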