Re: [pkix] [x500standard] SV: Re: SV: Indirect CRLs

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 20 November 2015 17:07 UTC

To: Erik Andersen <era@x500.eu>, x500standard@freelists.org, 'PKIX' <pkix@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <564F5339.8020307@cs.tcd.ie>
Date: Fri, 20 Nov 2015 17:07:05 +0000
In-Reply-To: <000e01d123b5$9ed70740$dc8515c0$@x500.eu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/1QLU_hxGtJjWvqTgzHtN-UPpQ1g>
Subject: Re: [pkix] [x500standard] SV: Re: SV: Indirect CRLs


On 20/11/15 17:05, Erik Andersen wrote:
> Hi Stephen,
> 
> I will put the PDAM text and the draft technical corrigendum up on our
> web site (http://www.x500standard.com/) and provide exact links. Any
> comments and suggestions on the lists can then be converted to ballot
> comments to be considered at the ITU-T meeting March 2016. It is
> important to have maximum consensus.

Great,
Thanks,
S.

> 
> Kind regards,
> 
> Erik
> 
> -----Original Message----- From: Stephen Farrell
> [mailto:stephen.farrell@cs.tcd.ie] Sent: 20 November 2015 17:36 To:
> Erik Andersen <era@x500.eu>; x500standard@freelists.org; 'PKIX'
> <pkix@ietf.org> Subject: Re: [pkix] [x500standard] SV: Re: SV: Indirect
> CRLs
> 
> 
> 
> On 20/11/15 16:33, Erik Andersen wrote:
>> Hi Santosh,
>> 
>> Thanks a lot. That would be very helpful. I am quite pressed for
>> time. It is the plan to have the next edition of X.509 ready at
>> ITU-T September next year. This is necessary, as the smart grid
>> security people need to reference X.509 for their use of
>> authorization and validation lists (whitelists). To meet the
>> schedule, I need to have the next PDAM out for ballot at the end of
>> this month. The same applies for a technical corrigendum covering
>> all identified defects.
> 
> A suggestion: why not make that draft visible to folks here. I think
> you'd get comments that would improve it.
> 
> S.
> 
>> 
>> Regards,
>> 
>> Erik
>> 
>> -----Original Message----- From: pkix
>> [mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokhani Sent:
>> 20 November 2015 16:44 To: x500standard@freelists.org; 'PKIX'
>> <pkix@ietf.org> Subject: Re: [pkix] [x500standard] SV: Re: SV:
>> Indirect CRLs
>> 
>> Erik,
>> 
>> I am happy to help craft or review additional exposition if that
>> helps.
>> 
>> -----Original Message----- From: x500standard-bounce@freelists.org
>>  [mailto:x500standard-bounce@freelists.org] On Behalf Of Erik
>> Andersen Sent: Friday, November 20, 2015 6:00 AM To:
>> x500standard@freelists.org; 'PKIX' <pkix@ietf.org> Subject:
>> [x500standard] SV: Re: SV: [pkix] Indirect CRLs
>> 
>> Hi Santosh,
>> 
>> Try to imagine a guy who is completely new to PKI and picks up
>> X.509 or RFC 5280 to learn about it. Will he understand what an
>> indirect CRL is just by looking at some brief statements on what an
>> iCRL is?
>> 
>> 8.5.2.2 CRL scope extension (deprecated) has the following
>> statements:
>> 
>> – simple CRLs that provide revocation information about
>> certificates issued by a single authority;
>> – indirect CRLs that provide revocation information about
>> certificates issued by multiple authorities;
>> 
>> It was a statement like this that wrongly made me believe that
>> it is only an iCRL if there is certificate info from multiple
>> authorities.
>> 
>> I also have some comments on your other mail.
>> 
>> Regards,
>> 
>> Erik
>> 
>> 
>> -----Original Message----- From:
>> x500standard-bounce@freelists.org
>> [mailto:x500standard-bounce@freelists.org] On Behalf Of Santosh
>> Chokhani Sent: 19 November 2015 19:52 To:
>> x500standard@freelists.org; 'PKIX' <pkix@ietf.org> Subject:
>> [x500standard] Re: SV: [pkix] Indirect CRLs
>> 
>> Erik,
>> 
>> Look at Section 8.6.2.1 of X.509 and I quote the following: "The 
>> cRLIssuer component identifies the authority that issues and signs
>> the CRL. If this component is absent, the CRL issuer name defaults
>> to the certificate issuer name."
>> 
>> Also see Section C.5.1.4 of X.509
>> 
>> -----Original Message----- From: x500standard-bounce@freelists.org
>>  [mailto:x500standard-bounce@freelists.org] On Behalf Of Erik
>> Andersen Sent: Thursday, November 19, 2015 11:52 AM To:
>> x500standard@freelists.org; 'PKIX' <pkix@ietf.org> Subject:
>> [x500standard] SV: [pkix] Indirect CRLs
>> 
>> Within X.509 there is not even a small paragraph introducing
>> indirect CRLs where such information could be introduced. Besides
>> the brief definition, iCRLs are mentioned the first time within the
>> CRL scope extension (which is deprecated).
>> 
>> Erik -----Original Message----- From: pkix
>> [mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokhani Sent:
>> 19 November 2015 17:27 To: mrex@sap.com Cc:
>> x500standard@freelists.org; 'PKIX' <pkix@ietf.org> Subject: Re: [pkix]
>> [x500standard] Indirect CRLs
>> 
>> Without doing the latter, the relying party will not be able to use
>>  the indirect CRL to verify the revocation status of the
>> certificate in the scope of the indirect CRL.
>> 
>> -----Original Message----- From: Martin Rex [mailto:mrex@sap.com] 
>> Sent: Thursday, November 19, 2015 9:54 AM To: Santosh Chokhani
>> <santosh.chokhani@gmail.com> Cc: x500standard@freelists.org; 'PKIX'
>> <pkix@ietf.org> Subject: Re: [pkix] [x500standard] Indirect CRLs
>> 
>> Santosh Chokhani wrote:
>>> Yes.  That is an indirect CRL.
>>> 
>>> Note that the CA needs to assert appropriate cRLIssuer in the 
>>> DistributionPoint field of CRL DP extension of each certificate
>>> the CA issues.
>> 
>> Huh?  The latter comment has exactly nothing to do with indirect
>> CRLs.
>> 
>> -Martin
>> 
>> _______________________________________________ pkix mailing list 
>> pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix
>> 
>> ----- www.x500standard.com: The central source for information on
>> the X.500 Directory Standard.
>> 
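The two rules the thread keeps circling back to, that an absent cRLIssuer defaults to the certificate issuer (X.509 8.6.2.1) and that a relying party cannot apply an indirect CRL to a certificate whose CRL DP does not name the CRL issuer, as an added Python model of the RFC 5280 matching logic. This is not code from the thread, from X.509 or from RFC 5280; the dataclass names, the string-valued distinguished names and the sample CRLs are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed, simplified model of the fields the thread refers to. Distinguished
# names are plain strings; ASN.1 encoding and signature checks are out of scope.

@dataclass
class Cert:
    issuer: str
    serial: int
    crl_issuer: Optional[str] = None  # cRLIssuer in the CRL DP DistributionPoint

@dataclass
class CrlEntry:
    serial: int
    certificate_issuer: Optional[str] = None  # certificateIssuer entry extension

@dataclass
class Crl:
    issuer: str
    indirect: bool = False  # IssuingDistributionPoint.indirectCRL
    entries: List[CrlEntry] = field(default_factory=list)

def expected_crl_issuer(cert: Cert) -> str:
    # X.509 8.6.2.1 as quoted above: an absent cRLIssuer defaults to the
    # certificate issuer, so a direct CRL needs no cRLIssuer at all.
    return cert.crl_issuer if cert.crl_issuer is not None else cert.issuer

def crl_applies(cert: Cert, crl: Crl) -> bool:
    # The CRL must come from the authority the certificate points at. If that
    # authority is not the certificate's own issuer the CRL is indirect, whatever
    # number of CAs it covers, and must say so via indirectCRL.
    if crl.issuer != expected_crl_issuer(cert):
        return False
    return crl.issuer == cert.issuer or crl.indirect

def is_revoked(cert: Cert, crl: Crl) -> Optional[bool]:
    # None: the relying party cannot use this CRL for this certificate (Santosh's
    # point about a missing cRLIssuer). True/False: listed or not.
    if not crl_applies(cert, crl):
        return None
    # RFC 5280 5.3.3: in an indirect CRL the entry's CA is the certificateIssuer
    # extension if present; otherwise the CRL issuer for the first entry and the
    # preceding entry's CA for later ones. A direct CRL lists only its own certs.
    entry_ca = crl.issuer
    for entry in crl.entries:
        if crl.indirect and entry.certificate_issuer is not None:
            entry_ca = entry.certificate_issuer
        if entry_ca == cert.issuer and entry.serial == cert.serial:
            return True
    return False
```

The `None` result is the case Santosh describes: the CRL is perfectly valid, but a certificate that never named the CRL issuer gives the relying party no basis for consulting it.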