Re: [pkix] [x500standard] SV: Re: SV: Indirect CRLs
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 20 November 2015 17:07 UTC
To: Erik Andersen <era@x500.eu>, x500standard@freelists.org, 'PKIX' <pkix@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/1QLU_hxGtJjWvqTgzHtN-UPpQ1g>

On 20/11/15 17:05, Erik Andersen wrote:
> Hi Stephen,
>
> I will put the PDAM text and the draft technical corrigendum up on our
> web site (http://www.x500standard.com/) and provide exact links. Any
> comments and suggestions on the lists can then be converted to ballot
> comments to be considered at the ITU-T meeting March 2016. It is
> important to have maximum consensus.

Great,
Thanks,
S.

>
> Kind regards,
>
> Erik
>
> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: 20 November 2015 17:36
> To: Erik Andersen <era@x500.eu>; x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
> Subject: Re: [pkix] [x500standard] SV: Re: SV: Indirect CRLs
>
> On 20/11/15 16:33, Erik Andersen wrote:
>> Hi Santosh,
>>
>> Thanks a lot. That would be very helpful. I am quite pressed for
>> time. It is the plan to have the next edition of X.509 ready at
>> ITU-T September next year. This is necessary, as the smart grid
>> security people need to reference X.509 for their use of
>> authorization and validation lists (whitelists). To meet the
>> schedule, I need to have the next PDAM out for ballot at the end of
>> this month. The same applies for a technical corrigendum covering
>> all identified defects.
>
> A suggestion: why not make that draft visible to folks here. I think
> you'd get comments that would improve it.
>
> S.
>
>>
>> Regards,
>>
>> Erik
>>
>> -----Original Message-----
>> From: pkix [mailto:pkix-bounces@ietf.org] On behalf of Santosh Chokhani
>> Sent: 20 November 2015 16:44
>> To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
>> Subject: Re: [pkix] [x500standard] SV: Re: SV: Indirect CRLs
>>
>> Erik,
>>
>> I am happy to help craft or review additional exposition if that
>> helps.
>>
>> -----Original Message-----
>> From: x500standard-bounce@freelists.org
>> [mailto:x500standard-bounce@freelists.org] On Behalf Of Erik Andersen
>> Sent: Friday, November 20, 2015 6:00 AM
>> To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
>> Subject: [x500standard] SV: Re: SV: [pkix] Indirect CRLs
>>
>> Hi Santosh,
>>
>> Try to imagine a guy that is completely new in PKI and pick-up
>> X.509 or RFC 5280 to learn about it. Will he understand what an
>> indirect CRL is by just looking at some brief statements on an iCRL
>> is.
>>
>> 8.5.2.2 CRL scope extension (deprecated) has the following
>> statements:
>>
>> – simple CRLs that provide revocation information about
>>   certificates issued by a single authority;
>> – indirect CRLs that provide revocation information about
>>   certificates issued by multiple authorities;
>>
>> It was a statement like this that made me wrongly to believe that
>> it is only an iCRL if there are certificate info from multiple
>> authorities.
>>
>> I also have some comments on your other mail.
>>
>> Regards,
>>
>> Erik
>>
>>
>> -----Original Message-----
>> From: x500standard-bounce@freelists.org
>> [mailto:x500standard-bounce@freelists.org] On behalf of Santosh Chokhani
>> Sent: 19 November 2015 19:52
>> To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
>> Subject: [x500standard] Re: SV: [pkix] Indirect CRLs
>>
>> Erik,
>>
>> Look at Section 8.6.2.1 of X.509 and I quote the following: "The
>> cRLIssuer component identifies the authority that issues and signs
>> the CRL. If this component is absent, the CRL issuer name defaults
>> to the certificate issuer name."
>>
>> Also see Section C.5.1.4 of X.509
>>
>> -----Original Message-----
>> From: x500standard-bounce@freelists.org
>> [mailto:x500standard-bounce@freelists.org] On Behalf Of Erik Andersen
>> Sent: Thursday, November 19, 2015 11:52 AM
>> To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
>> Subject: [x500standard] SV: [pkix] Indirect CRLs
>>
>> Within X.509 there is not even a small paragraph introducing
>> indirect CRLs where such information could be introduced. Besides
>> the brief definition, iCRLs are mentioned the first time within the
>> CRL scope extension (which is deprecated).
>>
>> Erik
>>
>> -----Original Message-----
>> From: pkix [mailto:pkix-bounces@ietf.org] On behalf of Santosh Chokhani
>> Sent: 19 November 2015 17:27
>> To: mrex@sap.com
>> Cc: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
>> Subject: Re: [pkix] [x500standard] Indirect CRLs
>>
>> Without doing the latter, the relying party will not be able to use
>> the indirect CRL to verify the revocation status of the
>> certificate in the scope of the indirect CRL.
>>
>> -----Original Message-----
>> From: Martin Rex [mailto:mrex@sap.com]
>> Sent: Thursday, November 19, 2015 9:54 AM
>> To: Santosh Chokhani <santosh.chokhani@gmail.com>
>> Cc: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
>> Subject: Re: [pkix] [x500standard] Indirect CRLs
>>
>> Santosh Chokhani wrote:
>>> Yes. That is an indirect CRL.
>>>
>>> Note that the CA needs to assert appropriate cRLIssuer in the
>>> DistributionPoint field of CRL DP extension of each certificate
>>> the CA issues.
>>
>> Huh? The latter comment has exactly nothing to do with indirect
>> CRLs.
>>
>> -Martin
>>
>> _______________________________________________
>> pkix mailing list
>> pkix@ietf.org
>> https://www.ietf.org/mailman/listinfo/pkix
>>
>> -----
>> www.x500standard.com: The central source for information on
>> the X.500 Directory Standard.
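
Added example (not part of the original message or thread): a small Python model of the relying-party logic behind the quoted X.509 8.6.2.1 text and the cRLIssuer note above, following RFC 5280 sections 6.3.3 (b)(1) and 5.3.3. Names are compared as plain strings, signature and path validation are omitted, and all class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Cert:
    issuer: str                           # certificate issuer name
    serial: int
    dp_crl_issuer: Optional[str] = None   # cRLIssuer in the CRL DP extension, if asserted

@dataclass
class CrlEntry:
    serial: int
    certificate_issuer: Optional[str] = None  # certificateIssuer entry extension

@dataclass
class Crl:
    issuer: str                           # authority that issued and signed the CRL
    indirect: bool = False                # indirectCRL flag in issuingDistributionPoint
    entries: List[CrlEntry] = field(default_factory=list)

def expected_crl_issuer(cert: Cert) -> str:
    """cRLIssuer if present; otherwise it defaults to the certificate issuer."""
    return cert.dp_crl_issuer if cert.dp_crl_issuer is not None else cert.issuer

def crl_usable_for(cert: Cert, crl: Crl) -> bool:
    """Issuer must match; an asserted cRLIssuer also requires indirectCRL."""
    if crl.issuer != expected_crl_issuer(cert):
        return False
    return crl.indirect if cert.dp_crl_issuer is not None else True

def is_revoked(cert: Cert, crl: Crl) -> bool:
    if not crl_usable_for(cert, crl):
        raise ValueError("CRL is not usable for this certificate")
    entry_issuer = crl.issuer             # default for the first entry
    for e in crl.entries:
        if crl.indirect and e.certificate_issuer is not None:
            entry_issuer = e.certificate_issuer  # applies to following entries too
        if entry_issuer == cert.issuer and e.serial == cert.serial:
            return True
    return False

# Constructed sample: a single CA delegates revocation to a separate CRL signer.
ICRL = Crl("CN=CRL Signer", indirect=True,
           entries=[CrlEntry(100, "CN=CA1"), CrlEntry(101)])
```

The sample CRL covers certificates from only one CA yet is still indirect, and a certificate from that CA that does not assert cRLIssuer cannot be checked against it.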