Re: [pkix] Why is the crlNumber an OCTET STRING?

Russ Housley <housley@vigilsec.com> Wed, 21 April 2021 15:56 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 013183A2D4B for <pkix@ietfa.amsl.com>; Wed, 21 Apr 2021 08:56:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FD_T5AAYl43T for <pkix@ietfa.amsl.com>; Wed, 21 Apr 2021 08:55:57 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43D113A2D46 for <pkix@ietf.org>; Wed, 21 Apr 2021 08:55:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 0329A300B91 for <pkix@ietf.org>; Wed, 21 Apr 2021 11:55:55 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id JMHtqvmOpTm3 for <pkix@ietf.org>; Wed, 21 Apr 2021 11:55:53 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id DCF02300B20; Wed, 21 Apr 2021 11:55:53 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.17\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <1619020072637.77385@cs.auckland.ac.nz>
Date: Wed, 21 Apr 2021 11:55:54 -0400
Cc: IETF PKIX <pkix@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <724D3978-46C6-4527-8A81-A928EEFDE217@vigilsec.com>
References: <3d6d5a6ea9ca4a6a99791da46435b7cf@uxcn13-tdc-d.UoA.auckland.ac.nz> <490638C0-9D93-4998-9F5D-1C9804B8E95C@vigilsec.com> <1618955894307.55564@cs.auckland.ac.nz> <59C6BBA3-324C-4777-8A26-6E32B7D1946C@vigilsec.com> <1618957726686.74538@cs.auckland.ac.nz> <SYBPR01MB5616009D18496B7FD5CA38E1E5479@SYBPR01MB5616.ausprd01.prod.outlook.com> <1619018456026.55711@cs.auckland.ac.nz> <E16F5376-2D0F-4B04-8734-FB16892DD448@vigilsec.com> <1619020072637.77385@cs.auckland.ac.nz>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
X-Mailer: Apple Mail (2.3445.104.17)
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/2Czx74_v6CxF2xLNwLcbXvvI8QY>
Subject: Re: [pkix] Why is the crlNumber an OCTET STRING?
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2021 15:56:02 -0000

Peter:

>> The CRL number is helpful in any situation where the CRL issuer produces CRLs
>> with different scopes.
> 
> How would the crlNumber help there?  And in particular, since thisUpdate is a
> monotonically increasing sequence number, why is there a need for a second
> parallel monotonically increasing sequence number?  It looks like an easy way
> to implement crlNumber is:
> 
>  crlNumber := thisUpdate;
> 
> Which, in effect, is what the 8601-based implementation that's causing the
> problem is doing, it's literally just copying the value of thisUpdate into
> crlNumber.

This would work if and only if the CRL issuer is dealing with one scope.

For example, if a CRL issuer has partitioned the certificate population into multiple distribution points, all of these CRLs might be updated at the same time, but they each need different CRL numbers.  This kind of partitioning is used to make sure that none of the CRLs becomes overly large, even if the entire certificate population that it covers is revoked.

Russ