Re: [pkix] Why is the crlNumber an OCTET STRING?

Paul Hoffman <paul.hoffman@vpnc.org> Tue, 20 April 2021 22:16 UTC

From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "Russ Housley" <housley@vigilsec.com>
Cc: "Peter Gutmann" <pgut001@cs.auckland.ac.nz>, "IETF PKIX" <pkix@ietf.org>
Date: Tue, 20 Apr 2021 15:16:08 -0700
Message-ID: <6B85C8EB-2749-4933-91CC-88EA4A9EE319@vpnc.org>
In-Reply-To: <59C6BBA3-324C-4777-8A26-6E32B7D1946C@vigilsec.com>
References: <3d6d5a6ea9ca4a6a99791da46435b7cf@uxcn13-tdc-d.UoA.auckland.ac.nz> <490638C0-9D93-4998-9F5D-1C9804B8E95C@vigilsec.com> <1618955894307.55564@cs.auckland.ac.nz> <59C6BBA3-324C-4777-8A26-6E32B7D1946C@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/3E51jdbdQGfG4P2Co9kMIlwgZ2A>
Subject: Re: [pkix] Why is the crlNumber an OCTET STRING?

On 20 Apr 2021, at 15:04, Russ Housley wrote:

> I do not read it that way at all.  It is saying that relying parties 
> need to be able to handle INTEGER values that are up to 20 octets in 
> size.  Of course RSA keys use INTEGER values that are much bigger than 
> that.  And, the text explains there are various ways that a CRL issuer 
> can assign numbers for different scopes that can lead to larger 
> values.

I do not see how the text says that, and am concerned that you do. Are 
you saying that a CRL issuer can pick an initial number for the scope 
that is large? If so, where in 5280 (or somewhere else) does it say 
that?

--Paul Hoffman
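An added example, written for this archive page and not code from the thread or any of its participants, showing what a relying party's handling of the crlNumber extension looks like under the RFC 5280 wording the thread argues about ("up to 20 octets"): the extnValue OCTET STRING wraps a DER INTEGER, and the decoder unwraps both layers and enforces non-negativity, DER minimality and the octet bound. It assumes the 20-octet bound is measured on the INTEGER content octets as encoded, including any 0x00 sign-pad byte (one reading of the text, not settled by the thread); the sample bytes are constructed.

```python
# Added example: CRLNumber extnValue decoding with RFC 5280 relying-party checks.
# Assumption: the "20 octets" bound counts the encoded INTEGER content octets.
MAX_CRL_NUMBER_OCTETS = 20  # RFC 5280 section 5.2.3 bound for conforming CRL issuers

SAMPLE_EXTN_VALUE = bytes.fromhex("0403020105")  # constructed: OCTET STRING { INTEGER 5 }


def _read_tlv(buf: bytes, tag: int) -> tuple:
    """Parse one short-form DER TLV; return (contents, remaining bytes).

    A conforming CRLNumber never needs a long-form length (22 bytes < 128),
    so long-form or truncated lengths are rejected outright.
    """
    if len(buf) < 2 or buf[0] != tag:
        raise ValueError(f"expected tag 0x{tag:02x}")
    length = buf[1]
    if length >= 0x80 or len(buf) < 2 + length:
        raise ValueError("unsupported or truncated length")
    return buf[2:2 + length], buf[2 + length:]


def decode_crl_number(extn_value: bytes) -> int:
    """extn_value: the extnValue OCTET STRING TLV wrapping CRLNumber ::= INTEGER."""
    integer_tlv, rest = _read_tlv(extn_value, 0x04)
    if rest:
        raise ValueError("trailing data after OCTET STRING")
    content, rest = _read_tlv(integer_tlv, 0x02)
    if rest or not content:
        raise ValueError("malformed INTEGER")
    if len(content) > 1 and content[0] == 0x00 and content[1] < 0x80:
        raise ValueError("non-minimal INTEGER (redundant leading zero)")
    if content[0] & 0x80:  # two's-complement sign bit set: negative value
        raise ValueError("CRLNumber must be non-negative")
    if len(content) > MAX_CRL_NUMBER_OCTETS:
        raise ValueError(f"CRLNumber longer than {MAX_CRL_NUMBER_OCTETS} octets")
    return int.from_bytes(content, "big")


def crl_number_is_acceptable(extn_value: bytes) -> bool:
    """True if a relying party applying the checks above accepts the value."""
    try:
        decode_crl_number(extn_value)
        return True
    except ValueError:
        return False


def encode_crl_number(n: int) -> bytes:
    """Issuer side: build the extnValue for a non-negative CRLNumber."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")  # minimal, sign bit clear
    if n < 0 or len(body) > 0x7F:
        raise ValueError("CRLNumber out of range for this encoder")
    integer_tlv = bytes([0x02, len(body)]) + body
    return bytes([0x04, len(integer_tlv)]) + integer_tlv
```

A 20-octet value whose top bit is clear round-trips, while the next power of two needs a sign-pad byte and so becomes 21 content octets, which is exactly the boundary the thread is debating.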