Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15

"Andris Berzins" <pkix@inbox.lv> Tue, 02 April 2013 17:50 UTC

Message-ID: <1364925043.515b1a73f12b6@mail.inbox.lv>
Date: Tue, 02 Apr 2013 20:50:43 +0300
From: Andris Berzins <pkix@inbox.lv>
To: Piyush Jain <piyush@ditenity.com>
References: <1364921690.515b0d5a1192d@mail.inbox.lv> <032a01ce2fc8$a229b4d0$e67d1e70$@ditenity.com>
In-Reply-To: <032a01ce2fc8$a229b4d0$e67d1e70$@ditenity.com>
User-Agent: Inbox.lv Webmail
Cc: 'Stefan Santesson' <stefan@aaa-sec.com>, sts@aaa-sec.com, pkix@ietf.org
Subject: Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15

Quoting "Piyush Jain" <piyush@ditenity.com>:
>> 
>> That would signal to the relying party that it has received old
>> information (old thisUpdate); it would query again at nextUpdate and
>> would again get an old response with an old thisUpdate, and so on.
>> 
>> thisUpdate and nextUpdate should be current time IMHO.
> 
> [Piyush] This is the intent.
> The information is correct as of the CA start validity time and can change anytime.

That information is correct not only as of the CA's start of validity, but also at the time
requested, and therefore thisUpdate should be set to the current time, i.e.,
to the time at which the CA knows that the certificate has still not been issued.

This is what thisUpdate is about. Why fix it to some useless value?

> 
> In this case the certificate is revoked since the CA came into being.
> The only time this information gets updated is when the certificate gets
> issued. At that time the response will contain thisUpdate and nextUpdate
> from the CRL.
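The following is an added illustration of the disagreement above, not code from the draft or from either poster: it models a relying party that enforces a maximum age on thisUpdate (the 12-hour limit, the one-day response period and the CA start date are constructed assumptions) and re-queries at nextUpdate, against a responder that pins thisUpdate to the CA's start of validity and one that sets it to the time of the check.

```python
"""Model of a relying party's OCSP freshness check for a certificate
that has not been issued, comparing two responder policies for thisUpdate.
Added example for this thread; all times and limits are constructed."""
from datetime import datetime, timedelta, timezone

CA_START = datetime(2012, 1, 1, tzinfo=timezone.utc)   # assumed CA validity start
SAMPLE_NOW = datetime(2013, 4, 2, 17, 50, tzinfo=timezone.utc)  # constructed query time
RESPONSE_PERIOD = timedelta(days=1)    # assumed nextUpdate - thisUpdate interval
MAX_AGE = timedelta(hours=12)          # assumed relying-party limit on thisUpdate age


def fixed_this_update(now):
    """Responder policy: thisUpdate pinned to the CA's start of validity."""
    return CA_START, now + RESPONSE_PERIOD


def current_this_update(now):
    """Responder policy: thisUpdate is the time the status was actually checked."""
    return now, now + RESPONSE_PERIOD


def is_fresh(this_update, next_update, now, max_age=MAX_AGE):
    """Relying-party check: response not expired and thisUpdate not older than max_age."""
    if now >= next_update:
        return False
    return now - this_update <= max_age


def poll_until_fresh(responder, start, max_polls=3):
    """Query the responder, coming back at nextUpdate each time a response is
    judged stale, as the quoted text describes. Returns the poll number on
    which a fresh response was obtained, or None if none was within max_polls."""
    now = start
    for poll in range(1, max_polls + 1):
        this_update, next_update = responder(now)
        if is_fresh(this_update, next_update, now):
            return poll
        now = next_update   # relying party re-queries once the response expires
    return None


if __name__ == "__main__":
    for name, responder in (("fixed", fixed_this_update), ("current", current_this_update)):
        print(name, "-> fresh on poll", poll_until_fresh(responder, SAMPLE_NOW))
```

With thisUpdate pinned to the CA start, every re-query returns a response that fails the age check, which is the loop the quoted text describes; setting thisUpdate to the check time satisfies it on the first poll.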