Re: [pkix] RFC 5280 - Clarification on the Location where CRL URL should be Obtained

Dhaura Pathirana <dhaurapathirana@gmail.com> Thu, 29 February 2024 04:44 UTC

From: Dhaura Pathirana <dhaurapathirana@gmail.com>
Date: Thu, 29 Feb 2024 10:14:05 +0530
Message-ID: <CAL4nJSYFt-7cjEqwD3j6p2z1z_OeDqjdnJWjF_x+WppEVSu7xQ@mail.gmail.com>
To: Santosh Chokhani <santosh.chokhani@gmail.com>
Cc: pkix@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/72GvPw6nHlI0QKmVmhO0xXX_hpw>

Hi all,

Thank you very much for your quick responses.

Kind regards,
Dhaura.

On Wed, 28 Feb 2024 at 18:43, Santosh Chokhani <santosh.chokhani@gmail.com>
wrote:

> The CRL URL needs to be obtained from the certificate, or by other local
> means, or by doing an LDAP lookup for the issuer DN in the certificate and
> obtaining the proper attribute from the issuer DN LDAP entry.
>
> The CRL URL in the issuer certificate will have a pointer to the CRL to check the
> revocation status of the issuer certificate and NOT the subject certificate.
>
> *From:* pkix [mailto:pkix-bounces@ietf.org] *On Behalf Of *Dhaura
> Pathirana
> *Sent:* Wednesday, February 28, 2024 1:18 AM
> *To:* pkix@ietf.org
> *Subject:* [pkix] RFC 5280 - Clarification on the Location where CRL URL
> should be Obtained
>
> Hi all,
>
> Kindly requesting assistance in clarifying the location where the CRL URL
> should be obtained in order to do CRL validation on an X.509 certificate,
> since it was not specifically clear in the specification [1].
>
>    1. Should we extract the CRL URL from the certificate itself or from
>    the issuer certificate associated with the validating certificate?
>    2. Furthermore, if the default behavior is to obtain the CRL URL from
>    the certificate itself and if the CRL URL is unavailable in the certificate
>    itself, is it customary to obtain it from the issuer certificate?
>
> Any assistance on these two questions would be greatly appreciated.
>
> [1] - https://datatracker.ietf.org/doc/html/rfc5280
>
> Thank you.
>
> Kind regards,
>
> Dhaura.
>
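The point settled in the thread, worked through in code as an added example (not code from the original thread, the RFC, or any product): each certificate's own cRLDistributionPoints extension names the CRL that covers that certificate, the issuer's CDP covers the issuer one step up, and a CRL must only be consulted after confirming it was issued and signed by the certificate's own issuer. The chain, the CRL URLs (`crl.example.test`) and the serial numbers are constructed for the example; the program uses only the Go standard library (`crypto/x509`, Go 1.19 or later).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> issuing CA -> leaf hierarchy (not real infrastructure).
// Each certificate's cRLDistributionPoints names the CRL that covers THAT certificate.
type Chain struct {
	Root, Inter, Leaf *x509.Certificate
	RootKey, InterKey *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(serial int64, cn string, cdp []string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		CRLDistributionPoints: cdp, // hypothetical URLs, constructed for this example
	}
}

// BuildChain issues the three certificates. The self-signed root carries no CDP (a trust
// anchor is not checked against a CRL); the issuing CA's CDP points at the ROOT's CRL,
// because that CRL covers the issuing CA; the leaf's CDP points at the ISSUING CA's CRL.
func BuildChain() Chain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Example Root CA", nil)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate(2, "Example Issuing CA", []string{"http://crl.example.test/root.crl"}),
		root, &interKey.PublicKey, rootKey)
	leafTmpl := caTemplate(3, "server.example.test", []string{"http://crl.example.test/issuing.crl"})
	leafTmpl.IsCA, leafTmpl.KeyUsage = false, x509.KeyUsageDigitalSignature
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return Chain{Root: root, Inter: inter, Leaf: leaf, RootKey: rootKey, InterKey: interKey}
}

// CRLURLsFor answers the thread's question: the CRL for cert's OWN status is located via
// cert's own cRLDistributionPoints (RFC 5280 s4.2.1.13), never via the issuer's extension.
func CRLURLsFor(cert *x509.Certificate) ([]string, error) {
	if len(cert.CRLDistributionPoints) == 0 {
		return nil, errors.New("no cRLDistributionPoints: fall back to local configuration or an LDAP lookup of the issuer DN")
	}
	return cert.CRLDistributionPoints, nil
}

// MakeCRL signs a CRL with the given CA key listing the given serials as revoked.
func MakeCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, revoked ...int64) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now.Add(-time.Minute)})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
	if err != nil {
		panic(err)
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		panic(err)
	}
	return crl
}

// IsRevoked looks cert up on crl only after confirming the CRL was issued and signed by
// cert's issuer. Serial numbers are unique per issuer only, so a CRL from another CA
// (for instance the one named in the issuer's own CDP) is out of scope and must be rejected.
func IsRevoked(cert, issuer *x509.Certificate, crl *x509.RevocationList) (bool, error) {
	if !bytes.Equal(cert.RawIssuer, issuer.RawSubject) {
		return false, errors.New("supplied issuer certificate does not match cert.Issuer")
	}
	if !bytes.Equal(crl.RawIssuer, cert.RawIssuer) || crl.CheckSignatureFrom(issuer) != nil {
		return false, errors.New("CRL not issued by cert's issuer: out of scope for this certificate")
	}
	if time.Now().After(crl.NextUpdate) {
		return false, errors.New("CRL is stale")
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ch := BuildChain()
	for _, c := range []*x509.Certificate{ch.Leaf, ch.Inter, ch.Root} {
		urls, err := CRLURLsFor(c)
		fmt.Printf("%-20s CDP=%v err=%v\n", c.Subject.CommonName, urls, err)
	}
	fmt.Println(IsRevoked(ch.Leaf, ch.Inter, MakeCRL(ch.Inter, ch.InterKey, 3))) // CRL from the leaf's CDP
	fmt.Println(IsRevoked(ch.Leaf, ch.Inter, MakeCRL(ch.Root, ch.RootKey, 3)))   // CRL from the issuer's CDP: rejected
}
```

The last two lines of main show why the distinction matters in practice: the root's CRL also lists serial 3 (serials collide across issuers), so a validator that fetched the URL from the issuer certificate and skipped the issuer/signature scope check would report a wrong answer for the leaf.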