RE: CRLs
pawel@interclear.com Tue, 27 March 2001 08:33 UTC
From: pawel@interclear.com
Message-ID: <707FDBEC4AD2D31194F90050044F041853ABDF@server.interclear.co.uk>
To: povey@dstc.qut.edu.au
Cc: ietf-pkix@imc.org
Subject: RE: CRLs
Date: Tue, 27 Mar 2001 09:25:02 +0100
Hi Dean,

I was thinking about CRLDistributionPoint. But the question is how to verify such a CRL, and what about CRL extensions and entry extensions. From the beginning:

1. What exactly should the cRLIssuer field in the CRLDistributionPoint extension include?
2. I should receive a verification path for the cert which signed the CRL. And I think that the root certificate should be the one which signs the certificate. Otherwise it's possible to create a false CRL (maybe I'm wrong, I don't know the answer to question #1).
3. What about the CRL extension Issuing Distribution Point (to indicate that the CRL is indirect) and the CRL entry extension Certificate Issuer (to identify the certificate issuer)?

In general, how should such a CRL be validated? I think that the standard is not consistent and should be changed.

Regards,
Pawel Krupinski

-----Original Message-----
From: Dean Povey [mailto:povey@dstc.qut.edu.au]
Sent: Tuesday, March 27, 2001 1:25 AM
To: pawel@interclear.com
Cc: ietf-pkix@imc.org
Subject: Re: CRLs

> Hi,
> I'm trying to split CA functionality. I want to have one private key
> to sign certificates (CA key), and the second one to sign CRLs.
> First, is it possible to do it? Because in the standard I've found:
> "The CRL is signed using the CA's private key." (Is it the same CA which
> signs this certificate? In other words, a CA can only revoke certificates it
> signed, am I right?)

Hi Pawel,

You can use the cRLDistributionPoint extension to indicate a CRL issuer other than the CA that issued the Certificate. See section 4.2.1.14 of RFC2459, or of the updated Cert and CRL profile at: http://www.ietf.org/internet-drafts/draft-ietf-pkix-new-part1-05.txt

-- 
Dean Povey,            | e-m: povey@dstc.edu.au  | JCSI: Java Crypto Toolkit
Research Scientist     | ph:  +61 7 3864 5120    | uPKI: C PKI toolkit for embedded
Security Unit, DSTC    | fax: +61 7 3864 1282    | systems
Brisbane, Australia    | www: security.dstc.com  | Oscar: C++ PKI toolkit
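As an added example (not code from this thread or from either poster), the validation walk Pawel asks for, written with the Python `cryptography` library: a constructed fixture with a root CA, a separately certified CRL signer named as cRLIssuer in the end-entity certificates' CRLDistributionPoints, and an indirect CRL, checked against the cRLIssuer, IssuingDistributionPoint and CertificateIssuer rules he lists. The names "Root CA", "CRL Signer", "Alice" and "Bob" are constructed; it assumes, as Pawel's point 2 proposes, that the CRL signer must chain to the certificate's own issuing CA, and the inherit-from-previous-entry rule for CertificateIssuer is the one later fixed in RFC 5280 section 5.3.3.

```python
from datetime import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
NOW, LATER = datetime(2001, 3, 27), datetime(2001, 4, 27)
cn = lambda name: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
def cert(subject, issuer, signer_key, pub, serial, ext=None):  # minimal ECDSA certificate for the fixture
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pub)
         .serial_number(serial).not_valid_before(NOW).not_valid_after(LATER))
    return (b.add_extension(ext, critical=False) if ext else b).sign(signer_key, hashes.SHA256())

def entry_issuer_for(crl, serial):
    # RFC 5280 5.3.3: an entry without certificateIssuer inherits the previous entry's; the first defaults to the CRL issuer
    current = crl.issuer
    for entry in crl:
        for ext in entry.extensions:
            if isinstance(ext.value, x509.CertificateIssuer):
                current = ext.value.get_values_for_type(x509.DirectoryName)[0]
        if entry.serial_number == serial:
            return current

def check_indirect_crl(ee, crl, crl_signer, anchor):
    # (1) the CRL must come from the cRLIssuer named in the certificate's CRLDistributionPoints
    cdp = ee.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    if crl.issuer not in [gn.value for dp in cdp for gn in (dp.crl_issuer or [])]:
        return "reject: CRL issuer is not the cRLIssuer named in the certificate"
    # (2) a CRL from anyone but the certificate's own CA must set indirectCRL in its IDP extension
    if not crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value.indirect_crl:
        return "reject: third-party CRL lacks indirectCRL"
    # (3) the CRL signer must chain to the certificate's trust anchor (verify() raises if it does not)
    anchor.public_key().verify(crl_signer.signature, crl_signer.tbs_certificate_bytes,
                               ec.ECDSA(crl_signer.signature_hash_algorithm))
    if not crl.is_signature_valid(crl_signer.public_key()):
        return "reject: CRL signature does not verify"
    # (4) the entry applies only if its (possibly inherited) certificateIssuer is this certificate's issuer
    return "revoked" if entry_issuer_for(crl, ee.serial_number) == ee.issuer else "good"

def demo():  # constructed fixture: one Root CA, a separate CRL signer it certified, two end entities
    ca_key, crl_key, ee_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = cert(cn("Root CA"), cn("Root CA"), ca_key, ca_key.public_key(), 1)
    crl_signer = cert(cn("CRL Signer"), cn("Root CA"), ca_key, crl_key.public_key(), 2)
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(None, None, None, [x509.DirectoryName(cn("CRL Signer"))])])
    alice = cert(cn("Alice"), cn("Root CA"), ca_key, ee_key.public_key(), 3, cdp)
    bob = cert(cn("Bob"), cn("Root CA"), ca_key, ee_key.public_key(), 4, cdp)
    rb = lambda s: x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW)
    crl = (x509.CertificateRevocationListBuilder().issuer_name(cn("CRL Signer")).last_update(NOW).next_update(LATER)
           .add_extension(x509.IssuingDistributionPoint(None, None, False, False, None, True, False), critical=True)
           .add_revoked_certificate(rb(4).build())  # no certificateIssuer: defaults to "CRL Signer", so this is not Bob
           .add_revoked_certificate(rb(3).add_extension(x509.CertificateIssuer([x509.DirectoryName(cn("Root CA"))]), True).build())
           .sign(crl_key, hashes.SHA256()))
    return {"Alice": check_indirect_crl(alice, crl, crl_signer, ca), "Bob": check_indirect_crl(bob, crl, crl_signer, ca)}
```

Bob's serial appears on the CRL but the entry carries no CertificateIssuer, so it refers to a certificate issued by "CRL Signer" itself and must not revoke Root CA's serial 4.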