Re: [pkix] Why is the crlNumber an OCTET STRING?
Paul Hoffman <paul.hoffman@vpnc.org> Tue, 20 April 2021 22:14 UTC
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: IETF PKIX <pkix@ietf.org>
Date: Tue, 20 Apr 2021 15:13:59 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/DSbwGaXztq5eaD85PvIAYrxdiKo>

Not only is it not an OCTET STRING, you chose to use RFC 3280 instead of RFC 5280. :-(

Having said that, the question is germane. I cannot see how:

   The CRL number is a non-critical CRL extension that conveys a
   monotonically increasing sequence number for a given CRL scope and
   CRL issuer.

and

   Given the requirements above, CRL numbers can be expected to contain
   long integers. CRL verifiers MUST be able to handle CRLNumber values
   up to 20 octets.

can both be true. I think that "long integers" is correct for some value of "long", but "20 octets" is just silly. I don't mind saying that CRL verifiers must be able to handle silly values, but would prefer to not have said that.

--Paul Hoffman
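
Added example, not part of the original message: one way a verifier written in C can accept CRLNumber values up to 20 octets, which fit no native integer type, and still check that a new CRL number is greater than the last one seen. The function names, the sample encodings, and the reading of "20 octets" as the length of the DER INTEGER contents are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CRLNUM_MAX 20 /* RFC 5280: verifiers MUST handle up to 20 octets */

/* Parse a DER INTEGER (tag 0x02) that carries a CRLNumber. On success the
 * value is stored big-endian, right-aligned in out[] and 0 is returned;
 * -1 means malformed, negative, non-minimal, or longer than 20 octets.
 * Assumption: "20 octets" is the length of the INTEGER contents. */
int crlnum_parse(const uint8_t *der, size_t len, uint8_t out[CRLNUM_MAX])
{
    if (len < 3 || der[0] != 0x02) return -1;
    size_t n = der[1];              /* long-form lengths (>= 0x80) fail below */
    if (n > CRLNUM_MAX || n != len - 2) return -1;
    const uint8_t *v = der + 2;
    if (v[0] & 0x80) return -1;     /* sign bit set: negative number */
    if (n > 1 && v[0] == 0x00 && !(v[1] & 0x80)) return -1; /* padded */
    memset(out, 0, CRLNUM_MAX);
    memcpy(out + (CRLNUM_MAX - n), v, n);
    return 0;
}

/* Monotonicity check: 1 if cand is strictly greater than last. Fixed-width
 * big-endian buffers compare numerically with memcmp. */
int crlnum_is_newer(const uint8_t cand[CRLNUM_MAX], const uint8_t last[CRLNUM_MAX])
{
    return memcmp(cand, last, CRLNUM_MAX) > 0;
}

/* Constructed sample encodings, not taken from any real CRL. */
static const uint8_t S_SMALL[]  = { 0x02, 0x01, 0x05 };
static const uint8_t S_MAX20[]  = { 0x02, 0x14, 0x7f, 1, 2, 3, 4, 5, 6, 7, 8, 9,
                                    10, 11, 12, 13, 14, 15, 16, 17, 18, 19 };
static const uint8_t S_LONG21[] = { 0x02, 0x15, 0x00, 0x80, 1, 2, 3, 4, 5, 6, 7, 8,
                                    9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19 };
static const uint8_t S_NEG[]    = { 0x02, 0x01, 0x80 };
static const uint8_t S_PAD[]    = { 0x02, 0x02, 0x00, 0x05 };

int main(void)
{
    uint8_t a[CRLNUM_MAX], b[CRLNUM_MAX];
    printf("small:     %d\n", crlnum_parse(S_SMALL, sizeof S_SMALL, a));
    printf("20 octets: %d\n", crlnum_parse(S_MAX20, sizeof S_MAX20, b));
    printf("newer:     %d\n", crlnum_is_newer(b, a));
    printf("21 octets: %d\n", crlnum_parse(S_LONG21, sizeof S_LONG21, a));
    return 0;
}
```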