Re: [pkix] [x500standard] SV: Re: SV: Indirect CRLs
"Santosh Chokhani" <santosh.chokhani@gmail.com> Fri, 20 November 2015 15:43 UTC
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/JEpc4LR5XciMdanbkJ_xfgCRRzc>
Erik,

I am happy to help craft or review additional exposition if that helps.

-----Original Message-----
From: x500standard-bounce@freelists.org [mailto:x500standard-bounce@freelists.org] On Behalf Of Erik Andersen
Sent: Friday, November 20, 2015 6:00 AM
To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: [x500standard] SV: Re: SV: [pkix] Indirect CRLs

Hi Santosh,

Try to imagine a guy that is completely new in PKI and picks up X.509 or RFC 5280 to learn about it. Will he understand what an indirect CRL is by just looking at some brief statements on what an iCRL is?

8.5.2.2 CRL scope extension (deprecated) has the following statements:

simple CRLs that provide revocation information about certificates issued by a single authority;
indirect CRLs that provide revocation information about certificates issued by multiple authorities;

It was a statement like this that made me wrongly believe that it is only an iCRL if there is certificate info from multiple authorities.

I also have some comments on your other mail.

Regards,
Erik

-----Original Message-----
From: x500standard-bounce@freelists.org [mailto:x500standard-bounce@freelists.org] On Behalf Of Santosh Chokhani
Sent: 19 November 2015 19:52
To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: [x500standard] Re: SV: [pkix] Indirect CRLs

Erik,

Look at Section 8.6.2.1 of X.509 and I quote the following: "The cRLIssuer component identifies the authority that issues and signs the CRL. If this component is absent, the CRL issuer name defaults to the certificate issuer name."

Also see Section C.5.1.4 of X.509.

-----Original Message-----
From: x500standard-bounce@freelists.org [mailto:x500standard-bounce@freelists.org] On Behalf Of Erik Andersen
Sent: Thursday, November 19, 2015 11:52 AM
To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: [x500standard] SV: [pkix] Indirect CRLs

Within X.509 there is not even a small paragraph introducing indirect CRLs where such information could be introduced.

Besides the brief definition, iCRLs are mentioned the first time within the CRL scope extension (which is deprecated).

Erik

-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokhani
Sent: 19 November 2015 17:27
To: mrex@sap.com
Cc: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: Re: [pkix] [x500standard] Indirect CRLs

Without doing the latter, the relying party will not be able to use the indirect CRL to verify the revocation status of the certificate in the scope of the indirect CRL.

-----Original Message-----
From: Martin Rex [mailto:mrex@sap.com]
Sent: Thursday, November 19, 2015 9:54 AM
To: Santosh Chokhani <santosh.chokhani@gmail.com>
Cc: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: Re: [pkix] [x500standard] Indirect CRLs

Santosh Chokhani wrote:
> Yes. That is an indirect CRL.
>
> Note that the CA needs to assert appropriate cRLIssuer in the
> DistributionPoint field of CRL DP extension of each certificate the CA
> issues.

Huh?

The latter comment has exactly nothing to do with indirect CRLs.

-Martin

_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix

-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.
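
The issuer check this thread turns on, as an added example that is not part of the original messages: a relying party's scope test (RFC 5280, section 6.3.3, step (b)(1)) and the per-entry certificateIssuer rule for indirect CRLs. Names are compared as plain strings, signature and path validation are omitted, and all class names, function names and sample DNs are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Cert:
    issuer: str
    serial: int
    dp_crl_issuer: Optional[str] = None   # cRLIssuer in the CRL DP, if asserted

@dataclass
class CRLEntry:
    serial: int
    certificate_issuer: Optional[str] = None  # certificateIssuer entry extension

@dataclass
class CRL:
    issuer: str
    indirect: bool = False                # indirectCRL in issuingDistributionPoint
    entries: List[CRLEntry] = field(default_factory=list)

def crl_in_scope(cert: Cert, crl: CRL) -> bool:
    """If the DP names a cRLIssuer, the CRL must be issued by it and be marked
    indirect; otherwise the CRL issuer defaults to the certificate issuer."""
    if cert.dp_crl_issuer is not None:
        return crl.issuer == cert.dp_crl_issuer and crl.indirect
    return crl.issuer == cert.issuer

def revocation_status(cert: Cert, crl: CRL) -> str:
    if not crl_in_scope(cert, crl):
        return "undetermined"             # this CRL cannot be used for this cert
    current = crl.issuer                  # default certificate issuer for entries
    for entry in crl.entries:
        # In an indirect CRL, certificateIssuer also applies to the entries
        # that follow it, until another entry overrides it.
        if crl.indirect and entry.certificate_issuer is not None:
            current = entry.certificate_issuer
        if current == cert.issuer and entry.serial == cert.serial:
            return "revoked"
    return "good"

# Constructed sample: one indirect CRL covering certificates from CA1 and CA2.
ICRL = CRL("CN=Revocation Authority", True, [
    CRLEntry(5, "CN=CA2"),   # CA2 serial 5
    CRLEntry(9),             # inherits CN=CA2 from the previous entry
    CRLEntry(5, "CN=CA1"),   # CA1 serial 5
])

if __name__ == "__main__":
    with_dp = Cert("CN=CA1", 5, dp_crl_issuer="CN=Revocation Authority")
    without_dp = Cert("CN=CA1", 5)        # CA did not assert cRLIssuer
    print(revocation_status(with_dp, ICRL), revocation_status(without_dp, ICRL))
```

The certificate without cRLIssuer in its distribution point gets "undetermined" even though its serial number is listed, because the CRL issuer name then defaults to the certificate issuer and does not match.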