[pkix] A question regarding certificate status service delegation

Thomas Kopp <thomas.kopp@luxtrust.lu> Mon, 23 November 2020 15:39 UTC

From: Thomas Kopp <thomas.kopp@luxtrust.lu>
To: pkix <pkix-bounces@ietf.org>
CC: "pkix@ietf.org" <pkix@ietf.org>, "rfc-editor@rfc-editor.org" <rfc-editor@rfc-editor.org>
Date: Mon, 23 Nov 2020 15:39:26 +0000
Message-ID: <a2436a14b48c4db8af1ba5d0d550695c@luxtrust.lu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/K0pjnxtuocBlmrxDbdijBzDlMic>

Dear all,

According to RFC 5280, a certificate issuer can delegate CRL issuance to a different CA which may particularly be part of a different hierarchy than the one the certificate issuer belongs to (cf. the crlDistributionPoints extension, specifically sections 4.2.1.13 and 6.3.3 (b)(1) of the RFC).

By contrast, in the case of OCSP delegation, it is required that an OCSP responder belongs to the same hierarchy as the certificate issuer (cf. section 2.6 of RFC 6960). What is the motivation for this latter limitation? Is it just the lack of an OCSP-specific certificate extension that corresponds to the CRL-related crlDistributionPoints extension, or are there any other reasons; if yes, which ones?

Thomas KOPP
Chief Scientist

Email: thomas.kopp@luxtrust.lu
Mobile: +352 621 229 316
Office: +352 26 68 15 - 574
LuxTrust S.A. | IVY Building | 13-15, Parc d'activités | L-8308 Capellen | Luxembourg | www.luxtrust.lu
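To make the asymmetry the question describes concrete, here is an added example (not from the e-mail or from any RFC text) modelling the two relying-party checks side by side: the three admissible OCSP response signers of RFC 6960 section 2.6 (with the id-kp-OCSPSigning requirement of section 4.2.2.2) and the cRLIssuer matching step of RFC 5280 section 6.3.3 (b)(1). Certificates, key identifiers and names are constructed string stand-ins, not parsed X.509, and the CRL issuer's path validation (step (f)) is deliberately not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the X.509 fields the checks need; strings, not DER.
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"   # id-kp-OCSPSigning (RFC 6960 4.2.2.2)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str            # stand-in for SubjectKeyIdentifier
    issuer_key_id: str     # stand-in for AuthorityKeyIdentifier
    ekus: frozenset = frozenset()

def ocsp_signer_rule(target: Cert, signer: Cert, trusted_responder_keys: set) -> Optional[str]:
    """Return which RFC 6960 section 2.6 rule admits `signer` for responses about `target`, or None."""
    if signer.key_id == target.issuer_key_id:
        return "issuer"                      # the CA that issued the certificate signs itself
    if signer.key_id in trusted_responder_keys:
        return "trusted responder"           # locally configured trust, outside any hierarchy
    # Authorized responder: certificate issued directly by the target's issuer CA and
    # marked with id-kp-OCSPSigning. A responder certified by another CA fails here
    # even when it carries the EKU, which is the "same hierarchy" restriction.
    if signer.issuer_key_id == target.issuer_key_id and ID_KP_OCSP_SIGNING in signer.ekus:
        return "authorized responder"
    return None

@dataclass(frozen=True)
class DistributionPoint:
    crl_issuer: Optional[str] = None         # cRLIssuer field; None when absent

@dataclass(frozen=True)
class CRL:
    issuer: str
    indirect_crl: bool = False               # IssuingDistributionPoint.indirectCRL

def crl_issuer_matches(target: Cert, dp: DistributionPoint, crl: CRL) -> bool:
    """RFC 5280 section 6.3.3 (b)(1): name matching only; validating the CRL
    issuer's certification path (step (f)) is a separate step not modelled here."""
    if dp.crl_issuer is None:
        return crl.issuer == target.issuer   # no delegation: CRL issuer is the cert issuer
    return crl.issuer == dp.crl_issuer and crl.indirect_crl

# Constructed sample: CA-A issued the end-entity cert; CA-B belongs to another hierarchy.
EE = Cert("CN=ee", "CN=CA-A", "k-ee", "k-A")
CA_A = Cert("CN=CA-A", "CN=Root-A", "k-A", "k-RootA")
RESP_A = Cert("CN=ocsp-A", "CN=CA-A", "k-rA", "k-A", frozenset({ID_KP_OCSP_SIGNING}))
RESP_B = Cert("CN=ocsp-B", "CN=CA-B", "k-rB", "k-B", frozenset({ID_KP_OCSP_SIGNING}))

if __name__ == "__main__":
    for s in (CA_A, RESP_A, RESP_B):
        print(s.subject, "->", ocsp_signer_rule(EE, s, set()))
    print("indirect CRL from CA-B:", crl_issuer_matches(EE, DistributionPoint("CN=CA-B"), CRL("CN=CA-B", True)))
```

Running it shows RESP_B rejected as an OCSP signer for EE unless its key is configured locally as a trusted responder, while a CRL issued by CA-B is accepted as soon as the distribution point names it in cRLIssuer and the CRL asserts indirectCRL.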