Re: [pkix] Why is the crlNumber an OCTET STRING?

"Dars, Mihran [VendorPass]" <MDars@chevron.com> Fri, 30 April 2021 17:02 UTC

From: "Dars, Mihran [VendorPass]" <MDars@chevron.com>
To: Ernst G Giessmann <giessman@informatik.hu-berlin.de>, "pkix@ietf.org" <pkix@ietf.org>
Date: Fri, 30 Apr 2021 17:02:20 +0000
Message-ID: <BYAPR01MB41014AA2930D9989FA1710E4B75E9@BYAPR01MB4101.prod.exchangelabs.com>
References: <3d6d5a6ea9ca4a6a99791da46435b7cf@uxcn13-tdc-d.UoA.auckland.ac.nz> <490638C0-9D93-4998-9F5D-1C9804B8E95C@vigilsec.com> <1618955894307.55564@cs.auckland.ac.nz> <59C6BBA3-324C-4777-8A26-6E32B7D1946C@vigilsec.com> <1618957726686.74538@cs.auckland.ac.nz> <SYBPR01MB5616009D18496B7FD5CA38E1E5479@SYBPR01MB5616.ausprd01.prod.outlook.com> <1619018456026.55711@cs.auckland.ac.nz> <E16F5376-2D0F-4B04-8734-FB16892DD448@vigilsec.com> <1619020072637.77385@cs.auckland.ac.nz> <724D3978-46C6-4527-8A81-A928EEFDE217@vigilsec.com> <f6d0bc20-2c92-3df8-a2a5-651f4e4f1dc1@aaa-sec.com> <1619090483847.17566@cs.auckland.ac.nz> <a9032193-801e-a65b-cc3b-a0dc6e366aa0@informatik.hu-berlin.de>
In-Reply-To: <a9032193-801e-a65b-cc3b-a0dc6e366aa0@informatik.hu-berlin.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/KeXG7OZLmyoTcYtici4S0iemNVk>
Subject: Re: [pkix] Why is the crlNumber an OCTET STRING?

Tend to agree with Ernst: if a CRL is copied to an isolated site, then the number seems a better option to determine the latest one.
/Mihran

-----Original Message-----
From: pkix <pkix-bounces@ietf.org> On Behalf Of Ernst G Giessmann
Sent: Thursday, April 22, 2021 09:58
To: pkix@ietf.org
Subject: [**EXTERNAL**] Re: [pkix] Why is the crlNumber an OCTET STRING?

Stefan,
nevertheless it could happen that you get two different CRLs, e.g. from
two different CRL distribution points, both valid (current time inside
thisUpdate and nextUpdate). How do you decide which is the "current" one?
By comparing the corresponding thisUpdate information? And if they are the
same due to lousy accuracy?
If you always implemented it this way, then your implementations are
wrong. The correct check is comparing the CRL numbers.
Sorry.
/Ernst.

On 2021-04-22 at 13:21, Peter Gutmann wrote:
> Stefan Santesson <stefan@aaa-sec.com> writes:
>
>> I have done quite some PKI validation implementations, but I have never found
>> any reason yet to check the CRL number for any reason whatsoever.
>
> Same here, could never figure out what the purpose of it was.  Russ' answer
> about partitioned CRLs makes sense, but I'd never even considered that
> because, like delta CRLs, I've never encountered anyone brave enough to want
> to see what clients do in response to seeing one.
>
>> When I do CRL checking, I download the current CRL, check that it is current
>> and still valid, and has the intended scope.
>>
>> No more, and no less. CRL number is not part of that process.
>
> Yup.
>
>> So basically, I find this interesting intellectually, but in what practical
>> context does this matter?
>
> I've got a client who asked about it, and my response of "I have no idea what
> purpose these things serve" was possibly a bit underwhelming :-).
>
> Peter.
>

_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix
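Ernst's point above (two CRLs that both fall inside their thisUpdate/nextUpdate window cannot be ordered by thisUpdate alone, so a validator must compare the CRL numbers) as an added, runnable illustration. This code is not from the thread or from any implementation the participants mention; the CrlSummary record, the function names and the sample extension bytes are constructed for this example. It decodes the id-ce-cRLNumber extnValue, which per RFC 5280 section 5.2.3 is an OCTET STRING wrapping a DER INTEGER (the encoding the thread's subject asks about), and picks the current CRL as the one with the highest number among those valid at the evaluation time.

```python
"""Choose the current CRL by crlNumber rather than thisUpdate (stdlib only).

The id-ce-cRLNumber extnValue is an OCTET STRING whose contents are a
DER-encoded INTEGER (RFC 5280, section 5.2.3). CRL numbers increase
monotonically within one CRL scope, so the highest number is the newest.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable


def der_unwrap(der: bytes, expected_tag: int) -> bytes:
    """Return the contents of one DER TLV, rejecting a wrong tag,
    truncation, trailing bytes and over-long length fields."""
    if len(der) < 2 or der[0] != expected_tag:
        raise ValueError(f"expected DER tag 0x{expected_tag:02x}")
    length, header = der[1], 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad long-form length")
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    if len(der) != header + length:
        raise ValueError("DER length mismatch or trailing bytes")
    return der[header:]


def decode_crl_number(extn_value: bytes) -> int:
    """Decode crlNumber from the raw extnValue: OCTET STRING -> INTEGER."""
    integer_tlv = der_unwrap(extn_value, 0x04)   # strip OCTET STRING wrapper
    body = der_unwrap(integer_tlv, 0x02)         # strip INTEGER header
    if not body:
        raise ValueError("empty INTEGER")
    # DER requires a minimal encoding: no redundant leading 0x00/0xFF byte
    if len(body) > 1 and (
        (body[0] == 0x00 and body[1] < 0x80)
        or (body[0] == 0xFF and body[1] >= 0x80)
    ):
        raise ValueError("non-minimal INTEGER encoding")
    value = int.from_bytes(body, "big", signed=True)
    if value < 0:
        raise ValueError("crlNumber must be non-negative")   # RFC 5280 5.2.3
    return value


@dataclass(frozen=True)
class CrlSummary:
    """Hypothetical record of the fields a validator has already parsed
    (and signature-verified) from one fetched CRL."""
    source: str                 # e.g. which distribution point served it
    this_update: datetime
    next_update: datetime
    crl_number_extn: bytes      # raw extnValue of id-ce-cRLNumber


def select_current_crl(crls: Iterable[CrlSummary], now: datetime) -> CrlSummary:
    """Among CRLs valid at `now`, return the one with the highest crlNumber.
    Two CRLs with the same thisUpdate cannot be ordered by time alone."""
    valid = [c for c in crls if c.this_update <= now <= c.next_update]
    if not valid:
        raise ValueError("no CRL is valid at the evaluation time")
    return max(valid, key=lambda c: decode_crl_number(c.crl_number_extn))


# Constructed sample: two distribution points serve CRLs with identical
# validity windows; a third, older CRL has already expired.
NOW = datetime(2021, 4, 30, 12, 0, tzinfo=timezone.utc)
_T0 = datetime(2021, 4, 30, 0, 0, tzinfo=timezone.utc)
_T1 = datetime(2021, 5, 7, 0, 0, tzinfo=timezone.utc)
SAMPLE_CRLS = [
    CrlSummary("dp-0", datetime(2021, 4, 20, tzinfo=timezone.utc),
               datetime(2021, 4, 27, tzinfo=timezone.utc),
               bytes.fromhex("0403020104")),                 # crlNumber 4, expired
    CrlSummary("dp-1", _T0, _T1, bytes.fromhex("0403020105")),  # crlNumber 5
    CrlSummary("dp-2", _T0, _T1, bytes.fromhex("0403020106")),  # crlNumber 6
]


if __name__ == "__main__":
    for crl in SAMPLE_CRLS:
        print(crl.source, "crlNumber", decode_crl_number(crl.crl_number_extn))
    print("current CRL:", select_current_crl(SAMPLE_CRLS, NOW).source)
```

The number comparison only orders CRLs of the same scope, so the caller still verifies each CRL's signature, issuer and (if present) issuing distribution point before handing the summaries to select_current_crl; the DER helper is deliberately strict about minimal encodings, trailing bytes and negative values, since a lenient decoder here would let two encodings of the same number be treated as different CRLs.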