Re: [pkix] Delegating certificate revocation

"Erik Andersen" <era@x500.eu> Wed, 08 July 2015 13:15 UTC

Return-Path: <era@x500.eu>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 415571B354C for <pkix@ietfa.amsl.com>; Wed, 8 Jul 2015 06:15:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.41
X-Spam-Level: *
X-Spam-Status: No, score=1.41 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_DK=1.009, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lp9dMcTDQEsE for <pkix@ietfa.amsl.com>; Wed, 8 Jul 2015 06:15:39 -0700 (PDT)
Received: from mail02.dandomain.dk (mail02.dandomain.dk [194.150.112.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 924B51B354B for <pkix@ietf.org>; Wed, 8 Jul 2015 06:15:14 -0700 (PDT)
Received: from Morten ([62.44.134.206]) by mail02.dandomain.dk (DanDomain Mailserver) with ASMTP id 2201507081515094246; Wed, 08 Jul 2015 15:15:09 +0200
From: Erik Andersen <era@x500.eu>
To: '王文正' <wcwang@cht.com.tw>, 'Directory list' <x500standard@freelists.org>, 'PKIX' <pkix@ietf.org>
References: <000201d0b965$8597d4e0$90c77ea0$@x500.eu> <20825998BCB8D84C983674C159E25E753D61D07D@mbs6.app.corp.cht.com.tw>
In-Reply-To: <20825998BCB8D84C983674C159E25E753D61D07D@mbs6.app.corp.cht.com.tw>
Date: Wed, 08 Jul 2015 15:15:10 +0200
Message-ID: <001801d0b980$1ecc6ad0$5c654070$@x500.eu>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0019_01D0B990.E259F5C0"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQEnZye0rHlvOB3wLRCexS1K7tSvAwE9VGpwnxpFo0A=
Content-Language: en-gb
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/KtLwbmg1lFCzv2UGc-rM-UuSTMc>
Subject: Re: [pkix] Delegating certificate revocation
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2015 13:15:42 -0000

Hi Wen-Cheng,

 

Thank you very much for your input.

 

What public-key certificate is then used for signing the ACRL?

 

Kind regard,

 

Erik

 

Fra: pkix [mailto:pkix-bounces@ietf.org] På vegne af ???
Sendt: 08 July 2015 14:47
Til: Directory list; PKIX
Emne: Re: [pkix] Delegating certificate revocation

 

Eric,

 

I think an AA can do that.

 

Actually, there is a paragraph describes how a CA authorizes a different entity to perform revocation.

 

Only a CA that is authorized to issue CRLs may choose to delegate that authority to another entity. If this delegation is

done, it shall be verifiable at the time of certificate/CRL verification. The cRLDistributionPoints extension can be

used for this purpose. The cRLIssuer field of this extension would be populated with the name(s) of any entities, other

than the certificate issuer itself, that have been authorized to issue CRLs concerning the revocation status of the

certificate in question.

 

The same method can be used by an AA. You can simply replace “CA” with “AA”, “CRL” with “ACRL”, “certificate” with “attribute certificate” and done.

 

Only a AA that is authorized to issue ACRLs may choose to delegate that authority to another entity. If this delegation is

done, it shall be verifiable at the time of attribute certificate/ACRL verification. The cRLDistributionPoints extension can be

used for this purpose. The cRLIssuer field of this extension would be populated with the name(s) of any entities, other

than the attribute certificate issuer itself, that have been authorized to issue ACRLs concerning the revocation status of the

attribute certificate in question.

 

That means the AA can include a cRLDistributionPoints extension in attribute certificates and use the cRLIssuer field of this extension to specify the name of the delegated CARL issuer.

 

Wen-Cheng Wang

 

From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Erik Andersen
Sent: Wednesday, July 08, 2015 6:05 PM
To: Directory list; PKIX
Subject: [pkix] Delegating certificate revocation

 

Clause 7.10 of X.509 on Certificate revocation lists states:

 

“the certificate-issuing authority authorizes a different entity to perform revocation.”

 

Can an AA do that, and if yes, how?

 

Regards,

 

Erik 



本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任. 
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.