Re: draft-ietf-pkix-ac509prof -> RFC?
Hideyuki Odahara <odahara@dsa.isl.ntt.co.jp> Fri, 01 June 2001 02:16 UTC
Received: from above.proper.com ([208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id WAA12871 for <pkix-archive@odin.ietf.org>; Thu, 31 May 2001 22:16:22 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id SAA10338 for ietf-pkix-bks; Thu, 31 May 2001 18:30:36 -0700 (PDT)
Received: from tama3.tas.ntt.co.jp (tama3.tas.ntt.co.jp [192.68.248.40]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA10334 for <ietf-pkix@imc.org>; Thu, 31 May 2001 18:30:30 -0700 (PDT)
Received: from nttmail.ecl.ntt.co.jp (nttmail.tas.ntt.co.jp [192.68.248.11]) by tama3.tas.ntt.co.jp (8.9.3+3.2W/3.7W/01/21/00) with ESMTP id KAA14097; Fri, 1 Jun 2001 10:30:14 +0900 (JST) (envelope-from odahara@dsa.isl.ntt.co.jp)
Received: from dsa.isl.ntt.co.jp by nttmail.ecl.ntt.co.jp (8.9.3+3.2W/3.7W/03/21/01) with ESMTP id KAA14253; Fri, 1 Jun 2001 10:30:12 +0900 (JST) (envelope-from odahara@dsa.isl.ntt.co.jp)
Received: from cats by dsa.isl.ntt.co.jp (8.9.3/isl-2.0) id KAA26471; Fri, 1 Jun 2001 10:30:10 +0900 (JST)
Date: Fri, 01 Jun 2001 10:30:46 +0900
From: Hideyuki Odahara <odahara@dsa.isl.ntt.co.jp>
To: stephen.farrell@baltimore.ie
Subject: Re: draft-ietf-pkix-ac509prof -> RFC?
Cc: ietf-pkix@imc.org
In-Reply-To: <3B16112C.15E5BF37@baltimore.ie>
References: <20010530104344.4868.ODAHARA@dsa.isl.ntt.co.jp> <3B16112C.15E5BF37@baltimore.ie>
Message-Id: <20010601100456.8E67.ODAHARA@dsa.isl.ntt.co.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver. 2.00.03
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
List-ID: <ietf-pkix.imc.org>
Content-Transfer-Encoding: 7bit
Sir Thank you for an instant reply. Although not soon set easily to RFC, saying soon, it is waiting to be set to RFC with expectation after this. Moreover, since a question will be asked if there are some questions, please let me know then. Thanks ---------- Hideyuki Odahara $B!'(B odahara@dsa.isl.ntt.co.jp > Hi, > > I'm not entirely clear exactly what question is being asked, > however, I *think* the answer is that I've got to make a few > very minor changes and then that draft will be sent to the RFC > editor. In other words, the work on this specification is done, > it will be an RFC quite soon now, without any substantive > changes being made. > > The minor changes to be made include adding a section saying > that there are no IANA consideration; updating to reflect a > couple of minor changes to the base X.509 document and a change > to allow some s/mime specifications to reference this document > more easily. > > I hope that answers your question, > Regards, > Stephen. > > Hideyuki Odahara wrote: > > > > Mr. Stephen Farrell > > > > Thank you for your reply the example of use of an attribute the other > > day. > > I would like you to teach about RFC-izing of draft-ietf-pkix-ac509prof > > today, and mail was given. While it is said that ac509prof has near > > RFC-izing, it is not RFC-ized easily. Now, would you the argument is > > progressing how much and teach [ when to RFC-be due to beized and ] this > > draft? > > Although humiliated a busy place, I ask of you well. > > > > thanks Received: by above.proper.com (8.9.3/8.9.3) id VAA15692 for ietf-pkix-bks; Thu, 31 May 2001 21:17:45 -0700 (PDT) Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id VAA15686; Thu, 31 May 2001 21:17:39 -0700 (PDT) Received: from laptop (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f514Hfl20633; Thu, 31 May 2001 21:17:41 -0700 (PDT) From: "Michael Myers" <mike@traceroutesecurity.com> To: "Paul Hoffman / IMC" <phoffman@imc.org>, <ietf-pkix@imc.org> Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list Date: Thu, 31 May 2001 21:17:07 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDCEJCCBAA.mike@traceroutesecurity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <p05100330b73c94b28f54@[165.227.249.18]> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Paul, This is actually what I had in mind in the long run, an IANA level doc. I for one think we're close enough to get the machinery moving but I'm deferring to you and Russ and whomever else to come back and say whether that's a feasible thing to do or not right now. Mike > -----Original Message----- > From: Paul Hoffman / IMC > > . . . > > - Make it an IANA registry > > . . . > > [etc. re: IANA] > > . . . > > Do we think we are ready enough for that yet? Received: by above.proper.com (8.9.3/8.9.3) id SAA10338 for ietf-pkix-bks; Thu, 31 May 2001 18:30:36 -0700 (PDT) Received: from tama3.tas.ntt.co.jp (tama3.tas.ntt.co.jp [192.68.248.40]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA10334 for <ietf-pkix@imc.org>; Thu, 31 May 2001 18:30:30 -0700 (PDT) Received: from nttmail.ecl.ntt.co.jp (nttmail.tas.ntt.co.jp [192.68.248.11]) by tama3.tas.ntt.co.jp (8.9.3+3.2W/3.7W/01/21/00) with ESMTP id KAA14097; Fri, 1 Jun 2001 10:30:14 +0900 (JST) (envelope-from odahara@dsa.isl.ntt.co.jp) Received: from dsa.isl.ntt.co.jp by nttmail.ecl.ntt.co.jp (8.9.3+3.2W/3.7W/03/21/01) with ESMTP id KAA14253; Fri, 1 Jun 2001 10:30:12 +0900 (JST) (envelope-from odahara@dsa.isl.ntt.co.jp) Received: from cats by dsa.isl.ntt.co.jp (8.9.3/isl-2.0) id KAA26471; Fri, 1 Jun 2001 10:30:10 +0900 (JST) Date: Fri, 01 Jun 2001 10:30:46 +0900 From: Hideyuki Odahara <odahara@dsa.isl.ntt.co.jp> To: stephen.farrell@baltimore.ie Subject: Re: draft-ietf-pkix-ac509prof -> RFC? Cc: ietf-pkix@imc.org In-Reply-To: <3B16112C.15E5BF37@baltimore.ie> References: <20010530104344.4868.ODAHARA@dsa.isl.ntt.co.jp> <3B16112C.15E5BF37@baltimore.ie> Message-Id: <20010601100456.8E67.ODAHARA@dsa.isl.ntt.co.jp> MIME-Version: 1.0 Content-Type: text/plain; charset="ISO-2022-JP" Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver. 2.00.03 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Sir Thank you for an instant reply. Although not soon set easily to RFC, saying soon, it is waiting to be set to RFC with expectation after this. Moreover, since a question will be asked if there are some questions, please let me know then. Thanks ---------- Hideyuki Odahara $B!'(B odahara@dsa.isl.ntt.co.jp > Hi, > > I'm not entirely clear exactly what question is being asked, > however, I *think* the answer is that I've got to make a few > very minor changes and then that draft will be sent to the RFC > editor. In other words, the work on this specification is done, > it will be an RFC quite soon now, without any substantive > changes being made. > > The minor changes to be made include adding a section saying > that there are no IANA consideration; updating to reflect a > couple of minor changes to the base X.509 document and a change > to allow some s/mime specifications to reference this document > more easily. > > I hope that answers your question, > Regards, > Stephen. > > Hideyuki Odahara wrote: > > > > Mr. Stephen Farrell > > > > Thank you for your reply the example of use of an attribute the other > > day. > > I would like you to teach about RFC-izing of draft-ietf-pkix-ac509prof > > today, and mail was given. While it is said that ac509prof has near > > RFC-izing, it is not RFC-ized easily. Now, would you the argument is > > progressing how much and teach [ when to RFC-be due to beized and ] this > > draft? > > Although humiliated a busy place, I ask of you well. > > > > thanks Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id RAA07558 for ietf-pkix-bks; Thu, 31 May 2001 17:51:01 -0700 (PDT) Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA07551 for <ietf-pkix@imc.org>; Thu, 31 May 2001 17:50:56 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GE800B017PHQV@ext-mail.valicert.com> for ietf-pkix@imc.org; Thu, 31 May 2001 17:51:17 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GE800B9D7PGKK@ext-mail.valicert.com>; Thu, 31 May 2001 17:51:16 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26TYCR>; Thu, 31 May 2001 17:48:21 -0700 Content-return: allowed Date: Thu, 31 May 2001 17:48:21 -0700 From: Peter Williams <peterw@valicert.com> Subject: RE: cA flag and CRL issuers To: Tony Bartoletti <azb@llnl.gov> Cc: ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E01F4A210@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> I think this was very good news. Let me put Steve's apparent statements in simpler, declarative form in which each numbered assertion is a self-contained truth devoid of context, other than perhaps assuming the truth of an earlier numbered assertion: 1. OCSP can be used in side-effect modes. 2. It is legitimate to use OCSP responder working in a side effect mode to achieve the goals T&B cite 3. You can "rely" on an OCSP responder/response. 4. You can combine an OCSP side effect mode with reliance on an OCSP responder/respose. 5. A relying party can rely upon an OCSP responder working in side effect mode "V" as "a local means of asserting per-certificate validity judgements that might override those of the CA who issued a cert." 6. To use and rely on an OCSP responder operating in side effect mode "V" is to be operating in a manner compatible with the PKIX overall model. 7. The same general theory holds for a DPV server. Do you agree that some or all of my numbered assertions are consistent with Steve's message, as you intepreted it? -----Original Message----- From: Stephen Kent [mailto:kent@bbn.com] Sent: Wednesday, May 30, 2001 7:24 PM To: Tony Bartoletti Cc: ietf-pkix@imc.org Subject: Re: cA flag and CRL issuers Tony & Bob, This discussion re revocation seems to be colored by excessive use of the term "trust." It's common to use that term in discussing PKIs, and the public CA approach to PKI, exemplified by VeriSIgn, encourages that notion, because such CA are viable only if "trusted." However, that is not the only way to think about roles in a PKI. If CAs are aligned with physical world entities that are authoritative for the data contained in certs, e.g., companies issuing certs for employees, then these CAs are not "trusted" in the same way that one trusts a public CA. Moreover, CAs of this sort are authoritative for revocation, just as they are authoritative for cert issuance. Tony seems to agree with this observation, but Bob feels that this is a naive model re NR. I will remind Bob that NR is not the only focus of PKI, that this WG has expended way to much time arguing about NR matters that seem to never be fully resolved in the technical domain, and that the lack of uniform agreement re NR requirements suggests that no single view of technical support for NR can be considered authoritative. What you tow are suggesting is a local means of asserting per-certificate validity judgements that might override those of the CA who issued a cert. While I can appreciate the motivations that you cite for this, they are simply not consistent with the overall X.509 or PKIX models. We cannot tailor the specs to compensate for questionable PKI implementation designs in apps such as browsers. OCSP does allow for local configuration of a local source for revocation information, and that would allow one to achieve the goals you cite, if one relied on OCSP for revocation status. DPV will allow a similar configuration capability. So, I suggest that you be content with the ability to achieve the stated effects via these other protocols, which will provide the capability as a side effect of their other design goals. Steve Received: by above.proper.com (8.9.3/8.9.3) id RAA07491 for ietf-pkix-bks; Thu, 31 May 2001 17:49:24 -0700 (PDT) Received: from [165.227.249.18] (ip18.proper.com [165.227.249.18]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA07486 for <ietf-pkix@imc.org>; Thu, 31 May 2001 17:49:19 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org Message-Id: <p05100330b73c94b28f54@[165.227.249.18]> In-Reply-To: <EOEGJNFMMIBDKGFONJJDCEIJCBAA.mike@traceroutesecurity.com> References: <EOEGJNFMMIBDKGFONJJDCEIJCBAA.mike@traceroutesecurity.com> Date: Thu, 31 May 2001 17:48:23 -0700 To: ietf-pkix@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> At 2:44 PM -0700 5/31/01, Michael Myers wrote: >I (and I hope others too) deeply appreciate what Paul's doing for us but in >the longer run I'm little bit concerned of direct linkage to a potentially >ephemeral Web site. I recall my aggravation years ago at having to hunt >down authoritative references to OIW OIDs. So, you got a few choices: - Let { Paul | Tim | Steve | Russ | Peter :-) | someone } keep it on a web site that is hopefully well-known - Put it in an Internet Draft that has to be updated at least every six months and is hopefully well-known - Put it into an RFC that will be well-known but won't change - Make it an IANA registry The last one is preferable, if and only if we can come up with a clear and sensible mechanism for IANA to follow. That is the difficult part. This thread shows exactly how hard it is. The IANA folks are good record keepers, and they don't know diddly about ASN.1 or PKIX, nor do they want to learn about it. Probably the best way to let IANA run it is to have them not do the management, but to have an "OID reviewer" run a mailing list and that person is the only one who can tell IANA how the registry should change. This is essentially what we are doing now, except that the registry is on a web server somewhere, not at IANA. At the point we think the registry is well-cooked, someone must write an Internet Draft with the IANA rules, have it cycle here in the WG for a while, and eventually become an RFC. At that point, the registry goes to IANA. Do we think we are ready enough for that yet? --Paul Hoffman, Director --Internet Mail Consortium Received: by above.proper.com (8.9.3/8.9.3) id PAA00858 for ietf-pkix-bks; Thu, 31 May 2001 15:58:55 -0700 (PDT) Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA00853 for <ietf-pkix@imc.org>; Thu, 31 May 2001 15:58:50 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id MA0R2DCD; Thu, 31 May 2001 15:52:07 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: <pgut001@cs.auckland.ac.nz>, <mike@traceroutesecurity.com>, <myers@coastside.net>, <rhousley@rsasecurity.com> Cc: <ietf-pkix@imc.org> Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list Date: Thu, 31 May 2001 15:56:03 -0700 Message-ID: <KHEDLMGGCCGHDAAKNAFOEEGMCAAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <99134725610945@kahu.cs.auckland.ac.nz> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Perhaps when (someday) PKIX concludes, the OIDs can be documented in a non-ephemeral RFC. Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Peter Gutmann Sent: Friday, June 01, 2001 10:14 AM To: mike@traceroutesecurity.com; myers@coastside.net; rhousley@rsasecurity.com Cc: ietf-pkix@imc.org Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list "Michael Myers" <mike@traceroutesecurity.com> writes: >I (and I hope others too) deeply appreciate what Paul's doing for us but in >the longer run I'm little bit concerned of direct linkage to a potentially >ephemeral Web site. As opposed to a non-ephemeral IETF draft? Peter :-). Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id PAA29270 for ietf-pkix-bks; Thu, 31 May 2001 15:29:58 -0700 (PDT) Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA29249 for <ietf-pkix@imc.org>; Thu, 31 May 2001 15:29:51 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id SAA24203 for <ietf-pkix@imc.org>; Thu, 31 May 2001 18:29:53 -0400 (EDT) Message-Id: <4.2.0.58.20010531181434.020cf290@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 31 May 2001 18:29:47 -0400 To: ietf-pkix@imc.org From: Tim Polk <tim.polk@nist.gov> Subject: draft delta crl text In-Reply-To: <5.0.1.4.2.20010531101210.01dfacd0@exna07.securitydynamics. com> References: <sb14cdc4.096@cesg.gsi.gov.uk> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=====================_180332535==_" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> --=====================_180332535==_ Content-Type: text/plain; charset="us-ascii"; format=flowed Folks, Russ Housley, David Cooper, and I have tried to draft what we hope *will become* consensus text for the delta CRL and CRL number text. We believe that the attached text clarifies (1) the requirements for "conforming applications that support CRLs", (2) the CRL issuer's responsibilities when including the delta CRL indicator and CRL number extensions, (3) the algorithm followed by a CRL issuer when determining what certificates should be listed on a delta CRL, and (4) the algorithm followed by an application when determining whether a complete CRL and a delta CRL may be combined. To do this we have introduced a number of changes, beginning in section 3. In section 3, we introduce the "CRL issuer" in an enhanced version of the ASCII art model of a pKI (figure 1.) In section 5, we define several more terms including CRL scope, base CRL, delta CRL and complete CRL. All this was necessary to set the stage for the CRL number extension and delta CRL indicator extension text. Please read these excerpts carefully. We believe that the text is flexible enough to support reasonable implementations of delta CRLs, does not unduly burden clients that wish to support deltas, and is consistent with X.509. When you read this please ask yourself if you can *live* with it. The attachment contains the following excerpts: Figure 1 from section 3, section 5 (the intro to CRLs), section 5.2.3 (CRL number extension) and 5.2.4 (delta CRL indicator extension). Please ignore the blank spaces; I was trying to remove anything irrelevant to this discussion. Thanks, Tim Polk --=====================_180332535==_ Content-Type: text/plain; charset="us-ascii" Content-Disposition: attachment; filename="deltacrl.txt" INTERNET DRAFT May 2001 +---+ | C | +------------+ | e | <-------------------->| End entity | | r | Operational +------------+ | t | transactions ^ | i | and management | Management | f | transactions | transactions | i | | PKI users | c | v | a | ======================= +--+------------+ ============== | t | ^ ^ | e | | | PKI management | | v | entities | & | +------+ | | | <---------------------| RA |<----+ | | C | Publish certificate +------+ | | | R | | | | L | | | | | v v | R | +------------+ | e | <------------------------------| CA | | p | Publish certificate +------------+ | o | Publish CRL ^ ^ | s | | | Management | i | +------------+ | | transactions | t | <--------------| CRL Issuer |<----+ | | o | Publish CRL +------------+ v | r | +------+ | y | | CA | +---+ +------+ Figure 1 - PKI Entities The components in this model are: end entity: user of PKI certificates and/or end user system that is the subject of a certificate; CA: certification authority; RA: registration authority, i.e., an optional system to which a CA delegates certain management functions; CRL issuer: an optional system to which a CA delegates the publication of certificate revocation lists; repository: a system or collection of distributed systems that store certificates and CRLs and serves as a means of distributing these certificates and CRLs to end entities. Housley, Ford, Polk, & Solo [Page 9] INTERNET DRAFT May 2001 5 CRL and CRL Extensions Profile As described above, one goal of this X.509 v2 CRL profile is to foster the creation of an interoperable and reusable Internet PKI. To achieve this goal, guidelines for the use of extensions are specified, and some assumptions are made about the nature of information included in the CRL. CRLs may be used in a wide range of applications and environments covering a broad spectrum of interoperability goals and an even broader spectrum of operational and assurance requirements. This profile establishes a common baseline for generic applications requiring broad interoperability. The profile defines a set of information that can be expected in every CRL. Also, the profile defines common locations within the CRL for frequently used attributes as well as common representations for these attributes. The entity that issues the CRL is referred to as the CRL issuer. In Housley, Ford, Polk, & Solo [Page 47] INTERNET DRAFT May 2001 general, CAs publish CRLs to provide status information on the certificates they generated. However, a CA MAY delegate this responsibility to another trusted authority. Whenever the CRL issuer is not the CA that issued the certificates, the CRL is referred to as an indirect CRL. Each CRL has a particular scope. The CRL scope is the set of certificates that could appear on a given CRL. For example, the scope could be "all certificates issued by CA X", "all CA certificates issued by CA X", "all certificates issued by CA X that have been revoked for reasons of key compromise and CA compromise", or could be a set of certificates based on arbitrary local information, such as "all certificates issued to the NIST employees located in Boulder". A complete CRL lists all un-expired certificates, within its scope, that have been revoked for one of the revocation reasons covered by the CRL scope. The CRL issuer MAY also generate delta CRLs. A delta CRL only lists those un-expired certificates, within its scope, whose revocation status has changed since the issuance of a referenced complete CRL. The referenced complete CRL is referred to as a base CRL. The scope of a delta CRL MUST be the same as the base CRL that it references. This profile does not define any private Internet CRL extensions or CRL entry extensions. Environments with additional or special purpose requirements may build on this profile or may replace it. Conforming CAs are not required to issue CRLs if other revocation or certificate status mechanisms are provided. Conforming CAs that issue CRLs MUST issue version 2 CRLs, include the date by which the next CRL will be issued in the nextUpdate field (see sec. 5.1.2.5), include the CRL number extension (see sec. 5.2.3), and include the authority key identifier extension (see sec. 5.2.1). Conforming applications that support CRLs are required to process both version 1 and 2 CRLs that are complete for a given scope. Conforming applications are not required to support processing of delta CRLs or indirect CRLs. <<stuff deleted>> Housley, Ford, Polk, & Solo [Page 48] INTERNET DRAFT May 2001 5.2.3 CRL Number The CRL number is a non-critical CRL extension which conveys a monotonically increasing sequence number for a given CRL scope and CRL issuer. This extension allows users to easily determine when a particular CRL supersedes another CRL. CRL issuers conforming to this profile MUST include this extension in all CRLs. If a CRL issuer generates delta CRLs in addition to complete CRLs for a given scope, the complete CRLs and delta CRLs MUST share one numbering sequence. If a delta CRL and a complete CRL that cover the same scope are issued at the same time, they MUST have the same CRL number. This indicates that the combination of the delta CRL and an acceptable complete CRL provide the same revocation information as the simultaneously issued complete CRL. If a CRL issuer generates a delta CRL and a complete CRL at different times, the delta and complete CRL MUST NOT have the same CRL number. That is, if the this update field (see sec. 5.1.2.4.) in the delta and complete CRL are not identical, the CRL numbers are required to be different. id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } cRLNumber ::= INTEGER (0..MAX) 5.2.4 Delta CRL Indicator The delta CRL indicator is a critical CRL extension that identifies a CRL as being a delta CRL. Delta CRLs contain updates to revocation information previously distributed, rather than all the information that would appear in a complete CRL. The use of delta CRLs can significantly reduce network load and processing time in some environments. Delta CRLs are generally smaller than the CRLs they update, so applications that obtain delta CRLs consume less network bandwidth than applications that obtain the corresponding complete CRLs. Applications which store revocation information in a format other than the CRL structure can add new revocation information to the local database without reprocessing information. The delta CRL indicator extension contains the single value of type BaseCRLNumber. This value identifies the CRL number of the base CRL that was used as the foundation in the generation of this delta CRL. The referenced base CRL is a CRL that was explicitly issued as a CRL that is complete for a given scope. The CRL containing the delta CRL indicator extension contains all updates to the certificate revocation status for that same scope. The combination of a CRL containing the delta CRL indicator extension plus the CRL referenced Housley, Ford, Polk, & Solo [Page 54] INTERNET DRAFT May 2001 in the BaseCRLNumber component of this extension is equivalent to a complete CRL, for the applicable scope, at the time of publication of the delta CRL. When a conforming CRL issuer generates a delta CRL, the delta CRL MUST include a critical delta CRL indicator extension. When a delta CRL is issued, it MUST cover the same set of reasons and the same set of certificates that were covered by the base CRL it references. That is, the scope of the delta CRL MUST be the same as the scope of the complete CRL referenced as the base. An application that supports delta CRLs can construct a CRL that is complete for a given scope, at the current time, in either of the following ways: (a) by retrieving the current delta CRL for that scope, and combining it with an issued CRL that is complete for that scope and that has a cRLNumber greater than or equal to the base CRL number referenced in the current delta CRL; or (b) by retrieving the current delta CRL for that scope and combining it with a locally constructed CRL whose cRLNumber is greater than or equal to the base CRL number referenced in the current delta CRL. When a delta CRL is combined with a complete CRL or a locally constructed CRL, the resulting locally constructed CRL has the CRL number specified in the CRL number extension found in the delta CRL used in its construction. A complete CRL and a delta CRL MUST NOT be combined unless both of the following conditions are satisfied: (a) The CRL number specified in the complete CRL MUST be greater than or equal to the CRL number of the base CRL referenced in the delta CRL. That is, the complete CRL contains (at a minimum) all the revocation information held by the referenced base CRL. (b) The CRL number of the complete CRL MUST be less than the CRL number of the delta CRL. That is, the delta CRL follows the complete CRL in the numbering sequence. CRL issuers MUST ensure that the combination of a delta CRL and any appropriate complete CRL accurately reflects the current status of revocation. For each certificate whose status has changed since the generation of the referenced base CRL: Housley, Ford, Polk, & Solo [Page 55] INTERNET DRAFT May 2001 (a) If the certificate is revoked for a reason included in the scope of the CRL, list the certificate as revoked. (b) If not (a), list the certificate with the reason code removeFromCRL. It is appropriate to list a certificate with reason code removeFromCRL on a delta CRL even if the certificate was not on hold on the referenced base CRL. If the certificate was placed on hold on any CRL issued after the base but before this delta CRL and then released from hold, it MUST be listed on the delta CRL with revocation reason removeFromCRL. Applications that support delta CRLs are not required to support local construction of CRLs. Since the delta CRLs are required to reference a base CRL that was explicitly issued as a complete CRL, the information required to process delta CRLs is always available in a complete CRL. id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } baseCRLNumber ::= CRLNumber Housley, Ford, Polk, & Solo [Page 56] --=====================_180332535==_-- Received: by above.proper.com (8.9.3/8.9.3) id PAA28152 for ietf-pkix-bks; Thu, 31 May 2001 15:14:21 -0700 (PDT) Received: from mail.ec.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.201]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA28148 for <ietf-pkix@imc.org>; Thu, 31 May 2001 15:14:15 -0700 (PDT) Received: from kahu.cs.auckland.ac.nz (pgut001@kahu.cs.auckland.ac.nz [130.216.36.13]) by mail.ec.auckland.ac.nz (8.9.3/8.8.6/cs-master) with SMTP id KAA23795; Fri, 1 Jun 2001 10:14:16 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by kahu.cs.auckland.ac.nz (relaymail v0.9) id <99134725610945>; Fri, 1 Jun 2001 10:14:16 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: mike@traceroutesecurity.com, myers@coastside.net, rhousley@rsasecurity.com Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list Cc: ietf-pkix@imc.org Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on kahu.cs.auckland.ac.nz Date: Fri, 1 Jun 2001 10:14:16 (NZST) Message-ID: <99134725610945@kahu.cs.auckland.ac.nz> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> "Michael Myers" <mike@traceroutesecurity.com> writes: >I (and I hope others too) deeply appreciate what Paul's doing for us but in >the longer run I'm little bit concerned of direct linkage to a potentially >ephemeral Web site. As opposed to a non-ephemeral IETF draft? Peter :-). Received: by above.proper.com (8.9.3/8.9.3) id OAA27506 for ietf-pkix-bks; Thu, 31 May 2001 14:45:16 -0700 (PDT) Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA27492 for <ietf-pkix@imc.org>; Thu, 31 May 2001 14:45:10 -0700 (PDT) Received: from laptop (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f4VLj8x01401; Thu, 31 May 2001 14:45:08 -0700 (PDT) From: "Michael Myers" <mike@traceroutesecurity.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, "Michael Myers" <myers@coastside.net> Cc: <ietf-pkix@imc.org> Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list Date: Thu, 31 May 2001 14:44:32 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDCEIJCBAA.mike@traceroutesecurity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-Reply-To: <5.0.1.4.2.20010531150312.01ee5af0@exna07.securitydynamics.com> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Russ, I (and I hope others too) deeply appreciate what Paul's doing for us but in the longer run I'm little bit concerned of direct linkage to a potentially ephemeral Web site. I recall my aggravation years ago at having to hunt down authoritative references to OIW OIDs. Mike Michael Myers t: +415.819.1362 e: mailto:mike@traceroutesecurity.com w: http://www.traceroutesecurity.com > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org > [mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Housley, Russ > Sent: Thursday, May 31, 2001 12:06 PM > To: Michael Myers > Cc: ietf-pkix@imc.org > Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list > > > I can certainly publish the OID list periodically in an I-D. Say > every six > months. In the I-D, I can say that the files on the IMC web site are > updated more frequently. Are there document editors that do not > know this > already? > > Russ > > At 03:38 PM 5/29/2001 -0700, Michael Myers wrote: > >I think so Russ. At a minimum we need to leave behind a highly > visible and > >definitive OID structure. In my opinion PKIX isn't done until > we document > >all that we've defined. > > > >Mike > > > > > > > >Michael Myers > >t: +415.819.1362 > >e: mailto:mike@traceroutesecurity.com > >w: http://www.traceroutesecurity.com > > > > > -----Original Message----- > > > From: Housley, Russ [mailto:rhousley@rsasecurity.com] > > > Sent: Tuesday, May 29, 2001 2:32 PM > > > To: Michael Myers > > > Cc: Russ Housley; ietf-pkix@imc.org > > > Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list > > > > > > > > > Mike: > > > > > > This seems like a reasonable thing to do as the PKIX WG is winding > > > down. Is there really any point in a document that documents the > > > current snapshot? > > > > > > Russ > > > > > > At 02:13 PM 5/29/2001 -0700, Michael Myers wrote: > > > >Russ, > > > > > > > >Good to hear of this. Thanks. Any chance for an Informational > > > >I-D laying out the OID structure? I'm willing to help. > > > > > > > >Mi > Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id NAA22384 for ietf-pkix-bks; Thu, 31 May 2001 13:49:50 -0700 (PDT) Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA22375 for <ietf-pkix@imc.org>; Thu, 31 May 2001 13:49:44 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <L7GNSQ0Z>; Thu, 31 May 2001 16:49:15 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD02389B42@sottmxs09.entrust.com> From: Carlisle Adams <carlisle.adams@entrust.com> To: "'tim.polk@nist.gov'" <tim.polk@nist.gov>, "'kent@bbn.com'" <kent@bbn.com>, "'rgm@icsalabs.com'" <rgm@icsalabs.com> Cc: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org>, "'ca-talk@icsa.net'" <ca-talk@icsa.net> Subject: CMP and CRMF (again)... Date: Thu, 31 May 2001 16:49:15 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0EA13.27402F90" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0EA13.27402F90 Content-Type: text/plain Hi all, I have submitted "draft-ietf-pkix-rfc2510bis-04.txt" and "draft-ietf-pkix-rfc2511bis-02.txt" to the internet-drafts address; they should show up soon at the usual repositories. As you may know, calls for a clean-up of the ASN.1 modules in CMP and CRMF have necessitated yet another revision of the specs. One of those "callers" has been kind enough to look over the revised ASN.1 modules. Although they're still not ideal (88 syntax importing 93 or 97 syntax, mixing EXPLICIT and IMPLICIT in the process), the fixable syntax errors (adding a semicolon to the end of the IMPORT section, etc.) have been fixed and he can live with these improved versions. As well, I've taken this opportunity to make a small number of other minor changes to take into account feedback from Peter Gutmann, YongChul Kwon, Jeff Brinskelle, and Magnus Nystrom; see pages 23 ("senderKID" text), 28 ("For simplicity" text), 36 ("rand" text), 46 ("Supported Languages" section; see also p.87), and 76 (1st and 3rd paragraph, and 1st bullet). Call me starry-eyed, but I persist in my belief that these specs are now ready to go to IESG for consideration for advancement to Draft Standard status. Interoperability testing has been on-going, and increasingly successful, over the past couple of years and the necessary clarifications have been reflected in the drafts since RFCs 2510 and 2511. Bob: could you please ensure that some document reflecting the successful interoperability testing of all the MUSTs and SHOULDs is sent to Tim and Steve as soon as possible? Tim, Steve: once you receive this document from Bob, could you please begin the process of moving these onto the IESG agenda? Thanks again to everyone for all the feedback over the years on these specs! Carlisle. ------_=_NextPart_001_01C0EA13.27402F90 Content-Type: text/html Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>CMP and CRMF (again)...</TITLE> </HEAD> <BODY> <P><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Times New Roman">Hi = all,</FONT> </P> <P><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Times New Roman">I have = submitted</FONT> <FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Times New = Roman">"draft-ietf-pkix-rfc251</FONT><FONT COLOR=3D"#0000FF" = SIZE=3D2 FACE=3D"Times New Roman">0</FONT><FONT COLOR=3D"#0000FF" = SIZE=3D2 FACE=3D"Times New Roman">bis-0</FONT><FONT COLOR=3D"#0000FF" = SIZE=3D2 FACE=3D"Times New Roman">4</FONT><FONT COLOR=3D"#0000FF" = SIZE=3D2 FACE=3D"Times New Roman">.txt"</FONT><FONT = COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Times New Roman"> and = "draft-ietf-pkix-rfc2511bis-02.txt" to the internet-drafts = address; they should show up soon at the usual repositories.</FONT></P> <P><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Times New Roman">As you may = know, calls for a clean-up of the ASN.1 modules in CMP and CRMF have = necessitated yet another revision of the specs. One of those = "callers" has been kind enough to look over the revised ASN.1 = modules. Although they're still not ideal (88 syntax importing 93 = or 97 syntax, mixing EXPLICIT and IMPLICIT in the process), the fixable = syntax errors (adding a semicolon to the end of the IMPORT section, = etc.) have been fixed and he can live with these improved = versions.</FONT></P> <P><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Times New Roman">As well, = I've taken this opportunity to make a small number of other minor = changes to take into account feedback from Peter Gutmann, YongChul = Kwon, Jeff Brinskelle, and Magnus Nystrom; see pages 23 = ("senderKID" text), 28 ("For simplicity" text), 36 = ("rand" text), 46 ("Supported Languages" section; = see also p.87), and 76 (1st and 3rd paragraph, and 1st = bullet).</FONT></P> <P><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Times New Roman">Call me = starry-eyed, but I persist in my belief that these specs are now ready = to go to IESG for consideration for advancement to Draft Standard = status. Interoperability testing has been on-going, and = increasingly successful, over the past couple of years and the = necessary clarifications have been reflected in the drafts since RFCs = 2510 and 2511.</FONT></P> <P><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Times New Roman">Bob: = could you please ensure that some document reflecting the successful = interoperability testing of all the MUSTs and SHOULDs is sent to Tim = and Steve as soon as possible?</FONT></P> <P><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Times New Roman">Tim, = Steve: once you receive this document from Bob, could you please = begin the process of moving these onto the IESG agenda?</FONT></P> <P><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Times New Roman">Thanks = again to everyone for all the feedback over the years on these = specs!</FONT> </P> <P><FONT COLOR=3D"#0000FF" SIZE=3D2 FACE=3D"Times New = Roman">Carlisle.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0EA13.27402F90-- Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id NAA21435 for ietf-pkix-bks; Thu, 31 May 2001 13:36:28 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA21428 for <ietf-pkix@imc.org>; Thu, 31 May 2001 13:36:21 -0700 (PDT) Received: from INET-PRV-MTA by prv-mail20.provo.novell.com with Novell_GroupWise; Thu, 31 May 2001 14:35:44 -0600 Message-Id: <sb1656c0.027@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 6.0 Date: Thu, 31 May 2001 14:36:16 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <azb@llnl.gov>, <rhousley@rsasecurity.com> Cc: <ietf-pkix@imc.org>, <dpkemp@missi.ncsc.mil> Subject: Re: cA flag and CRL issuers Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id NAA21429 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Russ, The more that I think about it, the more I believe that what Tony and I (and Peter Williams) are getting at is the difference between a rather blind syntactic validation of a certificate chain, including the binding between the certificate contents and the public key by the issuer's signature, vs. the somewhat more amorphous notion of "trust" -- not of the certificate, but of the designated entity. As Steve correctly points out, although "trust" is a rather slippery concept, it is unavoidable, at least with respect to the CA. Whatever it means, and that is really and finally in the eye of the beholder, i.e., the relying party, if you don't "trust" the CA, you certainly shouldn't include their root in your browser's list of trusted roots. But why should this be so? After all, whether they would admit it or not, Microsoft and Netscape serve very well as de facto global CAs by including a collection of CA roots in their browsers. And I believe that code is signed, as well. So presumably there isn't any question as to whether those roots are syntactically valid or not, and their CPS is effectively embedded in their click-wrapped contract which you have to accept before installing the product. Well, one possible reason for rejecting some CA's certificate is that you don't like, trust, or agree with the due diligence that CA has decided to provide, or maybe you don't feel comfortable with the digital signature statutes of Afghanistan or Zambia, or the state-run CA of Iraq, or the Mafia. So despite the fact that there is no disagreement that the name of the CA has been accurately conveyed with appropriate due diligence, or that the public key (and hence the private key, indirectly) has been properly bound to that name and not compromised or revoked, nonetheless we don't choose to accept that CA's certificate. But isn't this inconsistent with the "identity is all that matters" PKI philosophy some would espouse? If you agree that there are circumstances where you as the relying party might choose not to trust a CA, despite the fact that all of the circumstances of the signature chain are in order, then why shouldn't the same logic apply to an end user, someone who is much more likely to cause me some harm than the CA is? It really shouldn't matter why I choose not to trust that individual -- maybe he is gay, or a Boy Scout, or a red-head, or an Iraqi terrorist; or all of the above -- I simply choose to trust him, or to accept his credentials. (And to disagree with Steve on one point, this has nothing to do with nonrepudiation.) But t answer your question, just because I choose not to trust some entity, or their certificate, or the horse they rode in on, doesn't mean that their certificate is suddenly invalid from a global perspective, or that someone else might quite legitimately continue to trust the entity. And so I have very little cause to even ask the CA to revoke the certificate, and certainly no way to compel the CA to do so. And it wouldn't be right. That view is consistent with not accepting a CA's certificate in a browser, and it is also consistent with the local policy control mechanism which has already been accepted in RFC in the case of OCSP. So it is really the CRL path validation mechanism that we are treating inconsistently. Now, I will certainly grant that there would be other ways to control the acceptance of a certificate, other than the CRL mechanism. I could certainly add that certificate to a directory of blackballed certificates. But the question is, who would use such a mechanism? As a single end-user enterprise, I certainly can't afford to go off and rewrite all of the browsers, SSL, and S/MIME code I have lying around, not to mention Adobe Acrobat, a number of forms processors, B2B transaction processors, etc. It is simply too huge a job. And even if I could somehow cajole one vendor into doing it, that doesn't solve the problem -- I need EVERYONE to do it with one uniform mechanism, or the system is still broken. Maybe I'm missing a technical nuance or "gotcha" somewhere, but I continue to believe that a local CRL chain that is tied back to a trusted root in the browser, i.e., my own Enterprise's certificate, solves these problems almost automatically, and with little if any changes required to existing code. If that simply can't be made to work without upsetting the apple cart, then I suppose we (or the RP) could jettison support for CRLs entirely and just use OCSP, but that seems both inconsistent from a standards perspective and undesirable from a performance standpoint in some cases. Regards, Bob >>> "Housley, Russ" <rhousley@rsasecurity.com> 05/31/01 08:47AM >>> Tony: If YourOrg decides that a particular UserNameN and UserKeyN that was certified by WhoeverCA, they can do so. PKIX does not (and I think should not) have a standard mechanism to do so. If YourOrg feels that one certificate issued by WhoeverCA should be revoked, and WhoeverCA has not/will not revoke it, then why would YourOrg continue to trust WhoeverCA for any certificates? It seems to me that the WhoeverCA certificate should be revoked or removed from the certificate trust list. Russ At 11:43 AM 5/30/2001 -0700, Tony Bartoletti wrote: >At 10:10 AM 5/30/01 -0400, you wrote: >>3) An authority stands up on its own with no CA blessing, and overtly claims >>that it will not reflect the CA's revocation status, but instead will reflect >>some local policy such as an employee's right to access company assets. >> >>By dictionary and common sense, #3 is not a "Certificate Revocation List", >>it is an "Access Control List". You and Tony argue that it is a good idea >>to mix authentication and access control because such mixing is expedient -- >>products support revocation of authentication credentials but do not widely >>support access control. You further argue that the PKIX path validation >>algorithm should be modified to officially sanction the merging of >>authentication and access control. >> >>I argue that such merging (done unofficially) is a bad idea from a security >>point of view, and it would be an even worse idea to modify X.509 and >>PKIX to officially support non-CA-authorized CRL signers. > >Dave, > >I agree that mixing (identity) authentication and authorization is bad >(however expedient.) > >My issue, perhaps academic, was not one of authorization. I intend that >the RP (or RP organization) unilaterally declares that binding of identity >(DN) to key is voided. The net result might not be the same regarding >authorization. If an "identity" binding fails, there may be myriad >separate authorizations the need to be revoked, but only the one name-key >binding. > >I argue the RP has a right to declare the CA-issued certificate to be >"null and void", and to be able to promote this declaration throughout the >organization. > >Perhaps this "should" be accomplished by having the RP-organization-as-CA >issue its own certification for every public key of possible interest, in >which case it could revoke according to the present mechanisms, and >everything "works". To ensure that third-party certifications are (by >default) untrusted, it would need to purge the vendor-installed default >root certificates from its systems. > >___tony___ > > > > >___tony___ > > > >Tony Bartoletti 925-422-3881 <azb@llnl.gov> >Information Operations, Warfare and Assurance Center >Lawrence Livermore National Laboratory >Livermore, CA 94551-9900 > > Received: by above.proper.com (8.9.3/8.9.3) id MAA16687 for ietf-pkix-bks; Thu, 31 May 2001 12:19:10 -0700 (PDT) Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id MAA16677 for <ietf-pkix@imc.org>; Thu, 31 May 2001 12:19:01 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 31 May 2001 19:18:19 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id PAA20841 for <ietf-pkix@imc.org>; Thu, 31 May 2001 15:19:02 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <LR8TCB8X>; Thu, 31 May 2001 15:19:01 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.67]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id LR8TCB8N; Thu, 31 May 2001 15:18:54 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Michael Myers <myers@coastside.net> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010531150312.01ee5af0@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 31 May 2001 15:05:36 -0400 Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list In-Reply-To: <EOEGJNFMMIBDKGFONJJDEEGFCBAA.myers@coastside.net> References: <5.0.1.4.2.20010529172947.01dea008@exna07.securitydynamics.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> I can certainly publish the OID list periodically in an I-D. Say every six months. In the I-D, I can say that the files on the IMC web site are updated more frequently. Are there document editors that do not know this already? Russ At 03:38 PM 5/29/2001 -0700, Michael Myers wrote: >I think so Russ. At a minimum we need to leave behind a highly visible and >definitive OID structure. In my opinion PKIX isn't done until we document >all that we've defined. > >Mike > > > >Michael Myers >t: +415.819.1362 >e: mailto:mike@traceroutesecurity.com >w: http://www.traceroutesecurity.com > > > -----Original Message----- > > From: Housley, Russ [mailto:rhousley@rsasecurity.com] > > Sent: Tuesday, May 29, 2001 2:32 PM > > To: Michael Myers > > Cc: Russ Housley; ietf-pkix@imc.org > > Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list > > > > > > Mike: > > > > This seems like a reasonable thing to do as the PKIX WG is winding > > down. Is there really any point in a document that documents the > > current snapshot? > > > > Russ > > > > At 02:13 PM 5/29/2001 -0700, Michael Myers wrote: > > >Russ, > > > > > >Good to hear of this. Thanks. Any chance for an Informational > > >I-D laying out the OID structure? I'm willing to help. > > > > > >Mi Received: by above.proper.com (8.9.3/8.9.3) id KAA12974 for ietf-pkix-bks; Thu, 31 May 2001 10:30:52 -0700 (PDT) Received: from mail.funk.com (mail.funk.com [198.186.160.22]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA12969 for <ietf-pkix@imc.org>; Thu, 31 May 2001 10:30:46 -0700 (PDT) Received: by mail.funk.com with Internet Mail Service (5.5.2653.19) id <LLY0FBKD>; Thu, 31 May 2001 13:33:01 -0400 Message-ID: <2D6D813F2AEBD411BC6C000103C42C9412AB16@mail.funk.com> From: Aslam <aslam@funk.com> To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: CRLs doubts... Date: Thu, 31 May 2001 13:33:01 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Hi, I have some doubts: 1. Like we have a "cert serial no and issuer name" to uniquely identify a certificate, do we have such thing for CRL also. 2. If the CRL Distribution Point extension has two URIs in it, do they refer to same CRLs or they point to different CRLs with different scope. 3. In order to make a CRL cache thing work, what can be the primary key to get a CRL blob from the cache just by having the certificate, for which the revocation info has to be obtained. Thanks Aslam Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id IAA02357 for ietf-pkix-bks; Thu, 31 May 2001 08:23:37 -0700 (PDT) Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id IAA02349 for <ietf-pkix@imc.org>; Thu, 31 May 2001 08:23:27 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 31 May 2001 15:22:45 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id LAA29540; Thu, 31 May 2001 11:23:28 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <LR8TB8QW>; Thu, 31 May 2001 11:23:27 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.126]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id LR8TB8QS; Thu, 31 May 2001 11:23:24 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Tony Bartoletti <azb@llnl.gov> Cc: ietf-pkix@imc.org, "David P. Kemp" <dpkemp@missi.ncsc.mil> Message-Id: <5.0.1.4.2.20010531104237.01e61e48@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 31 May 2001 10:47:49 -0400 Subject: Re: cA flag and CRL issuers In-Reply-To: <4.3.2.7.2.20010530114306.00c48580@poptop.llnl.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Tony: If YourOrg decides that a particular UserNameN and UserKeyN that was certified by WhoeverCA, they can do so. PKIX does not (and I think should not) have a standard mechanism to do so. If YourOrg feels that one certificate issued by WhoeverCA should be revoked, and WhoeverCA has not/will not revoke it, then why would YourOrg continue to trust WhoeverCA for any certificates? It seems to me that the WhoeverCA certificate should be revoked or removed from the certificate trust list. Russ At 11:43 AM 5/30/2001 -0700, Tony Bartoletti wrote: >At 10:10 AM 5/30/01 -0400, you wrote: >>3) An authority stands up on its own with no CA blessing, and overtly claims >>that it will not reflect the CA's revocation status, but instead will reflect >>some local policy such as an employee's right to access company assets. >> >>By dictionary and common sense, #3 is not a "Certificate Revocation List", >>it is an "Access Control List". You and Tony argue that it is a good idea >>to mix authentication and access control because such mixing is expedient -- >>products support revocation of authentication credentials but do not widely >>support access control. You further argue that the PKIX path validation >>algorithm should be modified to officially sanction the merging of >>authentication and access control. >> >>I argue that such merging (done unofficially) is a bad idea from a security >>point of view, and it would be an even worse idea to modify X.509 and >>PKIX to officially support non-CA-authorized CRL signers. > >Dave, > >I agree that mixing (identity) authentication and authorization is bad >(however expedient.) > >My issue, perhaps academic, was not one of authorization. I intend that >the RP (or RP organization) unilaterally declares that binding of identity >(DN) to key is voided. The net result might not be the same regarding >authorization. If an "identity" binding fails, there may be myriad >separate authorizations the need to be revoked, but only the one name-key >binding. > >I argue the RP has a right to declare the CA-issued certificate to be >"null and void", and to be able to promote this declaration throughout the >organization. > >Perhaps this "should" be accomplished by having the RP-organization-as-CA >issue its own certification for every public key of possible interest, in >which case it could revoke according to the present mechanisms, and >everything "works". To ensure that third-party certifications are (by >default) untrusted, it would need to purge the vendor-installed default >root certificates from its systems. > >___tony___ > > > > >___tony___ > > > >Tony Bartoletti 925-422-3881 <azb@llnl.gov> >Information Operations, Warfare and Assurance Center >Lawrence Livermore National Laboratory >Livermore, CA 94551-9900 > > Received: by above.proper.com (8.9.3/8.9.3) id HAA26733 for ietf-pkix-bks; Thu, 31 May 2001 07:15:37 -0700 (PDT) Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id HAA26724 for <ietf-pkix@imc.org>; Thu, 31 May 2001 07:15:31 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 31 May 2001 14:14:44 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id KAA21834; Thu, 31 May 2001 10:15:24 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <LR8TB67Z>; Thu, 31 May 2001 10:15:23 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.44]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id LR8TB674; Thu, 31 May 2001 10:15:17 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Richard Lampard <Richard.Lampard@cesg.gsi.gov.uk> Cc: ietf-pkix@imc.org, Andrew Watson <Andrew.Watson@cesg.gsi.gov.uk> Message-Id: <5.0.1.4.2.20010531101210.01dfacd0@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 31 May 2001 10:15:13 -0400 Subject: Re: Algorithms in PKIX and S/MIME - query In-Reply-To: <sb14cdc4.096@cesg.gsi.gov.uk> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Richard: PKIX has not selected any algorithms as mandatory to implement. PKIX has left such decisions to the protocols that make use of certificates. S/MIME documents are being updated to reflect: signature generation: RSA or DSA or both signature validation: RSA and DSA hash: SHA-1 encrypt: Triple-DES CBC key management: RSA (PKCS#1 v1.5) Russ At 10:38 AM 5/30/2001 +0100, Richard Lampard wrote: >We recently completed an interoperability trial looking at PKI and S/MIME >v3 interoperability. If you're interested, the final report is available at: > >www.cesg.gov.uk/cloudcover/PKIdemonstrator.htm > >We are about to embark on a second phase, this time looking at S/MIME v3 >encryption. We are keen to mirror current thinking on S/MIME algorithms, >which I >believe is: > >Signature generation: DSA or RSA may be implemented >Signature processing: DSA and RSA must both be supported >Key transport: RSA > >However, I also believe that PKIX thinking at the moment is that DSA is >still the mandatory to implement algorithm for certificate and CRL signing. > >This leads to the awkward situation where an implementation, for example, >only signs S/MIME messages using RSA, but has to sign its RSA transport >keys using >DSA. I can imagine other mismatches whereby the keys for one algorithm are >signed by a different algorithm. > >This seems to stem from the fact that thinking on algorithms between PKIX >and S/MIME is not yet aligned. I'd be very grateful for some advice on >how we should >play our second phase, and what we should be asking vendors to bring to >the trial. Is it realistic to expect vendors to support both DSA and RSA, >especially in >their CAs? > >Many thanks > >Richard > >Richard Lampard >CESG >PO Box 144 >Cheltenham >Gloucestershire GL52 5UE >Tel: +441242 221491 x4086 >Fax: +441242 709113 >********************************************************************** >This email and any files transmitted with it is intended solely for >the use of the individual or entity to whom they are addressed. If >you have received this email in error please notify >postmaster@cesg.gsi.gov.uk. >********************************************************************** Received: by above.proper.com (8.9.3/8.9.3) id DAA11703 for ietf-pkix-bks; Thu, 31 May 2001 03:26:28 -0700 (PDT) Received: from hip.baltimore.ie ([193.41.17.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA11691 for <ietf-pkix@imc.org>; Thu, 31 May 2001 03:26:17 -0700 (PDT) Received: from Baltimore-FW1 ([172.19.1.1]) by hip.baltimore.ie (8.9.3/8.9.3) with SMTP id LAA20224 for <ietf-pkix@imc.org>; Thu, 31 May 2001 11:18:01 +0100 Received: from Baltimore-FW1 (wilde-i-1.ie.baltimore.com) by emeairlsw1.baltimore.com (Content Technologies SMTPRS 4.2.1) with SMTP id <T53dad5cb330a9919350ac@emeairlsw1.baltimore.com> for <ietf-pkix@imc.org>; Thu, 31 May 2001 10:42:09 +0100 Received: from baltimore.ie (ip226-24.ie.baltimore.com [10.153.24.226]) by bobcat.baltimore.ie (8.9.3/8.9.3) with ESMTP id KAA30029; Thu, 31 May 2001 10:45:48 +0100 Message-ID: <3B16112C.15E5BF37@baltimore.ie> Date: Thu, 31 May 2001 10:38:52 +0100 From: Stephen Farrell <stephen.farrell@baltimore.ie> Reply-To: stephen.farrell@baltimore.ie Organization: Baltimore Technologies Ltd. X-Mailer: Mozilla 4.72 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Hideyuki Odahara <odahara@dsa.isl.ntt.co.jp> CC: ietf-pkix@imc.org Subject: Re: draft-ietf-pkix-ac509prof -> RFC? References: <20010410173741.DB73.ODAHARA@dsa.isl.ntt.co.jp> <3ADC3F64.895C47B0@baltimore.ie> <20010530104344.4868.ODAHARA@dsa.isl.ntt.co.jp> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Hi, I'm not entirely clear exactly what question is being asked, however, I *think* the answer is that I've got to make a few very minor changes and then that draft will be sent to the RFC editor. In other words, the work on this specification is done, it will be an RFC quite soon now, without any substantive changes being made. The minor changes to be made include adding a section saying that there are no IANA consideration; updating to reflect a couple of minor changes to the base X.509 document and a change to allow some s/mime specifications to reference this document more easily. I hope that answers your question, Regards, Stephen. Hideyuki Odahara wrote: > > Mr. Stephen Farrell > > Thank you for your reply the example of use of an attribute the other > day. > I would like you to teach about RFC-izing of draft-ietf-pkix-ac509prof > today, and mail was given. While it is said that ac509prof has near > RFC-izing, it is not RFC-ized easily. Now, would you the argument is > progressing how much and teach [ when to RFC-be due to beized and ] this > draft? > Although humiliated a busy place, I ask of you well. > > thanks > -- ____________________________________________________________ Stephen Farrell Baltimore Technologies, tel: (direct line) +353 1 881 6716 39 Parkgate Street, fax: +353 1 881 7000 Dublin 8. mailto:stephen.farrell@baltimore.ie Ireland http://www.baltimore.com Received: by above.proper.com (8.9.3/8.9.3) id AAA20592 for ietf-pkix-bks; Thu, 31 May 2001 00:07:44 -0700 (PDT) Received: from server.ica.cz (server.ica.cz [195.47.13.11]) by above.proper.com (8.9.3/8.9.3) with ESMTP id AAA20562 for <ietf-pkix@imc.org>; Thu, 31 May 2001 00:07:36 -0700 (PDT) Received: from SZOTKOWSKI (com.ica.cz [195.47.13.10]) by server.ica.cz (8.9.2/8.8.7) with SMTP id JAA30402 for <ietf-pkix@imc.org>; Thu, 31 May 2001 09:07:21 +0200 (CEST) Message-ID: <06cf01c0e9a0$569023e0$212911ac@ica.cz> From: "Martin Szotkowski" <martin.szotkowski@ica.cz> To: <ietf-pkix@imc.org> Subject: LDAP and certificates Date: Thu, 31 May 2001 09:07:21 +0200 Organization: PVT, a.s. X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Hi, I started study LDAP and I like know how add user certificate into LDAP DB. How create entry for one user? >From DN? (what is right order of RDN in DN) >From some other information? How browsers connect LDAP server to obtain certificates or CRL? please send me some RFC or drafts, where it is described. thanks Martin Received: by above.proper.com (8.9.3/8.9.3) id TAA29145 for ietf-pkix-bks; Wed, 30 May 2001 19:54:03 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id TAA29141 for <ietf-pkix@imc.org>; Wed, 30 May 2001 19:53:57 -0700 (PDT) Received: from [128.33.238.84] (TC030.BBN.COM [128.33.238.30]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id WAA00006; Wed, 30 May 2001 22:53:56 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010408b73b5701a36c@[128.33.238.84]> In-Reply-To: <4.3.2.7.2.20010529161445.00b0fbf0@poptop.llnl.gov> References: <4.3.2.7.2.20010529115907.00b09840@poptop.llnl.gov> <4.3.2.7.2.20010529161445.00b0fbf0@poptop.llnl.gov> Date: Wed, 30 May 2001 22:23:45 -0400 To: Tony Bartoletti <azb@llnl.gov> From: Stephen Kent <kent@bbn.com> Subject: Re: cA flag and CRL issuers Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Tony & Bob, This discussion re revocation seems to be colored by excessive use of the term "trust." It's common to use that term in discussing PKIs, and the public CA approach to PKI, exemplified by VeriSIgn, encourages that notion, because such CA are viable only if "trusted." However, that is not the only way to think about roles in a PKI. If CAs are aligned with physical world entities that are authoritative for the data contained in certs, e.g., companies issuing certs for employees, then these CAs are not "trusted" in the same way that one trusts a public CA. Moreover, CAs of this sort are authoritative for revocation, just as they are authoritative for cert issuance. Tony seems to agree with this observation, but Bob feels that this is a naive model re NR. I will remind Bob that NR is not the only focus of PKI, that this WG has expended way to much time arguing about NR matters that seem to never be fully resolved in the technical domain, and that the lack of uniform agreement re NR requirements suggests that no single view of technical support for NR can be considered authoritative. What you tow are suggesting is a local means of asserting per-certificate validity judgements that might override those of the CA who issued a cert. While I can appreciate the motivations that you cite for this, they are simply not consistent with the overall X.509 or PKIX models. We cannot tailor the specs to compensate for questionable PKI implementation designs in apps such as browsers. OCSP does allow for local configuration of a local source for revocation information, and that would allow one to achieve the goals you cite, if one relied on OCSP for revocation status. DPV will allow a similar configuration capability. So, I suggest that you be content with the ability to achieve the stated effects via these other protocols, which will provide the capability as a side effect of their other design goals. Steve Received: by above.proper.com (8.9.3/8.9.3) id SAA24818 for ietf-pkix-bks; Wed, 30 May 2001 18:55:27 -0700 (PDT) Received: from [165.227.249.18] (ip18.proper.com [165.227.249.18]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA24811; Wed, 30 May 2001 18:55:20 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org Message-Id: <p05100317b73b527edc1a@[165.227.249.18]> In-Reply-To: <OF4FCCFE87.A3C94FF9-ON85256A5C.00642C5B@somers.hqregion.ibm.com> References: <OF4FCCFE87.A3C94FF9-ON85256A5C.00642C5B@somers.hqregion.ibm.com> Date: Wed, 30 May 2001 18:54:24 -0700 To: "Tom Gindin" <tgindin@us.ibm.com>, ietf-pkix@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: Re: Patent disclosure Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> At 2:40 PM -0400 5/30/01, Tom Gindin wrote: >IBM is unable to provide more specific >information regarding the application, until such time as the application >is published or the patent is issued. IBM often does The Right Thing with respect to patents used in IETF protocols, so I am not eager to kick them around. However, the above statement is simply not true. IBM is quite able to provide more specific information: it is choosing not to. And by choosing not to, the PKIX WG cannot move forwards with either document with any understanding about what doing so means. It would be great if IBM would reconsider its choice to be almost silent as soon as possible. --Paul Hoffman, Director --Internet Mail Consortium Received: by above.proper.com (8.9.3/8.9.3) id RAA18225 for ietf-pkix-bks; Wed, 30 May 2001 17:11:24 -0700 (PDT) Received: from smtp-2.llnl.gov (smtp-2.llnl.gov [128.115.250.82]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA18213 for <ietf-pkix@imc.org>; Wed, 30 May 2001 17:11:18 -0700 (PDT) Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-2.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id RAA19872; Wed, 30 May 2001 17:10:45 -0700 (PDT) Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id RAA15930; Wed, 30 May 2001 17:10:45 -0700 (PDT) Message-Id: <4.3.2.7.2.20010530164955.00c33c70@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 30 May 2001 17:17:50 -0700 To: "Bob Jueneman" <bjueneman@novell.com>, <ietf-pkix@imc.org> From: Tony Bartoletti <azb@llnl.gov> Subject: Re: cA flag and CRL issuers Cc: <dpkemp@missi.ncsc.mil> In-Reply-To: <sb152366.006@prv-mail20.provo.novell.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> At 04:44 PM 5/30/01 -0600, Bob Jueneman wrote: > > > >Perhaps this "should" be accomplished by having the RP-organization-as-CA > >issue its own certification for every public key of possible interest, in > >which case it could revoke according to the present mechanisms, and > >everything "works". >Fortunately, revocation of particular certificates can be done on an >exception basis, without having to (re-)issue all of the certificates >directly, and that is my point. > >Bob :) That is mostly why "should" and "works" are in quotes. The scheme is hardly workable except in a very limited arrangement. My concerns also joined with that of CA root-key compromise. I suppose a CA that issues a CRL listing its own signing key as revoked *can* be trusted (if it too signed the CRL) since either the CA intended to revoke, or the key is in fact compromised. Ala SPKI "loop-of-trust", wherein authority begins (and ends) with the Relying Party, I sought to allow any party of authority to act as a "CA over the CAs" by "certifying" their root keys, and thus to be able to revoke them if desired, to address the root compromise problem for a "Relying Community". That community would (once) install this super-CA root in its user's software. Thereafter, if a CA needed to issue a new root upon compromise, the "authority" of each community could seek out that CA and certify that new key via the "community root". This would allow the end user software a path to "accept" a new CA root electronically, since it would verify with the installed community key. This mechanism reduces manual intervention in the N systems to only those operations that concern a community's trust in it own authority. ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: by above.proper.com (8.9.3/8.9.3) id PAA12220 for ietf-pkix-bks; Wed, 30 May 2001 15:45:05 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA12207 for <ietf-pkix@imc.org>; Wed, 30 May 2001 15:44:57 -0700 (PDT) Received: from INET-PRV-MTA by prv-mail20.provo.novell.com with Novell_GroupWise; Wed, 30 May 2001 16:44:22 -0600 Message-Id: <sb152366.006@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 6.0 Date: Wed, 30 May 2001 16:44:50 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <ietf-pkix@imc.org>, <azb@llnl.gov> Cc: <dpkemp@missi.ncsc.mil> Subject: Re: cA flag and CRL issuers Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id PAA12208 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> >I argue the RP has a right to declare the CA-issued certificate to be "null >and void", and to be able to promote this declaration throughout the >organization. > >Perhaps this "should" be accomplished by having the RP-organization-as-CA >issue its own certification for every public key of possible interest, in >which case it could revoke according to the present mechanisms, and >everything "works". To ensure that third-party certifications are (by >default) untrusted, it would need to purge the vendor-installed default >root certificates from its systems. > Tony, I completely agree with you, but I would point out that although having the RP organization issue its own certification for all public keys of interest might be technically do-able, it certainly wouldn't scale beyond the boundaries of that organization. Once you start trying to manage the public keys of all of the employees of your extranet partners, you are out of the frying pan and into the fire from a management and control aspect. Fortunately, revocation of particular certificates can be done on an exception basis, without having to (re-)issue all of the certificates directly, and that is my point. Bob Received: by above.proper.com (8.9.3/8.9.3) id LAA28931 for ietf-pkix-bks; Wed, 30 May 2001 11:41:35 -0700 (PDT) Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA28921 for <ietf-pkix@imc.org>; Wed, 30 May 2001 11:41:29 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id OAA125574; Wed, 30 May 2001 14:38:33 -0400 Received: from d02ml237.somers.hqregion.ibm.com (d02ml237.sby.ibm.com [9.45.4.171]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id OAA111224; Wed, 30 May 2001 14:34:40 -0400 Importance: Normal Subject: Patent disclosure To: ietf-pkix@imc.org Cc: iesg-secretary@ietf.org X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: <OF4FCCFE87.A3C94FF9-ON85256A5C.00642C5B@somers.hqregion.ibm.com> From: "Tom Gindin" <tgindin@us.ibm.com> Date: Wed, 30 May 2001 14:40:01 -0400 X-MIMETrack: Serialize by Router on D02ML237/02/M/IBM(Release 5.0.7 |March 21, 2001) at 05/30/2001 02:40:09 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> IBM has submitted patent applications in a technology area that may be employed by the PKIX working group in developing its final specifications. The technology area relates to the use of certificateHold for Non-Repudiation. This may prove relevant to some parts of the draft-ietf-pkix-ocspv2-02.txt and to some parts of draft-ietf-pkix-new-part1-06.txt. IBM is unable to provide more specific information regarding the application, until such time as the application is published or the patent is issued. IBM, in support of IETF intellectual property rights procedures, is willing to offer non-exclusive licenses to issued patents, upon written request, under reasonable and non-discriminatory terms and conditions, in accordance with IBM's usual licensing practices, when there is a necessary dependence upon these IBM patents to implement PKIX specifications. Tom Gindin Received: by above.proper.com (8.9.3/8.9.3) id LAA28691 for ietf-pkix-bks; Wed, 30 May 2001 11:37:24 -0700 (PDT) Received: from smtp-2.llnl.gov (smtp-2.llnl.gov [128.115.250.82]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA28683 for <ietf-pkix@imc.org>; Wed, 30 May 2001 11:37:18 -0700 (PDT) Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-2.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id LAA22824; Wed, 30 May 2001 11:36:44 -0700 (PDT) Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id LAA21182; Wed, 30 May 2001 11:36:44 -0700 (PDT) Message-Id: <4.3.2.7.2.20010530114306.00c48580@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 30 May 2001 11:43:49 -0700 To: ietf-pkix@imc.org From: Tony Bartoletti <azb@llnl.gov> Subject: Re: cA flag and CRL issuers Cc: "David P. Kemp" <dpkemp@missi.ncsc.mil> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> At 10:10 AM 5/30/01 -0400, you wrote: >3) An authority stands up on its own with no CA blessing, and overtly claims >that it will not reflect the CA's revocation status, but instead will reflect >some local policy such as an employee's right to access company assets. > >By dictionary and common sense, #3 is not a "Certificate Revocation List", >it is an "Access Control List". You and Tony argue that it is a good idea >to mix authentication and access control because such mixing is expedient -- >products support revocation of authentication credentials but do not widely >support access control. You further argue that the PKIX path validation >algorithm should be modified to officially sanction the merging of >authentication and access control. > >I argue that such merging (done unofficially) is a bad idea from a security >point of view, and it would be an even worse idea to modify X.509 and >PKIX to officially support non-CA-authorized CRL signers. Dave, I agree that mixing (identity) authentication and authorization is bad (however expedient.) My issue, perhaps academic, was not one of authorization. I intend that the RP (or RP organization) unilaterally declares that binding of identity (DN) to key is voided. The net result might not be the same regarding authorization. If an "identity" binding fails, there may be myriad separate authorizations the need to be revoked, but only the one name-key binding. I argue the RP has a right to declare the CA-issued certificate to be "null and void", and to be able to promote this declaration throughout the organization. Perhaps this "should" be accomplished by having the RP-organization-as-CA issue its own certification for every public key of possible interest, in which case it could revoke according to the present mechanisms, and everything "works". To ensure that third-party certifications are (by default) untrusted, it would need to purge the vendor-installed default root certificates from its systems. ___tony___ ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id KAA24712 for ietf-pkix-bks; Wed, 30 May 2001 10:36:12 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA24704 for <ietf-pkix@imc.org>; Wed, 30 May 2001 10:36:05 -0700 (PDT) Received: from INET-PRV-MTA by prv-mail20.provo.novell.com with Novell_GroupWise; Wed, 30 May 2001 11:35:27 -0600 Message-Id: <sb14daff.062@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 6.0 Date: Wed, 30 May 2001 11:35:55 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <ietf-pkix@imc.org>, <dpkemp@missi.ncsc.mil> Subject: Re: cA flag and CRL issuers Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id KAA24705 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Dave, thanks for the clarification. For a while there I was afraid I was going to have to appeal to Charleton Heston! I agree that semantically, only the issuer can revoke the issuer's binding of a key to whatever else may be contained in the certificate, normally the identity of the holder of that key, and state, as you say, that in the eyes of the issuer, that binding is no long in effect. But you then jumped from notion of certificate revocation, or what might more accurately be called certificate trust revocation, to the notion of access control and PMI. I don't equate the two, although of course there is some overlap. So I don't agree that your case #3 isn't a CRL, but rather access control, or PMI. Instead, I want to use some form of certificate revocation or whatever we call it to revoke encryption certificates for various recipients, and to revoke digital signature certificates for people I no longer trust to sign documents or transactions. I suppose you could argue that if X.509 PKI is exclusively about identity, then there is some justification for claiming that the CA is reasonably authoritative for identity and thus only the CA should be able to revoke the trust relationship inherent in the certificate -- the end-entity presumably hasn't been transmogrified into someone else, and even if they were, they are presumably still responsible for their actions. But we all know by now, I hope, that the initial naive "nonrepudiation" conceit of the technologists (and I include myself there) that if we could just be sure who someone really was, that the world would be a much better place, simply hasn't materialized. We handed the car dealer our driver's license and drove off in the Ferrari on a test drive, and never returned. Even if the driver's license wasn't falsified, what are you going to do next -- send the sheriff into cyberspace to arrest some e-mail name? In fact, putting aside religious arguments about ASN.1 vs. "simpler" mechanisms, the SPKI crowd probably had it closer to right than the PKI crowd, because the essence of a workable PKI isn't just identity, but authority and credibility, i.e., trust. Remember, the original use of X.509 was to authenticate an individual to a directory, where such decisions could be made. but we effectively threw away the directory, and proposed making decision based on the certificate itself, with no other information. That's why there have been virtually no Residential Person certificates issued to speak of -- only Organizational Person certs -- because rightly or wrongly, the implicit affiliation of the individual with an organization carries a lot of weight, to the point that the name almost doesn't matter an most cases. (I said almost. :-) and hence there is little or not acceptance of a Residential person certificate, except perhaps for casual e-mail encryption. I note that the current specification allows an independent OCSP responder to comment on the status of a certificate, and indirectly on the trust associated with the end-user. You deprecate that usage, but there it is. So why does the certificate validation concept depend on the choice of protocols? We should be arguing philosophy, not protocols and whether or not the certificate is checked in real time. You argue that "such merging (done unofficially) is a bad idea from a security point of view, and it would be an even worse idea to modify X.509 and PKIX to officially support non-CA-authorized CRL signers." Particularly if the "merging" is local to a single relying party's organization, I would like to better understand your reasoning as to why you think that is a bad idea, for that certainly isn't obvious to me. Instead, I believe that continuing the rely on the CA's potentially out of date world view, when that CA has no obligation to continuing monitor the trust relationship associated with that user, is in fact the Bad Idea, if relied on exclusively. The CA is only obligated to revoke a certificate upon the request of the end-user, who may have every interest in the world to continue to use that certificate. That simply isn't good enough for all situations. Likewise, I disagree with the assertion that it would be an even worse idea to modify X.509 and PKIX to officially support non-CA-authorized CRL signers. Local RP organizational control is one such case that makes eminently good sense to me, as does the notion of some overarching authority such as a State or Federal CA licensing authority, for example. And if we get into Attribute Certificates, or attributes within a certificate that reflect a credential such as whether or not someone is a medical doctor (that's an attribute, not a privilege, although the RP may decide to confer a privilege based on that attribute), then I think having a non-CA such as the state medical association be able to revoke such credentials is even more important. The issue of whether products do, or should support PMI is a separate issue. They don't, and they should, but in my view, at least, that still doesn't solve the trust problem. And we are ten years and counting. Regards, Bob >>> "David P. Kemp" <dpkemp@missi.ncsc.mil> 05/30/01 08:10AM >>> Bob Jueneman wrote: > > > > [dpk] ** No one but the issuer can revoke that issuer's certification. ** > > Well, that is precisely the disagreement, isn't it? Or let me clarify that > just a bit. What I care about is revoking the certificate itself. > Revoking the issuer's certification of that certificate is a slight, > but perhaps a significant nuance of difference. My statement was a bit terse, and I certainly see how it could be interpreted, not as intended, but as a stone-tablet pronouncement. The issuer has signed a statement binding name to key, and only the issuer, from the standpoint of Noah Webster (as opposed to the standpoint of Moses) is able to state that in the eyes of the issuer that binding is no longer in effect. There are three cases to consider: 1) The CA can revoke certificates using its own signing key directly, or indirectly by signing a cRLSign certificate, an Authorized OCSP responder certificate, or an EE cert with a CRLDP referring to an ICRLA. 2) A revocation authority could stand up on its own, with no blessing from a CA, but claim that it will faithfully reflect the CA's revocation status to the best of its ability. This is the Trusted OCSP responder model. 3) An authority stands up on its own with no CA blessing, and overtly claims that it will not reflect the CA's revocation status, but instead will reflect some local policy such as an employee's right to access company assets. By dictionary and common sense, #3 is not a "Certificate Revocation List", it is an "Access Control List". You and Tony argue that it is a good idea to mix authentication and access control because such mixing is expedient -- products support revocation of authentication credentials but do not widely support access control. You further argue that the PKIX path validation algorithm should be modified to officially sanction the merging of authentication and access control. I argue that such merging (done unofficially) is a bad idea from a security point of view, and it would be an even worse idea to modify X.509 and PKIX to officially support non-CA-authorized CRL signers. > I'm always willing to consider other, alternative means of achieving > any particular objective, so long as they are reasonably well standardized > and widely implemented on commercial software packages. But if I were the > RP's organization, I would certainly NOT like to have to throw out all of > my browsers, my S/MIME software, etc., just to achieve this objective -- > that's a non-starter. I can think of three off the bat: 1) Request that the CA issue an "authorized revocation authority" (OCSP or ICRLA) certificate to your local status authority. This is expedient (in the pejorative sense) and the CA might refuse to do it, but it requires no undesirable changes to the text of X.509 or to products. 2) Stand up a CA which explicitly issues certificates according to local policies such as employment status, and then revokes those certificates according to the same criteria under which they were issued. This does no violence to the intent of X.509, and requires no changes to products. 3) Use a "trusted OCSP" responder and forget about CRLs. I think this option should be deprecated, but it is documented today in RFC 2560. 4) A fourth option, which of course requires better products, is to use a proper PMI. The PMI standards are there; it's up to product developers to determine if there is a market. I'm not persuaded by "well, products haven't seen fit to support authorization yet, so let's muck with the authentication standard to support coarse-grained (yes/no) bastardized privilege management." Regards, Dave Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id HAA07044 for ietf-pkix-bks; Wed, 30 May 2001 07:13:42 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA07035 for <ietf-pkix@imc.org>; Wed, 30 May 2001 07:13:36 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id KAA15318 for <ietf-pkix@imc.org>; Wed, 30 May 2001 10:13:32 -0400 (EDT) Received: from reject.missi.ncsc.mil (reject.missi.ncsc.mil [144.51.60.17]) by stingray.missi.ncsc.mil with SMTP id KAA15314 for <ietf-pkix@imc.org>; Wed, 30 May 2001 10:13:32 -0400 (EDT) Received: from 144.51.60.215 by reject.missi.ncsc.mil (InterScan E-Mail VirusWall NT); Wed, 30 May 2001 10:15:49 -0400 (Eastern Daylight Time) Received: from missi.ncsc.mil (ara.missi.ncsc.mil [144.51.55.128]) by amx.missi.ncsc.mil with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id LQK7KMM6; Wed, 30 May 2001 10:16:50 -0400 Message-ID: <3B14FF3B.E5140CF6@missi.ncsc.mil> Date: Wed, 30 May 2001 10:10:03 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: cA flag and CRL issuers References: <sb13c0b1.050@prv-mail20.provo.novell.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Bob Jueneman wrote: > > > > [dpk] ** No one but the issuer can revoke that issuer's certification. ** > > Well, that is precisely the disagreement, isn't it? Or let me clarify that > just a bit. What I care about is revoking the certificate itself. > Revoking the issuer's certification of that certificate is a slight, > but perhaps a significant nuance of difference. My statement was a bit terse, and I certainly see how it could be interpreted, not as intended, but as a stone-tablet pronouncement. The issuer has signed a statement binding name to key, and only the issuer, from the standpoint of Noah Webster (as opposed to the standpoint of Moses) is able to state that in the eyes of the issuer that binding is no longer in effect. There are three cases to consider: 1) The CA can revoke certificates using its own signing key directly, or indirectly by signing a cRLSign certificate, an Authorized OCSP responder certificate, or an EE cert with a CRLDP referring to an ICRLA. 2) A revocation authority could stand up on its own, with no blessing from a CA, but claim that it will faithfully reflect the CA's revocation status to the best of its ability. This is the Trusted OCSP responder model. 3) An authority stands up on its own with no CA blessing, and overtly claims that it will not reflect the CA's revocation status, but instead will reflect some local policy such as an employee's right to access company assets. By dictionary and common sense, #3 is not a "Certificate Revocation List", it is an "Access Control List". You and Tony argue that it is a good idea to mix authentication and access control because such mixing is expedient -- products support revocation of authentication credentials but do not widely support access control. You further argue that the PKIX path validation algorithm should be modified to officially sanction the merging of authentication and access control. I argue that such merging (done unofficially) is a bad idea from a security point of view, and it would be an even worse idea to modify X.509 and PKIX to officially support non-CA-authorized CRL signers. > I'm always willing to consider other, alternative means of achieving > any particular objective, so long as they are reasonably well standardized > and widely implemented on commercial software packages. But if I were the > RP's organization, I would certainly NOT like to have to throw out all of > my browsers, my S/MIME software, etc., just to achieve this objective -- > that's a non-starter. I can think of three off the bat: 1) Request that the CA issue an "authorized revocation authority" (OCSP or ICRLA) certificate to your local status authority. This is expedient (in the pejorative sense) and the CA might refuse to do it, but it requires no undesirable changes to the text of X.509 or to products. 2) Stand up a CA which explicitly issues certificates according to local policies such as employment status, and then revokes those certificates according to the same criteria under which they were issued. This does no violence to the intent of X.509, and requires no changes to products. 3) Use a "trusted OCSP" responder and forget about CRLs. I think this option should be deprecated, but it is documented today in RFC 2560. 4) A fourth option, which of course requires better products, is to use a proper PMI. The PMI standards are there; it's up to product developers to determine if there is a market. I'm not persuaded by "well, products haven't seen fit to support authorization yet, so let's muck with the authentication standard to support coarse-grained (yes/no) bastardized privilege management." Regards, Dave Received: by above.proper.com (8.9.3/8.9.3) id CAA15200 for ietf-pkix-bks; Wed, 30 May 2001 02:38:23 -0700 (PDT) Received: from mail1.gsi.gov.uk (mail.gsi.gov.uk [194.6.79.172]) by above.proper.com (8.9.3/8.9.3) with ESMTP id CAA15195 for <ietf-pkix@imc.org>; Wed, 30 May 2001 02:38:17 -0700 (PDT) Received: from eliminator.cesg.gsi.gov.uk (mail2.cesg.gsi.gov.uk [51.64.33.243]) by mail1.gsi.gov.uk (BLOBBY/BLOBBY) with ESMTP id f4U9egQ16010 for <ietf-pkix@imc.org>; Wed, 30 May 2001 10:40:42 +0100 (BST) Received: by eliminator.cesg.gsi.gov.uk (CHOCCY/GINGER) id LAA20465; Wed, 30 May 2001 11:04:39 +0100 (GMT/BST) X-Received: suppressed X-Received: suppressed (id line) X-Received: suppressed X-Received: suppressed (id line) X-Received: suppressed (id line) X-Received: suppressed X-Received: suppressed X-Received: suppressed (id line) X-Received: suppressed X-Received: suppressed (id line) X-Received: suppressed X-Received: suppressed (id line) Message-Id: <sb14cdc4.096@cesg.gsi.gov.uk> X-Mailer: Novell GroupWise 5.5.4 Date: Wed, 30 May 2001 10:38:41 +0100 From: "Richard Lampard" <Richard.Lampard@cesg.gsi.gov.uk> To: <ietf-pkix@imc.org> Cc: "Andrew Watson" <Andrew.Watson@cesg.gsi.gov.uk> Subject: Algorithms in PKIX and S/MIME - query MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> We recently completed an interoperability trial looking at PKI and S/MIME v3 interoperability. If you're interested, the final report is available at: www.cesg.gov.uk/cloudcover/PKIdemonstrator.htm We are about to embark on a second phase, this time looking at S/MIME v3 encryption. We are keen to mirror current thinking on S/MIME algorithms, which I believe is: Signature generation: DSA or RSA may be implemented Signature processing: DSA and RSA must both be supported Key transport: RSA However, I also believe that PKIX thinking at the moment is that DSA is still the mandatory to implement algorithm for certificate and CRL signing. This leads to the awkward situation where an implementation, for example, only signs S/MIME messages using RSA, but has to sign its RSA transport keys using DSA. I can imagine other mismatches whereby the keys for one algorithm are signed by a different algorithm. This seems to stem from the fact that thinking on algorithms between PKIX and S/MIME is not yet aligned. I'd be very grateful for some advice on how we should play our second phase, and what we should be asking vendors to bring to the trial. Is it realistic to expect vendors to support both DSA and RSA, especially in their CAs? Many thanks Richard Richard Lampard CESG PO Box 144 Cheltenham Gloucestershire GL52 5UE Tel: +441242 221491 x4086 Fax: +441242 709113 ********************************************************************** This email and any files transmitted with it is intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify postmaster@cesg.gsi.gov.uk. ********************************************************************** Received: by above.proper.com (8.9.3/8.9.3) id SAA01807 for ietf-pkix-bks; Tue, 29 May 2001 18:50:14 -0700 (PDT) Received: from tama3.tas.ntt.co.jp (tama3.tas.ntt.co.jp [192.68.248.40]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA01798 for <ietf-pkix@imc.org>; Tue, 29 May 2001 18:50:04 -0700 (PDT) Received: from nttmail.ecl.ntt.co.jp (nttmail.tas.ntt.co.jp [192.68.248.11]) by tama3.tas.ntt.co.jp (8.9.3+3.2W/3.7W/01/21/00) with ESMTP id KAA23320; Wed, 30 May 2001 10:49:45 +0900 (JST) (envelope-from odahara@dsa.isl.ntt.co.jp) Received: from dsa.isl.ntt.co.jp by nttmail.ecl.ntt.co.jp (8.9.3+3.2W/3.7W/03/21/01) with ESMTP id KAA27923; Wed, 30 May 2001 10:49:39 +0900 (JST) (envelope-from odahara@dsa.isl.ntt.co.jp) Received: from cats by dsa.isl.ntt.co.jp (8.9.3/isl-2.0) id KAA12569; Wed, 30 May 2001 10:49:21 +0900 (JST) Date: Wed, 30 May 2001 10:52:10 +0900 From: Hideyuki Odahara <odahara@dsa.isl.ntt.co.jp> To: stephen.farrell@baltimore.ie Subject: draft-ietf-pkix-ac509prof -> RFC? Cc: ietf-pkix@imc.org In-Reply-To: <3ADC3F64.895C47B0@baltimore.ie> References: <20010410173741.DB73.ODAHARA@dsa.isl.ntt.co.jp> <3ADC3F64.895C47B0@baltimore.ie> Message-Id: <20010530104344.4868.ODAHARA@dsa.isl.ntt.co.jp> MIME-Version: 1.0 Content-Type: text/plain; charset="ISO-2022-JP" Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver. 2.00.03 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Mr. Stephen Farrell Thank you for your reply the example of use of an attribute the other day. I would like you to teach about RFC-izing of draft-ietf-pkix-ac509prof today, and mail was given. While it is said that ac509prof has near RFC-izing, it is not RFC-ized easily. Now, would you the argument is progressing how much and teach [ when to RFC-be due to beized and ] this draft? Although humiliated a busy place, I ask of you well. thanks > > Slightly late response, but here it is... > > Syntactically, the access identity attribute can't have the authInfo > field present. This basically means that you should use the access > identity field if the relying party is willing to believe a straight > assertion from the AA about the holder's identity. In theory that > should be enough, but it turns out that there are many applications > which still require a username & password to identify/authenticate > a user, so the service auth info attribute allows support for such > applications. > > As an example of where this might apply, say you inegrate the AC > relying party code into a web server, with a set of web applications > being called from the web server. Now some of those applications > will simply accept a user identity passed from the web server, using > say the ssl client or holder field for identity, others will have their > own concept of usernames (so you can use the access identity for those), > but still others will have their own username/password handling (so > you can use service auth info and not bother the user with entry of > additional passwords). > > Hope this makes it clearer, > Stephen. > > Hideyuki Odahara wrote: > > > > Please teach me the difference of the use of > > "Service Authentication Infomation" and "Access Identity" > > in Attribute Certificate, and how to use the "Access Identity" > > attribute if you have any concrete example. > > > > It is described that "this is a different use to that intended > > for the svceAuthInfo attribute discribed in 4.4.1 above." at the > > page 19 in the internet-draft(draft-ietf-pkix-ac509prof). > > But there is no example what situation does it suit. > > > > thanks ---------- Hideyuki Odahara $B!'(B odahara@dsa.isl.ntt.co.jp Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id RAA27036 for ietf-pkix-bks; Tue, 29 May 2001 17:22:34 -0700 (PDT) Received: from smtp-2.llnl.gov (smtp-2.llnl.gov [128.115.250.82]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA27027 for <ietf-pkix@imc.org>; Tue, 29 May 2001 17:22:28 -0700 (PDT) Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-2.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id RAA28770; Tue, 29 May 2001 17:22:01 -0700 (PDT) Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id RAA12899; Tue, 29 May 2001 17:22:00 -0700 (PDT) Message-Id: <4.3.2.7.2.20010529172159.00b13680@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 29 May 2001 17:29:07 -0700 To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org From: Tony Bartoletti <azb@llnl.gov> Subject: Re: cA flag and CRL issuers (Addendum) Cc: "Bob Jueneman" <bjueneman@novell.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Dave, (Some clarification added at the end.) I agree, "No one but the issuer can revoke that issuer's certification." But the organization that is my employer should be able to revoke my ability to use or trust that certificate. Moreover, they should be able to do so in a manner that is "global" to their body of employees, as easily as the CA itself might perform such a revocation. It should NOT be required that each of 5000 employees "do something" via browser settings to effect the company's dictate for each such revocation (it could never happen in a timely or reliable manner.) Why, exactly, the PKIX validation algorithm becomes off-limits to this endeavor, I am not sure. I do not intend my comments to hold up PKIX acceptance. My comments address the general concern over the assumptions and direction of future work. Perhaps my concerns are misplaced, but a "very few" OS/browser vendors command the market, and having one's "root" certificate sitting warm and cozy in that environment is an enviable situation. I imagine that 99% of casual users are blissfully unaware of how any of this works, and those vendors that benefit from the existing arrangement have little motivation to really put users in the driver's seat, on the chance they may drive off in another trust direction. The user bought an OS, a browser, and have been quietly "opted-in" to a mysterious constellation of trust points, and indirectly trusted entities. An organization (corporate, government) must be the final authority of trust for its employees (and, I would argue, individual citizens be their own final authority unless they choose to delegate these trust decisions.) Software should make it easy for an organization to install their own self-signed root certificate, use their "Org-CA-Key" to "certify" the other CA root certificates as they choose, and indicate any revocation mechanism they see fit. This need "physically" impact the organization's N-thousand user systems only rarely, and thereafter the "standard PKI components" do their job as if nothing has changed. Only the "root" has shifted. Is there something inherently wrong with this vision? (Honest Question!) CLARIFICATION: I do understand why it "won't work" given the current profile dictates. Current mechanics aside, is there something "philosophically" wrong with this vision? The argument that "the user bought the OS, thus trust it, thus trust every (mostly hidden) thing it trusts in turn" disturbs me. I suppose an organization could supplant the root of trust, but it seems they must climb over a mountain range of trees and rocks to do it. (And given UCITA, it might even be illegal!) ___tony___ At 04:08 PM 5/29/01 -0400, David P. Kemp wrote: >A Relying Party has the ability to control which CAs it trusts to issue >certificates, and it also has the option of trusting public keys for which >no CA has issued a certificate. It likewise, as you say, has the option of >accepting a certification which has expired or been revoked by its issuer, >or refusing to accept, on a case-by-case basis, a certification which has >not expired or been revoked. > >But despite the fact that the Relying Party is always in control of what >that RP chooses to accept from others, RP applications need a specification >(the PKIX profile) that tells how to reliably determine what the issuer of >a certificate thinks about that certificate's current status. > >** No one but the issuer can revoke that issuer's certification. ** > >You may wish to use the X.509 CertificateList data structure to contain >some other authority's opinion of a certificate, or of the subject of >that certificate. That's fine, but you can't call it a CRL or process >it using the PKIX path validation algorithm. > >Dave > > > >Tony Bartoletti wrote: > > > > Bob, > > > > I echo your sentiments. > > > > A certificate is fundamentally a statement by something called a CA, that > > says, "We stand behind the associations embodied in this certificate until > > we say otherwise (or it expires naturally.)" > > > > The fact that they made such an assertion, one way or another, is just one > > piece of data in a relying party's particular trust model. The RP may > > either desire to "revoke trust" in that certificate, despite a CA's lack of > > revocation, or may have reason to wish to continue relying upon a > > certificate even though the issuing CA has revoked it. > > > > It is the Relying Party that Relies. All others are simply factors in the > > RP's trust calculation. > > > > And a rational PKI profile would recognize this fact and provide > > corresponding guidance so that end-user products support user ease and > > flexibility in local trust management. > > > > ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id RAA26187 for ietf-pkix-bks; Tue, 29 May 2001 17:02:33 -0700 (PDT) Received: from smtp-2.llnl.gov (smtp-2.llnl.gov [128.115.250.82]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA26172 for <ietf-pkix@imc.org>; Tue, 29 May 2001 17:02:27 -0700 (PDT) Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-2.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id RAA26599; Tue, 29 May 2001 17:01:59 -0700 (PDT) Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id RAA05391; Tue, 29 May 2001 17:01:59 -0700 (PDT) Message-Id: <4.3.2.7.2.20010529161445.00b0fbf0@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 29 May 2001 17:09:05 -0700 To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org From: Tony Bartoletti <azb@llnl.gov> Subject: Re: cA flag and CRL issuers Cc: "Bob Jueneman" <bjueneman@novell.com> In-Reply-To: <3B1401B5.CAF25F9@missi.ncsc.mil> References: <4.3.2.7.2.20010529115907.00b09840@poptop.llnl.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Dave, I agree, "No one but the issuer can revoke that issuer's certification." But the organization that is my employer should be able to revoke my ability to use or trust that certificate. Moreover, they should be able to do so in a manner that is "global" to their body of employees, as easily as the CA itself might perform such a revocation. It should NOT be required that each of 5000 employees "do something" via browser settings to effect the company's dictate for each such revocation (it could never happen in a timely or reliable manner.) Why, exactly, the PKIX validation algorithm becomes off-limits to this endeavor, I am not sure. I do not intend my comments to hold up PKIX acceptance. My comments address the general concern over the assumptions and direction of future work. Perhaps my concerns are misplaced, but a "very few" OS/browser vendors command the market, and having one's "root" certificate sitting warm and cozy in that environment is an enviable situation. I imagine that 99% of casual users are blissfully unaware of how any of this works, and those vendors that benefit from the existing arrangement have little motivation to really put users in the driver's seat, on the chance they may drive off in another trust direction. The user bought an OS, a browser, and have been quietly "opted-in" to a mysterious constellation of trust points, and indirectly trusted entities. An organization (corporate, government) must be the final authority of trust for its employees (and, I would argue, individual citizens be their own final authority unless they choose to delegate these trust decisions.) Software should make it easy for an organization to install their own self-signed root certificate, use their "Org-CA-Key" to "certify" the other CA root certificates as they choose, and indicate any revocation mechanism they see fit. This need "physically" impact the organization's N-thousand user systems only rarely, and thereafter the "standard PKI components" do their job as if nothing has changed. Only the "root" has shifted. Is there something inherently wrong with this vision? (Honest Question!) ___tony___ At 04:08 PM 5/29/01 -0400, David P. Kemp wrote: >A Relying Party has the ability to control which CAs it trusts to issue >certificates, and it also has the option of trusting public keys for which >no CA has issued a certificate. It likewise, as you say, has the option of >accepting a certification which has expired or been revoked by its issuer, >or refusing to accept, on a case-by-case basis, a certification which has >not expired or been revoked. > >But despite the fact that the Relying Party is always in control of what >that RP chooses to accept from others, RP applications need a specification >(the PKIX profile) that tells how to reliably determine what the issuer of >a certificate thinks about that certificate's current status. > >** No one but the issuer can revoke that issuer's certification. ** > >You may wish to use the X.509 CertificateList data structure to contain >some other authority's opinion of a certificate, or of the subject of >that certificate. That's fine, but you can't call it a CRL or process >it using the PKIX path validation algorithm. > >Dave > > > >Tony Bartoletti wrote: > > > > Bob, > > > > I echo your sentiments. > > > > A certificate is fundamentally a statement by something called a CA, that > > says, "We stand behind the associations embodied in this certificate until > > we say otherwise (or it expires naturally.)" > > > > The fact that they made such an assertion, one way or another, is just one > > piece of data in a relying party's particular trust model. The RP may > > either desire to "revoke trust" in that certificate, despite a CA's lack of > > revocation, or may have reason to wish to continue relying upon a > > certificate even though the issuing CA has revoked it. > > > > It is the Relying Party that Relies. All others are simply factors in the > > RP's trust calculation. > > > > And a rational PKI profile would recognize this fact and provide > > corresponding guidance so that end-user products support user ease and > > flexibility in local trust management. > > > > ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: by above.proper.com (8.9.3/8.9.3) id PAA21032 for ietf-pkix-bks; Tue, 29 May 2001 15:39:05 -0700 (PDT) Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA21023 for <ietf-pkix@imc.org>; Tue, 29 May 2001 15:38:59 -0700 (PDT) Received: from laptop (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f4TMctu26288; Tue, 29 May 2001 15:38:55 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Housley, Russ" <rhousley@rsasecurity.com> Cc: <ietf-pkix@imc.org> Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list Date: Tue, 29 May 2001 15:38:20 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDEEGFCBAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-reply-to: <5.0.1.4.2.20010529172947.01dea008@exna07.securitydynamics.com> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> I think so Russ. At a minimum we need to leave behind a highly visible and definitive OID structure. In my opinion PKIX isn't done until we document all that we've defined. Mike Michael Myers t: +415.819.1362 e: mailto:mike@traceroutesecurity.com w: http://www.traceroutesecurity.com > -----Original Message----- > From: Housley, Russ [mailto:rhousley@rsasecurity.com] > Sent: Tuesday, May 29, 2001 2:32 PM > To: Michael Myers > Cc: Russ Housley; ietf-pkix@imc.org > Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list > > > Mike: > > This seems like a reasonable thing to do as the PKIX WG is winding > down. Is there really any point in a document that documents the > current snapshot? > > Russ > > At 02:13 PM 5/29/2001 -0700, Michael Myers wrote: > >Russ, > > > >Good to hear of this. Thanks. Any chance for an Informational > >I-D laying out the OID structure? I'm willing to help. > > > >Mi Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id OAA16303 for ietf-pkix-bks; Tue, 29 May 2001 14:33:46 -0700 (PDT) Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id OAA16288; Tue, 29 May 2001 14:33:39 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 29 May 2001 21:33:00 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id RAA11822; Tue, 29 May 2001 17:33:41 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <LR8TB1XF>; Tue, 29 May 2001 17:33:41 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.100.22.73]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id LR8TB1XC; Tue, 29 May 2001 17:33:36 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Michael Myers <myers@coastside.net> Cc: Russ Housley <ietf-pkix-oid-reg@imc.org>, ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010529172947.01dea008@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Tue, 29 May 2001 17:32:03 -0400 Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list In-Reply-To: <EOEGJNFMMIBDKGFONJJDEEGBCBAA.myers@coastside.net> References: <5.0.1.4.2.20010529155436.01e34008@exna07.securitydynamics.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Mike: This seems like a reasonable thing to do as the PKIX WG is winding down. Is there really any point in a document that documents the current snapshot? Russ At 02:13 PM 5/29/2001 -0700, Michael Myers wrote: >Russ, > >Good to hear of this. Thanks. Any chance for an Informational I-D laying >out the OID structure? I'm willing to help. > >Mike > > > >Michael Myers >t: +415.819.1362 >e: mailto:mike@traceroutesecurity.com >w: http://www.traceroutesecurity.com > > > -----Original Message----- > > From: Russ Housley [mailto:ietf-pkix-oid-reg@imc.org] > > Sent: Tuesday, May 29, 2001 1:05 PM > > To: myers@coastside.net; mike@traceroutesecurity.com > > Cc: ietf-pkix@imc.org > > Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list > > > > > > Mike: > > > > Temporal Data Authority (TDA) has disappeared from the TSP > > document. So, no > > OID is needed for it, and it can be re-assigned. We got luckly this time, > > so I did the reassignment. > > > > id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } > > > > Please help avoid future collisions! In the future, any PKIX document > > editor that needs an OID, please send mail to > > ietf-pkix-oid-reg@imc.org to > > request it. Do not make a guess at the value that might be assigned! > > > > Regards, > > Russ > > > > > >From: "Michael Myers" <myers@coastside.net> > > > >To: <pgut001@cs.auckland.ac.nz>, <ietf-pkix@imc.org>, > > > > <jjacoby@rsasecurity.com>, <myers@coastside.net> > > > >Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list > > > >Date: Fri, 18 May 2001 13:01:16 -0700 > > > >X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) > > > >Importance: Normal > > > >Sender: owner-ietf-pkix@mail.imc.org > > > >List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> > > > >List-ID: <ietf-pkix.imc.org> > > > >List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> > > > >List-ID: <ietf-pkix.imc.org> > > > > > > > > > > > >On Saturday, May 19, 2001, at the inspiring hour of 3:30 AM, > > Peter Gutman > > > >advised: > > > > > > > > > Given that there are already certs (and lots of software) > > > > > out there which use the current OID, wouldn't it be better > > > > > to relocate temporalDataAuthority (what is that anyway? > > > > > Does anyone use it? It looks like an oddly-named TSA OID). > > > > > > > > > > (Given that the OCSP OID is already in active use, I suspect > > > > > {id-kp 9} will remain "the OCSP OID" even if it's officially > > > > > reassigned, this my comment that it's going to be easier for > > > > > Mohammed to go to the mountain). > > > > > > > > > > Peter. > > > > > > > >Peter, > > > > > > > >Certainly a more pragmatic approach. As a consequence I've > > spent some time > > > >today searching across the various current and historical IETF work > > products > > > >to do kind of an environmental impact assessment of simply > > re-labelling > > > >{id-kp 9} from "id-kp-temporalDataAuthority" to "id-kp-OCSPSigning". > > > > > > > >As it turns out, the notion of a Temporal Data Authority (TDA) and a > > > >corresponding {id-kp 9} definition was introduced at least by > > > > > >http://www.ietf.org/proceedings/99jul/I-D/draft-ietf-pkix-time-stamp-02. > > txt. > > > >However, by the -14 edition the concept went away: > > > >http://www.ietf.org/internet-drafts/draft-ietf-pkix-time-stamp-14.txt. > > > > > > > >So the path seems clear to redefine {id-kp 9} as > > id-kp-OCSPSigning with no > > > >impact to timestamping implementors. Doing so would benefit > > standing OCSP > > > >implementations but does not excuse the OCSP authors, myself > > included, from > > > >a swift kick in the butt for failing to coordinate across the > > WG on this > > > >point. > > > > > > > >Incidentally, it might be useful to produce the relevant OID > > list into a > > > >PKIX work product so that once PKIX wraps clues are left > > behind how the > > > >pieces are supposed to bolt together. > > > > > > > >Mike > > > > > > > > > > > >Michael Myers > > > >t: +415.819.1362 > > > >e: mailto:mike@traceroutesecurity.com > > > >w: http://www.traceroutesecurity.com > > Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id OAA16150 for ietf-pkix-bks; Tue, 29 May 2001 14:31:38 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA16126 for <ietf-pkix@imc.org>; Tue, 29 May 2001 14:31:31 -0700 (PDT) Received: from INET-PRV-MTA by prv-mail20.provo.novell.com with Novell_GroupWise; Tue, 29 May 2001 15:30:57 -0600 Message-Id: <sb13c0b1.048@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 6.0 Date: Tue, 29 May 2001 15:31:12 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <ietf-pkix@imc.org>, <dpkemp@missi.ncsc.mil> Cc: <azb@llnl.gov>, <peterw@valicert.com> Subject: Re: cA flag and CRL issuers Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id OAA16128 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> David, Please see my comments in-line. > >>>> "David P. Kemp" <dpkemp@missi.ncsc.mil> 05/29/01 02:08PM >>> >A Relying Party has the ability to control which CAs it trusts to issue >certificates, and it also has the option of trusting public keys for which >no CA has issued a certificate. It likewise, as you say, has the option of >accepting a certification which has expired or been revoked by its issuer, >or refusing to accept, on a case-by-case basis, a certification which has >not expired or been revoked. OK, so we are at least agreed in principle regarding the question of managing trust from the RP's perspective. > >But despite the fact that the Relying Party is always in control of what >that RP chooses to accept from others, RP applications need a specification >(the PKIX profile) that tells how to reliably determine what the issuer of >a certificate thinks about that certificate's current status. I would certainly agree that what the issuer thinks is at least relevant. And if the issuer says that it is revoked for cause (as opposed to merely expired, or perhaps a trivial address update), then if I were the RP or the determining organization, I would certainly think long an hard before continuing to trust it. However, the CA should not have an equal vote in the matter if the CA knows of no reason why the certificate should not be trusted but the RP does, (or for that matter even some other credible party, such as a state registration agency or licensing authority, as provided for under a number of state and foreign country's laws.) > >** No one but the issuer can revoke that issuer's certification. ** Well, that is precisely the disagreement, isn't it? Or let me clarify that just a bit. What I care about is revoking the certificate itself. Revoking the issuer's certification of that certificate is a slight, but perhaps a significant nuance of difference. > >You may wish to use the X.509 CertificateList data structure to contain >some other authority's opinion of a certificate, or of the subject of >that certificate. That's fine, but you can't call it a CRL or process >it using the PKIX path validation algorithm. And just why not? Did I miss that particular tablet of stone somewhere? I thought that was what we were debating. I'm always willing to consider other, alternative means of achieving any particular objective, so long as they are reasonably well standardized and widely implemented on commercial software packages. But if I were the RP's organization, I would certainly NOT like to have to throw out all of my browsers, my S/MIME software, etc., just to achieve this objective -- that's a non-starter. As someone else said, I don't care whether we call this a CRL, or an RPCRL, or a french fry, so long as it works. But saying ipso facto that this mechanism cannot be processed using the {PKIX path validation algorithm would seem to be jumping to a conclusion, since that was the question at hand. In particular, merely putting a certificate in some kind of a blackballed data structure, as I think you are proposing (I'm putting words in your mouth, so correct me if I am wrong), would probably NOT be sufficient, and especially from a nonrepudiation standpoint, because as I understand it those certificate structures would not be cryptographically bound to a reliable source. And even though it would be the RP's organization that would presumably post this particular french fry, it still seems worth providing a nonrepudiable binding mechanism. So from the standpoint of minimizing development cost and maximizing interoperability, processing a local revocation of a certificate via the PKIX path validation algorithm is PRECISELY what I would like to do. Bob Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id OAA14809 for ietf-pkix-bks; Tue, 29 May 2001 14:14:39 -0700 (PDT) Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA14756; Tue, 29 May 2001 14:14:16 -0700 (PDT) Received: from laptop (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f4TLEIu20428; Tue, 29 May 2001 14:14:18 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Russ Housley" <ietf-pkix-oid-reg@imc.org> Cc: <ietf-pkix@imc.org> Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list Date: Tue, 29 May 2001 14:13:42 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDEEGBCBAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-reply-to: <5.0.1.4.2.20010529155436.01e34008@exna07.securitydynamics.com> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Russ, Good to hear of this. Thanks. Any chance for an Informational I-D laying out the OID structure? I'm willing to help. Mike Michael Myers t: +415.819.1362 e: mailto:mike@traceroutesecurity.com w: http://www.traceroutesecurity.com > -----Original Message----- > From: Russ Housley [mailto:ietf-pkix-oid-reg@imc.org] > Sent: Tuesday, May 29, 2001 1:05 PM > To: myers@coastside.net; mike@traceroutesecurity.com > Cc: ietf-pkix@imc.org > Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list > > > Mike: > > Temporal Data Authority (TDA) has disappeared from the TSP > document. So, no > OID is needed for it, and it can be re-assigned. We got luckly this time, > so I did the reassignment. > > id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } > > Please help avoid future collisions! In the future, any PKIX document > editor that needs an OID, please send mail to > ietf-pkix-oid-reg@imc.org to > request it. Do not make a guess at the value that might be assigned! > > Regards, > Russ > > > >From: "Michael Myers" <myers@coastside.net> > > >To: <pgut001@cs.auckland.ac.nz>, <ietf-pkix@imc.org>, > > > <jjacoby@rsasecurity.com>, <myers@coastside.net> > > >Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list > > >Date: Fri, 18 May 2001 13:01:16 -0700 > > >X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) > > >Importance: Normal > > >Sender: owner-ietf-pkix@mail.imc.org > > >List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> > > >List-ID: <ietf-pkix.imc.org> > > >List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> > > >List-ID: <ietf-pkix.imc.org> > > > > > > > > >On Saturday, May 19, 2001, at the inspiring hour of 3:30 AM, > Peter Gutman > > >advised: > > > > > > > Given that there are already certs (and lots of software) > > > > out there which use the current OID, wouldn't it be better > > > > to relocate temporalDataAuthority (what is that anyway? > > > > Does anyone use it? It looks like an oddly-named TSA OID). > > > > > > > > (Given that the OCSP OID is already in active use, I suspect > > > > {id-kp 9} will remain "the OCSP OID" even if it's officially > > > > reassigned, this my comment that it's going to be easier for > > > > Mohammed to go to the mountain). > > > > > > > > Peter. > > > > > >Peter, > > > > > >Certainly a more pragmatic approach. As a consequence I've > spent some time > > >today searching across the various current and historical IETF work > products > > >to do kind of an environmental impact assessment of simply > re-labelling > > >{id-kp 9} from "id-kp-temporalDataAuthority" to "id-kp-OCSPSigning". > > > > > >As it turns out, the notion of a Temporal Data Authority (TDA) and a > > >corresponding {id-kp 9} definition was introduced at least by > > > >http://www.ietf.org/proceedings/99jul/I-D/draft-ietf-pkix-time-stamp-02. > txt. > > >However, by the -14 edition the concept went away: > > >http://www.ietf.org/internet-drafts/draft-ietf-pkix-time-stamp-14.txt. > > > > > >So the path seems clear to redefine {id-kp 9} as > id-kp-OCSPSigning with no > > >impact to timestamping implementors. Doing so would benefit > standing OCSP > > >implementations but does not excuse the OCSP authors, myself > included, from > > >a swift kick in the butt for failing to coordinate across the > WG on this > > >point. > > > > > >Incidentally, it might be useful to produce the relevant OID > list into a > > >PKIX work product so that once PKIX wraps clues are left > behind how the > > >pieces are supposed to bolt together. > > > > > >Mike > > > > > > > > >Michael Myers > > >t: +415.819.1362 > > >e: mailto:mike@traceroutesecurity.com > > >w: http://www.traceroutesecurity.com > Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id NAA10892 for ietf-pkix-bks; Tue, 29 May 2001 13:31:23 -0700 (PDT) Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA10877 for <ietf-pkix@imc.org>; Tue, 29 May 2001 13:31:15 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GE400K016CMOI@ext-mail.valicert.com> for ietf-pkix@imc.org; Tue, 29 May 2001 13:31:35 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GE400JN76CMW3@ext-mail.valicert.com>; Tue, 29 May 2001 13:31:34 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26T3B4>; Tue, 29 May 2001 13:28:44 -0700 Content-return: allowed Date: Tue, 29 May 2001 13:28:40 -0700 From: Peter Williams <peterw@valicert.com> Subject: RE: cA flag and CRL issuers To: "'Tony Bartoletti'" <azb@llnl.gov>, Bob Jueneman <bjueneman@novell.com> Cc: ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E01F4A1FE@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Importance: low X-Priority: 5 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Tony and Bob: Based on elements of my doctoral investigations in 1992/3, in 1997 I penned chapter 12 "secure electronic commerce" of a book I co-authored with others: "Digital Certificates". That chapter expounds a doctrine of relying-party trust; my aim was to make readers think about the design options when profiling; PKIX provided little rationalization for its design decisions, and has always lacked sensitivity to commercial credentialing practices. You can read about similar issues in Tom Austin's book on PKI, in my view. These profiling themes contrast markedly with the scholarly doctrine reflected in the books of Housley, Adams, etc., which would have you believe that Internet PKI was (a) a single camp of thought reflected in PKIX docs, and (b) you, the Internet end-consumer, are, quite properly, just a robotic subscriber. The main reason I left (1997-style) verisign for valicert was because the latter's business model (1998) focussed on a (modernised) method for bridging the competing goals of mandatory and discretionary security policy enforcement. given hindsight I'd now write the afore-mentioned chapter quite differently, for a 2002 audience given actual infrastructure deployment events since 1998. The current issues of CA bit (like the NR bit) are the manifestation of the quite principled but very different security policy philosophies present within our user and design communities, in my view. Despite my reservations, I do think we need to finish 2459+ Final Call, and respect the hard work that the tightly-nit PKIX author and advisor group have put in. Im not sure its the standard that reflects the WG, or the needs of the Internet enviroment. But, it does act as the snapshot lynchpin, that makes the document set reasonably consistent and coherent, for this point in time. We should ensure we consolidate this fine technical achievement, even if security policy matters will need further standardization at another time, or in another forum that cares less about trusted keys and more about trusted interworking. Postcript: It will be interesting to see what the authors in http://www.amazon.com/exec/obidos/ASIN/0850926602/qid=991167837/sr=1-3/ref=s c_b_3/107-6570836-8267712 have to say on infrastructure thenes, as reflection of a large (US) govt's position when delivering services via the Internet. -----Original Message----- From: Tony Bartoletti [mailto:azb@llnl.gov] Sent: Tuesday, May 29, 2001 12:14 PM To: Bob Jueneman; myers@coastside.net Cc: ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers Bob, I echo your sentiments. A certificate is fundamentally a statement by something called a CA, that says, "We stand behind the associations embodied in this certificate until we say otherwise (or it expires naturally.)" The fact that they made such an assertion, one way or another, is just one piece of data in a relying party's particular trust model. The RP may either desire to "revoke trust" in that certificate, despite a CA's lack of revocation, or may have reason to wish to continue relying upon a certificate even though the issuing CA has revoked it. It is the Relying Party that Relies. All others are simply factors in the RP's trust calculation. And a rational PKI profile would recognize this fact and provide corresponding guidance so that end-user products support user ease and flexibility in local trust management. ___tony___ At 11:28 AM 5/29/01 -0600, Bob Jueneman wrote: >Michael, > >I commented on this earlier, but no one picked up on it. Maybe it got >lost in the noise. > >Generally, I would agree with you. However, the entire purpose of PKI is >to serve the needs of the relying party, first and foremost. And since >the most cases the relying party is a member of an organization that may >wish to impose some collective rules for processing certificates, I >believe that necessitates the ability to have the option for LOCAL control >over CRLs and OCSP responses. > >Since in the general the subscriber or issuing CA may not even know who >the relying parties may be, this means in particular that it is NOT always >possible, nor desirable to require that the source of a CRL must >necessarily be named in advance, for example in a CRLDistributionPoint, or >signed or otherwise anointed by the CA, for that would turn the relying >party trust model on its head. > >So I would rephrase your requirement to state that the provenance of a >certificate, including its current validity and trust status or lack >thereof, must link back in a technical fashion to a trust root installed >in the relying party's software. Assuming that the CA's, AA's, etc., root >is installed the RP software, your requirement is a proper subset of what >I am proposing. > >"Is there anyone else thinking same way, or am I unique in this perspective?" > >Bob > >Robert R. Jueneman >Security Architect > >Novell, Inc -- the leading provider of Net services software > > > > >>> "Michael Myers" <myers@coastside.net> 05/29/01 11:07AM >>> >All, > >Regarding this thread, it seems to me that whether setting the cA bit for PK >certs, establishing algorithmic logic regarding naming or authorizations, >maybe in the long run inventing a cA bit equivalent for ACs or whatever >other technical mechanism we may devise, there exists a meta-requirement >that the provenance of a digital credential MUST link back in a technical >fashion to the source of its original issuance. Is anyone else thinking the >same way or am I unique in this perspective? > >Mike > > >Michael Myers >t: +415.819.1362 >e: mailto:mike@traceroutesecurity.com >w: http://www.traceroutesecurity.com Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: by above.proper.com (8.9.3/8.9.3) id NAA09389 for ietf-pkix-bks; Tue, 29 May 2001 13:11:56 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA09381 for <ietf-pkix@imc.org>; Tue, 29 May 2001 13:11:50 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id QAA29075 for <ietf-pkix@imc.org>; Tue, 29 May 2001 16:11:46 -0400 (EDT) Received: from reject.missi.ncsc.mil (reject.missi.ncsc.mil [144.51.60.17]) by stingray.missi.ncsc.mil with SMTP id QAA29071 for <ietf-pkix@imc.org>; Tue, 29 May 2001 16:11:46 -0400 (EDT) Received: from 144.51.60.215 by reject.missi.ncsc.mil (InterScan E-Mail VirusWall NT); Tue, 29 May 2001 16:14:06 -0400 (Eastern Daylight Time) Received: from missi.ncsc.mil (ara.missi.ncsc.mil [144.51.55.128]) by amx.missi.ncsc.mil with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id LQK7KKMF; Tue, 29 May 2001 16:15:04 -0400 Message-ID: <3B1401B5.CAF25F9@missi.ncsc.mil> Date: Tue, 29 May 2001 16:08:21 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: cA flag and CRL issuers References: <4.3.2.7.2.20010529115907.00b09840@poptop.llnl.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> A Relying Party has the ability to control which CAs it trusts to issue certificates, and it also has the option of trusting public keys for which no CA has issued a certificate. It likewise, as you say, has the option of accepting a certification which has expired or been revoked by its issuer, or refusing to accept, on a case-by-case basis, a certification which has not expired or been revoked. But despite the fact that the Relying Party is always in control of what that RP chooses to accept from others, RP applications need a specification (the PKIX profile) that tells how to reliably determine what the issuer of a certificate thinks about that certificate's current status. ** No one but the issuer can revoke that issuer's certification. ** You may wish to use the X.509 CertificateList data structure to contain some other authority's opinion of a certificate, or of the subject of that certificate. That's fine, but you can't call it a CRL or process it using the PKIX path validation algorithm. Dave Tony Bartoletti wrote: > > Bob, > > I echo your sentiments. > > A certificate is fundamentally a statement by something called a CA, that > says, "We stand behind the associations embodied in this certificate until > we say otherwise (or it expires naturally.)" > > The fact that they made such an assertion, one way or another, is just one > piece of data in a relying party's particular trust model. The RP may > either desire to "revoke trust" in that certificate, despite a CA's lack of > revocation, or may have reason to wish to continue relying upon a > certificate even though the issuing CA has revoked it. > > It is the Relying Party that Relies. All others are simply factors in the > RP's trust calculation. > > And a rational PKI profile would recognize this fact and provide > corresponding guidance so that end-user products support user ease and > flexibility in local trust management. > > ___tony___ Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id MAA06032 for ietf-pkix-bks; Tue, 29 May 2001 12:07:30 -0700 (PDT) Received: from smtp-1.llnl.gov (smtp-1.llnl.gov [128.115.250.81]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA06027 for <ietf-pkix@imc.org>; Tue, 29 May 2001 12:07:24 -0700 (PDT) Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-1.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id MAA08720; Tue, 29 May 2001 12:06:55 -0700 (PDT) Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id MAA19475; Tue, 29 May 2001 12:06:56 -0700 (PDT) Message-Id: <4.3.2.7.2.20010529115907.00b09840@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 29 May 2001 12:14:03 -0700 To: "Bob Jueneman" <bjueneman@novell.com>, <myers@coastside.net> From: Tony Bartoletti <azb@llnl.gov> Subject: RE: cA flag and CRL issuers Cc: <ietf-pkix@imc.org> In-Reply-To: <sb1387e9.084@prv-mail20.provo.novell.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Bob, I echo your sentiments. A certificate is fundamentally a statement by something called a CA, that says, "We stand behind the associations embodied in this certificate until we say otherwise (or it expires naturally.)" The fact that they made such an assertion, one way or another, is just one piece of data in a relying party's particular trust model. The RP may either desire to "revoke trust" in that certificate, despite a CA's lack of revocation, or may have reason to wish to continue relying upon a certificate even though the issuing CA has revoked it. It is the Relying Party that Relies. All others are simply factors in the RP's trust calculation. And a rational PKI profile would recognize this fact and provide corresponding guidance so that end-user products support user ease and flexibility in local trust management. ___tony___ At 11:28 AM 5/29/01 -0600, Bob Jueneman wrote: >Michael, > >I commented on this earlier, but no one picked up on it. Maybe it got >lost in the noise. > >Generally, I would agree with you. However, the entire purpose of PKI is >to serve the needs of the relying party, first and foremost. And since >the most cases the relying party is a member of an organization that may >wish to impose some collective rules for processing certificates, I >believe that necessitates the ability to have the option for LOCAL control >over CRLs and OCSP responses. > >Since in the general the subscriber or issuing CA may not even know who >the relying parties may be, this means in particular that it is NOT always >possible, nor desirable to require that the source of a CRL must >necessarily be named in advance, for example in a CRLDistributionPoint, or >signed or otherwise anointed by the CA, for that would turn the relying >party trust model on its head. > >So I would rephrase your requirement to state that the provenance of a >certificate, including its current validity and trust status or lack >thereof, must link back in a technical fashion to a trust root installed >in the relying party's software. Assuming that the CA's, AA's, etc., root >is installed the RP software, your requirement is a proper subset of what >I am proposing. > >"Is there anyone else thinking same way, or am I unique in this perspective?" > >Bob > >Robert R. Jueneman >Security Architect > >Novell, Inc -- the leading provider of Net services software > > > > >>> "Michael Myers" <myers@coastside.net> 05/29/01 11:07AM >>> >All, > >Regarding this thread, it seems to me that whether setting the cA bit for PK >certs, establishing algorithmic logic regarding naming or authorizations, >maybe in the long run inventing a cA bit equivalent for ACs or whatever >other technical mechanism we may devise, there exists a meta-requirement >that the provenance of a digital credential MUST link back in a technical >fashion to the source of its original issuance. Is anyone else thinking the >same way or am I unique in this perspective? > >Mike > > >Michael Myers >t: +415.819.1362 >e: mailto:mike@traceroutesecurity.com >w: http://www.traceroutesecurity.com Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: by above.proper.com (8.9.3/8.9.3) id KAA02018 for ietf-pkix-bks; Tue, 29 May 2001 10:29:26 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA02010 for <ietf-pkix@imc.org>; Tue, 29 May 2001 10:29:20 -0700 (PDT) Received: from INET-PRV-MTA by prv-mail20.provo.novell.com with Novell_GroupWise; Tue, 29 May 2001 11:28:41 -0600 Message-Id: <sb1387e9.084@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 6.0 Date: Tue, 29 May 2001 11:28:59 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <myers@coastside.net> Cc: <ietf-pkix@imc.org> Subject: RE: cA flag and CRL issuers Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id KAA02012 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Michael, I commented on this earlier, but no one picked up on it. Maybe it got lost in the noise. Generally, I would agree with you. However, the entire purpose of PKI is to serve the needs of the relying party, first and foremost. And since the most cases the relying party is a member of an organization that may wish to impose some collective rules for processing certificates, I believe that necessitates the ability to have the option for LOCAL control over CRLs and OCSP responses. Since in the general the subscriber or issuing CA may not even know who the relying parties may be, this means in particular that it is NOT always possible, nor desirable to require that the source of a CRL must necessarily be named in advance, for example in a CRLDistributionPoint, or signed or otherwise anointed by the CA, for that would turn the relying party trust model on its head. So I would rephrase your requirement to state that the provenance of a certificate, including its current validity and trust status or lack thereof, must link back in a technical fashion to a trust root installed in the relying party's software. Assuming that the CA's, AA's, etc., root is installed the RP software, your requirement is a proper subset of what I am proposing. "Is there anyone else thinking same way, or am I unique in this perspective?" Bob Robert R. Jueneman Security Architect Novell, Inc -- the leading provider of Net services software >>> "Michael Myers" <myers@coastside.net> 05/29/01 11:07AM >>> All, Regarding this thread, it seems to me that whether setting the cA bit for PK certs, establishing algorithmic logic regarding naming or authorizations, maybe in the long run inventing a cA bit equivalent for ACs or whatever other technical mechanism we may devise, there exists a meta-requirement that the provenance of a digital credential MUST link back in a technical fashion to the source of its original issuance. Is anyone else thinking the same way or am I unique in this perspective? Mike Michael Myers t: +415.819.1362 e: mailto:mike@traceroutesecurity.com w: http://www.traceroutesecurity.com Received: by above.proper.com (8.9.3/8.9.3) id KAA00804 for ietf-pkix-bks; Tue, 29 May 2001 10:08:46 -0700 (PDT) Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA00792 for <ietf-pkix@imc.org>; Tue, 29 May 2001 10:08:41 -0700 (PDT) Received: from laptop (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f4TH8Hu03962; Tue, 29 May 2001 10:08:17 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Santosh Chokhani" <chokhani@cygnacom.com>, "David P. Kemp" <dpkemp@missi.ncsc.mil> Cc: <ietf-pkix@imc.org> Subject: RE: cA flag and CRL issuers Date: Tue, 29 May 2001 10:07:44 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDKEFKCBAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-reply-to: <8D7EC1912E25D411A32100D0B76953978DEF38@scygmxs01.cygnacom.com> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> All, Regarding this thread, it seems to me that whether setting the cA bit for PK certs, establishing algorithmic logic regarding naming or authorizations, maybe in the long run inventing a cA bit equivalent for ACs or whatever other technical mechanism we may devise, there exists a meta-requirement that the provenance of a digital credential MUST link back in a technical fashion to the source of its original issuance. Is anyone else thinking the same way or am I unique in this perspective? Mike Michael Myers t: +415.819.1362 e: mailto:mike@traceroutesecurity.com w: http://www.traceroutesecurity.com Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id EAA03697 for ietf-pkix-bks; Tue, 29 May 2001 04:02:41 -0700 (PDT) Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA03686 for <ietf-pkix@imc.org>; Tue, 29 May 2001 04:02:35 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA28295; Tue, 29 May 2001 07:02:17 -0400 (EDT) Message-Id: <200105291102.HAA28295@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-time-stamp-15.txt Date: Tue, 29 May 2001 07:02:16 -0400 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Internet X.509 Public Key Infrastructure Time Stamp Protocols (TSP) Author(s) : C. Adams, P. Cain, D. Pinkas, R. Zuccherato Filename : draft-ietf-pkix-time-stamp-15.txt Pages : 26 Date : 25-May-01 A time stamping service supports assertions of proof that a datum existed before a particular time. This document describes the format of a request sent to a Time Stamping Authority (TSA) and of the response that is returned. It also establishes several security- relevant requirements for TSA operation, with regards to processing requests to generate responses. A TSA may be operated as a Trusted Third Party (TTP) service, though other operational models may be appropriate, e.g. an organization might require a TSA for internal time stamping purposes. Non-repudiation services [ISONR] require the ability to establish the existence of data before specified times. This protocol may be used as a building block to support such services. An example of how to prove that a digital signature was generated during the validity period of a public key certificate is given in an annex. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-time-stamp-15.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-time-stamp-15.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-time-stamp-15.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20010525125147.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-time-stamp-15.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-time-stamp-15.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20010525125147.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id GAA01267 for ietf-pkix-bks; Fri, 25 May 2001 06:28:41 -0700 (PDT) Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA01256 for <ietf-pkix@imc.org>; Fri, 25 May 2001 06:28:35 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <LT4XFD89>; Fri, 25 May 2001 09:28:05 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DEF38@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "David P. Kemp" <dpkemp@missi.ncsc.mil> Cc: ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers Date: Fri, 25 May 2001 09:18:30 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0E51D.30B1E0F0" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0E51D.30B1E0F0 Content-Type: text/plain; charset="iso-8859-1" Dave: My last response to Steve was a la yours, do not require generators to assert the basicConstraints either. -----Original Message----- From: David P. Kemp [mailto:dpkemp@missi.ncsc.mil] Sent: Friday, May 25, 2001 9:09 AM Cc: ietf-pkix@imc.org Subject: Re: cA flag and CRL issuers Carlin Covey wrote: > Some postings in this thread have attached significance to the fact that > X.509 does not discuss whether the CA bit should be set when cRLSign is true > but keyCertSign is false. I agree with you, Russ, that the discussion > should center on the level of flexibility and complexity that the PKIX > community want to embrace in its certificate and CRL profile, rather than > the nuances of text omissions in X.509. Yes. > I also agree that Sharon does a fine job in representing X.509's view. I > understand that she is on vacation at the moment. Yes! It is exceedingly rare to find in one person her level of technical understanding, fairness, and equanimity. Thank you, Sharon. > All that said, let me now second Santosh's proposal: "I vote for not > requiring the cA flag for CRL check and making appropriate changes to X.509 > and to PKIX to make it clear and consistent." - Santosh Chokhani, 24 May > 2001 Yes. However, for consistency you need a generation non-requirement in addition to Santosh's recipient non-requirement: I vote for not requiring the cA flag for CRL generation or checking and for making appropriate changes to X.509 and to PKIX to make them clear and consistent. > To streamline the algorithm a little further, I suggest that we ask X.509 to > allow the keyCertSign bit to be asserted in Attribute Authority > certificates, as well as CA certificates. As far as I can see, that would > make the CRL validation algorithm identical for AA-issued and CA-issued > CRL's. No. I support reserving the keyCertSign bit exclusively for use in certificates of issuers of (public-) key certificates. Regards, Dave ------_=_NextPart_001_01C0E51D.30B1E0F0 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: cA flag and CRL issuers</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>Dave:</FONT> </P> <P><FONT SIZE=2>My last response to Steve was a la yours, do not require generators to assert the basicConstraints either.</FONT> </P> <P><FONT SIZE=2>-----Original Message-----</FONT> <BR><FONT SIZE=2>From: David P. Kemp [<A HREF="mailto:dpkemp@missi.ncsc.mil">mailto:dpkemp@missi.ncsc.mil</A>]</FONT> <BR><FONT SIZE=2>Sent: Friday, May 25, 2001 9:09 AM</FONT> <BR><FONT SIZE=2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>Subject: Re: cA flag and CRL issuers</FONT> </P> <BR> <P><FONT SIZE=2>Carlin Covey wrote:</FONT> <BR><FONT SIZE=2>> Some postings in this thread have attached significance to the fact that</FONT> <BR><FONT SIZE=2>> X.509 does not discuss whether the CA bit should be set when cRLSign is true</FONT> <BR><FONT SIZE=2>> but keyCertSign is false. I agree with you, Russ, that the discussion</FONT> <BR><FONT SIZE=2>> should center on the level of flexibility and complexity that the PKIX</FONT> <BR><FONT SIZE=2>> community want to embrace in its certificate and CRL profile, rather than</FONT> <BR><FONT SIZE=2>> the nuances of text omissions in X.509.</FONT> </P> <P><FONT SIZE=2>Yes.</FONT> </P> <BR> <P><FONT SIZE=2>> I also agree that Sharon does a fine job in representing X.509's view. I</FONT> <BR><FONT SIZE=2>> understand that she is on vacation at the moment.</FONT> </P> <P><FONT SIZE=2>Yes! It is exceedingly rare to find in one person her level of technical</FONT> <BR><FONT SIZE=2>understanding, fairness, and equanimity. Thank you, Sharon. </FONT> </P> <BR> <P><FONT SIZE=2>> All that said, let me now second Santosh's proposal: "I vote for not</FONT> <BR><FONT SIZE=2>> requiring the cA flag for CRL check and making appropriate changes to X.509</FONT> <BR><FONT SIZE=2>> and to PKIX to make it clear and consistent." - Santosh Chokhani, 24 May</FONT> <BR><FONT SIZE=2>> 2001</FONT> </P> <P><FONT SIZE=2>Yes. However, for consistency you need a generation non-requirement</FONT> <BR><FONT SIZE=2>in addition to Santosh's recipient non-requirement: I vote for not</FONT> <BR><FONT SIZE=2>requiring the cA flag for CRL generation or checking and for making</FONT> <BR><FONT SIZE=2>appropriate changes to X.509 and to PKIX to make them clear and consistent.</FONT> </P> <BR> <P><FONT SIZE=2>> To streamline the algorithm a little further, I suggest that we ask X.509 to</FONT> <BR><FONT SIZE=2>> allow the keyCertSign bit to be asserted in Attribute Authority</FONT> <BR><FONT SIZE=2>> certificates, as well as CA certificates. As far as I can see, that would</FONT> <BR><FONT SIZE=2>> make the CRL validation algorithm identical for AA-issued and CA-issued</FONT> <BR><FONT SIZE=2>> CRL's.</FONT> </P> <P><FONT SIZE=2>No. I support reserving the keyCertSign bit exclusively for use in</FONT> <BR><FONT SIZE=2>certificates of issuers of (public-) key certificates.</FONT> </P> <BR> <P><FONT SIZE=2>Regards,</FONT> </P> <P><FONT SIZE=2>Dave</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0E51D.30B1E0F0-- Received: by above.proper.com (8.9.3/8.9.3) id GAA00119 for ietf-pkix-bks; Fri, 25 May 2001 06:13:38 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA00113 for <ietf-pkix@imc.org>; Fri, 25 May 2001 06:13:32 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id JAA08583 for <ietf-pkix@imc.org>; Fri, 25 May 2001 09:13:20 -0400 (EDT) Received: from reject.missi.ncsc.mil (reject.missi.ncsc.mil [144.51.60.17]) by stingray.missi.ncsc.mil with SMTP id JAA08579 for <ietf-pkix@imc.org>; Fri, 25 May 2001 09:13:20 -0400 (EDT) Received: from 144.51.60.215 by reject.missi.ncsc.mil (InterScan E-Mail VirusWall NT); Fri, 25 May 2001 09:15:56 -0400 (Eastern Daylight Time) Received: from missi.ncsc.mil (ara.missi.ncsc.mil [144.51.55.128]) by amx.missi.ncsc.mil with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id LQK7K1AF; Fri, 25 May 2001 09:16:40 -0400 Message-ID: <3B0E597B.930577DF@missi.ncsc.mil> Date: Fri, 25 May 2001 09:09:15 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 CC: ietf-pkix@imc.org Subject: Re: cA flag and CRL issuers References: <KHEDLMGGCCGHDAAKNAFOKEFGCAAA.ccovey@cylink.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Carlin Covey wrote: > Some postings in this thread have attached significance to the fact that > X.509 does not discuss whether the CA bit should be set when cRLSign is true > but keyCertSign is false. I agree with you, Russ, that the discussion > should center on the level of flexibility and complexity that the PKIX > community want to embrace in its certificate and CRL profile, rather than > the nuances of text omissions in X.509. Yes. > I also agree that Sharon does a fine job in representing X.509's view. I > understand that she is on vacation at the moment. Yes! It is exceedingly rare to find in one person her level of technical understanding, fairness, and equanimity. Thank you, Sharon. > All that said, let me now second Santosh's proposal: "I vote for not > requiring the cA flag for CRL check and making appropriate changes to X.509 > and to PKIX to make it clear and consistent." - Santosh Chokhani, 24 May > 2001 Yes. However, for consistency you need a generation non-requirement in addition to Santosh's recipient non-requirement: I vote for not requiring the cA flag for CRL generation or checking and for making appropriate changes to X.509 and to PKIX to make them clear and consistent. > To streamline the algorithm a little further, I suggest that we ask X.509 to > allow the keyCertSign bit to be asserted in Attribute Authority > certificates, as well as CA certificates. As far as I can see, that would > make the CRL validation algorithm identical for AA-issued and CA-issued > CRL's. No. I support reserving the keyCertSign bit exclusively for use in certificates of issuers of (public-) key certificates. Regards, Dave Received: by above.proper.com (8.9.3/8.9.3) id EAA20045 for ietf-pkix-bks; Fri, 25 May 2001 04:00:05 -0700 (PDT) Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA20024 for <ietf-pkix@imc.org>; Fri, 25 May 2001 03:59:58 -0700 (PDT) Received: from ireserver.Ireland.Sun.COM ([129.156.220.7]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id EAA22612; Fri, 25 May 2001 04:59:55 -0600 (MDT) Received: from sun.com (boston [129.156.220.153]) by ireserver.Ireland.Sun.COM (8.8.8+Sun/8.8.8/ENSMAIL,v2.1p1) with ESMTP id LAA24950; Fri, 25 May 2001 11:59:55 +0100 (BST) Message-ID: <3B0E3B2B.475CCD8D@sun.com> Date: Fri, 25 May 2001 11:59:55 +0100 From: Sean Mullan <sean.mullan@sun.com> Organization: Sun Microsystems X-Mailer: Mozilla 4.76C-CCK-MCD Netscape [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org, pki-twg@nist.gov Subject: Java CertPath API now available in J2SE 1.4 beta Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> I would like to bring to your attention for a moment the just-released J2SE (Java 2 Standard Edition) 1.4 Beta release: http://java.sun.com/j2se/1.4/index.html This includes the current version of the CertPath API and Reference Implementation. This is a proposed standard Java API for building and validating certification paths that is being developed using the Java Community Process. See http://java.sun.com/jcp/jsr/jsr_055_certp.html for the latest status. The CertPath API (developed as an extension of the java.security.cert package) includes classes for representing, building and validating certification paths. The API is very extensible. It allows you to plug in implementations of standard certification path algorithms, types and certificate repositories using the Java Cryptography Architecture. It also allows you to extend the PKIX validation algorithm by implementing callback classes to handle private extensions or an alternate revocation checking mechanism, for example. The reference implementation of the APIs included in the beta release includes an implementation of the PKIX certification path validation algorithm and also includes support for retrieving certificates and CRLs using LDAP (using the schema defined in RFC 2587) or a simpler Collection. Please see the beta release notes for a couple of known problems that will be addressed in the next update. Also, see the Programmer's Guide (http://java.sun.com/j2se/1.4/docs/guide/security/certpath/CertPathProgGuide.html) for an overview and examples of using the API. We hope you find these APIs to be well designed and flexible. Please submit any feedback to the "certpath-experts-lead@ireland.sun.com" or "java-security@sun.com" aliases. Thanks, Sean Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id SAA18401 for ietf-pkix-bks; Thu, 24 May 2001 18:13:08 -0700 (PDT) Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA18395 for <ietf-pkix@imc.org>; Thu, 24 May 2001 18:13:02 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id LQQYJXAA; Thu, 24 May 2001 18:06:40 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, <chokhani@cygnacom.com> Cc: <ietf-pkix@imc.org> Subject: RE: cA flag and CRL issuers Date: Thu, 24 May 2001 18:12:42 -0700 Message-ID: <KHEDLMGGCCGHDAAKNAFOKEFGCAAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <5.0.1.4.2.20010524155539.01ddb838@exna07.securitydynamics.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Thanks for answering my questions, Russ. Socrates must have been better at the method than I am. ;>) Let me try a more straightforward approach. Some postings in this thread have stated that only CA's can issue CRL's. 'Tain't true. As Russ says, Attribute Authorities can also issue CRL's. Some postings in this thread have attached significance to the fact that X.509 does not discuss whether the CA bit should be set when cRLSign is true but keyCertSign is false. I agree with you, Russ, that the discussion should center on the level of flexibility and complexity that the PKIX community want to embrace in its certificate and CRL profile, rather than the nuances of text omissions in X.509. I also agree that Sharon does a fine job in representing X.509's view. I understand that she is on vacation at the moment. All that said, let me now second Santosh's proposal: "I vote for not requiring the cA flag for CRL check and making appropriate changes to X.509 and to PKIX to make it clear and consistent." - Santosh Chokhani, 24 May 2001 My rationale is this: Attribute Authorities can issue CRL's. Attribute Authority certificates will not have the CA bit set. So if we don't adopt Santosh's proposal, the validation algorithm for CRL's will check for the CA bit in the CRL issuer's certificate if the CRL issuer is a CA, but will not check for the CA bit if the issuer is an Attribute Authority. This doesn't appear to add anything to the security, since having the CA bit set doesn't mean that the CA is authoritative for status of the certificates on the CRL. In both the CRL-issuer-is-CA case and the CRL-issuer-is-AA case the validation algorithm must ensure that the CRL issuer is either the issuer of the certificates on the CRL, or is a delegate of the issuer of the certificates on the CRL. So why bother checking the CA bit? To streamline the algorithm a little further, I suggest that we ask X.509 to allow the keyCertSign bit to be asserted in Attribute Authority certificates, as well as CA certificates. As far as I can see, that would make the CRL validation algorithm identical for AA-issued and CA-issued CRL's. "The bit keyCertSign is for use in CA-certificates only." - X.509 Ed. 4 v8, section 8.2.2.3 "Key usage extension" Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Housley, Russ Sent: Thursday, May 24, 2001 1:04 PM To: Carlin Covey Cc: ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers Carlin: >1) If only a CA can issue CRLs, and an Attribute Authority is not >a CA, then who is going to revoke an AA's Attribute Certificates? CAs issue public key certificates and they may issue CRLs associated with those public key certificates. AAs issue attribute certificates and they may issue CRLs associated with those attribute certificates. >2) Perhaps there is no great significance to the fact that X.509 >does not mention the CA bit in connection with verifying signatures >over CRLs. It may simply reflect the earlier historical reality. >Once upon a time only the certificate issuer's certificate could >be used to verify the signature over the corresponding CRL. With X.509v3 certificates, we get increased flexibility and complexity. I hope this thread is about the level of flexibility and complexity that we want to embrace in the Internet profile of X.509v3. In many cases, we have reduced flexibility in order to achieve greater interoperability and simplicity. >3) Why don't we just ask the good folks in the X.509 working group >what the current text in X.509 section 8.4.2.1 "Basic constraints extension" >is intended to mean with respect to CA bit and CRL signing? I think that Sharon has done a fine job in patiently representing the views as the editor of X.509. Editors often represent and write the view of the overall group, even when they personally disagree with a particular detail. I applaud her efforts. Russ Received: by above.proper.com (8.9.3/8.9.3) id PAA06786 for ietf-pkix-bks; Thu, 24 May 2001 15:01:35 -0700 (PDT) Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA06782 for <ietf-pkix@imc.org>; Thu, 24 May 2001 15:01:30 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GDV00401170YD@ext-mail.valicert.com> for ietf-pkix@imc.org; Thu, 24 May 2001 15:01:49 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GDV00474170LT@ext-mail.valicert.com>; Thu, 24 May 2001 15:01:48 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26TD44>; Thu, 24 May 2001 14:59:11 -0700 Content-return: allowed Date: Thu, 24 May 2001 14:59:02 -0700 From: Peter Williams <peterw@valicert.com> Subject: RE: cA flag and CRL issuers To: "'Tony Bartoletti'" <azb@llnl.gov>, ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E01F4A1EC@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> "And does an AA have ability to enforce this delegation (via key usage flags, etc) in parallel to the mechanisms afforded a PKC-CA?" PMI AAs have a properly designed set of delegation techniques to accomplish this and other uses of delegation that control privileges; this set contrasts markedly with the proposed kludges for PKI entities. The functions of AA-based delegation are properly modelled as privileges, specified for us to use, and our implementable. They do not rely upon misuing (or even require the existance of) of PKI extension fields to enforce the Housley "authority policy" [X.509], say, between an issuing authority and a CRL issuer. X.509 certainly does not require that a CRL Issuer be issued a PKI cert by the CA with whom it cooperates in the matter of communicating revocation notices, or require that the authority that does issue indirect CRLs be in the same certification/policy domain as the cert issuing authority. Indeed, I dont know how anyone can read X.509 and claim that it mandates or even describes a delegation model between CAs and CRL Issuers. It specifically states that "authority policy" [X.509] deals with these kind of matters, particularly when there are multiple CRL Issuers for a given CA. The PKI work in X.509 simply does not require nor does it describe the use of delegation as an enforcement technique, and it does not mandate/hint/intend any particular authority policy. If PKIX authors want to mandate an authority policy (why? I understand why MISSI users would want a uniform policy, but why so constrain the Internet PKI?) then they should do it properly using the techniques provided. Use PMI delegation privileges, using the delegation model in 15.5, constraining the certificate policy oids in the CRL Issuers EE cert so relying parties can use conventional cert path processing to enforce the CAs authority policy over the CRL Issuers. This way (15.5.2.3), bridge models, hierarhical models and cross-certification models all still work; hierarchical PKIs can still use CRL issuers in bridge models, etc, by using policy mapping, path processing enforcement, etc. Peter. Received: by above.proper.com (8.9.3/8.9.3) id OAA05172 for ietf-pkix-bks; Thu, 24 May 2001 14:20:22 -0700 (PDT) Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id OAA05168 for <ietf-pkix@imc.org>; Thu, 24 May 2001 14:20:16 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 24 May 2001 21:19:43 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id RAA07884 for <ietf-pkix@imc.org>; Thu, 24 May 2001 17:20:18 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <LR8TAA4C>; Thu, 24 May 2001 17:20:18 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.65]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id LR8TAAT0; Thu, 24 May 2001 17:20:15 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Carlin Covey <ccovey@cylink.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010524155539.01ddb838@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 24 May 2001 16:03:50 -0400 Subject: RE: cA flag and CRL issuers In-Reply-To: <KHEDLMGGCCGHDAAKNAFOCEENCAAA.ccovey@cylink.com> References: <002e01c0e261$d5c5f7c0$6401a8c0@hwrd1.md.home.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Carlin: >1) If only a CA can issue CRLs, and an Attribute Authority is not >a CA, then who is going to revoke an AA's Attribute Certificates? CAs issue public key certificates and they may issue CRLs associated with those public key certificates. AAs issue attribute certificates and they may issue CRLs associated with those attribute certificates. >2) Perhaps there is no great significance to the fact that X.509 >does not mention the CA bit in connection with verifying signatures >over CRLs. It may simply reflect the earlier historical reality. >Once upon a time only the certificate issuer's certificate could >be used to verify the signature over the corresponding CRL. With X.509v3 certificates, we get increased flexibility and complexity. I hope this thread is about the level of flexibility and complexity that we want to embrace in the Internet profile of X.509v3. In many cases, we have reduced flexibility in order to achieve greater interoperability and simplicity. >3) Why don't we just ask the good folks in the X.509 working group >what the current text in X.509 section 8.4.2.1 "Basic constraints extension" >is intended to mean with respect to CA bit and CRL signing? I think that Sharon has done a fine job in patiently representing the views as the editor of X.509. Editors often represent and write the view of the overall group, even when they personally disagree with a particular detail. I applaud her efforts. Russ Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id OAA04485 for ietf-pkix-bks; Thu, 24 May 2001 14:11:22 -0700 (PDT) Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA04458 for <ietf-pkix@imc.org>; Thu, 24 May 2001 14:11:11 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <LRSZVKDM>; Thu, 24 May 2001 17:10:43 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DEEFA@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Stephen Kent <kent@bbn.com> Cc: ietf-pkix@imc.org Subject: RE: cA Flag -- cRLSign Date: Thu, 24 May 2001 17:01:09 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0E494.A80E5C20" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0E494.A80E5C20 Content-Type: text/plain; charset="iso-8859-1" Steve: I vote for not requiring the cA flag for CRL check and making appropriate changes to X.509 and to PKIX to make it clear and consistent -----Original Message----- From: Stephen Kent [mailto:kent@bbn.com] Sent: Tuesday, May 22, 2001 8:13 AM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: Re: cA Flag -- cRLSign At 2:55 PM -0400 5/18/01, Santosh Chokhani wrote: Steve: I have a compromise proposal in this area. As Russ Housley says: In the interest of interoperability, the generator should be strict and processor should be forgiving (assuming no security) is compromised. I would say let us do the following: 1. A PKIX compliant CA must assert basicConstraints with cA set to TRUE if cRLSign bit is set, and 2. A PKIX compliant relying party client must check cRLSign flag in the keyUsage extension, if keyUsage extension is present, when using the public key of the subject to verify a signature on the CRL. However, if the keyUsage extension is absent, basicConstraints must be present with cA = TRUE I think it confusing for a standard to encourage asymmetric behavior for CAs vs. clients. It also removes a big part of the motivation for CAs to set the flag according to the standard. As I said earlier, if there is consensus to remove the need for cA to be asserted in certs associated with CRL validation, then we can make that explicit in the standard, but we just have to "buy in" to making the other changes to clarify this, and to name a role for entities who sign CRLs but who are not CAs. Steve ------_=_NextPart_001_01C0E494.A80E5C20 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>Re: cA Flag -- cRLSign</TITLE> <STYLE type=text/css>BLOCKQUOTE { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } DL { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } UL { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } OL { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } LI { MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px } </STYLE> <META content="MSHTML 5.00.2014.210" name=GENERATOR></HEAD> <BODY> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=732390921-24052001>Steve:</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=732390921-24052001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=732390921-24052001>I vote for not requiring the cA flag for CRL check and making appropriate changes to X.509 and to PKIX to make it clear and consistent</SPAN></FONT></DIV> <DIV> </DIV> <DIV class=OutlookMessageHeader><FONT face="Times New Roman" size=2>-----Original Message-----<BR><B>From:</B> Stephen Kent [mailto:kent@bbn.com]<BR><B>Sent:</B> Tuesday, May 22, 2001 8:13 AM<BR><B>To:</B> Santosh Chokhani<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> Re: cA Flag -- cRLSign<BR><BR></FONT></DIV> <DIV>At 2:55 PM -0400 5/18/01, Santosh Chokhani wrote:</DIV> <BLOCKQUOTE cite type="cite"><FONT face=Arial size=-1>Steve:</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE cite type="cite"><FONT face=Arial size=-1>I have a compromise proposal in this area. As Russ Housley says: In the interest of interoperability, the generator should be strict and processor should be forgiving (assuming no security) is compromised.</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE cite type="cite"><FONT face=Arial size=-1>I would say let us do the following:</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE cite type="cite"><FONT face=Arial size=-1>1. A PKIX compliant CA must assert basicConstraints with cA set to TRUE if cRLSign bit is set, and</FONT><BR></BLOCKQUOTE> <BLOCKQUOTE cite type="cite"><FONT face=Arial size=-1>2. A PKIX compliant relying party client must check cRLSign flag in the keyUsage extension, if keyUsage extension is present, when using the public key of the subject to verify a signature on the CRL. However, if the keyUsage extension is absent, basicConstraints must be present with cA = TRUE</FONT></BLOCKQUOTE> <DIV><BR></DIV> <DIV>I think it confusing for a standard to encourage asymmetric behavior for CAs vs. clients. It also removes a big part of the motivation for CAs to set the flag according to the standard.</DIV> <DIV><BR></DIV> <DIV>As I said earlier, if there is consensus to remove the need for cA to be asserted in certs associated with CRL validation, then we can make that explicit in the standard, but we just have to "buy in" to making the other changes to clarify this, and to name a role for entities who sign CRLs but who are not CAs.</DIV> <DIV><BR></DIV> <DIV>Steve</DIV></BODY></HTML> ------_=_NextPart_001_01C0E494.A80E5C20-- Received: by above.proper.com (8.9.3/8.9.3) id NAA01618 for ietf-pkix-bks; Thu, 24 May 2001 13:39:02 -0700 (PDT) Received: from smtp-1.llnl.gov (smtp-1.llnl.gov [128.115.250.81]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA01610 for <ietf-pkix@imc.org>; Thu, 24 May 2001 13:38:57 -0700 (PDT) Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-1.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id NAA05306 for <ietf-pkix@imc.org>; Thu, 24 May 2001 13:38:29 -0700 (PDT) Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id NAA19422 for <ietf-pkix@imc.org>; Thu, 24 May 2001 13:38:29 -0700 (PDT) Message-Id: <4.3.2.7.2.20010524133231.00c3a790@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 24 May 2001 13:44:33 -0700 To: ietf-pkix@imc.org From: Tony Bartoletti <azb@llnl.gov> Subject: RE: cA flag and CRL issuers In-Reply-To: <5.0.1.4.2.20010524155009.01ddc1f8@exna07.securitydynamics. com> References: <899128A30EEDD1118FC900A0C9C74A34BA97F0@BIGBIRD> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> At 03:53 PM 5/24/01 -0400, Housley, Russ wrote: >It has never been my intent to add any new entities to the Internet PKI >model. The CA is responsible for maintaining revocation status >information about the certificates that it issues. The indirect CRL >mechanism allows the CA to delegate the issuing of CRLs that cover all or >some portion of those certificates to another CA. We still call it a CA >even if it never issues any certificates, only CRLs. > >Russ Since the designation "CA" is specifically a PKC-CA (correct me otherwise,) your statement does not address AAs. In parallel logic, would it be correct to say when an Attribute Authority delegates the issue of "Attribute CRLs" to another party, that other party is thus to be called an AA, even though it may not issue attribute certificates? And does an AA have ability to enforce this delegation (via key usage flags, etc) in parallel to the mechanisms afforded a PKC-CA? ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: by above.proper.com (8.9.3/8.9.3) id MAA28849 for ietf-pkix-bks; Thu, 24 May 2001 12:54:51 -0700 (PDT) Received: from gonzo.aus.rsa.com (mail.rsasecurity.com.au [203.46.112.10]) by above.proper.com (8.9.3/8.9.3) with SMTP id MAA28837 for <ietf-pkix@imc.org>; Thu, 24 May 2001 12:54:43 -0700 (PDT) Received: from checkpoint.local.aus.rsa.com by gonzo.aus.rsa.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 24 May 2001 19:51:12 UT Received: (private information removed) Received: (private information removed) Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.109]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id LR8S00C3; Thu, 24 May 2001 15:54:01 -0400 Message-Id: <5.0.1.4.2.20010524155009.01ddc1f8@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 24 May 2001 15:53:57 -0400 To: ietf-pkix@imc.org From: "Housley, Russ" <rhousley@rsasecurity.com> Subject: RE: cA flag and CRL issuers In-Reply-To: <899128A30EEDD1118FC900A0C9C74A34BA97F0@BIGBIRD> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> It has never been my intent to add any new entities to the Internet PKI model. The CA is responsible for maintaining revocation status information about the certificates that it issues. The indirect CRL mechanism allows the CA to delegate the issuing of CRLs that cover all or some portion of those certificates to another CA. We still call it a CA even if it never issues any certificates, only CRLs. Russ Received: by above.proper.com (8.9.3/8.9.3) id KAA24444 for ietf-pkix-bks; Thu, 24 May 2001 10:51:40 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA24426 for <ietf-pkix@imc.org>; Thu, 24 May 2001 10:51:27 -0700 (PDT) Received: from [128.33.4.247] (bbnt-dhcp004-247.bbn.com [128.33.4.247]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id NAA23238; Thu, 24 May 2001 13:51:23 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <p05010401b73008647c40@[128.33.4.247]> In-Reply-To: <3B092C0E.8053C731@missi.ncsc.mil> References: <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010418133051.00addb60@email.nist.gov> <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010515172220.00a677b0@email.nist.gov> <p05010406b72760acb0bf@[128.33.238.68]> <200105161648.JAA13461@above.proper.com> <p05010403b7288eeda3d6@[128.33.238.22]> <3B092C0E.8053C731@missi.ncsc.mil> Date: Tue, 22 May 2001 08:25:36 -0400 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> From: Stephen Kent <kent@bbn.com> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Dave, >Hi Steve, > >I certainly agree that the intent of X.509, from v1 to the present, was >that a CA entity is the ultimate and sole authority for revoking the >certificates that it issues. > >However, Tim has proposed changing the text of PKIX to require the cA >flag to be set in every certificate whose subject is a CA entity. >Such a change is unnecessary. > >The question is: > > * When a CA entity uses one public key to sign certificates > * and a different public key to sign CRLs, must the cA flag be set > * in the certificate containing the public key used to sign CRLs? > >I say no. David Cooper, Santosh, Sharon, Denis, Tom, and others >can answer this question explicitly for themselves; I will refrain >from interpreting their words. > This is a big part of the question at hand, but not the whole question. If we do agree that the cA flag need not be set in a cert used by a CA who signs a CRL, then what about a non-CA entity that signs a CRL? What do we call it? Also, it might be clear that the entity signing the CRL was a CA (w/o the cA flag set), because the entity has the same name as the CA who signed the certs in question, i.e., we're dealing with a self-issued cert. But, what if the name is different? In that latter case, we need to make an explicit statement about the role of the entity in question, starting with naming that role. I agree that a very broad interpretation of the requirement to set the cA flag runs into problems, but so do the key usage bits in some contexts. For example, if a CA signs a cert request message in CMP, requesting a cross-cert from another CA, isn't this use of the CA private key for POP a contradiction of the key usage bits in the self-signed cert issued by the CA to itself? Steve Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id KAA24441 for ietf-pkix-bks; Thu, 24 May 2001 10:51:37 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA24429 for <ietf-pkix@imc.org>; Thu, 24 May 2001 10:51:30 -0700 (PDT) Received: from [128.33.4.247] (bbnt-dhcp004-247.bbn.com [128.33.4.247]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id NAA23233; Thu, 24 May 2001 13:51:22 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com (Unverified) Message-Id: <p05010400b7300788484d@[128.33.4.247]> In-Reply-To: <8D7EC1912E25D411A32100D0B76953978DECCC@scygmxs01.cygnacom.com> References: <8D7EC1912E25D411A32100D0B76953978DECCC@scygmxs01.cygnacom.com> Date: Tue, 22 May 2001 08:12:54 -0400 To: Santosh Chokhani <chokhani@cygnacom.com> From: Stephen Kent <kent@bbn.com> Subject: Re: cA Flag -- cRLSign Cc: ietf-pkix@imc.org Content-Type: multipart/alternative; boundary="============_-1221395796==_ma============" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> --============_-1221395796==_ma============ Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 2:55 PM -0400 5/18/01, Santosh Chokhani wrote: >Steve: > >I have a compromise proposal in this area. As Russ Housley says: In >the interest of interoperability, the generator should be strict and >processor should be forgiving (assuming no security) is compromised. > >I would say let us do the following: > >1. A PKIX compliant CA must assert basicConstraints with cA set to >TRUE if cRLSign bit is set, and > >2. A PKIX compliant relying party client must check cRLSign flag in >the keyUsage extension, if keyUsage extension is present, when using >the public key of the subject to verify a signature on the CRL. >However, if the keyUsage extension is absent, basicConstraints must >be present with cA = TRUE I think it confusing for a standard to encourage asymmetric behavior for CAs vs. clients. It also removes a big part of the motivation for CAs to set the flag according to the standard. As I said earlier, if there is consensus to remove the need for cA to be asserted in certs associated with CRL validation, then we can make that explicit in the standard, but we just have to "buy in" to making the other changes to clarify this, and to name a role for entities who sign CRLs but who are not CAs. Steve --============_-1221395796==_ma============ Content-Type: text/html; charset="us-ascii" <!doctype html public "-//W3C//DTD W3 HTML//EN"> <html><head><style type="text/css"><!-- blockquote, dl, ul, ol, li { margin-top: 0 ; margin-bottom: 0 } --></style><title>Re: cA Flag -- cRLSign</title></head><body> <div>At 2:55 PM -0400 5/18/01, Santosh Chokhani wrote:</div> <blockquote type="cite" cite><font face="Arial" size="-1">Steve:</font><br> </blockquote> <blockquote type="cite" cite><font face="Arial" size="-1">I have a compromise proposal in this area. As Russ Housley says: In the interest of interoperability, the generator should be strict and processor should be forgiving (assuming no security) is compromised.</font><br> </blockquote> <blockquote type="cite" cite><font face="Arial" size="-1">I would say let us do the following:</font><br> </blockquote> <blockquote type="cite" cite><font face="Arial" size="-1">1. A PKIX compliant CA must assert basicConstraints with cA set to TRUE if cRLSign bit is set, and</font><br> </blockquote> <blockquote type="cite" cite><font face="Arial" size="-1">2. A PKIX compliant relying party client must check cRLSign flag in the keyUsage extension, if keyUsage extension is present, when using the public key of the subject to verify a signature on the CRL. However, if the keyUsage extension is absent, basicConstraints must be present with cA = TRUE</font></blockquote> <div><br></div> <div>I think it confusing for a standard to encourage asymmetric behavior for CAs vs. clients. It also removes a big part of the motivation for CAs to set the flag according to the standard.</div> <div><br></div> <div>As I said earlier, if there is consensus to remove the need for cA to be asserted in certs associated with CRL validation, then we can make that explicit in the standard, but we just have to "buy in" to making the other changes to clarify this, and to name a role for entities who sign CRLs but who are not CAs.</div> <div><br></div> <div>Steve</div> </body> </html> --============_-1221395796==_ma============-- Received: by above.proper.com (8.9.3/8.9.3) id EAA24223 for ietf-pkix-bks; Thu, 24 May 2001 04:02:10 -0700 (PDT) Received: from ietf.org (odin.ietf.org [132.151.1.176]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA24216 for <ietf-pkix@imc.org>; Thu, 24 May 2001 04:02:05 -0700 (PDT) Received: from CNRI.Reston.VA.US (localhost [127.0.0.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA10400; Thu, 24 May 2001 07:01:48 -0400 (EDT) Message-Id: <200105241101.HAA10400@ietf.org> Mime-Version: 1.0 Content-Type: Multipart/Mixed; Boundary="NextPart" To: IETF-Announce: ; Cc: ietf-pkix@imc.org From: Internet-Drafts@ietf.org Reply-to: Internet-Drafts@ietf.org Subject: I-D ACTION:draft-ietf-pkix-cmp-transport-protocols-04.txt Date: Thu, 24 May 2001 07:01:48 -0400 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF. Title : Transport Protocols for CMP Author(s) : A. Kapoor, R. Tschalar Filename : draft-ietf-pkix-cmp-transport-protocols-04.txt Pages : Date : 23-May-01 This document describes how to layer Certificate Management Protocols [CMP] over various transport protocols. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-pkix-cmp-transport-protocols-04.txt Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-pkix-cmp-transport-protocols-04.txt". A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt Internet-Drafts can also be obtained by e-mail. Send a message to: mailserv@ietf.org. In the body type: "FILE /internet-drafts/draft-ietf-pkix-cmp-transport-protocols-04.txt". NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages. Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Multipart/Alternative; Boundary="OtherAccess" --OtherAccess Content-Type: Message/External-body; access-type="mail-server"; server="mailserv@ietf.org" Content-Type: text/plain Content-ID: <20010523114128.I-D@ietf.org> ENCODING mime FILE /internet-drafts/draft-ietf-pkix-cmp-transport-protocols-04.txt --OtherAccess Content-Type: Message/External-body; name="draft-ietf-pkix-cmp-transport-protocols-04.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <20010523114128.I-D@ietf.org> --OtherAccess-- --NextPart-- Received: by above.proper.com (8.9.3/8.9.3) id LAA09790 for ietf-pkix-bks; Wed, 23 May 2001 11:47:37 -0700 (PDT) Received: from mailgw2a.lmco.com (mailgw2a.lmco.com [192.91.147.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA09785 for <ietf-pkix@imc.org>; Wed, 23 May 2001 11:47:31 -0700 (PDT) Received: from emss03g01.ems.lmco.com (emss03g01.ems.lmco.com [141.240.4.144]) by mailgw2a.lmco.com (8.8.8/8.8.8) with ESMTP id OAA18853; Wed, 23 May 2001 14:47:31 -0400 (EDT) Received: from CONVERSION-DAEMON by lmco.com (PMDF V5.2-32 #38888) id <0GDS00J01XDXY6@lmco.com>; Wed, 23 May 2001 14:44:21 -0400 (EDT) Received: from emss03i00.ems.lmco.com ([141.240.31.211]) by lmco.com (PMDF V5.2-32 #38888) with ESMTP id <0GDS00FPMXDTXK@lmco.com>; Wed, 23 May 2001 14:44:17 -0400 (EDT) Received: by emss03i00.orl.lmco.com with Internet Mail Service (5.5.2653.19) id <L1PFLMRQ>; Wed, 23 May 2001 14:44:22 -0400 Content-return: allowed Date: Wed, 23 May 2001 14:44:19 -0400 From: "Slone, Skip" <skip.slone@lmco.com> Subject: RE: X.509 Certificate schema in LDAPv3 To: "'Kurt D. Zeilenga'" <Kurt@OpenLDAP.org>, ietf-pkix@imc.org Message-id: <B23207A86E7BD411A7000008C7E6693C77FAF0@emss03m03.orl.lmco.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-type: text/plain Content-transfer-encoding: 7BIT Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Kurt, Could you please clarify what you mean by "As much of this schema is broken ... " and "... the X.509 certificate schema is known to be broken in LDAPv3 ... ?" In my capacity as the US Defect Editor for X.500, no one has EVER brought any broken schema elements in the 3rd edition to my attention. -- Skip Slone -----Original Message----- From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org] Sent: Wednesday, May 23, 2001 9:07 AM To: ietf-pkix@imc.org Subject: X.509 Certificate schema in LDAPv3 LDAPbis is currently revising the LDAPv3 for publication as a Draft Standard. One of the significant issues in which we are addressing is LDAP's relationship to X.500. The consensus of the WG has determined it best that LDAPv3 only reference the one edition of X.500 and not both the 2nd and 3rd editions as the Proposed Standard did. The consensus of the LDAPbis WG is to only reference the 2nd edition as this is what the protocol itself depends on, and to drop the few schema elements from the "core" document which are dependent on the 3rd edition. As much of this schema is broken anyways, this seems like the most reasonable solution. The most significant impact of this change is that the X.509 certificate schema would be dropped from the "core" documents and, hopefully, picked up in a separate document. I note that the X.509 certificate schema is known to be broken in LDAPv3, in particular the attributes are missing key matching rules. I understand that PKIX is working on an PKI profile for LDAPv3 which includes additional X.509 certificate schema. I would suggest that this work be expanded to include new specification of the RFC 2252/2256 certificate schema elements. -- Kurt Received: by above.proper.com (8.9.3/8.9.3) id JAA05279 for ietf-pkix-bks; Wed, 23 May 2001 09:58:25 -0700 (PDT) Received: from mta01-svc.ntlworld.com (mta01-svc.ntlworld.com [62.253.162.41]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA05260 for <ietf-pkix@imc.org>; Wed, 23 May 2001 09:58:18 -0700 (PDT) Received: from salford.ac.uk ([62.252.104.40]) by mta01-svc.ntlworld.com (InterMail vM.4.01.02.27 201-229-119-110) with ESMTP id <20010523165819.WQUO283.mta01-svc.ntlworld.com@salford.ac.uk>; Wed, 23 May 2001 17:58:19 +0100 Message-ID: <3B0BED75.248B9E6A@salford.ac.uk> Date: Wed, 23 May 2001 18:03:49 +0100 From: David Chadwick <d.w.chadwick@salford.ac.uk> Organization: University of Salford X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> CC: ietf-pkix@imc.org Subject: Re: X.509 Certificate schema in LDAPv3 References: <5.1.0.14.0.20010523075142.00ad21f0@127.0.0.1> Content-Type: multipart/mixed; boundary="------------B613F78E952BCF903C22DD10" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> This is a multi-part message in MIME format. --------------B613F78E952BCF903C22DD10 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Kurt I am happy to include the schema definitions in the PKIX LDAP Schema document. David "Kurt D. Zeilenga" wrote: > > LDAPbis is currently revising the LDAPv3 for publication > as a Draft Standard. One of the significant issues in > which we are addressing is LDAP's relationship to X.500. > The consensus of the WG has determined it best that LDAPv3 > only reference the one edition of X.500 and not both the > 2nd and 3rd editions as the Proposed Standard did. The > consensus of the LDAPbis WG is to only reference the 2nd > edition as this is what the protocol itself depends on, > and to drop the few schema elements from the "core" document > which are dependent on the 3rd edition. As much of this > schema is broken anyways, this seems like the most reasonable > solution. > > The most significant impact of this change is that the > X.509 certificate schema would be dropped from the "core" > documents and, hopefully, picked up in a separate document. > I note that the X.509 certificate schema is known to be > broken in LDAPv3, in particular the attributes are missing > key matching rules. > > I understand that PKIX is working on an PKI profile for > LDAPv3 which includes additional X.509 certificate schema. > I would suggest that this work be expanded to include > new specification of the RFC 2252/2256 certificate schema > elements. > > -- Kurt -- ***************************************************************** David Chadwick, BSc PhD Post: IS Institute, University of Salford, Salford M5 4WT Tel: +44 161 295 5351 Fax +44 161 745 8169 *NEW* Mobile: +44 77 96 44 7184 *NEW* Email: D.W.Chadwick@salford.ac.uk Home Page: http://www.salford.ac.uk/its024/chadwick.htm Research Projects: http://sec.isi.salford.ac.uk Understanding X.500: http://www.salford.ac.uk/its024/X500.htm X.500/LDAP Seminars: http://www.salford.ac.uk/its024/seminars.htm Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 ***************************************************************** --------------B613F78E952BCF903C22DD10 Content-Type: text/x-vcard; charset=us-ascii; name="d.w.chadwick.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for David Chadwick Content-Disposition: attachment; filename="d.w.chadwick.vcf" begin:vcard n:Chadwick;David tel;cell:+44 77 96 44 7184 tel;fax:+44 1484 532930 tel;home:+44 1484 352238 tel;work:+44 161 295 5351 x-mozilla-html:FALSE adr:;;;;;; version:2.1 email;internet:d.w.chadwick@salford.ac.uk x-mozilla-cpt:;11160 fn:David Chadwick end:vcard --------------B613F78E952BCF903C22DD10-- Received: by above.proper.com (8.9.3/8.9.3) id GAA17691 for ietf-pkix-bks; Wed, 23 May 2001 06:10:14 -0700 (PDT) Received: from pretender.boolean.net (root@router.boolean.net [198.144.206.49]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA17674 for <ietf-pkix@imc.org>; Wed, 23 May 2001 06:10:02 -0700 (PDT) Received: from gypsy.OpenLDAP.org (root@router.boolean.net [198.144.206.49]) by pretender.boolean.net (8.11.3/8.11.1/Boolean/Hub) with ESMTP id f4ND7Sp58338 for <ietf-pkix@imc.org>; Wed, 23 May 2001 13:07:28 GMT (envelope-from Kurt@OpenLDAP.org) Message-Id: <5.1.0.14.0.20010523075142.00ad21f0@127.0.0.1> X-Sender: guru@127.0.0.1 X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 23 May 2001 08:06:54 -0500 To: ietf-pkix@imc.org From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> Subject: X.509 Certificate schema in LDAPv3 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> LDAPbis is currently revising the LDAPv3 for publication as a Draft Standard. One of the significant issues in which we are addressing is LDAP's relationship to X.500. The consensus of the WG has determined it best that LDAPv3 only reference the one edition of X.500 and not both the 2nd and 3rd editions as the Proposed Standard did. The consensus of the LDAPbis WG is to only reference the 2nd edition as this is what the protocol itself depends on, and to drop the few schema elements from the "core" document which are dependent on the 3rd edition. As much of this schema is broken anyways, this seems like the most reasonable solution. The most significant impact of this change is that the X.509 certificate schema would be dropped from the "core" documents and, hopefully, picked up in a separate document. I note that the X.509 certificate schema is known to be broken in LDAPv3, in particular the attributes are missing key matching rules. I understand that PKIX is working on an PKI profile for LDAPv3 which includes additional X.509 certificate schema. I would suggest that this work be expanded to include new specification of the RFC 2252/2256 certificate schema elements. -- Kurt Received: by above.proper.com (8.9.3/8.9.3) id FAA16729 for ietf-pkix-bks; Wed, 23 May 2001 05:54:59 -0700 (PDT) Received: from pretender.boolean.net (root@router.boolean.net [198.144.206.49]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA16724 for <ietf-pkix@imc.org>; Wed, 23 May 2001 05:54:53 -0700 (PDT) Received: from gypsy.OpenLDAP.org (root@router.boolean.net [198.144.206.49]) by pretender.boolean.net (8.11.3/8.11.1/Boolean/Hub) with ESMTP id f4NCqDp58268 for <ietf-pkix@imc.org>; Wed, 23 May 2001 12:52:14 GMT (envelope-from Kurt@OpenLDAP.org) Message-Id: <5.1.0.14.0.20010523075135.00adf6f0@127.0.0.1> X-Sender: guru@127.0.0.1 X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 23 May 2001 07:51:40 -0500 To: ietf-pkix@imc.org From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> Subject: LDAP DN format and short names Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> There are numerous differences between the LDAPv2 and LDAPv3 DN specification. I discuss some of these differences in the draft-zeilenga-ldapbis-vd-00.txt. Anyways, these differences are quite moot as LDAPv2 should soon be moved to historical status (once LDAPv3 progresses to Draft Standard status). RFC 2253 was fairly clear as how to generate a string representation of an X.500(93) distinguished name. The most glaring problem was rather unclear as to which table of short names it was referring to in Section 2.3. The RFC 2253 editor stated that the 2.3 table is the table and not an example of table. This makes sense given the objectives of the I-D to produce an unambiguous string representation. However, as many implementations used other tables, LDAPbis determined it was inappropriate to mandate use of this table and arrived, after extended discussion but strong consensus, at the text you now find in draft-ietf-ldapbis-dn-05.txt. I note that this I-D has just completed an LDAPbis WG Last Call. We have a couple of clarifying comments to make and an implementation report to complete, but it's basically ready to be progressed. If you have issues which have not been addressed (see archives), you are encouraged to raise them now on the LDAPbis mailing list. Kurt Received: by above.proper.com (8.9.3/8.9.3) id DAA06395 for ietf-pkix-bks; Wed, 23 May 2001 03:49:49 -0700 (PDT) Received: from karon.dynas.se (karon.dynas.se [192.71.43.4]) by above.proper.com (8.9.3/8.9.3) with SMTP id DAA06378 for <ietf-pkix@imc.org>; Wed, 23 May 2001 03:49:42 -0700 (PDT) Received: (qmail 3124 invoked from network); 23 May 2001 10:49:36 -0000 Received: from spirit.sto.dynas.se (HELO spirit.dynas.se) (172.16.1.10) by 172.16.1.1 with SMTP; 23 May 2001 10:49:36 -0000 Received: (qmail 14054 invoked from network); 23 May 2001 10:49:35 -0000 Received: from unknown (HELO localhost.localdomain) (172.16.13.115) by spirit.dynas.se with SMTP; 23 May 2001 10:49:35 -0000 To: ietf-pkix@imc.org Subject: pkix operational protocols: dns From: Simon Josefsson <sjosefsson@rsasecurity.com> Date: 23 May 2001 12:49:31 +0200 Message-ID: <m3heyc1gsk.fsf@localhost.localdomain> Lines: 20 User-Agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/21.0.102 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Folks, I'd like to point your attention to http://www.ietf.org/internet-drafts/draft-josefsson-pkix-dns-00.txt for a suggestion on how DNS could be used within PKIX to locate, retrieve and publish certificates. As always, feedback appreciated. /Simon Abstract The protocol conventions described in this document satisfy some of the operational requirements of the Internet Public Key Infrastructure (PKI). This document specifies the conventions for using the Domain Name System (DNS) to obtain certificates and certificate revocation lists (CRLs) from PKI repositories. Additional mechanisms addressing PKIX operational requirements are specified in separate documents. Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id OAA07146 for ietf-pkix-bks; Tue, 22 May 2001 14:30:26 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA07122 for <ietf-pkix@imc.org>; Tue, 22 May 2001 14:30:17 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id RAA00921 for <ietf-pkix@imc.org>; Tue, 22 May 2001 17:30:03 -0400 (EDT) Received: from reject.missi.ncsc.mil (reject.missi.ncsc.mil [144.51.60.17]) by stingray.missi.ncsc.mil with SMTP id RAA00917 for <ietf-pkix@imc.org>; Tue, 22 May 2001 17:30:03 -0400 (EDT) Received: from 144.51.60.215 by reject.missi.ncsc.mil (InterScan E-Mail VirusWall NT); Tue, 22 May 2001 17:32:49 -0400 (Eastern Daylight Time) Received: from missi.ncsc.mil (ara.missi.ncsc.mil [144.51.55.128]) by amx.missi.ncsc.mil with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JSFMCMAM; Tue, 22 May 2001 17:33:19 -0400 Message-ID: <3B0AD99D.CB1E8EF@missi.ncsc.mil> Date: Tue, 22 May 2001 17:26:53 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) References: <4.2.2.20010521171648.00b3ec00@email.nist.gov> <002e01c0e261$d5c5f7c0$6401a8c0@hwrd1.md.home.com> <3B0A6B11.575696@missi.ncsc.mil> <007701c0e2e6$d782c180$6401a8c0@hwrd1.md.home.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> > AWA: Let's accept your premise - that not only CA's can sign CRLs. I can > actually live with this, if it reflects the wishes of this group. However, > if that's the consensus, then offspring-of-2459 is going to require heavy > editing. I took a quick 10-minute scan through > <draft-ietf-pkix-new-part1-06.txt>, and identified the following areas which > must be changed, at a minimum: ... Al, Like David Cooper, I don't particularly care what you call entities that can sign CRLs - it could be "CA or AA", "Authority", or "Revocation Authority". Cleaning up the text is a good idea, but it's not what I'm focused on. The MUST requirements for generating and receiving applications are what I care about. Those requirements should be as minimal as possible without adversely affecting security. In particular, a new requirement that links the cA flag in basic constraints with the type of certificate contained in the CRL is simultaneously baroque and incomplete. > My personal bottom line is this: the document says explicitly in numerous > places that only CA's issue CRLs. Now, if we're going to change that, we're > going to change the entire document so that it consistently covers those > entities that can sign CRLs. I really do not want to be a party to some > semantic game (it took me 10 tries to find a phrase as inoffensive as > "semantic game" to use here :-) where we leave all the ancillary text the > way it is, and then say but no, really, non-CAs can sign CRLs, too. > > And I would object also to a game where we declared a "CA" to be anybody who > had a cert with keyUsage = cRLSign, regardless of the value of > basicConstraints. (i.e., just because it doesn't have the CA bit set doesn't > mean it's not a CA.) That just strikes me as a lazy way of getting around a > problem, not a fix to the problem. Fine. Your problem is getting the document to define "what do we call the entities that sign CRLs", and I agree that there is a painful way and a lazy way to fix it. I agree that the lazy way won't work, because an AA must be able to revoke ACs without being called a "CA". I don't particularly object to leaving the ancilliary text the way it is, and then say once "The authority to revoke any certificate rests with the issuer of that certificate. CRLs can be signed by CAs, AAs, or their authorized agents." My problem is an application has a certificate X. X could be anything; it could belong to an EE, a CA, or an AA, and it could be a public key certificate or an attribute certificate. The application also has a CRL signed by public key Y, and a certificate for public key Y with cRLSign asserted. The application needs to decide if the CRL is valid and applies to certificate X. My position is that the application does not need to even look at the basic constraints extension in the certificate for Y to determine whether the CRL applies to certificate X. > > The answer is (c): Only the issuer of a certificate (CA or AA) is > responsible > > for signing the CRLs that apply to that certificate. That responsibility > > can be exercised directly by using the same public key to sign the cert > > and CRL, or indirectly by issuing a cRLSign certificate for the public > > key used to sign the CRL. > > AWA: And how exactly do you identify that separate certificate which is > authorized to sign CRLs? > > > The cA bit tells you nothing about who is entitled to revoke a > > certificate: VeriSign can't revoke Cybertrust certificates > > even though it is a CA. > > AWA: True, but irrelevant. It is relevant because it demonstrates that the cA flag in basic constraints is not sufficient to determine whether a CRL Z applies to certificate X. I don't need to specify the exact algorithm for identifying the CRL Z (signed by Y) which applies to certificate X, or for identifying the certificate for public key Y. All I need to do is demonstrate that the cA flag in the certificate for public key Y is irrelevant to that algorithm. The entity that signed the certificate for public key Y has set the cRLSign bit. There is no reason to either require or prohibit it from also setting the cA flag in that certificate, and there is no reason for an application to look at the cA flag in that certificate when applying the CRL. > >Using the cA bit in the rules for > > CRL processing adds no value, it adds only needless confusion. > > AWA: Leaving the document the way it is does not solve the problem, > it only causes needless confusion!!!! These two statements are both true, but they refer to different problems. They are somewhat synergistic in that if you don't try to differentiate and name all the kinds of entities that can sign CRLs, then you don't need to assign meanings to those names. IMO, "Revocation Authority", defined as the subject of a certificate which has cRLSign asserted, is the only name we need to clean up the document. Dave Received: by above.proper.com (8.9.3/8.9.3) id MAA28574 for ietf-pkix-bks; Tue, 22 May 2001 12:12:56 -0700 (PDT) Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA28566 for <ietf-pkix@imc.org>; Tue, 22 May 2001 12:12:50 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id KVA709SH; Tue, 22 May 2001 12:06:34 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: <ietf-pkix@imc.org> Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Date: Tue, 22 May 2001 12:12:59 -0700 Message-ID: <KHEDLMGGCCGHDAAKNAFOCEENCAAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <002e01c0e261$d5c5f7c0$6401a8c0@hwrd1.md.home.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> I've been following this thread with some interest, and I thought I'd interject a few observations: 1) If only a CA can issue CRLs, and an Attribute Authority is not a CA, then who is going to revoke an AA's Attribute Certificates? 2) Perhaps there is no great significance to the fact that X.509 does not mention the CA bit in connection with verifying signatures over CRLs. It may simply reflect the earlier historical reality. Once upon a time only the certificate issuer's certificate could be used to verify the signature over the corresponding CRL. 3) Why don't we just ask the good folks in the X.509 working group what the current text in X.509 section 8.4.2.1 "Basic constraints extension" is intended to mean with respect to CA bit and CRL signing? Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id KAA25582 for ietf-pkix-bks; Tue, 22 May 2001 10:41:17 -0700 (PDT) Received: from femail14.sdc1.sfba.home.com (femail14.sdc1.sfba.home.com [24.0.95.141]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA25574 for <ietf-pkix@imc.org>; Tue, 22 May 2001 10:41:11 -0700 (PDT) Received: from cc787228a ([24.180.131.6]) by femail14.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id <20010522174113.EBXF12893.femail14.sdc1.sfba.home.com@cc787228a>; Tue, 22 May 2001 10:41:13 -0700 Message-ID: <007701c0e2e6$d782c180$6401a8c0@hwrd1.md.home.com> From: "Al Arsenault" <awa1@home.com> To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, <ietf-pkix@imc.org> References: <4.2.2.20010521171648.00b3ec00@email.nist.gov> <002e01c0e261$d5c5f7c0$6401a8c0@hwrd1.md.home.com> <3B0A6B11.575696@missi.ncsc.mil> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Date: Tue, 22 May 2001 13:44:24 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Dave, ----- Original Message ----- From: "David P. Kemp" <dpkemp@missi.ncsc.mil> To: <ietf-pkix@imc.org> Sent: Tuesday, May 22, 2001 9:35 AM Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) > Al, > > The problem with (a) is that *not* only CAs can sign CRLs. The discussion > has lasted so long because of a proposal to expand the description of > the keyUsage extension from one sentence to six. > Tim proposed a rule whereby cRLSign could be used to verify CRLs containing > PK certificates ONLY if cA is true, and cRLSign could be used to verify > CRLs containing Attribute Certificates ONLY if cA is false. > AWA: Let's accept your premise - that not only CA's can sign CRLs. I can actually live with this, if it reflects the wishes of this group. However, if that's the consensus, then offspring-of-2459 is going to require heavy editing. I took a quick 10-minute scan through <draft-ietf-pkix-new-part1-06.txt>, and identified the following areas which must be changed, at a minimum: - Section 3.3 - revocation - which says CA's issue CRLs. It will have to describe other entities that can sign CRLs. Section 4.2.1.3, p. 30: Obviously, the section on the keyUsage extension will have to be cleaned up. Basically, all of Section 5 will have to be rewritten. It currently imposes requirements only on CA's who issue CRLs. There are no requirements imposed on other, non-CA entities who sign CRLs. For example, the intro to Section 5; the second paragraph of Section 5.1.1.3., etc. My personal bottom line is this: the document says explicitly in numerous places that only CA's issue CRLs. Now, if we're going to change that, we're going to change the entire document so that it consistently covers those entities that can sign CRLs. I really do not want to be a party to some semantic game (it took me 10 tries to find a phrase as inoffensive as "semantic game" to use here :-) where we leave all the ancillary text the way it is, and then say but no, really, non-CAs can sign CRLs, too. And I would object also to a game where we declared a "CA" to be anybody who had a cert with keyUsage = cRLSign, regardless of the value of basicConstraints. (i.e., just because it doesn't have the CA bit set doesn't mean it's not a CA.) That just strikes me as a lazy way of getting around a problem, not a fix to the problem. > There are two problems with this - 1) it is unnecessarily complex: keyUsage > and issuer name or CRLDP are sufficient to link the issuer of a certificate > with the CRL which can revoke it, and 2) it needlessly prohibits a CA from > issuing attribute certificates. (The AC profile currently does prohibit > CAs from being AAs, but if we want that prohibition, it should be an > explicit statement in the AC profile, not a side effect of processing > rules for the keyUsage and basicConstraints extensions.) > > The answer is (c): Only the issuer of a certificate (CA or AA) is responsible > for signing the CRLs that apply to that certificate. That responsibility > can be exercised directly by using the same public key to sign the cert > and CRL, or indirectly by issuing a cRLSign certificate for the public > key used to sign the CRL. > AWA: And how exactly do you identify that separate certificate which is authorized to sign CRLs? > The cA bit tells you nothing about who is entitled to revoke a > certificate: VeriSign can't revoke Cybertrust certificates > even though it is a CA. AWA: True, but irrelevant. >Using the cA bit in the rules for > CRL processing adds no value, it adds only needless confusion. > AWA: Leaving the document the way it is does not solve the problem, it only causes needless confusion!!!! Al Arsenault Chief Security Architect Diversinet Corp. Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id KAA23433 for ietf-pkix-bks; Tue, 22 May 2001 10:03:17 -0700 (PDT) Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA23425 for <ietf-pkix@imc.org>; Tue, 22 May 2001 10:03:11 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id NAA01093 for <ietf-pkix@imc.org>; Tue, 22 May 2001 13:03:02 -0400 (EDT) Message-Id: <4.2.2.20010522124249.00b37bc0@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Tue, 22 May 2001 13:01:53 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) In-Reply-To: <3B0A6B11.575696@missi.ncsc.mil> References: <4.2.2.20010521171648.00b3ec00@email.nist.gov> <002e01c0e261$d5c5f7c0$6401a8c0@hwrd1.md.home.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> I really don't think the issue of whether a non-CA can issue a CRL is important. We all agree that it is permissible for an entity that does not issue certificates to issue CRLs . I personally don't care if such an entity is called a certification authority, a revocation authority, or a french fry. However, if we do decide that only CAs can issue CRLs, then the definition of CA should be changed, since X.509 currently defines a CA as an entity that issues public key certificates. (X.509 similarly defines an authority as an entity that issues either public key or attribute certificates). If we decide that non-CAs can issue certificates, then it appears that some of the text needs to be cleaned up to make that clear. What I consider to be far more important than the name we assign to a CRL issuing entity are the certificate generation and processing rules. Here I believe the standard is quite clear. X.509 states that: The cA component [of basicConstraints] indicates if the certified public key may be used to verify certificate signatures. There is nothing in the description of the cA component that even suggests that this field indicates whether the certificate subject is a CA. Certainly, the subject must be a CA if cA is set to TRUE, since by definition an entity that signs public key certificates is a CA. However, it is possible for a CA to be the subject of a certificate in which the subject public key is not intended to be used to verify signatures on certificates. It could be that the subject public key is only to be used to verify signatures on S/MIME messages or CRLs. In such a case, the subject of the certificate would be a CA, but cA would be set to FALSE. It may be useful to agree on a term for entities that issue CRLs but not certificates, if this would help to make the overview material in the standards more clear. However, there is no reason that the outcome of such a decision should have any effect on either the certificate generation or certificate processing rules. The value of the cA bit in basicConstraints is determined by keyUsage, not by the type of entity that the certificate subject is. As has already been stated several times, there are no security issues here. It is simply a matter of ensuring that the certificate generation and processing rules are clear and consistent. Dave At 09:35 AM 5/22/01 -0400, David P. Kemp wrote: >Al, > >The problem with (a) is that *not* only CAs can sign CRLs. The discussion >has lasted so long because of a proposal to expand the description of >the keyUsage extension from one sentence to six. >Tim proposed a rule whereby cRLSign could be used to verify CRLs containing >PK certificates ONLY if cA is true, and cRLSign could be used to verify >CRLs containing Attribute Certificates ONLY if cA is false. > >There are two problems with this - 1) it is unnecessarily complex: keyUsage >and issuer name or CRLDP are sufficient to link the issuer of a certificate >with the CRL which can revoke it, and 2) it needlessly prohibits a CA from >issuing attribute certificates. (The AC profile currently does prohibit >CAs from being AAs, but if we want that prohibition, it should be an >explicit statement in the AC profile, not a side effect of processing >rules for the keyUsage and basicConstraints extensions.) > >The answer is (c): Only the issuer of a certificate (CA or AA) is responsible >for signing the CRLs that apply to that certificate. That responsibility >can be exercised directly by using the same public key to sign the cert >and CRL, or indirectly by issuing a cRLSign certificate for the public >key used to sign the CRL. > >The cA bit tells you nothing about who is entitled to revoke a >certificate: VeriSign can't revoke Cybertrust certificates >even though it is a CA. Using the cA bit in the rules for >CRL processing adds no value, it adds only needless confusion. > >Dave > > > > >Al Arsenault wrote: > > > > Okay, I think that we've reached consensus that the text in the current > > documents (X.509 and offspring-of-2459) is wrong. It's inconsistent, as > > cited by Dave Cooper below. > > > > Now, what's the best way to fix it? > > > > Do we: > > > > (a) decide that only CA's can sign CRLs; that CA's are determined by the > > value of the basicConstraints extension; that CA's who sign CRLs but not > > certificates need not have the keyCertSign bit set in KU, and that that > > section 8.4.2.1 in X.509 and corresponding text in offspring-of-2459 needs > > to be fixed? > > > > (b) decide that non-CA's of some stripe can sign CRLs, and fix all of > > the text in X.509 and offspring-of-2459 that needs to be fixed? > > > > (c) something else? > > > > Clearly, leaving the text in the documents as it stands now is unacceptable; > > I think we all agree that it's wrong. > > > > So, what will it be? > > > > Personally, if we were voting, I'd vote for (a) above, but that's just my > > preference and there's probably some hanging chads around here... > > > > Al Arsenault > > Chief Security Architect > > Diversinet Corp. Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id HAA11109 for ietf-pkix-bks; Tue, 22 May 2001 07:37:00 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA11093 for <ietf-pkix@imc.org>; Tue, 22 May 2001 07:36:54 -0700 (PDT) Received: from INET-PRV-MTA by prv-mail20.provo.novell.com with Novell_GroupWise; Tue, 22 May 2001 08:36:19 -0600 Message-Id: <sb0a2503.061@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 6.0 Date: Tue, 22 May 2001 08:36:29 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <hal.lockhart@entegrity.com>, <awa1@home.com>, <david.cooper@nist.gov> Cc: <ietf-pkix@imc.org> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=_53096F73.95F4040D" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> This is a MIME message. If you are reading this text, you may want to consider changing to a mail reader or gateway that understands how to properly handle MIME multipart messages. --=_53096F73.95F4040D Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Al, I've only been skimming the arguments on this topic, but I believe there = is significant merit in allowing local control over CRLs, e.g., by the = relying party's organization, who may be in a better position to know = whether or not to TRUST a certificate, for all that implies, than the CA = that originally issued it. This local control option should not necessaril= y force the CRL issuer to be a CA, and even if they were one, they would = not necessarily have issued the certificate in question. Obviously, allowing some organization other than the issuing CA to publish = CRLs could raise some havoc if the trust relationships were not properly = managed. But I believe that that can be accomplished by proper management = of the trusted root of that CRL issuer within the relying party software. The same philosophy, of allowing local control of trust on behalf of the = relying party's organization, would also apply to OCSP, of course. So I would vote for option B. Bob Robert R. Jueneman Security Architect Novell, Inc -- the leading provider of Net services software >>> "Al Arsenault" <awa1@home.com> 05/21/01 07:52PM >>> Okay, I think that we've reached consensus that the text in the current documents (X.509 and offspring-of-2459) is wrong. It's inconsistent, as cited by Dave Cooper below. Now, what's the best way to fix it? Do we: (a) decide that only CA's can sign CRLs; that CA's are determined by = the value of the basicConstraints extension; that CA's who sign CRLs but not certificates need not have the keyCertSign bit set in KU, and that that section 8.4.2.1 in X.509 and corresponding text in offspring-of-2459 needs to be fixed? (b) decide that non-CA's of some stripe can sign CRLs, and fix all of the text in X.509 and offspring-of-2459 that needs to be fixed? (c) something else? Clearly, leaving the text in the documents as it stands now is unacceptable= ; I think we all agree that it's wrong. So, what will it be? Personally, if we were voting, I'd vote for (a) above, but that's just my preference and there's probably some hanging chads around here... Al Arsenault Chief Security Architect Diversinet Corp. ----- Original Message ----- From: "David A. Cooper" <david.cooper@nist.gov> To: "Hal Lockhart" <hal.lockhart@entegrity.com> Cc: <ietf-pkix@imc.org> Sent: Monday, May 21, 2001 6:25 PM Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) > Hal, > > I believe the debate really stems from different ways of determining the meaning of the cA field in basicConstraints. I believe the meaning of the field should be taken from section of the document that describes the basicConstraints extension (section 8.4.2.1 in X.509 4th edition). This section states: > > The cA component indicates if the certified public key may be used to verify certificate signatures > > This text clearly supports the position of David Kemp and I (and = others). > > I do not know the basis for argument that the cA field should be set to TRUE if the subject public key may only be used to sign CRLs, but my best guess is that the argument is as follows: > > 1) The introductory (and other) material in the document states that only CAs can issue CRLs > > 3) Since there is a requirement that only CAs can issue CRLs, there must be some way for > relying parties to verify that the signer of a CRL is a CA. > > 2) In the basicConstraints extension, there is a field of type boolean named cA. Based on the > name of this field, this bit must be an indicator of = whether the subject of the certificate is > is CA. (As I stated above, this is only my guess at the reasoning. Given that in order to > conclude that this is the proper interpretation of the bit one must ignore the text that explicitly > describes the meaning of the bit, it is possible that I am misinterpreting the argument.) > > 4) Since the cA field indicates whether the subject is a CA and the signer of a CRL must be a > CA, the cA field must be set to TRUE if the subject public key is to be used to sign CRLs. > > > > I think we are all willing to accept the notion that only CAs can issue CRLs. However, that simply means that > > 1) A certificate may only contain a keyUsage extension with the cRLSign bit set, if the subject of > the certificate is a CA. > > 2) If a certificate contains a cRLDistributionPoints extension and the cRLIssuer field is present, > the entity named in the cRLIssuer field must be a CA. > > However, the cA field in basicConstraints should only be set if the subject public key may be used to verify signatures on certificates. The text in the standard clearly states that this is a meaning of the bit. Perhaps naming the field "cA" has led to some confusion, with some people assigning semantics to the field based on the name. But the semantics of = the cA field in basic constraints must be based on the stated description of = the field ("The cA component indicates if the certified public key may be used to verify certificate signatures"), not on the field's name. > > Dave > > At 12:52 PM 5/21/01 -0400, Hal Lockhart wrote: > >David P. Kemp wrote: > > > I certainly agree that the intent of X.509, from v1 to the > > > present, was > > > that a CA entity is the ultimate and sole authority for revoking the > > > certificates that it issues. > > > >I think that at least part of this debate stems from different views of > >exactly what constitutes an "entity". I believe the following are = implied in > >messages from different people: > > > >1. a key > >2. a DN > >3. a legally constituted organization > > > >Hal > > --=_53096F73.95F4040D Content-Type: text/plain Content-Disposition: attachment; filename="Bob Jueneman.vcf" BEGIN:VCARD VERSION:2.1 X-GWTYPE:USER FN:Bob Jueneman TEL;WORK:01-801/861-7387 ORG:Novell Inc. -- the leading provider of Net services software;DS eBusiness Solutions TEL;PREF;FAX:01-801/861-2522 EMAIL;WORK;PREF;NGW:BJUENEMAN@novell.com N:Jueneman;Bob TITLE:Consultant Engineer ADR;INTL;WORK;PARCEL;POSTAL:;;Novell, Inc.\n1800 South Novell Place\n;Provo;Utah;84606;USA LABEL;INTL;WORK;PARCEL;POSTAL;ENCODING=QUOTED-PRINTABLE:Bob Jueneman=0A= Novell, Inc.=0A= 1800 South Novell Place=0A= =0A= Provo, Utah 84606=0A= USA LABEL;DOM;WORK;PARCEL;POSTAL;ENCODING=QUOTED-PRINTABLE:Bob Jueneman=0A= Novell, Inc.=0A= 1800 South Novell Place=0A= =0A= Provo, Utah 84606 END:VCARD BEGIN:VCARD VERSION:2.1 X-GWTYPE:USER FN:Robert R. Jueneman TEL;WORK:01-801/861-7387 ORG:Novell, Inc.;DS eBusiness Solutions TEL;PREF;FAX:01-801/861-2522 EMAIL;WORK;PREF;NGW:BJUENEMAN@novell.com N:Jueneman;Bob TITLE:Consultant Engineer ADR;INTL;WORK;PARCEL;POSTAL:;PRV-F331;122 E. 1700 South;Provo;Utah;84606;USA LABEL;INTL;WORK;PARCEL;POSTAL;ENCODING=QUOTED-PRINTABLE:Robert R. Jueneman=0A= PRV-F331=0A= 122 E. 1700 South=0A= Provo, Utah 84606=0A= USA LABEL;DOM;WORK;PARCEL;POSTAL;ENCODING=QUOTED-PRINTABLE:Robert R. Jueneman=0A= PRV-F331=0A= 122 E. 1700 South=0A= Provo, Utah 84606 TEL;HOME:1-801-765-4378 TEL;CELL:1-801-361-1410 TEL;PREF:1-801-861-7387, 1-800-453-1267 END:VCARD --=_53096F73.95F4040D-- Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id GAA06784 for ietf-pkix-bks; Tue, 22 May 2001 06:38:37 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA06780 for <ietf-pkix@imc.org>; Tue, 22 May 2001 06:38:31 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id JAA14597 for <ietf-pkix@imc.org>; Tue, 22 May 2001 09:38:15 -0400 (EDT) Received: from reject.missi.ncsc.mil (reject.missi.ncsc.mil [144.51.60.17]) by stingray.missi.ncsc.mil with SMTP id JAA14593 for <ietf-pkix@imc.org>; Tue, 22 May 2001 09:38:15 -0400 (EDT) Received: from 144.51.60.215 by reject.missi.ncsc.mil (InterScan E-Mail VirusWall NT); Tue, 22 May 2001 09:41:02 -0400 (Eastern Daylight Time) Received: from missi.ncsc.mil (ara.missi.ncsc.mil [144.51.55.128]) by amx.missi.ncsc.mil with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JSFMCJ8L; Tue, 22 May 2001 09:41:35 -0400 Message-ID: <3B0A6B11.575696@missi.ncsc.mil> Date: Tue, 22 May 2001 09:35:13 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) References: <4.2.2.20010521171648.00b3ec00@email.nist.gov> <002e01c0e261$d5c5f7c0$6401a8c0@hwrd1.md.home.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Al, The problem with (a) is that *not* only CAs can sign CRLs. The discussion has lasted so long because of a proposal to expand the description of the keyUsage extension from one sentence to six. Tim proposed a rule whereby cRLSign could be used to verify CRLs containing PK certificates ONLY if cA is true, and cRLSign could be used to verify CRLs containing Attribute Certificates ONLY if cA is false. There are two problems with this - 1) it is unnecessarily complex: keyUsage and issuer name or CRLDP are sufficient to link the issuer of a certificate with the CRL which can revoke it, and 2) it needlessly prohibits a CA from issuing attribute certificates. (The AC profile currently does prohibit CAs from being AAs, but if we want that prohibition, it should be an explicit statement in the AC profile, not a side effect of processing rules for the keyUsage and basicConstraints extensions.) The answer is (c): Only the issuer of a certificate (CA or AA) is responsible for signing the CRLs that apply to that certificate. That responsibility can be exercised directly by using the same public key to sign the cert and CRL, or indirectly by issuing a cRLSign certificate for the public key used to sign the CRL. The cA bit tells you nothing about who is entitled to revoke a certificate: VeriSign can't revoke Cybertrust certificates even though it is a CA. Using the cA bit in the rules for CRL processing adds no value, it adds only needless confusion. Dave Al Arsenault wrote: > > Okay, I think that we've reached consensus that the text in the current > documents (X.509 and offspring-of-2459) is wrong. It's inconsistent, as > cited by Dave Cooper below. > > Now, what's the best way to fix it? > > Do we: > > (a) decide that only CA's can sign CRLs; that CA's are determined by the > value of the basicConstraints extension; that CA's who sign CRLs but not > certificates need not have the keyCertSign bit set in KU, and that that > section 8.4.2.1 in X.509 and corresponding text in offspring-of-2459 needs > to be fixed? > > (b) decide that non-CA's of some stripe can sign CRLs, and fix all of > the text in X.509 and offspring-of-2459 that needs to be fixed? > > (c) something else? > > Clearly, leaving the text in the documents as it stands now is unacceptable; > I think we all agree that it's wrong. > > So, what will it be? > > Personally, if we were voting, I'd vote for (a) above, but that's just my > preference and there's probably some hanging chads around here... > > Al Arsenault > Chief Security Architect > Diversinet Corp. Received: by above.proper.com (8.9.3/8.9.3) id UAA11545 for ietf-pkix-bks; Mon, 21 May 2001 20:07:22 -0700 (PDT) Received: from aspams52.ca.com (aspams52.cai.com [155.35.248.76]) by above.proper.com (8.9.3/8.9.3) with ESMTP id UAA11536 for <ietf-pkix@imc.org>; Mon, 21 May 2001 20:07:16 -0700 (PDT) Received: by aspams52.ca.com with Internet Mail Service (5.5.2650.21) id <LKWHNTPP>; Tue, 22 May 2001 13:06:45 +1000 Message-ID: <A7E3A4B51615D511BCB6009027D0D18CD6AB89@aspams01.ca.com> From: "Ramsay, Ron" <Ron.Ramsay@ca.com> To: ietf-pkix@imc.org Subject: RE: C=country; just a convention? Date: Tue, 22 May 2001 13:06:51 +1000 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> X.500 uses object identifiers, not strings. Therefore, there is no 'normative' definition of the attribute names. LDAP generally uses string names for attributes. The names reflect those used in the X500 documents. Many definitions are given in RFC 2256. Ron -----Original Message----- From: Vivian Cancio [mailto:vcancio@redcreek.com] Sent: Tuesday, 22 May 2001 8:18 To: 'thayes@netscape.com'; 'Frank Balluffi' Cc: ietf-pkix@imc.org Subject: RE: C=country; just a convention? Terry Hayes wrote: > RFC 2252 itself references X.520, so it may > be intended that attribute type strings from that document > should apply. In the X.500, X.509, X.520 and others, I couldn't find a 'normative' section specifying the use of these short names, they are only used in examples. Frank Balluffi wrote: > RFC 2253 is the most up-to-date standard for the string > representation of a distinguished name, which defines > ST for stateOrProvinceName and STREET for streetAddress. > <snip> > I would go with RFC 2253. Hmm ... it's really not 'defined' ... RFC 2253 reads (and exactly quote below) ... "As an example, strings for a few of the attribute types frequently seen in RDNs include: String X.500 AttributeType ------------------------------ CN commonName L localityName ST stateOrProvinceName <snip> This is not normative, and are included as examples, and although it references X500, they are also used in examples in those series of documents. Thanks. I appreciate all the feedback! We need to be careful about making any assumptions with these short names as there seems to be no normative text defining them. Is there a need to recommend a standard way of using these short names (where discrepancy exist)? Vivian Vivian Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id SAA08239 for ietf-pkix-bks; Mon, 21 May 2001 18:49:15 -0700 (PDT) Received: from femail14.sdc1.sfba.home.com (femail14.sdc1.sfba.home.com [24.0.95.141]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA08235 for <ietf-pkix@imc.org>; Mon, 21 May 2001 18:49:09 -0700 (PDT) Received: from cc787228a ([24.180.131.6]) by femail14.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id <20010522014907.HKID12893.femail14.sdc1.sfba.home.com@cc787228a>; Mon, 21 May 2001 18:49:07 -0700 Message-ID: <002e01c0e261$d5c5f7c0$6401a8c0@hwrd1.md.home.com> From: "Al Arsenault" <awa1@home.com> To: "Hal Lockhart" <hal.lockhart@entegrity.com>, "David A. Cooper" <david.cooper@nist.gov> Cc: <ietf-pkix@imc.org> References: <4.2.2.20010521171648.00b3ec00@email.nist.gov> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Date: Mon, 21 May 2001 21:52:18 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Okay, I think that we've reached consensus that the text in the current documents (X.509 and offspring-of-2459) is wrong. It's inconsistent, as cited by Dave Cooper below. Now, what's the best way to fix it? Do we: (a) decide that only CA's can sign CRLs; that CA's are determined by the value of the basicConstraints extension; that CA's who sign CRLs but not certificates need not have the keyCertSign bit set in KU, and that that section 8.4.2.1 in X.509 and corresponding text in offspring-of-2459 needs to be fixed? (b) decide that non-CA's of some stripe can sign CRLs, and fix all of the text in X.509 and offspring-of-2459 that needs to be fixed? (c) something else? Clearly, leaving the text in the documents as it stands now is unacceptable; I think we all agree that it's wrong. So, what will it be? Personally, if we were voting, I'd vote for (a) above, but that's just my preference and there's probably some hanging chads around here... Al Arsenault Chief Security Architect Diversinet Corp. ----- Original Message ----- From: "David A. Cooper" <david.cooper@nist.gov> To: "Hal Lockhart" <hal.lockhart@entegrity.com> Cc: <ietf-pkix@imc.org> Sent: Monday, May 21, 2001 6:25 PM Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) > Hal, > > I believe the debate really stems from different ways of determining the meaning of the cA field in basicConstraints. I believe the meaning of the field should be taken from section of the document that describes the basicConstraints extension (section 8.4.2.1 in X.509 4th edition). This section states: > > The cA component indicates if the certified public key may be used to verify certificate signatures > > This text clearly supports the position of David Kemp and I (and others). > > I do not know the basis for argument that the cA field should be set to TRUE if the subject public key may only be used to sign CRLs, but my best guess is that the argument is as follows: > > 1) The introductory (and other) material in the document states that only CAs can issue CRLs > > 3) Since there is a requirement that only CAs can issue CRLs, there must be some way for > relying parties to verify that the signer of a CRL is a CA. > > 2) In the basicConstraints extension, there is a field of type boolean named cA. Based on the > name of this field, this bit must be an indicator of whether the subject of the certificate is > is CA. (As I stated above, this is only my guess at the reasoning. Given that in order to > conclude that this is the proper interpretation of the bit one must ignore the text that explicitly > describes the meaning of the bit, it is possible that I am misinterpreting the argument.) > > 4) Since the cA field indicates whether the subject is a CA and the signer of a CRL must be a > CA, the cA field must be set to TRUE if the subject public key is to be used to sign CRLs. > > > > I think we are all willing to accept the notion that only CAs can issue CRLs. However, that simply means that > > 1) A certificate may only contain a keyUsage extension with the cRLSign bit set, if the subject of > the certificate is a CA. > > 2) If a certificate contains a cRLDistributionPoints extension and the cRLIssuer field is present, > the entity named in the cRLIssuer field must be a CA. > > However, the cA field in basicConstraints should only be set if the subject public key may be used to verify signatures on certificates. The text in the standard clearly states that this is a meaning of the bit. Perhaps naming the field "cA" has led to some confusion, with some people assigning semantics to the field based on the name. But the semantics of the cA field in basic constraints must be based on the stated description of the field ("The cA component indicates if the certified public key may be used to verify certificate signatures"), not on the field's name. > > Dave > > At 12:52 PM 5/21/01 -0400, Hal Lockhart wrote: > >David P. Kemp wrote: > > > I certainly agree that the intent of X.509, from v1 to the > > > present, was > > > that a CA entity is the ultimate and sole authority for revoking the > > > certificates that it issues. > > > >I think that at least part of this debate stems from different views of > >exactly what constitutes an "entity". I believe the following are implied in > >messages from different people: > > > >1. a key > >2. a DN > >3. a legally constituted organization > > > >Hal > > Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id PAA28692 for ietf-pkix-bks; Mon, 21 May 2001 15:27:44 -0700 (PDT) Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA28687 for <ietf-pkix@imc.org>; Mon, 21 May 2001 15:27:37 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id SAA00316; Mon, 21 May 2001 18:27:38 -0400 (EDT) Message-Id: <4.2.2.20010521171648.00b3ec00@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Mon, 21 May 2001 18:25:42 -0400 To: Hal Lockhart <hal.lockhart@entegrity.com> From: "David A. Cooper" <david.cooper@nist.gov> Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Cc: ietf-pkix@imc.org In-Reply-To: <899128A30EEDD1118FC900A0C9C74A34BA97FD@BIGBIRD> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Hal, I believe the debate really stems from different ways of determining the meaning of the cA field in basicConstraints. I believe the meaning of the field should be taken from section of the document that describes the basicConstraints extension (section 8.4.2.1 in X.509 4th edition). This section states: The cA component indicates if the certified public key may be used to verify certificate signatures This text clearly supports the position of David Kemp and I (and others). I do not know the basis for argument that the cA field should be set to TRUE if the subject public key may only be used to sign CRLs, but my best guess is that the argument is as follows: 1) The introductory (and other) material in the document states that only CAs can issue CRLs 3) Since there is a requirement that only CAs can issue CRLs, there must be some way for relying parties to verify that the signer of a CRL is a CA. 2) In the basicConstraints extension, there is a field of type boolean named cA. Based on the name of this field, this bit must be an indicator of whether the subject of the certificate is is CA. (As I stated above, this is only my guess at the reasoning. Given that in order to conclude that this is the proper interpretation of the bit one must ignore the text that explicitly describes the meaning of the bit, it is possible that I am misinterpreting the argument.) 4) Since the cA field indicates whether the subject is a CA and the signer of a CRL must be a CA, the cA field must be set to TRUE if the subject public key is to be used to sign CRLs. I think we are all willing to accept the notion that only CAs can issue CRLs. However, that simply means that 1) A certificate may only contain a keyUsage extension with the cRLSign bit set, if the subject of the certificate is a CA. 2) If a certificate contains a cRLDistributionPoints extension and the cRLIssuer field is present, the entity named in the cRLIssuer field must be a CA. However, the cA field in basicConstraints should only be set if the subject public key may be used to verify signatures on certificates. The text in the standard clearly states that this is a meaning of the bit. Perhaps naming the field "cA" has led to some confusion, with some people assigning semantics to the field based on the name. But the semantics of the cA field in basic constraints must be based on the stated description of the field ("The cA component indicates if the certified public key may be used to verify certificate signatures"), not on the field's name. Dave At 12:52 PM 5/21/01 -0400, Hal Lockhart wrote: >David P. Kemp wrote: > > I certainly agree that the intent of X.509, from v1 to the > > present, was > > that a CA entity is the ultimate and sole authority for revoking the > > certificates that it issues. > >I think that at least part of this debate stems from different views of >exactly what constitutes an "entity". I believe the following are implied in >messages from different people: > >1. a key >2. a DN >3. a legally constituted organization > >Hal Received: by above.proper.com (8.9.3/8.9.3) id PAA27249 for ietf-pkix-bks; Mon, 21 May 2001 15:18:24 -0700 (PDT) Received: from exchange.redcreek.com (mail.redcreek.com [209.125.38.15]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA27229 for <ietf-pkix@imc.org>; Mon, 21 May 2001 15:18:18 -0700 (PDT) Received: by mail.redcreek.com with Internet Mail Service (5.5.2653.19) id <JHZ8B952>; Mon, 21 May 2001 15:18:18 -0700 Message-ID: <0AD8DC253EFDD311837300805F650DF219FB4B@mail.redcreek.com> From: Vivian Cancio <vcancio@redcreek.com> To: "'thayes@netscape.com'" <thayes@netscape.com>, "'Frank Balluffi'" <frankb@valicert.com> Cc: ietf-pkix@imc.org Subject: RE: C=country; just a convention? Date: Mon, 21 May 2001 15:18:17 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="ISO-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Terry Hayes wrote: > RFC 2252 itself references X.520, so it may > be intended that attribute type strings from that document > should apply. In the X.500, X.509, X.520 and others, I couldn't find a 'normative' section specifying the use of these short names, they are only used in examples. Frank Balluffi wrote: > RFC 2253 is the most up-to-date standard for the string > representation of a distinguished name, which defines > ST for stateOrProvinceName and STREET for streetAddress. > <snip> > I would go with RFC 2253. Hmm ... it's really not 'defined' ... RFC 2253 reads (and exactly quote below) ... "As an example, strings for a few of the attribute types frequently seen in RDNs include: String X.500 AttributeType ------------------------------ CN commonName L localityName ST stateOrProvinceName <snip> This is not normative, and are included as examples, and although it references X500, they are also used in examples in those series of documents. Thanks. I appreciate all the feedback! We need to be careful about making any assumptions with these short names as there seems to be no normative text defining them. Is there a need to recommend a standard way of using these short names (where discrepancy exist)? Vivian Vivian Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id OAA26057 for ietf-pkix-bks; Mon, 21 May 2001 14:57:08 -0700 (PDT) Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA26052 for <ietf-pkix@imc.org>; Mon, 21 May 2001 14:57:01 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id RAA322376; Mon, 21 May 2001 17:54:25 -0400 Received: from d01mlc96.pok.ibm.com (d01mlc96.pok.ibm.com [9.117.250.33]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id RAA96040; Mon, 21 May 2001 17:50:40 -0400 To: Peter Williams <peterw@valicert.com> Cc: ietf-pkix@imc.org, kurt@openldap.org Subject: RE: C=country; just a convention? X-Mailer: Lotus Notes Release 5.0.5 September 22, 2000 From: "Timothy Hahn" <hahnt@us.ibm.com> Message-ID: <OF536A5E01.14A258FF-ON85256A53.0077EE8E@pok.ibm.com> Date: Mon, 21 May 2001 17:56:00 -0400 X-MIMETrack: Serialize by Router on D01MLC96/01/M/IBM(Release 5.0.7 SPR #MIAS4UTJ8H &S/390 SPR #JHEG4V8UT5|April 5, 2001) at 05/21/2001 05:56:01 PM, Serialize complete at 05/21/2001 05:56:01 PM MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_alternative 00783D7E85256A53_=" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> This is a multipart message in MIME format. --=_alternative 00783D7E85256A53_= Content-Type: text/plain; charset="us-ascii" Peter, The Internet Draft is written with those words to ensure that string forms are consistently interpreted. For attributes that do not appear in "the table", it is possible that the non-OID form of the attribute type name could be different between different servers. The Internet Draft also makes the usage of the "short attribute names" more explicit than the prior RFC. Kurt Zeilenga is the author of the Internet Draft and can provide more details regarding the intent. Regards, Tim Hahn Internet: hahnt@us.ibm.com Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT) phone: 607.752.6388 tie-line: 8/852.6388 fax: 607.752.3681 Peter Williams <peterw@valicert.com> 05/21/2001 05:36 PM To: "'Timothy Hahn'" <hahnt@us.ibm.com>, ietf-pkix@imc.org cc: Subject: RE: C=country; just a convention? The way your bis reference text on AttributeType encoding is phrased suggests that it is INCORRECT to use country=GB; one MUST use c=GB. The specification also suggests, strongly, that using the name of the ASN.1 type for the string-name of the AttributeType is WRONG. Unless the type is one of those listed in the table of 2.3; one MUST use the dotted-decimal form. PKIX may want to provide specification advice, on all this. -----Original Message----- From: Timothy Hahn [mailto:hahnt@us.ibm.com] Sent: Monday, May 21, 2001 1:23 PM To: ietf-pkix@imc.org Subject: Re: C=country; just a convention? Hi all, FWIW, the most up-to-date information regarding string forms of distinguished names, as prescribed by LDAP-related documents can be found in: "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", Kurt Zeilenga, 04/30/2001. (19892 bytes) (http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-dn-05.txt) The X.500 Directory uses distinguished names as the primary keys to entries in the directory. Distinguished Names are encoded in ASN.1 in the X.500 Directory protocols. In the Lightweight Directory Access Protocol, a string representation of distinguished names is transferred. This specification defines the string format for representing names, which is designed to give a clean representation of commonly used distinguished names, while being able to represent any distinguished name. Regards, Tim Hahn Internet: hahnt@us.ibm.com Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT) phone: 607.752.6388 tie-line: 8/852.6388 fax: 607.752.3681 thayes@netscape.com (Terry Hayes) Sent by: owner-ietf-pkix@mail.imc.org 05/21/2001 02:47 PM To: Vivian Cancio <vcancio@redcreek.com> cc: "'Frank Balluffi'" <frankb@valicert.com>, ietf-pkix@imc.org Subject: Re: C=country; just a convention? I believe the string representation of a Distinguished Name (DN) that we are discussing is defined by the LDAP RFCs, not by X.500 or PKIX . As such we should expect that the LDAP RFC would give some indication as to the proper form of the attribute type. Looking in RFC 2253, we find the following statement: "If the AttributeType is in a published table of attribute types associated with LDAP [4], then the type name string from that table is used, otherwise it is encoded as the dotted-decimal encoding of the AttributeType's OBJECT IDENTIFIER." The reference "LDAP [4]" is for RFC 2252. However I don't see a table of values in that document. RFC 2252 itself references X.520, so it may be intended that attribute type strings from that document should apply. Terry Hayes Vivian Cancio wrote: >Frank Balluffi said: > >>As I recall LDAP does transmit the string representation of a >>Name (e.g., "CN=Steve Kille,O=Isode Limited,C=GB") over the >>wire in anOCTET STRING (or LDAPString). >> > >It may not work if "stateOrProvinceName" is ever one of the fields >transmitted between vendors. See the discrepancies from the feedback. I have >concluded that there's no specification defining a formal standard for these >short names. Any expected interoperability over the wire must rely on the >OID (which was the intention in the first place?). > >I guess the users reading displayed certificates using this terminology must >be clever and deduct based on the information on the right of the "=", or >vendors should provide "legends" defining their use. > >Here is one example of discrepancy: >In X.520: >s stateOrProvinceName > >In Peter's list: >sp stateOrProvinceName >st streetAddress >s surname > >In RFC 2253 >st stateOrProvinceName > > >Vivian > > >>-----Original Message----- >>From: Frank Balluffi [mailto:frankb@valicert.com] >>Sent: Friday, May 18, 2001 6:42 PM >>To: Vivian Cancio >>Cc: ietf-pkix@imc.org >>Subject: RE: C=country; just a convention? >> >> >>Vivian Cancio said: >> >>>I'm assuming that since it doesn't go "on the wire" it is somewhat >>>irrelevant? >>> >>As I recall LDAP does transmit the string representation of a >>Name (e.g., >>"CN=Steve Kille,O=Isode Limited,C=GB") over the wire in an >>OCTET STRING (or >>LDAPString). You can even roll your own AttributeTypeAndValues using >>period-delimited attribute types and hexadecimal attribute values. For >>example >> >>1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB [From RFC 2253.] >> >>Frank >> --=_alternative 00783D7E85256A53_= Content-Type: text/html; charset="us-ascii" <br><font size=2 face="sans-serif">Peter,</font> <br> <br><font size=2 face="sans-serif">The Internet Draft is written with those words to ensure that string forms are consistently interpreted. For attributes that do not appear in "the table", it is possible that the non-OID form of the attribute type name could be different between different servers.</font> <br> <br><font size=2 face="sans-serif">The Internet Draft also makes the usage of the "short attribute names" more explicit than the prior RFC.</font> <br> <br><font size=2 face="sans-serif">Kurt Zeilenga is the author of the Internet Draft and can provide more details regarding the intent.<br> </font> <br><font size=2 face="sans-serif">Regards,<br> Tim Hahn<br> <br> Internet: hahnt@us.ibm.com<br> Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT)<br> phone: 607.752.6388 tie-line: 8/852.6388<br> fax: 607.752.3681<br> </font> <br> <br> <br> <table width=100%> <tr valign=top> <td> <td><font size=1 face="sans-serif"><b>Peter Williams <peterw@valicert.com></b></font> <p><font size=1 face="sans-serif">05/21/2001 05:36 PM</font> <br> <td><font size=1 face="Arial"> </font> <br><font size=1 face="sans-serif"> To: "'Timothy Hahn'" <hahnt@us.ibm.com>, ietf-pkix@imc.org</font> <br><font size=1 face="sans-serif"> cc: </font> <br><font size=1 face="sans-serif"> Subject: RE: C=country; just a convention?</font> <br> <br><font size=1 face="Arial"> </font></table> <br> <br><font size=2 face="Courier New">The way your bis reference text on AttributeType encoding is phrased<br> suggests <br> that it is INCORRECT to use country=GB; one MUST use c=GB.<br> <br> The specification also suggests, strongly, that using the name of the<br> ASN.1 type for the string-name of the AttributeType is WRONG. Unless<br> the type is one of those listed in the table of 2.3; one MUST use the <br> dotted-decimal form.<br> <br> PKIX may want to provide specification advice, on all this.<br> <br> -----Original Message-----<br> From: Timothy Hahn [mailto:hahnt@us.ibm.com]<br> Sent: Monday, May 21, 2001 1:23 PM<br> To: ietf-pkix@imc.org<br> Subject: Re: C=country; just a convention?<br> <br> <br> <br> Hi all, <br> <br> FWIW, the most up-to-date information regarding string forms of<br> distinguished names, as prescribed by LDAP-related documents can be found<br> in: <br> <br> "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of<br> Distinguished Names", Kurt Zeilenga, 04/30/2001. (19892 bytes) <br> (http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-dn-05.txt) <br> The X.500 Directory uses distinguished names as the primary keys to<br> entries in the directory. Distinguished Names are encoded in ASN.1 in the<br> X.500 <br> Directory protocols. In the Lightweight Directory Access Protocol, a<br> string representation of distinguished names is transferred. This<br> specification defines the <br> string format for representing names, which is designed to give a clean<br> representation of commonly used distinguished names, while being able to <br> represent any distinguished name. <br> <br> Regards,<br> Tim Hahn<br> <br> Internet: hahnt@us.ibm.com<br> Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT)<br> phone: 607.752.6388 tie-line: 8/852.6388<br> fax: 607.752.3681<br> <br> <br> <br> thayes@netscape.com (Terry Hayes) <br> Sent by: owner-ietf-pkix@mail.imc.org <br> 05/21/2001 02:47 PM <br> <br> To: Vivian Cancio <vcancio@redcreek.com> <br> cc: "'Frank Balluffi'" <frankb@valicert.com>,<br> ietf-pkix@imc.org <br> Subject: Re: C=country; just a convention? <br> <br> <br> <br> <br> I believe the string representation of a Distinguished Name (DN) that we <br> are discussing is defined by the LDAP RFCs, not by X.500 or PKIX . As <br> such we should expect that the LDAP RFC would give some indication as to <br> the proper form of the attribute type. Looking in RFC 2253, we find the <br> following statement:<br> <br> "If the AttributeType is in a published table of attribute types <br> associated with LDAP [4], then the type name string from that table is <br> used, otherwise it is encoded as the dotted-decimal encoding of the <br> AttributeType's OBJECT IDENTIFIER."<br> <br> The reference "LDAP [4]" is for RFC 2252. However I don't see a table <br> of values in that document. RFC 2252 itself references X.520, so it may <br> be intended that attribute type strings from that document should apply.<br> </font> <br><font size=2 face="Courier New">Terry Hayes<br> <br> Vivian Cancio wrote:<br> <br> >Frank Balluffi said:<br> ><br> >>As I recall LDAP does transmit the string representation of a <br> >>Name (e.g., "CN=Steve Kille,O=Isode Limited,C=GB") over the <br> >>wire in anOCTET STRING (or LDAPString).<br> >><br> ><br> >It may not work if "stateOrProvinceName" is ever one of the fields<br> >transmitted between vendors. See the discrepancies from the feedback. I<br> have<br> >concluded that there's no specification defining a formal standard for<br> these<br> >short names. Any expected interoperability over the wire must rely on the<br> >OID (which was the intention in the first place?).<br> ><br> >I guess the users reading displayed certificates using this terminology<br> must<br> >be clever and deduct based on the information on the right of the "=", or<br> >vendors should provide "legends" defining their use.<br> ><br> >Here is one example of discrepancy:<br> >In X.520:<br> >s stateOrProvinceName<br> ><br> >In Peter's list:<br> >sp stateOrProvinceName<br> >st streetAddress<br> >s surname<br> ><br> >In RFC 2253<br> >st stateOrProvinceName<br> ><br> ><br> >Vivian<br> ><br> ><br> >>-----Original Message-----<br> >>From: Frank Balluffi [mailto:frankb@valicert.com]<br> >>Sent: Friday, May 18, 2001 6:42 PM<br> >>To: Vivian Cancio<br> >>Cc: ietf-pkix@imc.org<br> >>Subject: RE: C=country; just a convention?<br> >><br> >><br> >>Vivian Cancio said:<br> >><br> >>>I'm assuming that since it doesn't go "on the wire" it is somewhat<br> >>>irrelevant?<br> >>><br> >>As I recall LDAP does transmit the string representation of a <br> >>Name (e.g.,<br> >>"CN=Steve Kille,O=Isode Limited,C=GB") over the wire in an <br> >>OCTET STRING (or<br> >>LDAPString). You can even roll your own AttributeTypeAndValues using<br> >>period-delimited attribute types and hexadecimal attribute values. For<br> >>example<br> >><br> >>1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB [From RFC 2253.]<br> >><br> >>Frank<br> >><br> </font> <br> <br> --=_alternative 00783D7E85256A53_=-- Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id OAA25532 for ietf-pkix-bks; Mon, 21 May 2001 14:38:31 -0700 (PDT) Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA25523 for <ietf-pkix@imc.org>; Mon, 21 May 2001 14:38:24 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GDP00901G4IS5@ext-mail.valicert.com> for ietf-pkix@imc.org; Mon, 21 May 2001 14:38:42 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GDP0093QG4HPP@ext-mail.valicert.com>; Mon, 21 May 2001 14:38:41 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26SW7M>; Mon, 21 May 2001 14:36:12 -0700 Content-return: allowed Date: Mon, 21 May 2001 14:36:02 -0700 From: Peter Williams <peterw@valicert.com> Subject: RE: C=country; just a convention? To: "'Timothy Hahn'" <hahnt@us.ibm.com>, ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E01F4A1D1@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> The way your bis reference text on AttributeType encoding is phrased suggests that it is INCORRECT to use country=GB; one MUST use c=GB. The specification also suggests, strongly, that using the name of the ASN.1 type for the string-name of the AttributeType is WRONG. Unless the type is one of those listed in the table of 2.3; one MUST use the dotted-decimal form. PKIX may want to provide specification advice, on all this. -----Original Message----- From: Timothy Hahn [mailto:hahnt@us.ibm.com] Sent: Monday, May 21, 2001 1:23 PM To: ietf-pkix@imc.org Subject: Re: C=country; just a convention? Hi all, FWIW, the most up-to-date information regarding string forms of distinguished names, as prescribed by LDAP-related documents can be found in: "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", Kurt Zeilenga, 04/30/2001. (19892 bytes) (http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-dn-05.txt) The X.500 Directory uses distinguished names as the primary keys to entries in the directory. Distinguished Names are encoded in ASN.1 in the X.500 Directory protocols. In the Lightweight Directory Access Protocol, a string representation of distinguished names is transferred. This specification defines the string format for representing names, which is designed to give a clean representation of commonly used distinguished names, while being able to represent any distinguished name. Regards, Tim Hahn Internet: hahnt@us.ibm.com Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT) phone: 607.752.6388 tie-line: 8/852.6388 fax: 607.752.3681 thayes@netscape.com (Terry Hayes) Sent by: owner-ietf-pkix@mail.imc.org 05/21/2001 02:47 PM To: Vivian Cancio <vcancio@redcreek.com> cc: "'Frank Balluffi'" <frankb@valicert.com>, ietf-pkix@imc.org Subject: Re: C=country; just a convention? I believe the string representation of a Distinguished Name (DN) that we are discussing is defined by the LDAP RFCs, not by X.500 or PKIX . As such we should expect that the LDAP RFC would give some indication as to the proper form of the attribute type. Looking in RFC 2253, we find the following statement: "If the AttributeType is in a published table of attribute types associated with LDAP [4], then the type name string from that table is used, otherwise it is encoded as the dotted-decimal encoding of the AttributeType's OBJECT IDENTIFIER." The reference "LDAP [4]" is for RFC 2252. However I don't see a table of values in that document. RFC 2252 itself references X.520, so it may be intended that attribute type strings from that document should apply. Terry Hayes Vivian Cancio wrote: >Frank Balluffi said: > >>As I recall LDAP does transmit the string representation of a >>Name (e.g., "CN=Steve Kille,O=Isode Limited,C=GB") over the >>wire in anOCTET STRING (or LDAPString). >> > >It may not work if "stateOrProvinceName" is ever one of the fields >transmitted between vendors. See the discrepancies from the feedback. I have >concluded that there's no specification defining a formal standard for these >short names. Any expected interoperability over the wire must rely on the >OID (which was the intention in the first place?). > >I guess the users reading displayed certificates using this terminology must >be clever and deduct based on the information on the right of the "=", or >vendors should provide "legends" defining their use. > >Here is one example of discrepancy: >In X.520: >s stateOrProvinceName > >In Peter's list: >sp stateOrProvinceName >st streetAddress >s surname > >In RFC 2253 >st stateOrProvinceName > > >Vivian > > >>-----Original Message----- >>From: Frank Balluffi [mailto:frankb@valicert.com] >>Sent: Friday, May 18, 2001 6:42 PM >>To: Vivian Cancio >>Cc: ietf-pkix@imc.org >>Subject: RE: C=country; just a convention? >> >> >>Vivian Cancio said: >> >>>I'm assuming that since it doesn't go "on the wire" it is somewhat >>>irrelevant? >>> >>As I recall LDAP does transmit the string representation of a >>Name (e.g., >>"CN=Steve Kille,O=Isode Limited,C=GB") over the wire in an >>OCTET STRING (or >>LDAPString). You can even roll your own AttributeTypeAndValues using >>period-delimited attribute types and hexadecimal attribute values. For >>example >> >>1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB [From RFC 2253.] >> >>Frank >> Received: by above.proper.com (8.9.3/8.9.3) id NAA20207 for ietf-pkix-bks; Mon, 21 May 2001 13:26:56 -0700 (PDT) Received: from prv-mail20.provo.novell.com (prv-mail20.provo.novell.com [137.65.81.122]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA20194 for <ietf-pkix@imc.org>; Mon, 21 May 2001 13:26:49 -0700 (PDT) Received: from INET-PRV-MTA by prv-mail20.provo.novell.com with Novell_GroupWise; Mon, 21 May 2001 14:26:15 -0600 Message-Id: <sb092587.052@prv-mail20.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 6.0 Date: Mon, 21 May 2001 14:25:51 -0600 From: "Bob Jueneman" <bjueneman@novell.com> To: <pgut001@cs.auckland.ac.nz>, <pgut001@cs.auckland.ac.nz>, <rhousley@rsasecurity.com> Cc: <ietf-pkix@imc.org>, <vcancio@redcreek.com> Subject: RE: C=country; just a convention? Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id NAA20196 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> My very vague recollection is that these "business card abbreviations" were originally defined in X.400?? Bob >>> Peter Gutmann <pgut001@cs.auckland.ac.nz> 05/22/01 08:08AM >>> "Housley, Russ" <rhousley@rsasecurity.com> writes: >The table in RFC 2253 has a few discrepancies with your table. Yes I know, I took the ones which are in common use. RFC 2253 has its definitions for things like street addresses and state or province, but other places define them differently, and it appears that people are using the definitions given in other places. "But it izz written!" bellowed Beelzebub. "But it might be written differently somewhere else" said Crowley. "Where you can't read it". "In bigger letters" said Aziraphale. "Underlined" Crowley added. "Twice" suggested Aziraphale. -- Neil Gaiman and Terry Pratchett, "Good Omens" Peter. Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id NAA20095 for ietf-pkix-bks; Mon, 21 May 2001 13:23:33 -0700 (PDT) Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA20091 for <ietf-pkix@imc.org>; Mon, 21 May 2001 13:23:26 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id QAA549514 for <ietf-pkix@imc.org>; Mon, 21 May 2001 16:21:12 -0400 Received: from d01mlc96.pok.ibm.com (d01mlc96.pok.ibm.com [9.117.250.33]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id QAA19352 for <ietf-pkix@imc.org>; Mon, 21 May 2001 16:17:26 -0400 To: ietf-pkix@imc.org Subject: Re: C=country; just a convention? X-Mailer: Lotus Notes Release 5.0.5 September 22, 2000 From: "Timothy Hahn" <hahnt@us.ibm.com> Message-ID: <OF9B63B84C.3723FF1B-ON85256A53.006F1E40@pok.ibm.com> Date: Mon, 21 May 2001 16:22:44 -0400 X-MIMETrack: Serialize by Router on D01MLC96/01/M/IBM(Release 5.0.7 SPR #MIAS4UTJ8H &S/390 SPR #JHEG4V8UT5|April 5, 2001) at 05/21/2001 04:22:48 PM, Serialize complete at 05/21/2001 04:22:48 PM MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="=_alternative 006F59B985256A53_=" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> This is a multipart message in MIME format. --=_alternative 006F59B985256A53_= Content-Type: text/plain; charset="us-ascii" Hi all, FWIW, the most up-to-date information regarding string forms of distinguished names, as prescribed by LDAP-related documents can be found in: "Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", Kurt Zeilenga, 04/30/2001. (19892 bytes) (http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-dn-05.txt) The X.500 Directory uses distinguished names as the primary keys to entries in the directory. Distinguished Names are encoded in ASN.1 in the X.500 Directory protocols. In the Lightweight Directory Access Protocol, a string representation of distinguished names is transferred. This specification defines the string format for representing names, which is designed to give a clean representation of commonly used distinguished names, while being able to represent any distinguished name. Regards, Tim Hahn Internet: hahnt@us.ibm.com Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT) phone: 607.752.6388 tie-line: 8/852.6388 fax: 607.752.3681 thayes@netscape.com (Terry Hayes) Sent by: owner-ietf-pkix@mail.imc.org 05/21/2001 02:47 PM To: Vivian Cancio <vcancio@redcreek.com> cc: "'Frank Balluffi'" <frankb@valicert.com>, ietf-pkix@imc.org Subject: Re: C=country; just a convention? I believe the string representation of a Distinguished Name (DN) that we are discussing is defined by the LDAP RFCs, not by X.500 or PKIX . As such we should expect that the LDAP RFC would give some indication as to the proper form of the attribute type. Looking in RFC 2253, we find the following statement: "If the AttributeType is in a published table of attribute types associated with LDAP [4], then the type name string from that table is used, otherwise it is encoded as the dotted-decimal encoding of the AttributeType's OBJECT IDENTIFIER." The reference "LDAP [4]" is for RFC 2252. However I don't see a table of values in that document. RFC 2252 itself references X.520, so it may be intended that attribute type strings from that document should apply. Terry Hayes Vivian Cancio wrote: >Frank Balluffi said: > >>As I recall LDAP does transmit the string representation of a >>Name (e.g., "CN=Steve Kille,O=Isode Limited,C=GB") over the >>wire in anOCTET STRING (or LDAPString). >> > >It may not work if "stateOrProvinceName" is ever one of the fields >transmitted between vendors. See the discrepancies from the feedback. I have >concluded that there's no specification defining a formal standard for these >short names. Any expected interoperability over the wire must rely on the >OID (which was the intention in the first place?). > >I guess the users reading displayed certificates using this terminology must >be clever and deduct based on the information on the right of the "=", or >vendors should provide "legends" defining their use. > >Here is one example of discrepancy: >In X.520: >s stateOrProvinceName > >In Peter's list: >sp stateOrProvinceName >st streetAddress >s surname > >In RFC 2253 >st stateOrProvinceName > > >Vivian > > >>-----Original Message----- >>From: Frank Balluffi [mailto:frankb@valicert.com] >>Sent: Friday, May 18, 2001 6:42 PM >>To: Vivian Cancio >>Cc: ietf-pkix@imc.org >>Subject: RE: C=country; just a convention? >> >> >>Vivian Cancio said: >> >>>I'm assuming that since it doesn't go "on the wire" it is somewhat >>>irrelevant? >>> >>As I recall LDAP does transmit the string representation of a >>Name (e.g., >>"CN=Steve Kille,O=Isode Limited,C=GB") over the wire in an >>OCTET STRING (or >>LDAPString). You can even roll your own AttributeTypeAndValues using >>period-delimited attribute types and hexadecimal attribute values. For >>example >> >>1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB [From RFC 2253.] >> >>Frank >> --=_alternative 006F59B985256A53_= Content-Type: text/html; charset="us-ascii" <br><font size=2 face="sans-serif">Hi all,</font> <br> <br><font size=2 face="sans-serif">FWIW, the most up-to-date information regarding string forms of distinguished names, as prescribed by LDAP-related documents can be found in:</font> <br> <br><font size=2 face="sans-serif">"Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names", Kurt Zeilenga, 04/30/2001. (19892 bytes)</font> <br><font size=2 face="sans-serif">(http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-dn-05.txt)</font> <br><font size=2 face="sans-serif"> The X.500 Directory uses distinguished names as the primary keys to entries in the directory. Distinguished Names are encoded in ASN.1 in the X.500</font> <br><font size=2 face="sans-serif"> Directory protocols. In the Lightweight Directory Access Protocol, a string representation of distinguished names is transferred. This specification defines the</font> <br><font size=2 face="sans-serif"> string format for representing names, which is designed to give a clean representation of commonly used distinguished names, while being able to</font> <br><font size=2 face="sans-serif"> represent any distinguished name. <br> </font> <br><font size=2 face="sans-serif">Regards,<br> Tim Hahn<br> <br> Internet: hahnt@us.ibm.com<br> Internal: Timothy Hahn/Endicott/IBM@IBMUS or IBMUSM00(HAHNT)<br> phone: 607.752.6388 tie-line: 8/852.6388<br> fax: 607.752.3681<br> </font> <br> <br> <br> <table width=100%> <tr valign=top> <td> <td><font size=1 face="sans-serif"><b>thayes@netscape.com (Terry Hayes)</b></font> <br><font size=1 face="sans-serif">Sent by: owner-ietf-pkix@mail.imc.org</font> <p><font size=1 face="sans-serif">05/21/2001 02:47 PM</font> <br> <td><font size=1 face="Arial"> </font> <br><font size=1 face="sans-serif"> To: Vivian Cancio <vcancio@redcreek.com></font> <br><font size=1 face="sans-serif"> cc: "'Frank Balluffi'" <frankb@valicert.com>, ietf-pkix@imc.org</font> <br><font size=1 face="sans-serif"> Subject: Re: C=country; just a convention?</font> <br> <br><font size=1 face="Arial"> </font></table> <br> <br><font size=2 face="Courier New">I believe the string representation of a Distinguished Name (DN) that we <br> are discussing is defined by the LDAP RFCs, not by X.500 or PKIX . As <br> such we should expect that the LDAP RFC would give some indication as to <br> the proper form of the attribute type. Looking in RFC 2253, we find the <br> following statement:<br> <br> "If the AttributeType is in a published table of attribute types <br> associated with LDAP [4], then the type name string from that table is <br> used, otherwise it is encoded as the dotted-decimal encoding of the <br> AttributeType's OBJECT IDENTIFIER."<br> <br> The reference "LDAP [4]" is for RFC 2252. However I don't see a table <br> of values in that document. RFC 2252 itself references X.520, so it may <br> be intended that attribute type strings from that document should apply.<br> <br> Terry Hayes<br> <br> Vivian Cancio wrote:<br> <br> >Frank Balluffi said:<br> ><br> >>As I recall LDAP does transmit the string representation of a <br> >>Name (e.g., "CN=Steve Kille,O=Isode Limited,C=GB") over the <br> >>wire in anOCTET STRING (or LDAPString).<br> >><br> ><br> >It may not work if "stateOrProvinceName" is ever one of the fields<br> >transmitted between vendors. See the discrepancies from the feedback. I have<br> >concluded that there's no specification defining a formal standard for these<br> >short names. Any expected interoperability over the wire must rely on the<br> >OID (which was the intention in the first place?).<br> ><br> >I guess the users reading displayed certificates using this terminology must<br> >be clever and deduct based on the information on the right of the "=", or<br> >vendors should provide "legends" defining their use.<br> ><br> >Here is one example of discrepancy:<br> >In X.520:<br> >s stateOrProvinceName<br> ><br> >In Peter's list:<br> >sp stateOrProvinceName<br> >st streetAddress<br> >s surname<br> ><br> >In RFC 2253<br> >st stateOrProvinceName<br> ><br> ><br> >Vivian<br> ><br> ><br> >>-----Original Message-----<br> >>From: Frank Balluffi [mailto:frankb@valicert.com]<br> >>Sent: Friday, May 18, 2001 6:42 PM<br> >>To: Vivian Cancio<br> >>Cc: ietf-pkix@imc.org<br> >>Subject: RE: C=country; just a convention?<br> >><br> >><br> >>Vivian Cancio said:<br> >><br> >>>I'm assuming that since it doesn't go "on the wire" it is somewhat<br> >>>irrelevant?<br> >>><br> >>As I recall LDAP does transmit the string representation of a <br> >>Name (e.g.,<br> >>"CN=Steve Kille,O=Isode Limited,C=GB") over the wire in an <br> >>OCTET STRING (or<br> >>LDAPString). You can even roll your own AttributeTypeAndValues using<br> >>period-delimited attribute types and hexadecimal attribute values. For<br> >>example<br> >><br> >>1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB [From RFC 2253.]<br> >><br> >>Frank<br> >><br> <br> <br> <br> </font> <br> <br> --=_alternative 006F59B985256A53_=-- Received: by above.proper.com (8.9.3/8.9.3) id NAA19122 for ietf-pkix-bks; Mon, 21 May 2001 13:08:54 -0700 (PDT) Received: from mail.ec.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.201]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA19109 for <ietf-pkix@imc.org>; Mon, 21 May 2001 13:08:48 -0700 (PDT) Received: from kahu.cs.auckland.ac.nz (pgut001@kahu.cs.auckland.ac.nz [130.216.36.13]) by mail.ec.auckland.ac.nz (8.9.3/8.8.6/cs-master) with SMTP id IAA24449; Tue, 22 May 2001 08:08:47 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by kahu.cs.auckland.ac.nz (relaymail v0.9) id <99047572709647>; Tue, 22 May 2001 08:08:47 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: pgut001@cs.auckland.ac.nz, rhousley@rsasecurity.com Subject: RE: C=country; just a convention? Cc: ietf-pkix@imc.org, vcancio@redcreek.com Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on kahu.cs.auckland.ac.nz Date: Tue, 22 May 2001 08:08:47 (NZST) Message-ID: <99047572709647@kahu.cs.auckland.ac.nz> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> "Housley, Russ" <rhousley@rsasecurity.com> writes: >The table in RFC 2253 has a few discrepancies with your table. Yes I know, I took the ones which are in common use. RFC 2253 has its definitions for things like street addresses and state or province, but other places define them differently, and it appears that people are using the definitions given in other places. "But it izz written!" bellowed Beelzebub. "But it might be written differently somewhere else" said Crowley. "Where you can't read it". "In bigger letters" said Aziraphale. "Underlined" Crowley added. "Twice" suggested Aziraphale. -- Neil Gaiman and Terry Pratchett, "Good Omens" Peter. Received: by above.proper.com (8.9.3/8.9.3) id LAA15650 for ietf-pkix-bks; Mon, 21 May 2001 11:47:40 -0700 (PDT) Received: from netscape.com (r2d2.netscape.com [205.217.237.47]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA15646 for <ietf-pkix@imc.org>; Mon, 21 May 2001 11:47:34 -0700 (PDT) Received: from judge.mcom.com (judge.mcom.com [205.217.237.53]) by netscape.com (8.10.0/8.10.0) with ESMTP id f4LIl4n00619 for <ietf-pkix@imc.org>; Mon, 21 May 2001 11:47:05 -0700 (PDT) Received: from netscape.com ([192.18.121.215]) by judge.mcom.com (Netscape Messaging Server 4.15) with ESMTP id GDP86H00.LA4; Mon, 21 May 2001 11:47:05 -0700 Message-ID: <3B0962A7.1040809@netscape.com> Date: Mon, 21 May 2001 11:47:03 -0700 From: thayes@netscape.com (Terry Hayes) User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9+) Gecko/20010326 X-Accept-Language: en MIME-Version: 1.0 To: Vivian Cancio <vcancio@redcreek.com> CC: "'Frank Balluffi'" <frankb@valicert.com>, ietf-pkix@imc.org Subject: Re: C=country; just a convention? References: <0AD8DC253EFDD311837300805F650DF219FB4A@mail.redcreek.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> I believe the string representation of a Distinguished Name (DN) that we are discussing is defined by the LDAP RFCs, not by X.500 or PKIX . As such we should expect that the LDAP RFC would give some indication as to the proper form of the attribute type. Looking in RFC 2253, we find the following statement: "If the AttributeType is in a published table of attribute types associated with LDAP [4], then the type name string from that table is used, otherwise it is encoded as the dotted-decimal encoding of the AttributeType's OBJECT IDENTIFIER." The reference "LDAP [4]" is for RFC 2252. However I don't see a table of values in that document. RFC 2252 itself references X.520, so it may be intended that attribute type strings from that document should apply. Terry Hayes Vivian Cancio wrote: >Frank Balluffi said: > >>As I recall LDAP does transmit the string representation of a >>Name (e.g., "CN=Steve Kille,O=Isode Limited,C=GB") over the >>wire in anOCTET STRING (or LDAPString). >> > >It may not work if "stateOrProvinceName" is ever one of the fields >transmitted between vendors. See the discrepancies from the feedback. I have >concluded that there's no specification defining a formal standard for these >short names. Any expected interoperability over the wire must rely on the >OID (which was the intention in the first place?). > >I guess the users reading displayed certificates using this terminology must >be clever and deduct based on the information on the right of the "=", or >vendors should provide "legends" defining their use. > >Here is one example of discrepancy: >In X.520: >s stateOrProvinceName > >In Peter's list: >sp stateOrProvinceName >st streetAddress >s surname > >In RFC 2253 >st stateOrProvinceName > > >Vivian > > >>-----Original Message----- >>From: Frank Balluffi [mailto:frankb@valicert.com] >>Sent: Friday, May 18, 2001 6:42 PM >>To: Vivian Cancio >>Cc: ietf-pkix@imc.org >>Subject: RE: C=country; just a convention? >> >> >>Vivian Cancio said: >> >>>I'm assuming that since it doesn't go "on the wire" it is somewhat >>>irrelevant? >>> >>As I recall LDAP does transmit the string representation of a >>Name (e.g., >>"CN=Steve Kille,O=Isode Limited,C=GB") over the wire in an >>OCTET STRING (or >>LDAPString). You can even roll your own AttributeTypeAndValues using >>period-delimited attribute types and hexadecimal attribute values. For >>example >> >>1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB [From RFC 2253.] >> >>Frank >> Received: by above.proper.com (8.9.3/8.9.3) id LAA14715 for ietf-pkix-bks; Mon, 21 May 2001 11:08:30 -0700 (PDT) Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA14709 for <ietf-pkix@imc.org>; Mon, 21 May 2001 11:08:25 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GDP008016EDDB@ext-mail.valicert.com> for ietf-pkix@imc.org; Mon, 21 May 2001 11:08:37 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GDP008666ED5U@ext-mail.valicert.com>; Mon, 21 May 2001 11:08:37 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26SV55>; Mon, 21 May 2001 11:06:08 -0700 Content-return: allowed Date: Mon, 21 May 2001 11:06:01 -0700 From: Frank Balluffi <frankb@valicert.com> Subject: RE: C=country; just a convention? To: "'Vivian Cancio'" <vcancio@redcreek.com> Cc: ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E014BACFA@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Vivian, RFC 2253 is the most up-to-date standard for the string representation of a distinguished name, which defines ST for stateOrProvinceName and STREET for streetAddress. X.520 does not define string representations -- it defines attributes in ASN.1. Peter's list is Peter's list :-). I would go with RFC 2253. Frank > -----Original Message----- > From: Vivian Cancio [mailto:vcancio@redcreek.com] > Sent: Monday, May 21, 2001 1:55 PM > To: 'Frank Balluffi' > Cc: ietf-pkix@imc.org > Subject: RE: C=country; just a convention? > > > Frank Balluffi said: > > > As I recall LDAP does transmit the string representation of a > > Name (e.g., "CN=Steve Kille,O=Isode Limited,C=GB") over the > > wire in anOCTET STRING (or LDAPString). > > It may not work if "stateOrProvinceName" is ever one of the fields > transmitted between vendors. See the discrepancies from the > feedback. I have > concluded that there's no specification defining a formal > standard for these > short names. Any expected interoperability over the wire must > rely on the > OID (which was the intention in the first place?). > > I guess the users reading displayed certificates using this > terminology must > be clever and deduct based on the information on the right of > the "=", or > vendors should provide "legends" defining their use. > > Here is one example of discrepancy: > In X.520: > s stateOrProvinceName > > In Peter's list: > sp stateOrProvinceName > st streetAddress > s surname > > In RFC 2253 > st stateOrProvinceName > > > Vivian > > > > -----Original Message----- > > From: Frank Balluffi [mailto:frankb@valicert.com] > > Sent: Friday, May 18, 2001 6:42 PM > > To: Vivian Cancio > > Cc: ietf-pkix@imc.org > > Subject: RE: C=country; just a convention? > > > > > > Vivian Cancio said: > > > > > I'm assuming that since it doesn't go "on the wire" it is somewhat > > > irrelevant? > > > > As I recall LDAP does transmit the string representation of a > > Name (e.g., > > "CN=Steve Kille,O=Isode Limited,C=GB") over the wire in an > > OCTET STRING (or > > LDAPString). You can even roll your own AttributeTypeAndValues using > > period-delimited attribute types and hexadecimal attribute > values. For > > example > > > > 1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB [From RFC 2253.] > > > > Frank > > > Received: by above.proper.com (8.9.3/8.9.3) id KAA14072 for ietf-pkix-bks; Mon, 21 May 2001 10:55:24 -0700 (PDT) Received: from exchange.redcreek.com (mail.redcreek.com [209.125.38.15]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA14064 for <ietf-pkix@imc.org>; Mon, 21 May 2001 10:55:17 -0700 (PDT) Received: by mail.redcreek.com with Internet Mail Service (5.5.2653.19) id <JHZ8B91N>; Mon, 21 May 2001 10:55:16 -0700 Message-ID: <0AD8DC253EFDD311837300805F650DF219FB4A@mail.redcreek.com> From: Vivian Cancio <vcancio@redcreek.com> To: "'Frank Balluffi'" <frankb@valicert.com> Cc: ietf-pkix@imc.org Subject: RE: C=country; just a convention? Date: Mon, 21 May 2001 10:55:15 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="ISO-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Frank Balluffi said: > As I recall LDAP does transmit the string representation of a > Name (e.g., "CN=Steve Kille,O=Isode Limited,C=GB") over the > wire in anOCTET STRING (or LDAPString). It may not work if "stateOrProvinceName" is ever one of the fields transmitted between vendors. See the discrepancies from the feedback. I have concluded that there's no specification defining a formal standard for these short names. Any expected interoperability over the wire must rely on the OID (which was the intention in the first place?). I guess the users reading displayed certificates using this terminology must be clever and deduct based on the information on the right of the "=", or vendors should provide "legends" defining their use. Here is one example of discrepancy: In X.520: s stateOrProvinceName In Peter's list: sp stateOrProvinceName st streetAddress s surname In RFC 2253 st stateOrProvinceName Vivian > -----Original Message----- > From: Frank Balluffi [mailto:frankb@valicert.com] > Sent: Friday, May 18, 2001 6:42 PM > To: Vivian Cancio > Cc: ietf-pkix@imc.org > Subject: RE: C=country; just a convention? > > > Vivian Cancio said: > > > I'm assuming that since it doesn't go "on the wire" it is somewhat > > irrelevant? > > As I recall LDAP does transmit the string representation of a > Name (e.g., > "CN=Steve Kille,O=Isode Limited,C=GB") over the wire in an > OCTET STRING (or > LDAPString). You can even roll your own AttributeTypeAndValues using > period-delimited attribute types and hexadecimal attribute values. For > example > > 1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB [From RFC 2253.] > > Frank > Received: by above.proper.com (8.9.3/8.9.3) id JAA10446 for ietf-pkix-bks; Mon, 21 May 2001 09:47:33 -0700 (PDT) Received: from indy.gradient.com (root@indy.gradient.com [192.92.110.1]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA10435 for <ietf-pkix@imc.org>; Mon, 21 May 2001 09:47:25 -0700 (PDT) Received: from bigbird.gradient.com (bigbird.gradient.com [192.92.110.50]) by indy.gradient.com (8.9.1a/8.9.1) with ESMTP id MAA19092; Mon, 21 May 2001 12:47:22 -0400 (EDT) Received: by BIGBIRD with Internet Mail Service (5.5.2650.10) id <LBJCTJBT>; Mon, 21 May 2001 12:52:17 -0400 Message-ID: <899128A30EEDD1118FC900A0C9C74A34BA97FD@BIGBIRD> From: Hal Lockhart <hal.lockhart@entegrity.com> To: "'David P. Kemp'" <dpkemp@missi.ncsc.mil>, Stephen Kent <kent@bbn.com> Cc: ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pki x-new-part1-06.txt comments) Date: Mon, 21 May 2001 12:52:16 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.10) Content-Type: text/plain; charset="ISO-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> David P. Kemp wrote: > I certainly agree that the intent of X.509, from v1 to the > present, was > that a CA entity is the ultimate and sole authority for revoking the > certificates that it issues. I think that at least part of this debate stems from different views of exactly what constitutes an "entity". I believe the following are implied in messages from different people: 1. a key 2. a DN 3. a legally constituted organization Hal Received: by above.proper.com (8.9.3/8.9.3) id IAA07243 for ietf-pkix-bks; Mon, 21 May 2001 08:52:55 -0700 (PDT) Received: from x007.klerer.net (ns.klerer.net [63.146.136.63]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA07235 for <ietf-pkix@imc.org>; Mon, 21 May 2001 08:52:48 -0700 (PDT) Received: from BOBT21 ([10.10.10.6]) by x007.klerer.net with Microsoft SMTPSVC(5.0.2195.1600); Mon, 21 May 2001 11:51:20 -0400 From: "Robert Klerer" <klerer@xhair.com> To: <ietf-pkix@imc.org> Subject: RE: C=country; just a convention? Date: Mon, 21 May 2001 11:52:49 -0400 Message-ID: <ADEAJLFMDMLGEEGGNMMMKELKCLAA.klerer@xhair.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-Reply-To: <5.0.1.4.2.20010521084200.01d89988@exna07.securitydynamics.com> X-OriginalArrivalTime: 21 May 2001 15:51:20.0480 (UTC) FILETIME=[E110CA00:01C0E20D] Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> And also remember that the ASN.1 in the subjectDN is written so that any prefix is a valid entry in the directory (from x.501) -- which translates into c=us, o=My Company ,cn=me While LDAP traditionally presents the cn first in the textual representations and is generally considered the authoritative (since x.500 is silent on this issue) for the textual representation of DNs so the same name would be: cn=me,o=My Company,c=us :) Now which name will the api Certificate.SubjectDN().getName() return depends upon how carefully that particular implementation's authors read the standards that must be inferred. Also note that getName() returns a String representation and if anyone were to suggest that the ASN.1 is authoritative please respond with a "How come getName does not return the ASN.1 DER encoded in a byte[]?" ---- Peter: The table in RFC 2253 has a few discrepancies with your table. String X.500 AttributeType ------------------------------ CN commonName L localityName ST stateOrProvinceName O organizationName OU organizationalUnitName C countryName STREET streetAddress DC domainComponent UID userid Russ At 12:33 PM 5/19/2001 +0000, Peter Gutmann wrote: >Vivian Cancio <vcancio@redcreek.com> writes: > > >I noticed that RFC 1485 is not included in the RFC 2459 references and the > >table (in RFC 1485) is rather limited. > >The short forms of DN components is another one of these "hunt the thimble" >affairs which is even more fun than looking for OIDs. Here are the ones I've >found either in common use or at least defined in only one place (ie >they're at >least definitely (in)accurate): > >Label Component >bc businessCategory >c countryName >cn commonName >d description >dc domainComponent >email emailAddress (PKCS #9) >g givenName >i initials >isdn internationalISDNNumber >l locality >o organisationName >ou organisationalUnitName >s surname >sn serialNumber >sp stateOrProvinceName >st streetAddress >t title > >Peter. Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id HAA04130 for ietf-pkix-bks; Mon, 21 May 2001 07:57:50 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA04110 for <ietf-pkix@imc.org>; Mon, 21 May 2001 07:57:42 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id KAA14878; Mon, 21 May 2001 10:57:25 -0400 (EDT) Received: from reject.missi.ncsc.mil (reject.missi.ncsc.mil [144.51.60.17]) by stingray.missi.ncsc.mil with SMTP id KAA14872; Mon, 21 May 2001 10:57:23 -0400 (EDT) Received: from 144.51.60.215 by reject.missi.ncsc.mil (InterScan E-Mail VirusWall NT); Mon, 21 May 2001 11:00:13 -0400 (Eastern Daylight Time) Received: from missi.ncsc.mil (ara.missi.ncsc.mil [144.51.55.128]) by amx.missi.ncsc.mil with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JSFMCGBG; Mon, 21 May 2001 11:00:43 -0400 Message-ID: <3B092C0E.8053C731@missi.ncsc.mil> Date: Mon, 21 May 2001 10:54:06 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: Stephen Kent <kent@bbn.com> CC: ietf-pkix@imc.org Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) References: <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010418133051.00addb60@email.nist.gov> <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010515172220.00a677b0@email.nist.gov> <p05010406b72760acb0bf@[128.33.238.68]> <200105161648.JAA13461@above.proper.com> <p05010403b7288eeda3d6@[128.33.238.22]> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Hi Steve, I certainly agree that the intent of X.509, from v1 to the present, was that a CA entity is the ultimate and sole authority for revoking the certificates that it issues. However, Tim has proposed changing the text of PKIX to require the cA flag to be set in every certificate whose subject is a CA entity. Such a change is unnecessary. The question is: * When a CA entity uses one public key to sign certificates * and a different public key to sign CRLs, must the cA flag be set * in the certificate containing the public key used to sign CRLs? I say no. David Cooper, Santosh, Sharon, Denis, Tom, and others can answer this question explicitly for themselves; I will refrain from interpreting their words. ---- A related discussion concerns the ability of a non-CA authority (an AA) to sign CRLs for the non-PKCs (ACs) that it issues. Since non-public-key X.509 certificates did not exist before v3, there is no historical author's intent concerning the issuance and revocation of such certificates. But it is no stretch of the imagination to believe that had the question been asked, the original authors would have said that the issuer of a non-PKC is the ultimate and sole authority for revoking that non-PKC. In both the PKC and non-PKC cases, the issuer of a certificate can designate or delegate a public key to be used for revoking that certificate by setting the cRLSign bit. The issuer's authority and ability to revoke does not depend on, or benefit from, the existence or state of the cA flag in the basic constraints extension. This related discussion of historical intent is interesting, but I am *not* calling for a straw poll to interpret historical intent, or to write new text to clarify historical intent. I posit that there is no need to change the text to require the cA bit to be set in certificates used to validate CRLs containing PKCs. The current text does not require the cA bit to be set, and there is no need to add such a requirement. Dave Stephen Kent wrote: > > Dave, > > We have a fundamental disagreement here. You have posited that there > is no need to change the text to make it clear that a non-CA entity > can sign CRLs. We have heard from Sharon, who clearly stated that the > intent of the authors of X.509 was to impose such a requirement, and > I think Tim said the same. Russ, I think may have concurred, even > though he now agrees with your reasoning about what is a reasonable > interpretation going forward. > > What we have here is analogous to a lawyer proposing an > interpretation of a law, but not being willing to examine the > legislative history. That's simply mot acceptable. I won't argue > whether it is appropriate to CHANGE to a scheme in which there is no > need to check the CA flag when validating the signature on a CRL. if > we have arrived at a consensus that this is OK, then fine. But, it is > clearly a change relative to the expressed intent of the authors of > previous versions of the standards and thus it merits an explicit > change to the text of the next rev of the standards. > > As per the message text cites you forwarded, I don't interpret any of > the quotes as supportive of your contention that there is no need to > change the text of these standards when if we drop the CA flag bit > requirement. Most of these messages are supportive of the change > (some are taken out of context and so it's hard to tell even if that > is the case). None of these addresses the issue you raise. > > So, no, I will not call for a poll on the question you pose because > it ignores the stated intent of the authors and flies in the face of > a reasonable interpretation of all preceding text by an intelligent > reader. One cannot vote to change history, and I will not conduct a > poll to determine if people want to change history. > > The only question o the table is whether we want to remove the > implied restriction that used to exist, and thus accept the editing > changes that it implies. > > Steve Received: by above.proper.com (8.9.3/8.9.3) id GAA27998 for ietf-pkix-bks; Mon, 21 May 2001 06:18:13 -0700 (PDT) Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id GAA27989 for <ietf-pkix@imc.org>; Mon, 21 May 2001 06:18:06 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 21 May 2001 13:17:35 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id JAA07405; Mon, 21 May 2001 09:18:06 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NZ0PQ>; Mon, 21 May 2001 09:18:05 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.118]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NZ0PM; Mon, 21 May 2001 09:18:02 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: pgut001@cs.auckland.ac.nz Cc: ietf-pkix@imc.org, vcancio@redcreek.com Message-Id: <5.0.1.4.2.20010521084200.01d89988@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 21 May 2001 08:46:34 -0400 Subject: RE: C=country; just a convention? In-Reply-To: <99023241500375@kahu.cs.auckland.ac.nz> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Peter: The table in RFC 2253 has a few discrepancies with your table. String X.500 AttributeType ------------------------------ CN commonName L localityName ST stateOrProvinceName O organizationName OU organizationalUnitName C countryName STREET streetAddress DC domainComponent UID userid Russ At 12:33 PM 5/19/2001 +0000, Peter Gutmann wrote: >Vivian Cancio <vcancio@redcreek.com> writes: > > >I noticed that RFC 1485 is not included in the RFC 2459 references and the > >table (in RFC 1485) is rather limited. > >The short forms of DN components is another one of these "hunt the thimble" >affairs which is even more fun than looking for OIDs. Here are the ones I've >found either in common use or at least defined in only one place (ie >they're at >least definitely (in)accurate): > >Label Component >bc businessCategory >c countryName >cn commonName >d description >dc domainComponent >email emailAddress (PKCS #9) >g givenName >i initials >isdn internationalISDNNumber >l locality >o organisationName >ou organisationalUnitName >s surname >sn serialNumber >sp stateOrProvinceName >st streetAddress >t title > >Peter. Received: by above.proper.com (8.9.3/8.9.3) id SAA21676 for ietf-pkix-bks; Fri, 18 May 2001 18:44:00 -0700 (PDT) Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA21672 for <ietf-pkix@imc.org>; Fri, 18 May 2001 18:43:55 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GDK002017HL8K@ext-mail.valicert.com> for ietf-pkix@imc.org; Fri, 18 May 2001 18:44:09 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GDK001DO7HLZB@ext-mail.valicert.com>; Fri, 18 May 2001 18:44:09 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26SS14>; Fri, 18 May 2001 18:41:47 -0700 Content-return: allowed Date: Fri, 18 May 2001 18:41:46 -0700 From: Frank Balluffi <frankb@valicert.com> Subject: RE: C=country; just a convention? To: Vivian Cancio <vcancio@redcreek.com> Cc: ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E01D495DD@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Vivian Cancio said: > I'm assuming that since it doesn't go "on the wire" it is somewhat > irrelevant? As I recall LDAP does transmit the string representation of a Name (e.g., "CN=Steve Kille,O=Isode Limited,C=GB") over the wire in an OCTET STRING (or LDAPString). You can even roll your own AttributeTypeAndValues using period-delimited attribute types and hexadecimal attribute values. For example 1.3.6.1.4.1.1466.0=#04024869,O=Test,C=GB [From RFC 2253.] Frank Received: by above.proper.com (8.9.3/8.9.3) id RAA19345 for ietf-pkix-bks; Fri, 18 May 2001 17:49:08 -0700 (PDT) Received: from pigeon.verisign.com (pigeon.verisign.com [208.206.241.106]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA19324 for <ietf-pkix@imc.org>; Fri, 18 May 2001 17:49:01 -0700 (PDT) Received: from postal-gw1.verisign.com (verisign.com [63.104.27.101]) by pigeon.verisign.com (8.9.3/BCH1.7.1) with ESMTP id RAA28286; Fri, 18 May 2001 17:42:47 -0700 (PDT) Received: by postal-gw.verisign.com with Internet Mail Service (5.5.2653.19) id <KZSK9MDX>; Fri, 18 May 2001 17:49:01 -0700 Message-ID: <C713C1768C55D3119D200090277AEECA01AFA9E4@postal.verisign.com> From: Alex Deacon <alex@verisign.com> To: "'pgut001@cs.auckland.ac.nz'" <pgut001@cs.auckland.ac.nz>, ietf-pkix@imc.org, peterw@valicert.com, vcancio@redcreek.com Subject: RE: C=country; just a convention? Date: Fri, 18 May 2001 17:48:59 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> It may be also interesting to have a look at RFC 1778. In addition you should note that RFC 1485 and RFC 1779 have been obsoleted by RFC 2253. Alex > -----Original Message----- > From: pgut001@cs.auckland.ac.nz [mailto:pgut001@cs.auckland.ac.nz] > Sent: Saturday, May 19, 2001 5:34 AM > To: ietf-pkix@imc.org; peterw@valicert.com; vcancio@redcreek.com > Subject: RE: C=country; just a convention? > > > Vivian Cancio <vcancio@redcreek.com> writes: > > >I noticed that RFC 1485 is not included in the RFC 2459 > references and the > >table (in RFC 1485) is rather limited. > > The short forms of DN components is another one of these > "hunt the thimble" > affairs which is even more fun than looking for OIDs. Here > are the ones I've > found either in common use or at least defined in only one > place (ie they're at > least definitely (in)accurate): > > Label Component > bc businessCategory > c countryName > cn commonName > d description > dc domainComponent > email emailAddress (PKCS #9) > g givenName > i initials > isdn internationalISDNNumber > l locality > o organisationName > ou organisationalUnitName > s surname > sn serialNumber > sp stateOrProvinceName > st streetAddress > t title > > Peter. > Received: by above.proper.com (8.9.3/8.9.3) id RAA15513 for ietf-pkix-bks; Fri, 18 May 2001 17:33:42 -0700 (PDT) Received: from mail.ec.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.201]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA15492 for <ietf-pkix@imc.org>; Fri, 18 May 2001 17:33:33 -0700 (PDT) Received: from kahu.cs.auckland.ac.nz (pgut001@kahu.cs.auckland.ac.nz [130.216.36.13]) by mail.ec.auckland.ac.nz (8.9.3/8.8.6/cs-master) with SMTP id MAA03758; Sat, 19 May 2001 12:33:35 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by kahu.cs.auckland.ac.nz (relaymail v0.9) id <99023241500375>; Sat, 19 May 2001 12:33:35 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ietf-pkix@imc.org, peterw@valicert.com, vcancio@redcreek.com Subject: RE: C=country; just a convention? Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on kahu.cs.auckland.ac.nz Date: Sat, 19 May 2001 12:33:35 (NZST) Message-ID: <99023241500375@kahu.cs.auckland.ac.nz> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Vivian Cancio <vcancio@redcreek.com> writes: >I noticed that RFC 1485 is not included in the RFC 2459 references and the >table (in RFC 1485) is rather limited. The short forms of DN components is another one of these "hunt the thimble" affairs which is even more fun than looking for OIDs. Here are the ones I've found either in common use or at least defined in only one place (ie they're at least definitely (in)accurate): Label Component bc businessCategory c countryName cn commonName d description dc domainComponent email emailAddress (PKCS #9) g givenName i initials isdn internationalISDNNumber l locality o organisationName ou organisationalUnitName s surname sn serialNumber sp stateOrProvinceName st streetAddress t title Peter. Received: by above.proper.com (8.9.3/8.9.3) id QAA03747 for ietf-pkix-bks; Fri, 18 May 2001 16:34:50 -0700 (PDT) Received: from exchange.redcreek.com (mail.redcreek.com [209.125.38.15]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA03737 for <ietf-pkix@imc.org>; Fri, 18 May 2001 16:34:44 -0700 (PDT) Received: by mail.redcreek.com with Internet Mail Service (5.5.2653.19) id <JHZ8B6H6>; Fri, 18 May 2001 16:34:42 -0700 Message-ID: <0AD8DC253EFDD311837300805F650DF219FB49@mail.redcreek.com> From: Vivian Cancio <vcancio@redcreek.com> To: "'Peter Williams'" <peterw@valicert.com>, "'PKI List'" <ietf-pkix@imc.org> Subject: RE: C=country; just a convention? Date: Fri, 18 May 2001 16:34:40 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="ISO-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Thanks Peter, I noticed that RFC 1485 is not included in the RFC 2459 references and the table (in RFC 1485) is rather limited. Also it references "X.520 keys", but these are only examples in X.520, and the RFC incorrectly uses ST for State: Key Attribute (X.520 keys) ______________________________ CN CommonName L LocalityName ST StateOrProvinceName O OrganizationName OU OrganizationalUnitName C CountryName Table 1: Standardised Keywords The example in X.520 Section 5.3.3 State or Province Name - shows the "S=" and not "ST=". "An attribute value for State or Province Name is a string, e.g. S = "Ohio". stateOrProvinceName ATTRIBUTE ::= { SUBTYPE OF name WITH SYNTAX DirectoryString {ub-state-name} ID id-at-stateOrProvinceName } I'm assuming that since it doesn't go "on the wire" it is somewhat irrelevant? Vivian > -----Original Message----- > From: Peter Williams [mailto:peterw@valicert.com] > Sent: Friday, May 18, 2001 3:05 PM > To: Vivian Cancio; 'PKI List' > Subject: RE: C=country; just a convention? > > > > RFC 1485 > > > -----Original Message----- > From: Vivian Cancio [mailto:vcancio@redcreek.com] > Sent: Friday, May 18, 2001 2:18 PM > To: 'PKI List' > Subject: C=country; just a convention? > > > A simple question ... > Security applications which display certificate attributes use short > 'acronyms' to describe the parts of the "relative distinguish > name" such as > C=country, O=organization, S=state, etc. > > I'm aware of the OIDs for the ASN1 structures ... I haven't found a > description of this 'acronym' convention which is also used in X.5xx > examples. > > Is it just a de-facto convention or is it specified somewhere? > > I checked just about all the X.5xx documents and I couldn't > find even a > legend for the examples using this convention, ... although > it might be > specified in some of the many references. Can someone tell > me where they > are defined? > > Thanks, > Vivian > Received: by above.proper.com (8.9.3/8.9.3) id PAA27700 for ietf-pkix-bks; Fri, 18 May 2001 15:06:51 -0700 (PDT) Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA27681 for <ietf-pkix@imc.org>; Fri, 18 May 2001 15:06:44 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GDJ00101XFPAI@ext-mail.valicert.com> for ietf-pkix@imc.org; Fri, 18 May 2001 15:07:01 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GDJ000F6XFPX1@ext-mail.valicert.com>; Fri, 18 May 2001 15:07:01 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26SRQX>; Fri, 18 May 2001 15:04:39 -0700 Content-return: allowed Date: Fri, 18 May 2001 15:04:38 -0700 From: Peter Williams <peterw@valicert.com> Subject: RE: C=country; just a convention? To: "'Vivian Cancio'" <vcancio@redcreek.com>, "'PKI List'" <ietf-pkix@imc.org> Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E182CB8@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> RFC 1485 -----Original Message----- From: Vivian Cancio [mailto:vcancio@redcreek.com] Sent: Friday, May 18, 2001 2:18 PM To: 'PKI List' Subject: C=country; just a convention? A simple question ... Security applications which display certificate attributes use short 'acronyms' to describe the parts of the "relative distinguish name" such as C=country, O=organization, S=state, etc. I'm aware of the OIDs for the ASN1 structures ... I haven't found a description of this 'acronym' convention which is also used in X.5xx examples. Is it just a de-facto convention or is it specified somewhere? I checked just about all the X.5xx documents and I couldn't find even a legend for the examples using this convention, ... although it might be specified in some of the many references. Can someone tell me where they are defined? Thanks, Vivian Received: by above.proper.com (8.9.3/8.9.3) id OAA24766 for ietf-pkix-bks; Fri, 18 May 2001 14:18:20 -0700 (PDT) Received: from exchange.redcreek.com (mail.redcreek.com [209.125.38.15]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA24762 for <ietf-pkix@imc.org>; Fri, 18 May 2001 14:18:14 -0700 (PDT) Received: by mail.redcreek.com with Internet Mail Service (5.5.2653.19) id <JHZ8B58Y>; Fri, 18 May 2001 14:18:11 -0700 Message-ID: <0AD8DC253EFDD311837300805F650DF219FB47@mail.redcreek.com> From: Vivian Cancio <vcancio@redcreek.com> To: "'PKI List'" <ietf-pkix@imc.org> Subject: C=country; just a convention? Date: Fri, 18 May 2001 14:18:07 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="ISO-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> A simple question ... Security applications which display certificate attributes use short 'acronyms' to describe the parts of the "relative distinguish name" such as C=country, O=organization, S=state, etc. I'm aware of the OIDs for the ASN1 structures ... I haven't found a description of this 'acronym' convention which is also used in X.5xx examples. Is it just a de-facto convention or is it specified somewhere? I checked just about all the X.5xx documents and I couldn't find even a legend for the examples using this convention, ... although it might be specified in some of the many references. Can someone tell me where they are defined? Thanks, Vivian Received: by above.proper.com (8.9.3/8.9.3) id NAA18506 for ietf-pkix-bks; Fri, 18 May 2001 13:01:55 -0700 (PDT) Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA18488 for <ietf-pkix@imc.org>; Fri, 18 May 2001 13:01:49 -0700 (PDT) Received: from laptop (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f4IK1kj23042; Fri, 18 May 2001 13:01:46 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: <pgut001@cs.auckland.ac.nz>, <ietf-pkix@imc.org>, <jjacoby@rsasecurity.com>, <myers@coastside.net> Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list Date: Fri, 18 May 2001 13:01:16 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDGEBJCBAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-Reply-To: <99019981831092@kahu.cs.auckland.ac.nz> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> On Saturday, May 19, 2001, at the inspiring hour of 3:30 AM, Peter Gutman advised: > Given that there are already certs (and lots of software) > out there which use the current OID, wouldn't it be better > to relocate temporalDataAuthority (what is that anyway? > Does anyone use it? It looks like an oddly-named TSA OID). > > (Given that the OCSP OID is already in active use, I suspect > {id-kp 9} will remain "the OCSP OID" even if it's officially > reassigned, this my comment that it's going to be easier for > Mohammed to go to the mountain). > > Peter. Peter, Certainly a more pragmatic approach. As a consequence I've spent some time today searching across the various current and historical IETF work products to do kind of an environmental impact assessment of simply re-labelling {id-kp 9} from "id-kp-temporalDataAuthority" to "id-kp-OCSPSigning". As it turns out, the notion of a Temporal Data Authority (TDA) and a corresponding {id-kp 9} definition was introduced at least by http://www.ietf.org/proceedings/99jul/I-D/draft-ietf-pkix-time-stamp-02.txt. However, by the -14 edition the concept went away: http://www.ietf.org/internet-drafts/draft-ietf-pkix-time-stamp-14.txt. So the path seems clear to redefine {id-kp 9} as id-kp-OCSPSigning with no impact to timestamping implementors. Doing so would benefit standing OCSP implementations but does not excuse the OCSP authors, myself included, from a swift kick in the butt for failing to coordinate across the WG on this point. Incidentally, it might be useful to produce the relevant OID list into a PKIX work product so that once PKIX wraps clues are left behind how the pieces are supposed to bolt together. Mike Michael Myers t: +415.819.1362 e: mailto:mike@traceroutesecurity.com w: http://www.traceroutesecurity.com Received: by above.proper.com (8.9.3/8.9.3) id MAA15374 for ietf-pkix-bks; Fri, 18 May 2001 12:05:47 -0700 (PDT) Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA15359 for <ietf-pkix@imc.org>; Fri, 18 May 2001 12:05:41 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GDJ00001P1Y56@ext-mail.valicert.com> for ietf-pkix@imc.org; Fri, 18 May 2001 12:05:58 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GDJ00NA2P1X0C@ext-mail.valicert.com>; Fri, 18 May 2001 12:05:58 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26SPTQ>; Fri, 18 May 2001 12:03:36 -0700 Content-return: allowed Date: Fri, 18 May 2001 12:03:35 -0700 From: Ryan Hurst <ryanh@valicert.com> Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list To: "'Michael Myers'" <myers@coastside.net>, Jeff Jacoby <jjacoby@rsasecurity.com>, ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E01EEDD44@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Michael -- A number of existing OCSP client and server implementations (CA, ValiCert, Kyberpass, etc) already use id-kp-OCSPSigning {id-kp 9} any changes to this would certainly break a number of production systems. I am unsure what the id-kp-temporalDataAuthority is used for or how broadly it is used but before we formally change id-kp-OCSPSigning we need to explore which will effect existing systems the least. Ryan M. Hurst Manager Solutions Engineering ValiCert, Inc. -----Original Message----- From: Michael Myers [mailto:myers@coastside.net] Sent: Thursday, May 17, 2001 5:56 PM To: Jeff Jacoby; ietf-pkix@imc.org Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list Jeff, Thanks for the catch. Yes, clearly the OID {id-kp 9} was assigned to id-kp-temporalDataAuthority for EKU. In coordination with the PKIX OID Registrar and the IESG, we will correct this defect with the result of a new OID for id-kp-OCSPSigning for use in EKU. BTW, are you and/or your interoperability partners facing a need that depends upon this feature? Mike Received: by above.proper.com (8.9.3/8.9.3) id MAA15294 for ietf-pkix-bks; Fri, 18 May 2001 12:05:08 -0700 (PDT) Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA15275 for <ietf-pkix@imc.org>; Fri, 18 May 2001 12:05:01 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <LFHJ39YX>; Fri, 18 May 2001 15:04:29 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DECCC@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "Steve Kent (E-mail)" <kent@bbn.com> Cc: "David Cooper (E-mail)" <david.cooper@nist.gov>, "David Kemp (E-mail)" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org Subject: cA Flag -- cRLSign Date: Fri, 18 May 2001 14:55:03 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0DFCC.0BFE1FE0" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0DFCC.0BFE1FE0 Content-Type: text/plain; charset="iso-8859-1" Steve: I have a compromise proposal in this area. As Russ Housley says: In the interest of interoperability, the generator should be strict and processor should be forgiving (assuming no security) is compromised. I would say let us do the following: 1. A PKIX compliant CA must assert basicConstraints with cA set to TRUE if cRLSign bit is set, and 2. A PKIX compliant relying party client must check cRLSign flag in the keyUsage extension, if keyUsage extension is present, when using the public key of the subject to verify a signature on the CRL. However, if the keyUsage extension is absent, basicConstraints must be present with cA = TRUE Santosh Chokhani CygnaCom Solutions, Inc. an Entrust Technologies company 7927 Jones Branch Drive, Suite 100 West McLean, VA 22102 chokhani@cygnacom.com; santosh.chokhani@entrust.com (703) 270-3520 (703) 848-0960 (fax) ------_=_NextPart_001_01C0DFCC.0BFE1FE0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>cA Flag -- cRLSign</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2 FACE=3D"Arial">Steve:</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">I have a compromise proposal in this = area. As Russ Housley says: In the interest of interoperability, = the generator should be strict and processor should be forgiving = (assuming no security) is compromised.</FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial">I would say let us do the = following:</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">1. A PKIX compliant CA must = assert basicConstraints with cA set to TRUE if cRLSign bit is set, = and</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">2. A PKIX compliant relying = party client must check cRLSign flag in the keyUsage extension, if = keyUsage extension is present, when using the public key of the subject = to verify a signature on the CRL. However, if the keyUsage = extension is absent, basicConstraints must be present with cA =3D = TRUE</FONT></P> <P><FONT SIZE=3D2 FACE=3D"Arial">Santosh Chokhani</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">CygnaCom Solutions, Inc.</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">an Entrust Technologies = company</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">7927 Jones Branch Drive, Suite 100 = West</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">McLean, VA 22102</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">chokhani@cygnacom.com; = santosh.chokhani@entrust.com</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">(703) 270-3520 (703) 848-0960 = (fax)</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0DFCC.0BFE1FE0-- Received: by above.proper.com (8.9.3/8.9.3) id LAA14482 for ietf-pkix-bks; Fri, 18 May 2001 11:41:34 -0700 (PDT) Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA14478 for <ietf-pkix@imc.org>; Fri, 18 May 2001 11:41:28 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GDJ00N01NXL29@ext-mail.valicert.com> for ietf-pkix@imc.org; Fri, 18 May 2001 11:41:45 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GDJ00N2QNXL0C@ext-mail.valicert.com> for ietf-pkix@imc.org; Fri, 18 May 2001 11:41:45 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26SPPC>; Fri, 18 May 2001 11:39:23 -0700 Content-return: allowed Date: Fri, 18 May 2001 11:39:23 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list To: ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E014C8D94@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> I agree (with Peter). Regards, Ambarish --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com Mountain View, CA 94043 > -----Original Message----- > From: pgut001@cs.auckland.ac.nz [mailto:pgut001@cs.auckland.ac.nz] > Sent: Friday, May 18, 2001 8:30 PM > To: ietf-pkix@imc.org; jjacoby@rsasecurity.com; myers@coastside.net > Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list > > > "Michael Myers" <myers@coastside.net> writes: > > >Thanks for the catch. Yes, clearly the OID {id-kp 9} was > assigned to id-kp- > >temporalDataAuthority for EKU. In coordination with the > PKIX OID Registrar > >and the IESG, we will correct this defect with the result of > a new OID for id- > >kp-OCSPSigning for use in EKU. > > Given that there are already certs (and lots of software) out > there which use > the current OID, wouldn't it be better to relocate > temporalDataAuthority (what > is that anyway? Does anyone use it? It looks like an > oddly-named TSA OID). > > (Given that the OCSP OID is already in active use, I suspect > {id-kp 9} will > remain "the OCSP OID" even if it's officially reassigned, > this my comment > that it's going to be easier for Mohammed to go to the mountain). > > Peter. > Received: by above.proper.com (8.9.3/8.9.3) id KAA13368 for ietf-pkix-bks; Fri, 18 May 2001 10:50:11 -0700 (PDT) Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id KAA13364 for <ietf-pkix@imc.org>; Fri, 18 May 2001 10:50:05 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 18 May 2001 17:49:38 UT Received: from tuna.rsa.com (tuna.rsa.com [10.80.211.153]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id NAA25521; Fri, 18 May 2001 13:50:06 -0400 (EDT) Received: from rsasecurity.com ([10.81.217.242]) by tuna.rsa.com (8.8.8+Sun/8.8.8) with ESMTP id KAA19793; Fri, 18 May 2001 10:50:49 -0700 (PDT) Message-ID: <3B0560BB.C2E8FC6@rsasecurity.com> Date: Fri, 18 May 2001 10:49:47 -0700 From: Jeff Jacoby <jjacoby@rsasecurity.com> Organization: RSA Security, Inc. X-Mailer: Mozilla 4.75 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Michael Myers <myers@coastside.net> CC: ietf-pkix@imc.org Subject: Re: Minor OID mistakes in OCSPv2 and the official OID list References: <EOEGJNFMMIBDKGFONJJDEEBACBAA.myers@coastside.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Mike, > Thanks for the catch. Yes, clearly the OID {id-kp 9} was assigned to > id-kp-temporalDataAuthority for EKU. In coordination with the PKIX OID > Registrar and the IESG, we will correct this defect with the result of a > new > OID for id-kp-OCSPSigning for use in EKU. If it's possible, I would prefer id-kp-OCSPSigning remain as {id-kp 9} and that id-kp-temporalDataAuthority (whatever that is) be {id-kp somethingelse} > BTW, are you and/or your interoperability partners facing a need that > depends upon this feature? We determine the response signer is an authorized signer (as opposed to a trusted signer) based on the presense of that OID (id-kp 9) in the response signer's cert. This significantly affects how our client validates the signer. I know of at least one VA vendor that, so far, has used {id-dp 9} so we would have to be able to handle 2 possible values if id-kp-OCSPSigning gets a new value. Jeff Received: by above.proper.com (8.9.3/8.9.3) id KAA11957 for ietf-pkix-bks; Fri, 18 May 2001 10:20:30 -0700 (PDT) Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA11947 for <ietf-pkix@imc.org>; Fri, 18 May 2001 10:20:23 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id TAA02302; Fri, 18 May 2001 19:20:18 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.3); Fri, 18 May 2001 19:20:18 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id TAA18424; Fri, 18 May 2001 19:20:17 +0200 (MET DST) From: Peter Sylvester <Peter.Sylvester@edelweb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.7.6/8.6.6) id TAA03728; Fri, 18 May 2001 19:20:17 +0200 (MET DST) Date: Fri, 18 May 2001 19:20:17 +0200 (MET DST) Message-Id: <200105181720.TAA03728@emeriau.edelweb.fr> To: pgut001@cs.auckland.ac.nz Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list Cc: ietf-pkix@imc.org Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> > Given that there are already certs (and lots of software) out there which use > the current OID, wouldn't it be better to relocate temporalDataAuthority (what > is that anyway? Does anyone use it? It looks like an oddly-named TSA OID). > I support Peter's view, the kp 9 is in a standards track RFC (2560), and the only definition of TDA is in an expired draft of timestamping, and this data is already obsolete. Also 2459 stops at kp 8 and even the new draft. C.4. Identification of the TDA The TDA MUST sign all temporal data tokens with a key reserved specifically for that purpose. The corresponding certificate MUST contain the extended key usage field extension as defined in [RFC2459] Section 4.2.1.14 with KeyPurposeID having value id-kp-temporalDataAuthority. This extension MUST be critical. id-kp-temporalDataAuthority OBJECT IDENTIFIER ::= {id-kp 9} -- Providing temporal data in support of time stamping services. Key -- usage bits that may be consistent: digitalSignature, -- nonRepudiation Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id KAA10742 for ietf-pkix-bks; Fri, 18 May 2001 10:00:00 -0700 (PDT) Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA10729 for <ietf-pkix@imc.org>; Fri, 18 May 2001 09:59:54 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id TAA22646; Fri, 18 May 2001 19:00:02 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id SAA17306; Fri, 18 May 2001 18:59:19 +0200 Message-ID: <3B0554A9.95006C07@bull.net> Date: Fri, 18 May 2001 18:58:17 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Integris. A Bull Company X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> CC: ietf-pkix@imc.org Subject: Re: Strawman on Delta CRLs References: <NBEFIEBJJIPIFAAAIBFAIEIHCBAA.sarbari@electrosoft-inc.com> <200105161720.KAA16046@above.proper.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> David, I agree with Sabari, so I feel sorry to disagree with you. > Sarbari, > > The CRLs in the examples do not give contradictory results because CRLs > do *not* have a validity period, they have a validity instant. The text from X.509 (nor RFC 2459) does not say this. Now let us look what people do in practice. They want to make sure that a CRL is valid at the instant T. So any CRL where the following condition is met is a good CRL. thisUpdate < T < nextUpdate So if an emergency CRL is issued, two CRLs will meet the condition. For that reason it is dangerous to issue "emergency CRLs", that contain references to non repudiation certificates, as soon as there is a key compromise, because one party may get it, while the other may not. If, using a CRL mechanism, there is a need to advertise as early as possible a key compromise then delta CRLs should be used. Delta-CRLs can be issued much more frequently. If relying parties are informed that they MUST fetch delta CRLs, and if there is a denial of service attack on the delta CRLs, then relying parties must not accept the certificate: they may either reject it if they cannot wait or if they can wait, wait until they can get access to the delta CRLs again. Denis > CRL #1 is valid at 12:00. The next CRL might be issued at > 15:00, but it also might be issued at 12:05. > > CRL #3 is valid at 14:00. > > CRL #3's thisUpdate is two hours later than CRL #1's. CRL #3 > contains fresher revocation information, and it is incorrect > to assert that that information "contradicts" the staler > information in CRL #1. > > CRLs, like OCSP responses, are valid at the instant they > are issued, and no longer. Relying Parties may use nextUpdate to > determine when to look for a new CRL. But RPs must not delude > themselves into thinking that an old CRL is magically "valid" > until its nextUpdate, because another CRL, delta or full, could > have been issued seconds later. > > Dave > > Sarbari Gupta wrote: > > > > Tim, David, Russ, > > > > The "strawman" on the use of delta CRLs was very precise and clear - thank you. I know this thread had been discussed to death already, but I did have a comment: > > > > It seems counterproductive to have CRLs and delta-CRLs that are valid in parallel as in your examples. CRL #1 is valid between 12:00 and 15:00, and delta CRL #3 is valid between 14:00 and 15:00. If I am trying to validate certificate 124 at 14:30, I will get opposite results if I use CRL #1 versus delta CRL #3 - yet both are valid at the time. > > > > I can understand CRLs and OCSP giving different revocation status because of the different levels of latency. Why is it a good idea to have contradictory results with the same (CRL) mechanism? More importantly, why should the standard be formulated to allow such usage of CRLs, where you can have two CRLs that are both valid yet contradict each other? > > > > I would vote for CRLs and delta CRLs to have non-overlapping validity periods so that there is no possibility of a contradictory revocation status. If network delays are a problem, engineering solutions need to be found - the validity period of the CRL may need to be adjusted to be larger than the anticipated network delay, or the scope of the CRL may be adjusted to allow smaller-sized CRLs, or perhaps, a different revocation checking mechanism should be considered. > > > > - Sarbari Gupta > > ============================== > > Sarbari Gupta > > Electrosoft Services, Inc. > > Tel: (703)861-2108 > > FAX: (703)757-0040 > > Email: sarbari@electrosoft-inc.com > > Web: <http://www.electrosoft-inc.com/> > > ============================== Received: by above.proper.com (8.9.3/8.9.3) id JAA10648 for ietf-pkix-bks; Fri, 18 May 2001 09:56:24 -0700 (PDT) Received: from zrc2s03g.nortelnetworks.com ([47.103.122.66]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA10644 for <ietf-pkix@imc.org>; Fri, 18 May 2001 09:56:17 -0700 (PDT) Received: from zsc4s001.baynetworks.com (zsc4s001.baynetworks.com [134.177.3.62]) by zrc2s03g.nortelnetworks.com (8.9.3+Sun/8.9.1) with ESMTP id LAA29853 for <ietf-pkix@imc.org>; Fri, 18 May 2001 11:56:37 -0500 (CDT) Received: from zsc4c000.us.nortel.com by zsc4s001.baynetworks.com; Fri, 18 May 2001 09:48:37 -0700 Received: by zsc4c000.us.nortel.com with Internet Mail Service (5.5.2653.19) id <K0VN1HM5>; Fri, 18 May 2001 09:55:29 -0700 Message-ID: <6F303E756050D3119C4C0008C7917D0003FE7C73@zbl6c000.corpeast.baynetworks.com> From: "Kwok Lee" <kwlee@nortelnetworks.com> To: ietf-pkix@imc.org Subject: verification and encryption certificate... Date: Fri, 18 May 2001 09:55:24 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0DFBB.55409C70" X-Orig: <kwlee@americasm06.nt.com> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0DFBB.55409C70 Content-Type: text/plain; charset="iso-8859-1" Hi All, I am not sure whether this question has been asked before. If it did, please beat with me one more time. I am a little confused by how to obtain verification and encryption certificate using CMP. Is it possible to request for one certificate for signing, encryption instead of one for each purpose ? According to appendix B3 in rfc2510bis-03, it seems that I need to include two CertReqMsg in CertReqMessages. The first crm[0] is for verification certificate and the second crm[1] for the encryption certificate. Thanks and appreciate any input on this kc ------_=_NextPart_001_01C0DFBB.55409C70 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2654.59"> <TITLE>verification and encryption certificate...</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2 FACE=3D"Arial">Hi All, </FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">I am not sure whether this question = has been asked before. </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">If it did, please beat with me one = more time.</FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">I am a little confused by how to = obtain verification and encryption certificate using CMP. </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">Is it possible to request for one = certificate for signing, encryption instead of one for each purpose = ?</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">According to appendix B3 in = rfc2510bis-03, it seems that I need to include two CertReqMsg</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">in CertReqMessages. The first crm[0] = is for verification certificate and the second crm[1] for the </FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">encryption certificate. </FONT> </P> <P><FONT SIZE=3D2 FACE=3D"Arial">Thanks and appreciate any input on = this</FONT> <BR><FONT SIZE=3D2 FACE=3D"Arial">kc</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0DFBB.55409C70-- Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id IAA07401 for ietf-pkix-bks; Fri, 18 May 2001 08:56:07 -0700 (PDT) Received: from Arista.iris.com (arista.iris.com [198.112.211.42]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA07392 for <ietf-pkix@imc.org>; Fri, 18 May 2001 08:56:01 -0700 (PDT) From: John_Wray@iris.com Subject: Re: Semantics of cRLSign (new-part1-06)? To: "David A. Cooper" <david.cooper@nist.gov> Cc: ietf-pkix@imc.org X-Mailer: Lotus Notes Release 5.0.7 March 21, 2001 Message-ID: <OFCAA5F789.BEC31F32-ON85256A50.0053D3E6@iris.com> Date: Fri, 18 May 2001 11:49:59 -0400 X-MIMETrack: Serialize by Router on Arista/Iris(Release 5.0.7 |March 21, 2001) at 05/18/2001 11:57:12 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> David, > >On the other hand, even if it isn't set, an RP could construct a valid path > >from a trust anchor through me that acquires the cRLSign capability if I > >issue a self-signed certificate that asserts the bit. Such self-signed > >certiicates are explicitly excluded from being limited by the path-length > >constraints in the validation algorithm in new-part1-06, so such a > >certificate ought to be able to be inserted into any valid chain without > >invalidating it. > > Yes. A CA can always issue a certificate to itself with whatever key usage bits set that it wants. This is OK, >however, since the purpose of setting the key usage bits in certificates issued to CAs is to limit the possible >uses of the subject public key, not the CA in general. The case I meant was that the CA would issue itself a self-signed cert asserting the cRLSign bit, not a cert for a different key. So the key would no longer be limited. > >How about the converse: A CA certificate that includes cRLSign but not > >keyCertSign? This would seem to allow a CA to delegate the ability to sign > >CRLs to another entity or key which is an important operational feature. > > Exactly. Imagine the example above, with the exception that different >keys are used to sign certificates and CRLs, and the CRL signing key >is less well protected than the certificate signing key. > > >With the new text about pathLenConstraint in new-part1-06 (which > >incidentally is mis-spelled at "pathLengthConstraint" in the path > >validation section), a CRL-signing certificate shouldn't be counted towards > >the maximum path length, as it's the last certificate in the chain. But > >what I don't understand is what the bit buys you. If a certificate > >contains a CDP extension naming entity A as the appropriate cRLIssuer, yet > >the trust chain the the RP constructs that ends with A doesn't contain the > >keyCertSign bit, I presume the RP is supposed to say that revocation status . >can't be verified. But how would this situation arise in practice? > > The example above in which the CRL was signed using a compromised key that >was never intended by the CA to be used to sign CRLs works. In this case, >the cRLSign bit not being set protects the relying party from trusting a >CRL that was signed by an attacker. I don't understand this. An RP would only consider trusting a CRL if that CRL is signed either by the certificate issuer, or by an entity named as a CRLIssuer in the CDP extension of the certificate. The only possible effect of the cRLSign bit (or rather its absence) is in preventing one of these entities from being trusted to sign CRLs. The RP is already protected from spoofing by random third parties. It doesn't make sense (I think) to ever not trust a CA to sign its own CRLs, so the only plausible effect if the cRLSign bit is on entities that appear in the CDP extension. Now, if the CA put some entity's name into a certificate as a CRLIssuer, it presumably trusted that entity when it cut the certificate. So the only deliberate reason for there not to be a cRLSign bit in the entity's certificate is if the CA has tried to revoke that ability. However, since the cRLSign bit isn't "scoped", the CRLIssuer might be an authorized CRL signer for some other CA (it might even be a certificate-issuing CA itself), so it might well have some other certificate for the same key that does assert cRLSign. So it seems like the only plausible use of the cRLSign bit (to allow revoking of CRL-signing ability) doesn't in fact work. The only way that I can see that a CA could ever guarantee that it would be able revoke the delegation of CRL signing capability is if the trust path to that CRL-signer was restricted (by RPs) to direct trust from the CA (i.e. the path used by an RP when validating a CRL-signer's key for the purpose of CRL checking must include, as its final certificate, a certificate issued by the CA, and with the cRLSign bit asserted). The CA would also have to take responsibility for revoking such CRL-delegation certificates itself :) If we want to allow CAs to delegate the ability to sign CRLs to third parties, or even to seperate keys (and there are compelling operational reasons to do so), I think we need to add a restriction like the above on suitable trust paths for CRL-signer validation. John Received: by above.proper.com (8.9.3/8.9.3) id IAA05975 for ietf-pkix-bks; Fri, 18 May 2001 08:30:33 -0700 (PDT) Received: from mail.ec.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.201]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA05965 for <ietf-pkix@imc.org>; Fri, 18 May 2001 08:30:26 -0700 (PDT) Received: from kahu.cs.auckland.ac.nz (pgut001@kahu.cs.auckland.ac.nz [130.216.36.13]) by mail.ec.auckland.ac.nz (8.9.3/8.8.6/cs-master) with SMTP id DAA20349; Sat, 19 May 2001 03:30:18 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by kahu.cs.auckland.ac.nz (relaymail v0.9) id <99019981831092>; Sat, 19 May 2001 03:30:18 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ietf-pkix@imc.org, jjacoby@rsasecurity.com, myers@coastside.net Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on kahu.cs.auckland.ac.nz Date: Sat, 19 May 2001 03:30:18 (NZST) Message-ID: <99019981831092@kahu.cs.auckland.ac.nz> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> "Michael Myers" <myers@coastside.net> writes: >Thanks for the catch. Yes, clearly the OID {id-kp 9} was assigned to id-kp- >temporalDataAuthority for EKU. In coordination with the PKIX OID Registrar >and the IESG, we will correct this defect with the result of a new OID for id- >kp-OCSPSigning for use in EKU. Given that there are already certs (and lots of software) out there which use the current OID, wouldn't it be better to relocate temporalDataAuthority (what is that anyway? Does anyone use it? It looks like an oddly-named TSA OID). (Given that the OCSP OID is already in active use, I suspect {id-kp 9} will remain "the OCSP OID" even if it's officially reassigned, this my comment that it's going to be easier for Mohammed to go to the mountain). Peter. Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id IAA05000 for ietf-pkix-bks; Fri, 18 May 2001 08:09:13 -0700 (PDT) Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA04995 for <ietf-pkix@imc.org>; Fri, 18 May 2001 08:09:06 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id LAA22264; Fri, 18 May 2001 11:08:56 -0400 (EDT) Message-Id: <4.2.2.20010518091640.00b27e60@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Fri, 18 May 2001 11:08:11 -0400 To: John_Wray@iris.com From: "David A. Cooper" <david.cooper@nist.gov> Subject: Re: Semantics of cRLSign (new-part1-06)? Cc: ietf-pkix@imc.org In-Reply-To: <OF7AC9BF3A.7F7A08BF-ON85256A4F.004FD492@iris.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> John, Here are my thoughts on the usefulness of the keyUsage bits in certificates issued to CAs. Others may have different (better?) thoughts on the issue. At 02:44 PM 5/17/01 -0400, John_Wray@iris.com wrote: >So, if I am a CA, and want to be sure that RPs will be able to check the >revocation status of my certificates without having to install me as a >trust anchor, I need to ensure that any cross-certificates in which I am >named as a subject include a cRLSign key-usage? Now, I can't force the >other CAs to do anything special (although some request protocols would >allow me to request that the bit be set), so this seems to be saying that, >in order for a distributed PKI to work, the cRLSign bit ought always to be >set in CA certificates. Yes. I would say that if one CA is issuing a cross-certificate to another CA, that certificate should have both the keyCertSign and cRLSign key usage bits set, unless the certificate issuer knows that the subject public key will not be verify signatures on CRLs. >On the other hand, even if it isn't set, an RP could construct a valid path >from a trust anchor through me that acquires the cRLSign capability if I >issue a self-signed certificate that asserts the bit. Such self-signed >certiicates are explicitly excluded from being limited by the path-length >constraints in the validation algorithm in new-part1-06, so such a >certificate ought to be able to be inserted into any valid chain without >invalidating it. Yes. A CA can always issue a certificate to itself with whatever key usage bits set that it wants. This is OK, however, since the purpose of setting the key usage bits in certificates issued to CAs is to limit the possible uses of the subject public key, not the CA in general. >So it sounds as though any CA certificate in which keyCertSign also grants >the target CA the right to sign CRLs (which makes not setting the bit >somewhat useless). A CA should always be able to sign CRLs that cover the certificates that it issues. It would make no sense to allow a CA to issue certificates but prevent it from revoking those certificates through CRLs. That does not mean that not setting the bit is useless. Suppose that a CA maintains 2 public/private key pairs. One private key is used to sign certificates and CRLs. This private key is stored in a FIPS 140-1 Level 4 validated cryptographic module, and the certificate/CRL generating hardware along with the cryptographic module are kept off-line and are placed in a tightly secured room. The second private key is only intended to be used to sign administrative messages (e.g., S/MIME messages exchanged with other CAs to make cross-certification arrangements). This second key is stored in a FIPS 140-1 Level 1 module on a standard desktop machine that is connected to the Internet and is placed in an office with limited physical access controls. Clearly their is a higher risk that the second private key will be compromised than that the first key will. So, the CA will arrange for the all cross certificates issued to it to include the first private key as the subject public key. This key will have the keyCertSign and cRLSign key usages set. The CA will issue itself a certificate with the second public key as the subject public key. This certificate will have the digitalSignature key usage set, but neither keyCertSign nor cRLSign will be set. So, if an attacker manages to compromise the second private key, he will be able to sign S/MIME messages that will be trusted as having come from the CA. However, since neither the keyCertSign nor cRLSign bits were set in the certificate that certified the corresponding public key, no certificates or CRLs signed by the attacker with the compromised key will be trusted by relying parties as having been signed by the CA. >How about the converse: A CA certificate that includes cRLSign but not >keyCertSign? This would seem to allow a CA to delegate the ability to sign >CRLs to another entity or key which is an important operational feature. Exactly. Imagine the example above, with the exception that different keys are used to sign certificates and CRLs, and the CRL signing key is less well protected than the certificate signing key. >With the new text about pathLenConstraint in new-part1-06 (which >incidentally is mis-spelled at "pathLengthConstraint" in the path >validation section), a CRL-signing certificate shouldn't be counted towards >the maximum path length, as it's the last certificate in the chain. But >what I don't understand is what the bit buys you. If a certificate >contains a CDP extension naming entity A as the appropriate cRLIssuer, yet >the trust chain the the RP constructs that ends with A doesn't contain the >keyCertSign bit, I presume the RP is supposed to say that revocation status >can't be verified. But how would this situation arise in practice? The example above in which the CRL was signed using a compromised key that was never intended by the CA to be used to sign CRLs works. In this case, the cRLSign bit not being set protects the relying party from trusting a CRL that was signed by an attacker. >I can think of only two possibilities: either the CA made a mistake and didn't >set the cRLIssuer key-usage bit in the cert it issued for the CRL-signer, >or the RP constructed the wrong chain to party A. In the first case, the >bit has merely served to introduce the possibility of an operational >failure (with no benefit); the latter case can be divided into two >sub-cases: either the key derived for A verifies the signature on the CRL >or it doesn't. In the latter case the absence of the cRLSign bit has >changed nothing - the RP wouldn't have used the CRL anyway. In the former >case, it has again merely introduced the possibility of a spurious failure >with no apparent benefit. > >Even if the chain I build to CRL-signer "A" does assert the cRLSign >key-usage, I don't see anything that verifies whether that particular chain >has anything to do with the CA that issued the cert that is bing checked. >"A" might be acting as a CRL-signer for another CA as well, and the trust >chain the the RP built happened to terminate with the CRL-signing cert >issued by that other CA. I don't see that it's any more appropriate to use >some random CA's CRL-signing cert than to use a cert that doesn't assert >cRLSign at all. As I said in my last message, a CRL signed by CRL-signer "A" should only be trusted to provide information about certificate "B" if: a) CRL-signer "A" was also the issuer of certificate "B"; or b) certificate "B" contains a CRLDistributionPoints extension in which the cRLIssuer field is present and has the value "A". In this case the issuer of certificate "B" is specifically telling the relying party to trust CRLs signed by "A". If neither of these conditions is met, then the relying party should not trust "A"'s CRL with respect to the status of certificate "B". It is not sufficient to find a random CA that is authorized to issue CRLs, one must only use CRLs that have been signed by CAs authorized by the certificate issuer. Once the correct CRL-issuer has been identified, the cRLSign bit can be used to determine whether a particular public key belonging to the authorized CRL-issuer can be used to verify signatures on CRLs (because if it wasn't, but the private key was used to sign CRLs anyway, this may be an indication of a key compromise). >Hopefully I'm just overlooking something obvious, and there is a real >function that this bit provides. > >John Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id FAA24100 for ietf-pkix-bks; Fri, 18 May 2001 05:12:45 -0700 (PDT) Received: from mailserver.exocom.com (smtp.exocom.com [216.95.175.231]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA24077 for <ietf-pkix@imc.org>; Fri, 18 May 2001 05:12:38 -0700 (PDT) Received: by mailserver.alacris.com with Internet Mail Service (5.5.2653.19) id <KT2KLB9H>; Fri, 18 May 2001 08:15:21 -0400 Message-ID: <385B3A866A39D411A15D00D0B73EAFD2857B6B@mailserver.alacris.com> From: "Issoupov, Denis" <dissoupo@alacris.com> To: ietf-pkix@imc.org Subject: Possible mistake in OCSPv2 draft Date: Fri, 18 May 2001 08:15:20 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0DF94.351CFD20" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0DF94.351CFD20 Content-Type: text/plain Greetings, Section 3.2.3 > 3.2.3 Signed Responses > > Response messages containing only a value for responseStatus SHALL NOT be > digitally signed. Response signatures SHALL be computed over the DER encoding > of the tbsRequest structure. But in RFC2560: > The value for signature SHALL be computed on the hash of the DER > encoding ResponseData. Regards, Denis Issoupov Sr. Developer, denis@alacris.com <mailto:denis@alacris.com> Alacris, Inc. www.alacris.com <http://www.alacris.com/> ------_=_NextPart_001_01C0DF94.351CFD20 Content-Type: text/html Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html xmlns:v=3D"urn:schemas-microsoft-com:vml" = xmlns:o=3D"urn:schemas-microsoft-com:office:office" = xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns=3D"http://www.w3.org/TR/REC-html40"> <head> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <meta name=3DProgId content=3DWord.Document> <meta name=3DGenerator content=3D"Microsoft Word 10"> <meta name=3DOriginator content=3D"Microsoft Word 10"> <link rel=3DFile-List href=3D"cid:filelist.xml@01C0DF72.39063DB0"> <!--[if gte mso 9]><xml> <o:OfficeDocumentSettings> <o:DoNotRelyOnCSS/> </o:OfficeDocumentSettings> </xml><![endif]--><!--[if gte mso 9]><xml> <w:WordDocument> <w:SpellingState>Clean</w:SpellingState> <w:GrammarState>Clean</w:GrammarState> <w:DocumentKind>DocumentEmail</w:DocumentKind> <w:EnvelopeVis/> <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel> </w:WordDocument> </xml><![endif]--> <style> <!-- /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-parent:""; margin:0cm; margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:12.0pt; font-family:"Times New Roman"; mso-fareast-font-family:"Times New Roman";} a:link, span.MsoHyperlink {color:blue; text-decoration:underline; text-underline:single;} a:visited, span.MsoHyperlinkFollowed {color:purple; text-decoration:underline; text-underline:single;} span.EmailStyle18 {mso-style-type:personal-reply; mso-style-noshow:yes; mso-ansi-font-size:10.0pt; mso-bidi-font-size:10.0pt; font-family:Arial; mso-ascii-font-family:Arial; mso-hansi-font-family:Arial; mso-bidi-font-family:Arial; color:navy;} span.SpellE {mso-style-name:""; mso-spl-e:yes;} span.GramE {mso-style-name:""; mso-gram-e:yes;} @page Section1 {size:612.0pt 792.0pt; margin:72.0pt 90.0pt 72.0pt 90.0pt; mso-header-margin:35.4pt; mso-footer-margin:35.4pt; mso-paper-source:0;} div.Section1 {page:Section1;} --> </style> <!--[if gte mso 10]> <style> /* Style Definitions */=20 table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman";} </style> <![endif]--><!--[if gte mso 9]><xml> <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" /> </xml><![endif]--><!--[if gte mso 9]><xml> <o:shapelayout v:ext=3D"edit"> <o:idmap v:ext=3D"edit" data=3D"1" /> </o:shapelayout></xml><![endif]--> </head> <body bgcolor=3Dwhite lang=3DEN-US link=3Dblue vlink=3Dpurple = style=3D'tab-interval:36.0pt'> <div class=3DSection1> <div> <div> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>Greetings,<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>Section 3.2.3<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>> 3.2.3<span style=3D'mso-tab-count:1'> = </span>Signed Responses<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>><o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>> Response messages containing only a value for = <span class=3DSpellE><font color=3Dred><span = style=3D'color:red'>responseStatus</span></font></span> SHALL NOT be <o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>> <span class=3DGramE>digitally</span> = signed.<span style=3D'mso-spacerun:yes'> </span>Response signatures SHALL be = computed over the DER encoding <o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>> <span class=3DGramE>of</span> the <span = class=3DSpellE><font color=3Dred><span style=3D'color:red'>tbsRequest</span></font></span> = structure.<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>But in RFC2560:<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>><span style=3D'mso-spacerun:yes'> = </span>The value for signature SHALL be computed on the hash of the = DER<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>><span style=3D'mso-spacerun:yes'> </span>encoding <span class=3DSpellE><font color=3Dred><span = style=3D'color:red'>ResponseData</span></font></span>.<o:p></o:p></span>= </font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D3 color=3Dnavy face=3D"Times New = Roman"><span style=3D'font-size:12.0pt;mso-bidi-font-size:10.0pt;color:navy'><o:p>&nb= sp;</o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>Regards,<o:p></o:p></span></font></= p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><span style=3D'mso-spacerun:yes'> </span><o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>Denis = Issoupov<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>Sr. = Developer,<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><a = href=3D"mailto:denis@alacris.com">denis@alacris.com</a><o:p></o:p></span= ></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>= <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'>Alacris, = Inc.<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><a = href=3D"http://www.alacris.com/">www.alacris.com</a><o:p></o:p></span></= font></p> <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>= <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>= <p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span = style=3D'font-size: 10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>= </div> </div> </div> </body> </html> ------_=_NextPart_001_01C0DF94.351CFD20-- Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id XAA18320 for ietf-pkix-bks; Thu, 17 May 2001 23:16:17 -0700 (PDT) Received: from arnie.adacel.com.au (arnie.adacel.com.au [203.36.26.147]) by above.proper.com (8.9.3/8.9.3) with SMTP id XAA18246 for <ietf-pkix@imc.org>; Thu, 17 May 2001 23:16:01 -0700 (PDT) Received: (qmail 30815 invoked from network); 18 May 2001 06:22:10 -0000 Received: from unknown (HELO shylock) (203.8.85.11) by arnie.adacel.com.au with SMTP; 18 May 2001 06:22:10 -0000 Reply-To: <andrews@adacel.com.au> From: "Andrew Sciberras" <andrews@adacel.com.au> To: <ietf-pkix@imc.org> Subject: Possible mistake in OCSPv2 draft Date: Fri, 18 May 2001 16:15:19 +1000 Message-ID: <000001c0df61$fa59e130$0b5508cb@adacel.com.au> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01C0DFB5.CC05F130" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2377.0 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Importance: Normal Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> This is a multi-part message in MIME format. ------=_NextPart_000_0001_01C0DFB5.CC05F130 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit G'day I think that I may have located a typo in the OCSPv2 draft. Section 7.1 reads: "A DPD request SHALL contain a value of id-pkix-ocsp-path-req in the ResponseType field of the ResponseBytes syntax. id-pkix-ocsp-path-req OBJECT IDENTIFIER ::= { id-pkix-ocsp X }" Shouldn't this be: "A DPD request SHALL contain a value of id-pkix-ocsp-path-req in the requestExtensions field of TBSRequest. id-pkix-ocsp-path-req OBJECT IDENTIFIER ::= { id-pkix-ocsp X }" Cheers, Andrew Sciberras Software Engineer Adacel Technologies Ltd ------=_NextPart_000_0001_01C0DFB5.CC05F130 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 5.50.4611.1300" name=3DGENERATOR></HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D2> <DIV><SPAN class=3D544234305-18052001><FONT face=3DArial=20 size=3D2>G'day</FONT></SPAN></DIV> <DIV><SPAN class=3D544234305-18052001><FONT face=3DArial=20 size=3D2></FONT></SPAN> </DIV> <DIV><SPAN class=3D544234305-18052001><FONT face=3DArial size=3D2>I = think that I may=20 have located a typo in the OCSPv2 draft.</FONT></SPAN></DIV> <DIV><SPAN class=3D544234305-18052001><FONT face=3DArial=20 size=3D2></FONT></SPAN> </DIV> <DIV><SPAN class=3D544234305-18052001><FONT face=3DArial = size=3D2>Section 7.1=20 reads:</FONT></SPAN></DIV> <DIV><SPAN class=3D544234305-18052001><FONT face=3DArial = size=3D2>"</FONT><FONT=20 face=3DArial size=3D2>A DPD request SHALL contain a value of = id-pkix-ocsp-path-req=20 in the ResponseType <BR>field of the ResponseBytes=20 syntax.<BR><BR>id-pkix-ocsp-path-req OBJECT IDENTIFIER ::=3D = {=20 id-pkix-ocsp X }"<BR><BR>Shouldn't this be:</FONT></SPAN></DIV> <DIV><SPAN class=3D544234305-18052001><SPAN = class=3D544234305-18052001><FONT=20 face=3DArial size=3D2>"</FONT><FONT face=3DArial size=3D2>A DPD request = SHALL contain a=20 value of id-pkix-ocsp-path-req in the <FONT=20 color=3D#ff0000>requestExtensions</FONT> <BR>field of <FONT=20 color=3D#ff0000>TBSRequest</FONT>.<BR><BR>id-pkix-ocsp-path-req &nbs= p; OBJECT=20 IDENTIFIER ::=3D { id-pkix-ocsp X = }"<BR></FONT></SPAN></SPAN></DIV> <DIV><SPAN class=3D544234305-18052001><SPAN = class=3D544234305-18052001><FONT=20 face=3DArial size=3D2></FONT></SPAN></SPAN> </DIV> <DIV><SPAN class=3D544234305-18052001><SPAN = class=3D544234305-18052001><FONT=20 face=3DArial size=3D2>Cheers,</FONT></SPAN></SPAN></DIV> <DIV><FONT face=3DArial size=3D2><STRONG>Andrew = Sciberras</STRONG></FONT></DIV> <DIV><FONT face=3DArial size=3D2>Software Engineer</FONT></DIV> <DIV><FONT face=3DArial size=3D2>Adacel Technologies=20 Ltd</FONT></DIV></FONT></DIV></BODY></HTML> ------=_NextPart_000_0001_01C0DFB5.CC05F130-- Received: by above.proper.com (8.9.3/8.9.3) id RAA07905 for ietf-pkix-bks; Thu, 17 May 2001 17:56:37 -0700 (PDT) Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA07901 for <ietf-pkix@imc.org>; Thu, 17 May 2001 17:56:31 -0700 (PDT) Received: from laptop (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f4I0uXj09798; Thu, 17 May 2001 17:56:33 -0700 (PDT) From: "Michael Myers" <myers@coastside.net> To: "Jeff Jacoby" <jjacoby@rsasecurity.com>, <ietf-pkix@imc.org> Subject: RE: Minor OID mistakes in OCSPv2 and the official OID list Date: Thu, 17 May 2001 17:55:59 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDEEBACBAA.myers@coastside.net> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-Reply-To: <3B03FA8F.90ED790A@rsasecurity.com> Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Jeff, Thanks for the catch. Yes, clearly the OID {id-kp 9} was assigned to id-kp-temporalDataAuthority for EKU. In coordination with the PKIX OID Registrar and the IESG, we will correct this defect with the result of a new OID for id-kp-OCSPSigning for use in EKU. BTW, are you and/or your interoperability partners facing a need that depends upon this feature? Mike Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id LAA15990 for ietf-pkix-bks; Thu, 17 May 2001 11:47:43 -0700 (PDT) Received: from Arista.iris.com (arista.iris.com [198.112.211.42]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA15984 for <ietf-pkix@imc.org>; Thu, 17 May 2001 11:47:37 -0700 (PDT) From: John_Wray@iris.com Subject: Re: Semantics of cRLSign (new-part1-06)? To: "David A. Cooper" <david.cooper@nist.gov> Cc: ietf-pkix@imc.org, owner-ietf-pkix@mail.imc.org X-Mailer: Lotus Notes Release 5.0.7 March 21, 2001 Message-ID: <OF7AC9BF3A.7F7A08BF-ON85256A4F.004FD492@iris.com> Date: Thu, 17 May 2001 14:44:33 -0400 X-MIMETrack: Serialize by Router on Arista/Iris(Release 5.0.7 |March 21, 2001) at 05/17/2001 02:49:51 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> So, if I am a CA, and want to be sure that RPs will be able to check the revocation status of my certificates without having to install me as a trust anchor, I need to ensure that any cross-certificates in which I am named as a subject include a cRLSign key-usage? Now, I can't force the other CAs to do anything special (although some request protocols would allow me to request that the bit be set), so this seems to be saying that, in order for a distributed PKI to work, the cRLSign bit ought always to be set in CA certificates. On the other hand, even if it isn't set, an RP could construct a valid path from a trust anchor through me that acquires the cRLSign capability if I issue a self-signed certificate that asserts the bit. Such self-signed certiicates are explicitly excluded from being limited by the path-length constraints in the validation algorithm in new-part1-06, so such a certificate ought to be able to be inserted into any valid chain without invalidating it. So it sounds as though any CA certificate in which keyCertSign also grants the target CA the right to sign CRLs (which makes not setting the bit somewhat useless). How about the converse: A CA certificate that includes cRLSign but not keyCertSign? This would seem to allow a CA to delegate the ability to sign CRLs to another entity or key which is an important operational feature. With the new text about pathLenConstraint in new-part1-06 (which incidentally is mis-spelled at "pathLengthConstraint" in the path validation section), a CRL-signing certificate shouldn't be counted towards the maximum path length, as it's the last certificate in the chain. But what I don't understand is what the bit buys you. If a certificate contains a CDP extension naming entity A as the appropriate cRLIssuer, yet the trust chain the the RP constructs that ends with A doesn't contain the keyCertSign bit, I presume the RP is supposed to say that revocation status can't be verified. But how would this situation arise in practice? I can think of only two possibilities: either the CA made a mistake and didn't set the cRLIssuer key-usage bit in the cert it issued for the CRL-signer, or the RP constructed the wrong chain to party A. In the first case, the bit has merely served to introduce the possibility of an operational failure (with no benefit); the latter case can be divided into two sub-cases: either the key derived for A verifies the signature on the CRL or it doesn't. In the latter case the absence of the cRLSign bit has changed nothing - the RP wouldn't have used the CRL anyway. In the former case, it has again merely introduced the possibility of a spurious failure with no apparent benefit. Even if the chain I build to CRL-signer "A" does assert the cRLSign key-usage, I don't see anything that verifies whether that particular chain has anything to do with the CA that issued the cert that is bing checked. "A" might be acting as a CRL-signer for another CA as well, and the trust chain the the RP built happened to terminate with the CRL-signing cert issued by that other CA. I don't see that it's any more appropriate to use some random CA's CRL-signing cert than to use a cert that doesn't assert cRLSign at all. Hopefully I'm just overlooking something obvious, and there is a real function that this bit provides. John "David A. Cooper" <david.cooper@nist To: John_Wray@iris.com .gov> cc: ietf-pkix@imc.org Sent by: Subject: Re: Semantics of cRLSign (new-part1-06)? owner-ietf-pkix@ma il.imc.org 05/16/01 04:53 PM John, The cRLSign bit merely indicates whether the subject public key may be used to verify signatures on CRLs (any CRLs). If the cRLSign bit is not set, it does not necessarily indicate that the subject of the certificate should not be trusted to sign CRLs, it simply means that this particular public key should not be used to verify CRLs (the subject may have other certified public keys). More to the point, however, the cRLSign bit is not the place to be looking to determine who is trusted to do what. By default a CA should be trusted to sign CRLs containing revocation information about its own certificates. If an entity other than the certificate issuer is to sign the CRLs that cover a certificate, the identity of that CRL issuer should be specified in the CRLDistributionPoints extension. So, if a certificate contains the CRLDistributionPoints extension with the cRLIssuer field present, then the entity identified in the cRLIssuer field should be trusted to sign the CRLs that provide revocation information for that certificate. If the extension is not present (or is present, but the cRLIssuer field is not), then only the certificate issuer should be trusted to sign the CRLs. Once the identity of the CRL signer has been determined, the cRLSign key usage bit can be used to determine whether a particular public key belonging to that entity should be trusted to sign CRLs. So, technically meaning (1) below is correct (or is closest to correct). However, one should only trust the information in a CRL about a particular certificate if the certificate specifies that the CRL signer should be trusted to sign the CRLs for that certificate. At 04:02 PM 5/16/01 -0400, John_Wray@iris.com wrote: >What are the semantics of the cRLSign bit? Does it mean: >1) "The subject of this certificate should be trusted to sign (arbitrary) >CRLs", or >2) "The subject of this certificate should be trusted to sign CRLs >containing certificates signed by the subject of this certificate", or >3) "The subject of this certificate should be trusted to sign CRLs >containing certificates signed by the issuer of this certificate" > >(1) is hopelessly vague, and (I hope) not what is intended although it is >what a literal reading of the text seems to imply. >(2) would allow a parent CA to create a child CA with two distinct keys, >one of which is used for certificate signing, and the other for CRL >signing. But it wouldn't allow the child CA to manage its own CRL-signing >key. It would be possible for a child CA to issue a CRL-signing >certificate to itself under another key, though. >(3) explicitly permits a CA to delegate responsibility for creating its >CRLs to another entity (or to a different key that it owns and manages >itself), which is a useful function, and allows a CA to deal with >revocation however it wants, and roll-over its CRL-signing key without >having to get new certificates issued to it by parent CAs or other CAs that >have cross-certified it. > >The definition of the indirectCRL extension implies that it is possible for >a CRL-signer to have a different name from the name of the issuer of the >certificates in the CRL, so this implies that (2) isn't what's meant, but >it should be made clearer. > >If a CA is certified by a certificate that doesn't have the cRLSign bit >set, does that meant that the CA shouldn't be trusted revoke certificates >it has issued? Or is a CA always trusted to revoke its own certificates, >and can additionally choose to use the cRLSign bit to delegate that ability >to another entity or key (which would be in line with interpretation (3) >above)? Again, the cRLSign bit only makes a statement about the particular public key in the certificate. Even if "a CA is certified by a certificate that doesn't have the cRLSign bit set", there may be another certificate (perhaps a self-signed one) issued to the CA in which the cRLSign bit is set. Perhaps, for security reasons, the CA issues CRLs under a different key than the one it uses to sign certificates. >There's nothing I could see in section 6.3 of new-part1-06 (CRL Validation) >that says anything about cRLSign being required (or even looked at) >anywhere along the trust path to the CRL being checked. I think this needs >to be fixed. Section 6.3 does not specify how to validate signatures on CRLs. The general rule for validating a signature is to (1) determine which public key needs to be used to validate the signature, (2) validate a path in which the end certificate certificates that public key, and (3) use the results of path validation to determine if the public key may be used for the intended purpose (e.g., check key usage, extended key usage, policies, etc.). This applies whether one is validating signatures on CRLs or S/MIME messages. Bear in mind, however, that there is no requirement to perform path validation to validate the public key used to sign a CRL. For example, if the CRL is to be verified using a key that belongs to one of the relying party's trust roots (i.e., the key is contained in one of the trusted self-signed certificates), then no path validation may be necessary, and so there would be no key usage bits to examine. Dave Received: by above.proper.com (8.9.3/8.9.3) id JAA10327 for ietf-pkix-bks; Thu, 17 May 2001 09:21:58 -0700 (PDT) Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id JAA10319 for <ietf-pkix@imc.org>; Thu, 17 May 2001 09:21:51 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 17 May 2001 16:21:25 UT Received: from tuna.rsa.com (tuna.rsa.com [10.80.211.153]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id MAA03593 for <ietf-pkix@imc.org>; Thu, 17 May 2001 12:21:52 -0400 (EDT) Received: from rsasecurity.com ([10.81.217.242]) by tuna.rsa.com (8.8.8+Sun/8.8.8) with ESMTP id JAA17756 for <ietf-pkix@imc.org>; Thu, 17 May 2001 09:22:35 -0700 (PDT) Message-ID: <3B03FA8F.90ED790A@rsasecurity.com> Date: Thu, 17 May 2001 09:21:35 -0700 From: Jeff Jacoby <jjacoby@rsasecurity.com> Organization: RSA Security, Inc. X-Mailer: Mozilla 4.75 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Minor OID mistakes in OCSPv2 and the official OID list Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Greetings, I believe there are two minor mistakes (or maybe just typos) in the OCSPv2 draft (draft-ietf-pkix-ocspv2-02) and in the "Official" list of PKIX OIDs. 1. Througout the draft are references to id-kp-OCSPSigning as id-kp-OCSPSigning OBJECT IDENTIFIER ::= {id-kp 9} However, in the official list, (id-kp 9) is something called id-kp-temporalDataAuthority id-kp-temporalDataAuthority OBJECT IDENTIFIER ::= { id-kp 9 } Is this a mistake in the list document? 2. In section 3.4 of the draft (and this was true in the equivilent section in 2560) there are two references to "id-ad-ocspSigning" There is no such id in the list of PKIX OIDs. Is this just a typo in the draft, and that id-kp-OCSPSigning was intended? Regards, Jeff -- Jeff Jacoby, Sr. Programmer RSA Security Inc., SMDC 2755 Campus Dr., Ste. 300 jjacoby@rsasecurity.com San Mateo, CA 94403 (650) 295-7569 Received: by above.proper.com (8.9.3/8.9.3) id GAA25488 for ietf-pkix-bks; Thu, 17 May 2001 06:37:33 -0700 (PDT) Received: from indy.gradient.com (root@indy.gradient.com [192.92.110.1]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA25480 for <ietf-pkix@imc.org>; Thu, 17 May 2001 06:37:27 -0700 (PDT) Received: from bigbird.gradient.com (bigbird.gradient.com [192.92.110.50]) by indy.gradient.com (8.9.1a/8.9.1) with ESMTP id JAA19012; Thu, 17 May 2001 09:37:26 -0400 (EDT) Received: by BIGBIRD with Internet Mail Service (5.5.2650.10) id <LBJCTFW8>; Thu, 17 May 2001 09:42:27 -0400 Message-ID: <899128A30EEDD1118FC900A0C9C74A34BA97F0@BIGBIRD> From: Hal Lockhart <hal.lockhart@entegrity.com> To: "'Stephen Kent'" <kent@bbn.com>, "David A. Cooper" <david.cooper@nist.gov> Cc: ietf-pkix@imc.org Subject: RE: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix -new-part1-06.txt comments) Date: Thu, 17 May 2001 09:42:26 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.10) Content-Type: text/plain; charset="ISO-8859-1" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> >Stephen Kent wrote: > One might be able to retain the definitions of CA and AA and add a > new authority, but I think it probably would be clearer to refine the > CA and AA definitions to make it clear that these entities may > explicitly authorize another, newly named authority type, to issue > just CRLs. The obvious name is Revocation Authority. Unfortunately we already have an R.A. Hal Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id PAA07214 for ietf-pkix-bks; Wed, 16 May 2001 15:07:19 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA07201 for <ietf-pkix@imc.org>; Wed, 16 May 2001 15:07:12 -0700 (PDT) Received: from [128.33.238.22] (TC077.BBN.COM [128.33.238.77]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id SAA09814; Wed, 16 May 2001 18:07:10 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010405b728971e9066@[128.33.238.22]> In-Reply-To: <4.2.2.20010516093846.00b2bd40@email.nist.gov> References: <4.2.2.20010515172220.00a677b0@email.nist.gov> <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010418133051.00addb60@email.nist.gov> <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010515172220.00a677b0@email.nist.gov> <4.2.2.20010516093846.00b2bd40@email.nist.gov> Date: Wed, 16 May 2001 18:03:27 -0400 To: "David A. Cooper" <david.cooper@nist.gov> From: Stephen Kent <kent@bbn.com> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="iso-8859-1" ; format="flowed" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id PAA07202 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> David, >Steve, > >My interest is in ensuring that the PKIX Certificate and CRL Profile >is correct, consistent, and complete. If these issues are not of >interest to you, then feel free to ignore this message. I wrote the first Internet standard on PKI (RFC 1422) almost 10 years ago. If I didn't share the goals you cite, I would not still be working on this stuff. I respect your desire to make this document a good one, but I am frustrated by what I perceive as a very narrow reading of selected portions of the previous standards in support of your point of view re one aspect of this topic. > >At 06:45 PM 5/15/01 -0400, Stephen Kent wrote: >>Dave, >> >>I provided an analysis of the evolution of CRL signing from V1 + V2 >>certs, to the changes you cite re V3 certs. > >As far as I am concerned, v1 and v2 is irrelevant. Extensions did >not exist prior to v3, so neither v1 nor v2 could have included any >requirements with respect to the proper setting of the cA bit in the >basicConstraints extension. I cite the previous versions only because they establish context for v3. Note that ITU has a strong tradition of not making changes that are not backward compatible. Evidence of that abounds. Thus, it is appropriate to interpret each revised version of an ITU standard in such a context. > >You have chosen to ignore large parts of this analysis, and focus >on text in the current version of X.509 that emphasizes syntactic >details but not the larger semantic context. > >We are discussing the cA bit. I have quoted the text from X.509 that >provides the semantics for the cA bit numerous times. You have >chosen to ignore this text. As I noted in my response to Dave Kemp, you are arguing like a lawyer who tries to build a case around one fragment of a law, ignoring the legislative history that expresses the intent of the lawmakers. Sharon's message several weeks ago clearly stated that intent. > >You have not adressed the fact that both X.509 and RFC 2459 make >repeated references to "authorities" or CAs re CRL issuance. You >have received feedback from Sharon, and I think several of the 2459 >authors have weighed in on this topic during the multi-week debate. >> >>I see no point in continuing the discussion. > > >Based on the discussions that have occurred in this thread it seems >to me that there are a number of issues in X.509 and PKIX that need >to be resolved: > > >1) Who can issue CRLs? > > a) There seems to be consensus that it is acceptable for an >entity that does > not sign certificates to sign CRLs. > > b) There has been suggestion that the standards only allow >for authorities to issue CRLs. It's more than a suggestion; it is a well-documented intent of the authors' of the standards in question. > > c) X.509 defines an authority as "[a]n entity, responsible >for the issuance of certificates. > Two types are defined in this Specification; >certification authority which issues public-key > certificates and attribute authority which issues >attribute certificates." > > X.509 similarly defines an CA as "An authority trusted >by one or more users to create and > assign public-key certificates. Optionally the >certification authority may create the users keys." > An attribute authority is defined to be "[a]n authority >which assigns privileges by issuing > attribute certificates". > > So, if we wish to allow entities to sign CRLs but not >certificates, we either need to allow for entities > other than authorities to issue CRLs or we need to redefine the >terms CA, AA, and authority to include > include entities that do not issue certificates. One might be able to retain the definitions of CA and AA and add a new authority, but I think it probably would be clearer to refine the CA and AA definitions to make it clear that these entities may explicitly authorize another, newly named authority type, to issue just CRLs. >2) In which directory attributes should certificates that are issued >to subjects that are CAs be placed? > > a) RFC 2587 states that certificates issued to end entities >must be placed in the userCertificate > attribute and that certificates issued to CAs must be >placed in the cACertificate and/or > crossCertificatePair attributes (with specific rules on >when each of these attributes is to > be populated). > > b) RFC 2587 also states that "none of the ... CA >certificates shall include a basicConstraints > extension with the cA value set to FALSE". > > c) There has been no consensus that the cA value in >basicConstraints must be set to TRUE > whenever the certificate subject is a CA. This lack of >consensus is particularly the case > when the certificate contains a keyUsage extension with >neither the keyCertSign nor the > cRLSign bit set. (I believe that Tim Polk has proposed >changing the standards to require > the cA value to be set to TRUE whenever the subject is >a CA, but there has been no > consensus that such a change should be made). agreed, this is still unresolved. > So, either we need to change X.509 and PKIX to state that the >cA bit in basicConstraints indicates > whether the certificate subject is a CA or LDAP schema needs to >be clarified to clearly indicate in > which attribute(s) certificates issued to CAs should be placed >when basicConstraints is present but > cA is set to FALSE (e.g., if the subject public key is used to >sign CMP transactions, but not to sign > certificates or CRLs). This is a valid concern, relevant to how we decide the CA flag issue. Have we adequately addressed the problem of where to place the cert used to verify a CRL under the circumstances that we're exploring? >What does the cA bit in basicConstraints mean? > > As a result of the changes from new-part1-05 to new-part1-06, >the text in the PKIX profile describing > the cA bit is contradictory. It states: "The cA bit indicates >if the certified public key may be used to > verify signatures on other certificates. If the cA bit is >asserted, then either the keyCertSign bit or the > cRLSign bit in the key usage extension (see 4.2.1.3) MUST also >be asserted." > > The first sentence, which is essentially copied from X.509, >states that the bit indicates whether the > subject public key may be used to verify signatures on >certificates. The next sentence, however, > seems to contradict this by stating that the cA bit may be set >to TRUE even if the subject public key > may not be used to verify signatures on certificates (if the >subject public key may be used to verify > signatures on CRLs). yes, the text in question needs to be made consistent. one could do so in several ways, one of which would be to change the definition of the CA flag. > Of course, if there were a requirement to only set the cRLSign >bit in KeyUsage if the keyCertSign bit > is also set, then there would be no contradiction. If this were >the case, then the cA bit really would > indicate is the subject public key may be used to verify >signatures on certificates. However, there has > certainly been agreement that it should be acceptable to >specify that a key may be used to verify > signatures on CRLs but not certificates. So, we must either >revert to the new-part1-05 text which > clearly ties the cA bit to the keyCertSign bit, or we must >redefine the cA bit in both X.509 and PKIX. yes, there is consensus that we want to be able to have a key that is used to verify CRLs but not certs. >There may be other issues that I am not recalling at the moment. > >We need to step back and try to view this standard from the >perspective of someone who is new to X.509. We cannot expect that >everyone who makes use of the X.509 standard will have read through >all of the messages on the PKIX mailing list. If the X.509 >certificate generation and processing rules can not be unambiguously >determined from the written standards, then the standards need to be >fixed. Arguments to the effect of "the standard says X, but it >really means Y, and to see why Y is the correct interpretation >you'll need to read the relevant discussions from the PKIX mailing >list from April of 1998." Similarly, claims that people should >somehow determine the processing rules by looking at the "larger >semantic context" instead of "text in the current version of X.509 >that emphasizes syntactic details" are unacceptable. If the >syntactic details are incorrect, then we should fix them. We can not >have a standard that provides incorrect "syntactic details" and then >expect people ! >! >! >to correctly implement the standard based on an interpretation of >the "larger semantic context". I agree that it should not be necessary for people to read the background material to understand a standard, but it is quite reasonable to expect people creating a revised version of the standard to be cognizant of such background. I agree that the current standards (X.509 and RFC 2459) have proven to be somewhat ambiguous with regard to the issue of what class of entities are allowed to issue CRLs. You and others have cited text that, if read in isolation, supports the notion that a non-CA entity could sign a CRL. However, this text is not consistent with the persistent, repeated references to CAs (or CAs and AAs) as the issuer of CRLs that appear throughout the standards in question. So, I don't agree that the ambiguity is a great as you assert. Nonetheless, we both agree that the goal is to move forward with a new version that is unambiguous. I'm looking to the 2459 editors to propose text that is consistent, allows for separate keys for cert and CRL signing, and that makes it clear what class of entity is authorized to sign CRLs for certs issued by a specified CA. Given the extent of the analysis that we have endured, it is clear that the new reader of the document should not be expected to infer correct answer to this last question if we merely state in the context of the definition of the CA flag that it need not be asserted in a cert used to verify a CRL. There are too many places where we refer to CAs (and AAs in X.509) as the entities who sign CRLs. I said earlier that I can live with a change to the specs, a clarification if you prefer, that makes it explicit that we wish to state that non-CA entities can be authorized to sign CRLs. But, I also noted that we have to agree to make the changes throughout the document to make this clear, and that amounts to a lot of editing. Also, we it would be preferable to get our X.509 friends to agree to these changes, so that we remain in synch. As I have said several time before, I prefer the original intent as articulated by the authors of these documents, but I can live with the change so long as we are very explicit about that change. Steve Received: by above.proper.com (8.9.3/8.9.3) id PAA07199 for ietf-pkix-bks; Wed, 16 May 2001 15:07:10 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA07191 for <ietf-pkix@imc.org>; Wed, 16 May 2001 15:07:04 -0700 (PDT) Received: from [128.33.238.22] (TC077.BBN.COM [128.33.238.77]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id SAA09773; Wed, 16 May 2001 18:06:56 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010403b7288eeda3d6@[128.33.238.22]> In-Reply-To: <200105161648.JAA13461@above.proper.com> References: <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010418133051.00addb60@email.nist.gov> <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010515172220.00a677b0@email.nist.gov> <p05010406b72760acb0bf@[128.33.238.68]> <200105161648.JAA13461@above.proper.com> Date: Wed, 16 May 2001 16:41:02 -0400 To: "David P. Kemp" <dpkemp@missi.ncsc.mil> From: Stephen Kent <kent@bbn.com> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Dave, We have a fundamental disagreement here. You have posited that there is no need to change the text to make it clear that a non-CA entity can sign CRLs. We have heard from Sharon, who clearly stated that the intent of the authors of X.509 was to impose such a requirement, and I think Tim said the same. Russ, I think may have concurred, even though he now agrees with your reasoning about what is a reasonable interpretation going forward. What we have here is analogous to a lawyer proposing an interpretation of a law, but not being willing to examine the legislative history. That's simply mot acceptable. I won't argue whether it is appropriate to CHANGE to a scheme in which there is no need to check the CA flag when validating the signature on a CRL. if we have arrived at a consensus that this is OK, then fine. But, it is clearly a change relative to the expressed intent of the authors of previous versions of the standards and thus it merits an explicit change to the text of the next rev of the standards. As per the message text cites you forwarded, I don't interpret any of the quotes as supportive of your contention that there is no need to change the text of these standards when if we drop the CA flag bit requirement. Most of these messages are supportive of the change (some are taken out of context and so it's hard to tell even if that is the case). None of these addresses the issue you raise. So, no, I will not call for a poll on the question you pose because it ignores the stated intent of the authors and flies in the face of a reasonable interpretation of all preceding text by an intelligent reader. One cannot vote to change history, and I will not conduct a poll to determine if people want to change history. The only question o the table is whether we want to remove the implied restriction that used to exist, and thus accept the editing changes that it implies. Steve Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id OAA06499 for ietf-pkix-bks; Wed, 16 May 2001 14:57:53 -0700 (PDT) Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA06472 for <ietf-pkix@imc.org>; Wed, 16 May 2001 14:57:46 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <LBMBN8D9>; Wed, 16 May 2001 17:57:18 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DEBF0@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: John_Wray@iris.com, ietf-pkix@imc.org Subject: RE: Semantics of cRLSign (new-part1-06)? Date: Wed, 16 May 2001 17:47:55 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0DE51.DDB22210" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0DE51.DDB22210 Content-Type: text/plain; charset="iso-8859-1" I will not speak for X.509 or for pkix. But from my humble notion of security, a trust anchor can do whatever it pleases. After that, if the key usage extension is present in a certificate and is marked critical, and does NOT have cRLSign bit set, the public key in the certificate MAY NOT be used to verify a signature on a CRL. -----Original Message----- From: John_Wray@iris.com [mailto:John_Wray@iris.com] Sent: Wednesday, May 16, 2001 4:02 PM To: ietf-pkix@imc.org Subject: Semantics of cRLSign (new-part1-06)? Reading through the treatment of CRLs in the new-part1-06, plus the earlier discussions including the one about path length constraints that petered out without an obvious resolution, I realized I am completely confused by the whole topic :) So I'm going to try to ask the major questions I have in individual messages. What are the semantics of the cRLSign bit? Does it mean: 1) "The subject of this certificate should be trusted to sign (arbitrary) CRLs", or 2) "The subject of this certificate should be trusted to sign CRLs containing certificates signed by the subject of this certificate", or 3) "The subject of this certificate should be trusted to sign CRLs containing certificates signed by the issuer of this certificate" (1) is hopelessly vague, and (I hope) not what is intended although it is what a literal reading of the text seems to imply. (2) would allow a parent CA to create a child CA with two distinct keys, one of which is used for certificate signing, and the other for CRL signing. But it wouldn't allow the child CA to manage its own CRL-signing key. It would be possible for a child CA to issue a CRL-signing certificate to itself under another key, though. (3) explicitly permits a CA to delegate responsibility for creating its CRLs to another entity (or to a different key that it owns and manages itself), which is a useful function, and allows a CA to deal with revocation however it wants, and roll-over its CRL-signing key without having to get new certificates issued to it by parent CAs or other CAs that have cross-certified it. The definition of the indirectCRL extension implies that it is possible for a CRL-signer to have a different name from the name of the issuer of the certificates in the CRL, so this implies that (2) isn't what's meant, but it should be made clearer. If a CA is certified by a certificate that doesn't have the cRLSign bit set, does that meant that the CA shouldn't be trusted revoke certificates it has issued? Or is a CA always trusted to revoke its own certificates, and can additionally choose to use the cRLSign bit to delegate that ability to another entity or key (which would be in line with interpretation (3) above)? There's nothing I could see in section 6.3 of new-part1-06 (CRL Validation) that says anything about cRLSign being required (or even looked at) anywhere along the trust path to the CRL being checked. I think this needs to be fixed. John ------_=_NextPart_001_01C0DE51.DDB22210 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: Semantics of cRLSign (new-part1-06)?</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>I will not speak for X.509 or for pkix. But = from my humble notion of security, a trust anchor can do whatever it = pleases. After that, if the key usage extension is present in a = certificate and is marked critical, and does NOT have cRLSign bit set, = the public key in the certificate MAY NOT be used to verify a signature = on a CRL.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: John_Wray@iris.com [<A = HREF=3D"mailto:John_Wray@iris.com">mailto:John_Wray@iris.com</A>]</FONT>= <BR><FONT SIZE=3D2>Sent: Wednesday, May 16, 2001 4:02 PM</FONT> <BR><FONT SIZE=3D2>To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Semantics of cRLSign (new-part1-06)?</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>Reading through the treatment of CRLs in the = new-part1-06, plus the earlier</FONT> <BR><FONT SIZE=3D2>discussions including the one about path length = constraints that petered</FONT> <BR><FONT SIZE=3D2>out without an obvious resolution, I realized I am = completely confused by</FONT> <BR><FONT SIZE=3D2>the whole topic :) So I'm going to = try to ask the major questions I have</FONT> <BR><FONT SIZE=3D2>in individual messages.</FONT> </P> <BR> <P><FONT SIZE=3D2>What are the semantics of the cRLSign bit? Does = it mean:</FONT> <BR><FONT SIZE=3D2>1) "The subject of this certificate = should be trusted to sign (arbitrary)</FONT> <BR><FONT SIZE=3D2>CRLs", or</FONT> <BR><FONT SIZE=3D2>2) "The subject of this certificate = should be trusted to sign CRLs</FONT> <BR><FONT SIZE=3D2>containing certificates signed by the subject of = this certificate", or</FONT> <BR><FONT SIZE=3D2>3) "The subject of this certificate = should be trusted to sign CRLs</FONT> <BR><FONT SIZE=3D2>containing certificates signed by the issuer of this = certificate"</FONT> </P> <P><FONT SIZE=3D2>(1) is hopelessly vague, and (I hope) not what is = intended although it is</FONT> <BR><FONT SIZE=3D2>what a literal reading of the text seems to = imply.</FONT> <BR><FONT SIZE=3D2>(2) would allow a parent CA to create a child CA = with two distinct keys,</FONT> <BR><FONT SIZE=3D2>one of which is used for certificate signing, and = the other for CRL</FONT> <BR><FONT SIZE=3D2>signing. But it wouldn't allow the child CA to = manage its own CRL-signing</FONT> <BR><FONT SIZE=3D2>key. It would be possible for a child CA to = issue a CRL-signing</FONT> <BR><FONT SIZE=3D2>certificate to itself under another key, = though.</FONT> <BR><FONT SIZE=3D2>(3) explicitly permits a CA to delegate = responsibility for creating its</FONT> <BR><FONT SIZE=3D2>CRLs to another entity (or to a different key that = it owns and manages</FONT> <BR><FONT SIZE=3D2>itself), which is a useful function, and allows a CA = to deal with</FONT> <BR><FONT SIZE=3D2>revocation however it wants, and roll-over its = CRL-signing key without</FONT> <BR><FONT SIZE=3D2>having to get new certificates issued to it by = parent CAs or other CAs that</FONT> <BR><FONT SIZE=3D2>have cross-certified it.</FONT> </P> <P><FONT SIZE=3D2>The definition of the indirectCRL extension implies = that it is possible for</FONT> <BR><FONT SIZE=3D2>a CRL-signer to have a different name from the name = of the issuer of the</FONT> <BR><FONT SIZE=3D2>certificates in the CRL, so this implies that (2) = isn't what's meant, but</FONT> <BR><FONT SIZE=3D2>it should be made clearer.</FONT> </P> <P><FONT SIZE=3D2>If a CA is certified by a certificate that doesn't = have the cRLSign bit</FONT> <BR><FONT SIZE=3D2>set, does that meant that the CA shouldn't be = trusted revoke certificates</FONT> <BR><FONT SIZE=3D2>it has issued? Or is a CA always trusted to = revoke its own certificates,</FONT> <BR><FONT SIZE=3D2>and can additionally choose to use the cRLSign bit = to delegate that ability</FONT> <BR><FONT SIZE=3D2>to another entity or key (which would be in line = with interpretation (3)</FONT> <BR><FONT SIZE=3D2>above)?</FONT> </P> <BR> <P><FONT SIZE=3D2>There's nothing I could see in section 6.3 of = new-part1-06 (CRL Validation)</FONT> <BR><FONT SIZE=3D2>that says anything about cRLSign being required (or = even looked at)</FONT> <BR><FONT SIZE=3D2>anywhere along the trust path to the CRL being = checked. I think this needs</FONT> <BR><FONT SIZE=3D2>to be fixed.</FONT> </P> <BR> <P><FONT SIZE=3D2>John</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0DE51.DDB22210-- Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id OAA06299 for ietf-pkix-bks; Wed, 16 May 2001 14:55:13 -0700 (PDT) Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA06273 for <ietf-pkix@imc.org>; Wed, 16 May 2001 14:55:06 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id RAA04660; Wed, 16 May 2001 17:55:06 -0400 (EDT) Message-Id: <4.2.2.20010516174233.00b2d6b0@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 16 May 2001 17:54:08 -0400 To: Denis Pinkas <Denis.Pinkas@bull.net> From: "David A. Cooper" <david.cooper@nist.gov> Subject: Re: delta CRLs Cc: ietf-pkix@imc.org In-Reply-To: <3AFC1A33.5CEEEE09@bull.net> References: <3AFA4F09.5AB02392@bull.net> <E5C2786F90B4D4119A200008C716F45D8E5BCC@acrossw01.acrosswireless.com> <5.0.1.4.2.20010510143415.01896eb8@exna07.securitydynamics.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Denis, It appears that the concerns you expressed below are not specifically related to the use of delta-CRLs, but are instead related to the use of CRLs in general. You seem to be suggesting that, in order to support non-repudiation, CRLs must be issued in a certain way and that you want to require that CRLs only be issued in a manner that supports non-repudiation. While I do not agree that all PKIs should be required to support the special needs of non-repudiation, I will set aside that issue for the moment. Even if I were to agree that CRLs must be issued in a manner that supports non-repudiation, I would still disagree with the requirements you propose for the following reasons: 1) You state that any two CRLs issued for a given scope must not have overlapping validity periods (where the validity period of a CRL is defined as [thisUpdate ... nextUpdate]). This is troubling for two reasons: a) As Trevor Freeman has pointed out, there may be significant delays between the time that a CRL is issued and when it is available in repositories. If the validity periods of CRLs can not overlap, then there will be gaps (periods of time in which no valid CRL is available to relying parties). This is not acceptable. b) If a CRL issuer discovers that a private key has been compromised, your requirements, by not allowing the issuing of an "emergency" CRL, would require the CRL issuer to hide the compromise of the private key from relying parties until the end of the validity period of the currently valid CRL. While this would ensure that all relying parties receive the same information, it would also ensure that all relying parties receive incorrect information. Does this really help to support non-repudiation? 2) You state that in a non-repudiation dispute, the issue would be settled by using CRLs or OCSP responses to determine the status of the certificate at some time T and that all possible methods of determining that status at time T must provide the same result. You did not state when time T should be. Time T could either be the time that the signature was created or the time that the signature is being validated. Since the signature could be validated at different times, it seems that the only way to ensure consistency is make time T the time that the signature was created. You state that one should use a CRL for which thisUpdate <= T <= nextUpdate. This, however, contradicts the requirements stated in "Internet X.509 Public Key Infrastructure Technical Requirements for a non-Repudiation Service" (http://www.ietf.org/internet-drafts/draft-ietf-pkix-technr-03.txt). According to this draft, in order to make a final judgement about the validity of a signature, one must use a CRL that has a thisUpdate time later than the time at which the signature was created (i.e, T <= thisUpdate). If one follows these guidelines, then consistency is assured. If the certificate was revoked at the time that the signature was created (T), then it will appear as revoked on any CRL issued after time T (at least until the certificate expires) with a revocationDate <= T. So, following the rules in the draft document on non-repudiation, one will always receive a consistent answer as to the status of the certificate, even if the CRL issuer creates "emergency" CRLs. Perhaps you believe that the draft document on non-repudiation does not accurately reflect the requirements for supporting non-repudiation. If this is the case, though, then any necessary changes should be made to that document, not to the text in the Certificate and CRL profile on how to use delta-CRLs. At 06:58 PM 5/11/01 +0200, Denis Pinkas wrote: >The thread has been focussing on the mechanisms, forgetting what is the >rational about them. So let us come back to the rationals. One of them >relates top the use of CRLs when applied to a non repudiation service. > >X.509 has been originally written to use CRLs for other security services >and for these other services, the problems are different. > >We all want to be able to use either CRLs or OSCP responses for non >repudiation purposes. In fact we want to allow any of these two techniques >to be used in single or in combination. Right ? > >Having said this, we can now explain some of the rational. > >When validating a digital signature, for a given time T, for non repudiation >purposes, it is important for a verifier to be able to prove that the >certificate was NOT revoked. It is also important that two different >verifiers come to the same result, for the same time T, because of the goal >of non repudiation is to solve disputes. The only way to determine whether a certificate was revoked at time T is to use a CRL that was issued after time T (i.e., T <= thisUpdate). If the certificate was revoked at time T, any CRL issued after time T will state that. The rules that you propose, on the other hand (thisUpdate <= T <= nextUpdate), would not achieve the result that you claim to desire. Perhaps the rules should instead state that in order to determine the status of a certificate at time T, one should obtain a CRL whose scope includes the certificate for which T <= thisUpdate (in the CRL) < notAfter (in the certificate). If the certificate is not listed or is listed with a revocationDate > T, then the certificate was not revoked at time T. >The same properties must be achieved whether OCSP or CRLs are used. When an >OCSP response is received with a time T in it, there can be no dispute about >it: it contains three possible answers (not revoked, revoked, don't know). >If an OCSP responder produces one such answer with a time T and one of the >three statuses, no one else can present an answer with the same time T in it >with a different answer from the same OCSP responder. Once again, it would >not be acceptable that at a given time T two opposite responses could be >obtained. This would result in disputes. Actually, this is not technically correct. There is no guarantee that an OCSP response that is received at time T was generated at time T. An OCSP response contains three fields: thisUpdate, nextUpdate, and producedAt. Any response received by a relying party for which T < nextUpdate should be considered a good response. However, there is no guarantee that the producedAt time is after the time at which the request was made. Furthermore, even if it were, the thisUpdate time in the response could precede the producedAt time. So, again, a response from an OCSP server at time T that states that a certificate is "not revoked" only guarantees that the status was "not revoked" at time thisUpdate. It is not a guarantee about the certificate's status at time T if T > thisUpdate. >This means that at time T, there is must be one and only one possible >answer. This allows to use OCSP responses for non repudiation purposes. The >same property must be supported so that CRLs can be used for non repudiation >purposes. So the goal is that when using CRLs in the context of non >repudiation, only one response (i.e. not revoked, revoked, don't know) can >be obtained. > >I do know that non repudiation is only one use of the PKI and that there are >other usages such as authentication, integrity and confidentiality. So let >us now describe what is necessary, if the CRL contains at least one >certificate that can be used for non repudiation purposes (e.g. it has the >NR bit set). > >If at time T there is more than one CRL valid, then there is a possibility >to miss the most recent, in case there is a denial of service attack on it >(i.e. suppression of the latest CRL while in transit). > >This means that "emergency" CRLs will not necessarily be seen. "Emergency" >CRLs may be used for authentication, integrity and confidentiality, but may >create problems when used in the context of non repudiation. > >This has several implications: we should deprecate the use of "emergency" >CRLs for being used for a non repudiation service, because they could >provide two different responses. > >People using full CRLs, i.e. without taking advantage of the delta CRLs, >would get only one result. > >People using base CRLs and thus taking advantage of the delta CRLs would >also get one single result. For that reason we should also deprecate the use >of "emergency" delta CRLs. > >This now explains why it is important to get one answer, at most, at a time. >I do understand that lacking this information, the mechanism seems to be >constrained without any "good" reason. > >Now how can a verifier be sure to get the freshest information ? > >This depends on the verification rules. Let us restrict the discussion to >the leaf certificate. > >If the validation rules (be careful this has strong relationships with the >DPV protocol) say : "use full CRLs only" and there is no "emergency CRL", >then everything works nice. > >If the validation rules say: "use the freshest information that is provided >by the CA", then the question is how can a verifier know how the freshest >information is obtained ? The answer is: only through extensions. Why ? > >Let us assume first that no extension either in the certificate or the CRL >is being used. The answer would be : make a search for delta CRLs in the >directory. The problem is that, in case a denial of service attack, the >delta CRLs, even if they exist, will not be "seen". So the verifier will use >the base CRL and thus two verifications done at the same time T will provide >two different results. :-( > >So there needs to be some way, so that, in the event of a denial of service >attacks, either the right information is obtained or that no information at >all is obtained. In the later case, if the revocation information is not >found, then the signature is not accepted (in some cases a try can be done >later on). > >A consequence is the following: verifiers must know without ambiguity >whether a delta CRL mechanism is supported, so that if delta CRL are >supported it is possible to know unambiguously that it is the case. > >There are two options. > >1) Should we use the freshestCRL extension from the leaf certificate ? This >means that the CA MUST support delta CRLs at any time during whole the >life-time of the certificate. This is quite constraining for the CA, but >this is possible. > >2) Should we use the freshestCRL extension from the CRL? This means that the >CA will only support delta CRLs for that CRL without any engagement to >support a delta CRL mechanism for the next one. This is more flexible. > >What does this means ? That it is very likely that we will not end up wit >the same mechanism when using delta CRLs for a certificate used for non >repudiation purposes and when using a certificate for other purposes. One of >the algorithms may look first at the delta CRLs, whether they exist or not, >while the other will only take a look for them after making sure that they >must exit. > >The best guess, if it succeeds, is certainly valid for "other purposes". So >I will now focus on the algorithm to be used for non repudiation purposes. > > An application that is willing to obtain the freshest CRL > information for a given certificate used for non repudiation > purposes, must know if a delta CRL mechanism is supported. > Either the certificate or any CRL that is able to reference > that certificate MUST include a freshestCRL extension > (a.k.a. a Delta CRL distribution point). > > The application may then construct an updated CRL for that > base, for a specific time T, by combining it with a delta > CRL which contains a delta CRL indicator extension with the > same CRL number as the base CRL. Applications that support > delta CRLs MUST ensure that time T falls between thisUpdate > and nextUpdate for both the base CRL and the delta CRL. > > Note: An application could also reconstruct an updated CRL, > for a specific time T, by using a previously locally > reconstructed CRL based on the current base CRL, and > combining it with a delta CRL which contains a delta CRL > indicator extension with the same CRL number as the base > CRL. > >For the constraint about the CA: > > For any CRL that may reference a certificate used for > non repudiation purposes, and for any time T until > the nextUpdate time indicated in a base CRL, the CA MUST > provide one and only one base CRL and one and only delta > CRL that refers to that base CRL and for which time T > falls between thisUpdate and nextUpdate from the delta CRL. > >There are still other issues to discuss, like the CRL numbering, >whether it is unique or not, let us wait for next week for that topic. > >Regards, > >Denis Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id NAA27508 for ietf-pkix-bks; Wed, 16 May 2001 13:54:49 -0700 (PDT) Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA27490 for <ietf-pkix@imc.org>; Wed, 16 May 2001 13:54:43 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id QAA27971; Wed, 16 May 2001 16:54:29 -0400 (EDT) Message-Id: <4.2.2.20010516162551.00a69940@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 16 May 2001 16:53:35 -0400 To: John_Wray@iris.com From: "David A. Cooper" <david.cooper@nist.gov> Subject: Re: Semantics of cRLSign (new-part1-06)? Cc: ietf-pkix@imc.org In-Reply-To: <OF8941D973.7064EA4C-ON85256A4E.004E6B6D@iris.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> John, The cRLSign bit merely indicates whether the subject public key may be used to verify signatures on CRLs (any CRLs). If the cRLSign bit is not set, it does not necessarily indicate that the subject of the certificate should not be trusted to sign CRLs, it simply means that this particular public key should not be used to verify CRLs (the subject may have other certified public keys). More to the point, however, the cRLSign bit is not the place to be looking to determine who is trusted to do what. By default a CA should be trusted to sign CRLs containing revocation information about its own certificates. If an entity other than the certificate issuer is to sign the CRLs that cover a certificate, the identity of that CRL issuer should be specified in the CRLDistributionPoints extension. So, if a certificate contains the CRLDistributionPoints extension with the cRLIssuer field present, then the entity identified in the cRLIssuer field should be trusted to sign the CRLs that provide revocation information for that certificate. If the extension is not present (or is present, but the cRLIssuer field is not), then only the certificate issuer should be trusted to sign the CRLs. Once the identity of the CRL signer has been determined, the cRLSign key usage bit can be used to determine whether a particular public key belonging to that entity should be trusted to sign CRLs. So, technically meaning (1) below is correct (or is closest to correct). However, one should only trust the information in a CRL about a particular certificate if the certificate specifies that the CRL signer should be trusted to sign the CRLs for that certificate. At 04:02 PM 5/16/01 -0400, John_Wray@iris.com wrote: >What are the semantics of the cRLSign bit? Does it mean: >1) "The subject of this certificate should be trusted to sign (arbitrary) >CRLs", or >2) "The subject of this certificate should be trusted to sign CRLs >containing certificates signed by the subject of this certificate", or >3) "The subject of this certificate should be trusted to sign CRLs >containing certificates signed by the issuer of this certificate" > >(1) is hopelessly vague, and (I hope) not what is intended although it is >what a literal reading of the text seems to imply. >(2) would allow a parent CA to create a child CA with two distinct keys, >one of which is used for certificate signing, and the other for CRL >signing. But it wouldn't allow the child CA to manage its own CRL-signing >key. It would be possible for a child CA to issue a CRL-signing >certificate to itself under another key, though. >(3) explicitly permits a CA to delegate responsibility for creating its >CRLs to another entity (or to a different key that it owns and manages >itself), which is a useful function, and allows a CA to deal with >revocation however it wants, and roll-over its CRL-signing key without >having to get new certificates issued to it by parent CAs or other CAs that >have cross-certified it. > >The definition of the indirectCRL extension implies that it is possible for >a CRL-signer to have a different name from the name of the issuer of the >certificates in the CRL, so this implies that (2) isn't what's meant, but >it should be made clearer. > >If a CA is certified by a certificate that doesn't have the cRLSign bit >set, does that meant that the CA shouldn't be trusted revoke certificates >it has issued? Or is a CA always trusted to revoke its own certificates, >and can additionally choose to use the cRLSign bit to delegate that ability >to another entity or key (which would be in line with interpretation (3) >above)? Again, the cRLSign bit only makes a statement about the particular public key in the certificate. Even if "a CA is certified by a certificate that doesn't have the cRLSign bit set", there may be another certificate (perhaps a self-signed one) issued to the CA in which the cRLSign bit is set. Perhaps, for security reasons, the CA issues CRLs under a different key than the one it uses to sign certificates. >There's nothing I could see in section 6.3 of new-part1-06 (CRL Validation) >that says anything about cRLSign being required (or even looked at) >anywhere along the trust path to the CRL being checked. I think this needs >to be fixed. Section 6.3 does not specify how to validate signatures on CRLs. The general rule for validating a signature is to (1) determine which public key needs to be used to validate the signature, (2) validate a path in which the end certificate certificates that public key, and (3) use the results of path validation to determine if the public key may be used for the intended purpose (e.g., check key usage, extended key usage, policies, etc.). This applies whether one is validating signatures on CRLs or S/MIME messages. Bear in mind, however, that there is no requirement to perform path validation to validate the public key used to sign a CRL. For example, if the CRL is to be verified using a key that belongs to one of the relying party's trust roots (i.e., the key is contained in one of the trusted self-signed certificates), then no path validation may be necessary, and so there would be no key usage bits to examine. Dave Received: by above.proper.com (8.9.3/8.9.3) id NAA23336 for ietf-pkix-bks; Wed, 16 May 2001 13:05:53 -0700 (PDT) Received: from Arista.iris.com (arista.iris.com [198.112.211.42]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA23322 for <ietf-pkix@imc.org>; Wed, 16 May 2001 13:05:44 -0700 (PDT) From: John_Wray@iris.com Subject: Semantics of cRLSign (new-part1-06)? To: ietf-pkix@imc.org X-Mailer: Lotus Notes Release 5.0.7 March 21, 2001 Message-ID: <OF8941D973.7064EA4C-ON85256A4E.004E6B6D@iris.com> Date: Wed, 16 May 2001 16:02:24 -0400 X-MIMETrack: Serialize by Router on Arista/Iris(Release 5.0.7 |March 21, 2001) at 05/16/2001 04:07:59 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Reading through the treatment of CRLs in the new-part1-06, plus the earlier discussions including the one about path length constraints that petered out without an obvious resolution, I realized I am completely confused by the whole topic :) So I'm going to try to ask the major questions I have in individual messages. What are the semantics of the cRLSign bit? Does it mean: 1) "The subject of this certificate should be trusted to sign (arbitrary) CRLs", or 2) "The subject of this certificate should be trusted to sign CRLs containing certificates signed by the subject of this certificate", or 3) "The subject of this certificate should be trusted to sign CRLs containing certificates signed by the issuer of this certificate" (1) is hopelessly vague, and (I hope) not what is intended although it is what a literal reading of the text seems to imply. (2) would allow a parent CA to create a child CA with two distinct keys, one of which is used for certificate signing, and the other for CRL signing. But it wouldn't allow the child CA to manage its own CRL-signing key. It would be possible for a child CA to issue a CRL-signing certificate to itself under another key, though. (3) explicitly permits a CA to delegate responsibility for creating its CRLs to another entity (or to a different key that it owns and manages itself), which is a useful function, and allows a CA to deal with revocation however it wants, and roll-over its CRL-signing key without having to get new certificates issued to it by parent CAs or other CAs that have cross-certified it. The definition of the indirectCRL extension implies that it is possible for a CRL-signer to have a different name from the name of the issuer of the certificates in the CRL, so this implies that (2) isn't what's meant, but it should be made clearer. If a CA is certified by a certificate that doesn't have the cRLSign bit set, does that meant that the CA shouldn't be trusted revoke certificates it has issued? Or is a CA always trusted to revoke its own certificates, and can additionally choose to use the cRLSign bit to delegate that ability to another entity or key (which would be in line with interpretation (3) above)? There's nothing I could see in section 6.3 of new-part1-06 (CRL Validation) that says anything about cRLSign being required (or even looked at) anywhere along the trust path to the CRL being checked. I think this needs to be fixed. John Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id MAA19917 for ietf-pkix-bks; Wed, 16 May 2001 12:08:55 -0700 (PDT) Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA19910 for <ietf-pkix@imc.org>; Wed, 16 May 2001 12:08:47 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id PAA09190; Wed, 16 May 2001 15:08:45 -0400 (EDT) Message-Id: <4.2.0.58.20010516145111.01704990@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Wed, 16 May 2001 15:06:30 -0400 To: <sarbari@electrosoft-inc.com>, "Tim Polk" <wpolk@nist.gov> From: Tim Polk <tim.polk@nist.gov> Subject: RE: Strawman on Delta CRLs Cc: <ietf-pkix@imc.org> In-Reply-To: <NBEFIEBJJIPIFAAAIBFAIEIHCBAA.sarbari@electrosoft-inc.com> References: <4.2.0.58.20010511150324.01dc4320@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Sarbari, Having CRLs and delta-CRLs that are valid in parallel is a *feature*. <smile> It may be reasonable in some applications to accept CRLs that are updated relatively infrequently. Other applications may demand the freshest information available. By including the freshestCRL extension in a CRL, the relying party can determine which category they fall in and decide if they should retrieve the delta. This lets the relying party manage the risk according to the threat it faces. However, a CA that wants to maintain control can do so. If a CA wishes to ensure that all parties use the freshest information possible, they can always issue a full CRL simultaneously with each delta. In this case, the full CRLs are valid for relatively short periods, and clients that cannot process delta CRLs may consume a lot of network bandwidth downloading full CRLs. There are tradeoffs with both approaches (i.e., relying party control vs. CA control). The algorithms described in the delta CRL strawman have the flexibility to support local requirements. I think that is the right choice. BTW, I do not accept the notion that OCSP requests and CRL processing inherently provides different latency to the relying party. Since most OCSP servers obtain certificate status information in the form of CRLs, the information obtained by relying parties has the same latency regardless of the source. Where an OCSP server and CA are the same system, the latency will be different. However, this is a theoretical distinction since (most? all?) OCSP servers are separate systems. Thanks, Tim At 11:02 AM 5/16/01 -0400, Sarbari Gupta wrote: >Tim, David, Russ, > >The "strawman" on the use of delta CRLs was very precise and clear - thank >you. I know this thread had been discussed to death already, but I did >have a comment: > >It seems counterproductive to have CRLs and delta-CRLs that are valid in >parallel as in your examples. CRL #1 is valid between 12:00 and 15:00, and >delta CRL #3 is valid between 14:00 and 15:00. If I am trying to validate >certificate 124 at 14:30, I will get opposite results if I use CRL #1 >versus delta CRL #3 - yet both are valid at the time. > >I can understand CRLs and OCSP giving different revocation status because >of the different levels of latency. Why is it a good idea to have >contradictory results with the same (CRL) mechanism? More importantly, why >should the standard be formulated to allow such usage of CRLs, where you >can have two CRLs that are both valid yet contradict each other? > >I would vote for CRLs and delta CRLs to have non-overlapping validity >periods so that there is no possibility of a contradictory revocation >status. If network delays are a problem, engineering solutions need to be >found - the validity period of the CRL may need to be adjusted to be >larger than the anticipated network delay, or the scope of the CRL may be >adjusted to allow smaller-sized CRLs, or perhaps, a different revocation >checking mechanism should be considered. > >- Sarbari Gupta >============================== >Sarbari Gupta >Electrosoft Services, Inc. >Tel: (703)861-2108 >FAX: (703)757-0040 >Email: sarbari@electrosoft-inc.com >Web: <http://www.electrosoft-inc.com/> >============================== > >-----Original Message----- >From: owner-ietf-pkix@mail.imc.org >[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Tim Polk >Sent: Friday, May 11, 2001 3:07 PM >To: ietf-pkix@imc.org >Subject: Strawman on Delta CRLs > > > >Folks, > >David Cooper, Russ Housley and I have collaborated on a "strawman" >describing the use of delta CRLs in PKIX implementations. We believe the >functionality we describe is consistent with ISO X.509 as well. > >The text describes algorithms for using deltas and base CRLs to (a) check >the status of a certificate or (b) create a constructed CRL. This is >followed by three scenarios for the use of deltas - "traditional deltas", >"sliding window deltas", and a variant on sliding window deltas that >factors in the real world delays in populating repositories with base and >delta CRLs. > >I have appended the strawman below in ASCII text. The text includes tables >for the examples. Please note, these tables *require* a fixed font to be >legible. If you would prefer a copy in either Word or PDF, I have posted >them at the following URLs: >http://csrc.nist.gov/pki/documents/PKIX/PKIXdeltas.doc and >http://csrc.nist.gov/pki/documents/PKIX/PKIXdeltas.pdf > >Hopefully, this strawman will serve to frame further discussions and >accelerate consensus. Once we agree on the requirements, Russ and I will >draft the necessary changes and we can finish Last Call. (I am nothing if >not an optimist.) > >We would also like to add the examples as an *informative* appendix in >son-of-2459. > >Thanks, > >Tim Polk > > >--------------------------------strawman--------------------------- > >Implementing Delta CRLs Using PKIX > >This paper addresses the use of delta CRLs in PKIX-compliant systems. >This paper assumes that delta CRLs include the delta CRL indicator >extension (rather than a CRL scope extension) and ignores >complications involving combined delta CRLs from indirect CRL issuers. > >This paper also assumes that CRLs with different scopes are distributed >using different distribution points. > >Terms > >Revoked: A statement that a particular certificate's status has changed >and it should no longer be trusted. Once a certificate is revoked, it >is always revoked. > >Suspension: A statement that a particular certificate may not be >trustworthy. Once placed on hold, a certificate may be revoked or the >suspension may be lifted. > >Revocation notice: A statement that a particular certificate has been >suspended or revoked. The revocation statement identifies the certificate >by the issuer name and serial number. The issuer may be specified >explicitly or implicitly. The issuer may be explicitly identified using >the certificate issuer extension. If not specified explicitly, the issuer >of the certificate is implicitly identified as the issuer of the CRL. A >revocation notice includes the date and time the certificate was revoked. >A revocation notice may optionally include a revocation reason in the >reason code CRL entry extension. [Note: A revocation notice may optionally >specify in the invalidity date extension the date from which the >certificate should be considered invalid. This date may precede the actual >revocation date. The invalidity date extension does not feature in this >discussion, so it is not considered further in this paper.] > >Certificate revocation list (CRL): a list of revocation notices for >certificates. > >CRL scope: the set of certificates that could appear on a given CRL. >For example, the scope may be "all certificates issued by CA X", "all >CA and end entity certificates issued by CA X", "all certificates issued >by CA X that have been revoked for key compromise and CA compromise", or >may be a set of certificates based on local information, such as "all >certificates issued to the NIST employees located in Boulder". > >Full CRL: a CRL that lists all unexpired certificates, in its scope, that >have been revoked for one of the revocation reasons covered by the scope >of the CRL. The scope of a full CRL does not necessarily include all of >the certificates issued by a CA or all possible revocation reasons. > >Base CRL: the particular CRL used as the foundation for a delta CRL. The >base must be a full CRL. > >Delta CRL: a CRL that only lists those unexpired certificates, in its scope, >whose revocation status has changed since the issuance of a particular, >referenced base CRL. The scope of a delta CRL is must be the same as the base >CRL that it references > >CRL Numbering > >A CRL issuer may generate full CRLs for more than one scope. The CRL issuer >may also generate delta CRLs. Each delta CRLs must have the same scope as the >full CRL referenced as its base. > >For each scope supported by the CRL issuer, a numbering sequence must be >maintained. For each scope, the CRLs are numbered in a monotonically >increasing >sequence. (Wrapping is not permitted in the PKIX profile.) If a CRL issuer >generates CRLs for one scope (e.g., full CRLs and deltas CRLs), the issuer >must >maintain one numbering sequence. If a delta CRL and a full CRL that cover the >same scope are issued at the same time, they will have the same CRL number. > >If a CRL issuer generates CRLs for two scopes (e.g., one covering CA >certificates and one covering end entity certificates), then the CRL issuer >must >maintain two number sequences. The CRLs and deltas for the same scope >(e.g., CA >certificates) will share one numbering sequence. The CRLs and deltas for the >second scope (e.g., end entity certificates) will share one numbering >sequence. >There is no requirement that these sequences be disjoint. > >Algorithms for Determining Status from a Full CRL and a Delta CRL > >Consider a full CRL, F, with CRL number X. A client may obtain BF in >either of >the following ways: >(a) the full CRL F may have been pushed to the client or pulled from a >repository; or >(b) F may have been constructed from a full CRL and a delta CRL using this >algorithm. > >Consider a delta CRL, D, which specifies base CRL Y and has CRL number >Z. This >means that all certificates whose statuses have changed since the issuance >of CRL Y >will be listed on the delta CRL. Note that the PKIX profile requires the >CA to issue >CRL Y as a full CRL. > >Determining Whether a Full CRL and Delta CRL May Be Combined > >F and D may be combined if each of the following conditions are met: > >(1) X is greater than or equal to Y. That is, the full CRL must (at a >minimum) >contain all the revocation information held by the referenced base CRL. >(2) X is less than Z. That is, the delta CRL must cover some time >that was not >covered by the full CRL. > >Determining Status of a Certificate from a Full CRL and a Delta CRL > >If the PKI client maintains the delta and full CRL, the status of an unexpired >certificate C may be determined as follows: > >(1) If C is listed on the delta CRL, then: >a. If C is listed on the delta CRL with reason code "removeFromCRL", >then C >is not revoked. >b. Otherwise, certificate C is revoked. >(2) If C was not listed on the delta CRL, then the full CRL is >checked, and the >status is as follows: >a. If C is listed on the full CRL, then C is revoked. >b. If C is not listed on the full CRL, then C is not revoked. > >Combining a Full CRL and Delta CRL into a Constructed CRL > >If the PKI client maintains the current CRL in a local cache: > >The revocation information on F is assumed as the initial condition. F is >a list >of revoked certificates; each certificate is listed with a revocation reason >(which may be "unspecified"). > >The list of revoked certificates L with n entries denoted as L[i] where 1 ><= i <= n. >(The value n may shrink or grow as the combination process proceeds.) > >Initialize L to the revocation notices on F. For each certificate C on the >delta CRL, >update the contents of L as follows. > >If a certificate C appears on the delta CRL, and C is not currently in the >list L, >then: >(a) if C has a revocation reason other than "removeFromCRL", add C as >a new >entry >in the list of revoked certificates L. >(b) If C has revocation reason "removeFromCRL", skip this >certificate. No >update >to the cache is needed. > >If a certificate C appears on the delta CRL, and C is presently listed in L >as entry >L[i], then: >(a) If C is listed on the delta CRL with a revocation reason of >"removeFromCRL", >delete entry L[i] >(b) If C is listed on the delta CRL without a revocation reason or with a >revocation >reason other than "removeFromCRL", change the reason code associated with >L[i] to the >reason code specified in the delta CRL. > >The combination of F and D forms a new full CRL with CRL number Z. This >full CRL has >complete information until the time specified in the next update field in >the delta CRL >is reached. If a relying party is validating a certificate with respect to >time T, and >T is before the next update field in the delta CRL, they may assume >complete information. > >If an unexpired certificate C within the scope of the constructed CRL is >not listed, then >certificate C is not revoked for one of the revocation reasons covered by >this CRL. If >the constructed CRL covers all reasons, then the certificate C is not revoked. > >Using Deltas to Distribute Revocation Information > >This section provides three different scenarios for the use of delta >CRLs. For the >purpose of these examples, assume a goal of providing revocation >information to relying >parties that is no more than one hour old. > >The following notation is used to denote a revoked certificate on a CRL: > Xr certificate X is listed for reason r, where r in > {a,k,h,r} >The reason codes {a,k,h,r} correspond to "affiliation changed", "key >compromise", >"certificate hold", and "remove from CRL" respectively. > >(Note: The remaining reason codes are omitted for simplicity. The >handling of >certificates revoked for the reasons "unspecified", "CA compromise", >"superseded", and >"cessationOfOperation" are identical to "affiliation changed or "key >compromise"). > > > >Example #1 > >The example below shows the "traditional" method of issuing delta CRLs. >In this example, full CRLs are issued once every 3 hours and deltas are >issued once an hour. For consistency, the issuer begins issuing deltas >at the same time as the very first full CRL. After that, however, a delta >can always use a previously issued full CRL as its base. Notice that >starting with cRLNumber 4, the delta CRL issued at the same time as a >full CRL uses the previously issued full CRL as its base. However, the >delta-CRLs never provide more than 3 hours of history. > >In this example: >Certificate 14 was revoked for key compromise before 12:00 when the first >CRL was issued. >Certificate 124 was revoked for key compromise between 12:00 and 13:00. >Certificate 39 was placed on hold between 14:00 and 15:00, and its >suspension was lifted between 16:00 and 17:00. >Certificate 67 was revoked for an affiliation change between 16:00 and >17:00. The reason was changed to key compromise between 18:00 and 19:00. > >current | Revoked | Full CRL | Delta-CRL >time | certificates | | >---------|--------------|--------------------------|---------------------- >12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 > | | thisUpdate = 12:00 | thisUpdate = >12:00 > | | nextUpdate = 15:00 | nextUpdate = 13:00 > | | CertificateList = {14k} | BaseCRLNumber = 1 > | | | CertificateList = >{} >---------|--------------|--------------------------|---------------------- >13:00 | {14k, 124k} | | cRLNumber = 2 > | | | thisUpdate = 13:00 > | | | nextUpdate = 14:00 > | | | BaseCRLNumber = 1 > | | | CertificateList = > {124k} >---------|--------------|--------------------------|---------------------- >14:00 | {14k, 124k} | | cRLNumber = 3 > | | | thisUpdate = 14:00 > | | | nextUpdate = 15:00 > | | | BaseCRLNumber = 1 > | | | CertificateList = > {124k} >---------|--------------|--------------------------|---------------------- >15:00 | {14k, 124k, | cRLNumber = 4 | cRLNumber = 4 > | 39h} | thisUpdate = 15:00 | thisUpdate = >15:00 > | | nextUpdate = 18:00 | nextUpdate = 16:00 > | | CertificateList = | BaseCRLNumber = 1 > | | {14k, 124k, 39h} | CertificateList = > | | | {124k, 39h} >---------|--------------|--------------------------|---------------------- >16:00 | {14k, 124k, | | cRLNumber = 5 > | 39h, 67a} | | thisUpdate = 16:00 > | | | nextUpdate = 17:00 > | | | BaseCRLNumber = 4 > | | | CertificateList = {67a} > | | | >---------|--------------|--------------------------|---------------------- >17:00 | {14k, 124k, | | cRLNumber = 6 > | 67a} | | thisUpdate = 17:00 > | | | nextUpdate = 18:00 > | | | BaseCRLNumber = 4 > | | | CertificateList = > | | | {39r, 67a} >---------|--------------|--------------------------|---------------------- >18:00 | {14k, 124k, | cRLNumber = 7 | cRLNumber = 7 > | 67a} | thisUpdate = 18:00 | thisUpdate = >18:00 > | | nextUpdate = 21:00 | nextUpdate = 19:00 > | | CertificateList = | BaseCRLNumber = 4 > | | {14k, 124k, 67a} | CertificateList = > | | | {39r, >67a} >---------|--------------|--------------------------|---------------------- >19:00 | {14k, 124k, | | cRLNumber = 8 > | 67k} | | thisUpdate = 19:00 > | | | nextUpdate = 20:00 > | | | BaseCRLNumber = 7 > | | | CertificateList = {67k} >---------|--------------|--------------------------|---------------------- > >Scenario #2 > >The example below shows the "sliding window" method of issuing delta-CRLs. >In this example, full CRLs are issued once every 3 hours and deltas are >issued once an hour. For consistency, the issuer begins issuing deltas at >the same time as the very first full CRL. Notice that starting with >cRLNumber 7, the delta CRL issued at the same time as a full CRL does not >use the previously issued full CRL as its base but the preceding CRL instead. >However, these delta-CRLs never provide more than 6 hours of history. > >As in example #1: >Certificate 14 was revoked for key compromise before 12:00 when the first >CRL was issued. >Certificate 124 was revoked for key compromise between 12:00 and 13:00. >Certificate 39 was placed on hold between 14:00 and 15:00, and its >suspension was lifted between >16:00 and 17:00. >Certificate 67 was revoked for an affiliation change between 16:00 and 17:00. >The reason was changed to key compromise between 18:00 and 19:00. > >current | Revoked | Full CRL | Delta-CRL >time | certificates | | >---------|--------------|--------------------------|---------------------- >12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 > | | thisUpdate = 12:00 | thisUpdate = >12:00 > | | nextUpdate = 15:00 | nextUpdate = 13:00 > | | CertificateList = {14k} | BaseCRLNumber = 1 > | | | CertificateList = >{} >---------|--------------|--------------------------|---------------------- >13:00 | {14k, 124k} | | cRLNumber = 2 > | | | thisUpdate = 13:00 > | | | nextUpdate = 14:00 > | | | BaseCRLNumber = 1 > | | | CertificateList = > {124k} >---------|--------------|--------------------------|---------------------- >14:00 | {14k, 124k} | | cRLNumber = 3 > | | | thisUpdate = 14:00 > | | | nextUpdate = 15:00 > | | | BaseCRLNumber = 1 > | | | CertificateList = > {124k} >---------|--------------|--------------------------|---------------------- >15:00 | {14k, 124k, | cRLNumber = 4 | cRLNumber = 4 > | 39h} | thisUpdate = 15:00 | thisUpdate = >15:00 > | | nextUpdate = 18:00 | nextUpdate = 16:00 > | | CertificateList = | BaseCRLNumber = 1 > | | {14k, 124k, 39h} | CertificateList = > | | | {124k, 39h} >---------|--------------|--------------------------|---------------------- >16:00 | {14k, 124k, | | cRLNumber = 5 > | 39h, 67a} | | thisUpdate = 16:00 > | | | nextUpdate = 17:00 > | | | BaseCRLNumber = 1 > | | | CertificateList = > | | | {124k, 39h, 67a} >---------|--------------|--------------------------|---------------------- >17:00 | {14k, 124k, | | cRLNumber = 6 > | 67a} | | thisUpdate = 17:00 > | | | nextUpdate = 18:00 > | | | BaseCRLNumber = 1 > | | | CertificateList = > | | | {124k, 39h, 67a} >---------|--------------|--------------------------|---------------------- >18:00 | {14k, 124k, | cRLNumber = 7 | cRLNumber = 7 > | 67a} | thisUpdate = 18:00 | thisUpdate = >18:00 > | | nextUpdate = 21:00 | nextUpdate = 19:00 > | | CertificateList = | BaseCRLNumber = 1 > | | {14k, 124k, 67a} | CertificateList = > | | | {124k, 39r, 67a} >---------|--------------|--------------------------|---------------------- >19:00 | {14k, 124k, | | cRLNumber = 8 > | 67k} | | thisUpdate = 19:00 > | | | nextUpdate = 20:00 > | | | BaseCRLNumber = 7 > | | | CertificateList = > | | | {39r, 67k >---------|--------------|--------------------------|---------------------- > > >Note that the delta CRLs are marginally larger than in the first scenario >since they cover a longer time period. On the other hand, a relying party >is less likely to download full CRLs in the second scenario. > >For example, a relying party that validated one certificate at 12:15, then >a second certificate at 16:15 would not require a new full CRL in scenario #2. >In scenario #1, the relying party would be forced to obtain both full CRL 4 >and delta CRL 5. > >Scenario #3 Allowing for Replication/Propagation Delays > >In this scenario, full CRLs and delta CRLs are replicated throughout a >repository system. Data is replicated through the system at different >rates based on the size of the file. The CA operators estimate that full >CRLs will be available throughout the system within three hours. Delta CRLs >will be available within 15 minutes. (Assume the initial CRL is small and >will propagate as if a delta CRL to resolve the bootstrap issues.) > >The example below uses the "sliding window" method of issuing delta-CRLs, >but overlaps the thisUpdate and nextUpdate times to allow for propagation. >In this example, full CRLs are issued once every 3 hours and deltas are >issued every 45 minutes. For consistency, the issuer begins issuing deltas >at the same time as the very first full CRL. Notice that starting with >cRLNumber 7, the delta CRL issued at the same time as a full CRL does not >use the previously issued full CRL as its base but the preceding CRL instead. >As in example #2, these delta-CRLs never provide more than 6 hours of history. > >Similary to examples #1 and #2: >Certificate 14 was revoked for key compromise before 12:00 when the first CRL >was issued. >Certificate 124 was revoked for key compromise between 12:00 and 12:45. >Certificate 39 was placed on hold between 14:15 and 15:00, and its suspension >was lifted between 16:00 and 17:00. >Certificate 67 was revoked for an affiliation change between 15:45 and 16:30. >The reason was changed to key compromise between 18:00 and 18:45. > >current | Revoked | Full CRL | Delta-CRL >time | certificates | | >---------|--------------|--------------------------|---------------------- >12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 > | | thisUpdate = 12:00 | thisUpdate = >12:00 > | | nextUpdate = 18:00 | nextUpdate = 13:00 > | | CertificateList = {14k} | BaseCRLNumber = 1 > | | | CertificateList = >{} >---------|--------------|--------------------------|---------------------- >12:45 | {14k, 124k} | | cRLNumber = 2 > | | | thisUpdate = 12:45 > | | | nextUpdate = 13:45 > | | | BaseCRLNumber = 1 > | | | CertificateList = > {124k} >---------|--------------|--------------------------|---------------------- >13:30 | {14k, 124k} | | cRLNumber = 3 > | | | thisUpdate = 13:30 > | | | nextUpdate = 14:30 > | | | BaseCRLNumber = 1 > | | | CertificateList = > {124k} >---------|--------------|--------------------------|---------------------- >14:15 | {14k, 124k} | | cRLNumber = 4 > | | | thisUpdate = 14:15 > | | | nextUpdate = 15:15 > | | | BaseCRLNumber = 1 > | | | CertificateList = > {124k} >---------|--------------|--------------------------|---------------------- >15:00 | {14k, 124k, | cRLNumber = 5 | cRLNumber = 5 > | 39h} | thisUpdate = 15:00 | thisUpdate = >15:00 > | | nextUpdate = 21:00 | nextUpdate = 16:00 > | | CertificateList = | BaseCRLNumber = 1 > | | {14k, 124k, 39h} | CertificateList = > | | | {124k, 39h} >---------|--------------|--------------------------|---------------------- >15:45 | {14k, 124k, | | cRLNumber = 6 > | 39h, 67a} | | thisUpdate = 15:45 > | | | nextUpdate = 16:45 > | | | BaseCRLNumber = 1 > | | | CertificateList = > | | | {124k, 39h, 67a} >---------|--------------|--------------------------|---------------------- >16:30 | {14k, 124k, | | cRLNumber = 7 > | 67a} | | thisUpdate = 16:30 > | | | nextUpdate = 17:30 > | | | BaseCRLNumber = 1 > | | | CertificateList = > | | | {124k, 39r, 67a} >---------|--------------|--------------------------|---------------------- >17:15 | {14k, 124k, | | cRLNumber = 8 > | 67a} | | thisUpdate = 17:15 > | | | nextUpdate = 18:15 > | | | BaseCRLNumber = 1 > | | | CertificateList = > | | | {124k, 39r, 67a} >---------|--------------|--------------------------|---------------------- >18:00 | {14k, 124k, | cRLNumber = 9 | cRLNumber = 9 > | 67a} | thisUpdate = 18:00 | thisUpdate = >18:00 > | | nextUpdate = 24:00 | nextUpdate = 19:00 > | | CertificateList = | BaseCRLNumber = 5 > | | {14k, 124k, 67a} | CertificateList = > | | | {39r, 67a} >---------|--------------|--------------------------|---------------------- >18:45 | {14k, 124k, | | cRLNumber = 10 > | 67k} | | thisUpdate = 18:45 > | | | nextUpdate = 19:45 > | | | BaseCRLNumber = 5 > | | | CertificateList = > | | | {39r, 67k} >---------|--------------|--------------------------|---------------------- > > > >Delta CRL number 6 is issued at 15:45. By 16:00, delta CRL number 6 should >be available throughout the system. As a result, delta CRL number 5 specified >16:00 as its nextUpdate time. > >However, full CRL number 5 was issued at 15:00 and may not be available >throughout the system until 18:00. As a result, full CRL number 1 specified >18:00 as its nextUpdate time. In addition, delta CRL number 6 must be based >on full CRL number 1 which was issued at 12:00. > >If the relying party finds full CRL number 5 in the repository, they may still >apply delta CRL number 6 and achieve the correct answer. > >Finally, note that a CRL issuer must generate more CRLs to achieve the goal of >status information that is no more than one hour old when factoring in the >propagation delays. > > > Received: by above.proper.com (8.9.3/8.9.3) id MAA19518 for ietf-pkix-bks; Wed, 16 May 2001 12:01:49 -0700 (PDT) Received: from luc.ab.org (mail.ab.org [209.112.11.37]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA19505 for <ietf-pkix@imc.org>; Wed, 16 May 2001 12:01:37 -0700 (PDT) Received: from d00364 ([206.222.76.33]) by luc.ab.org (Netscape Messaging Server 3.6) with SMTP id AAACB3B for <ietf-pkix@imc.org>; Wed, 16 May 2001 15:10:46 -0400 Reply-To: <mgratton@adga.ca> From: "Mario Gratton" <m.gratton@adga.ca> To: <ietf-pkix@imc.org> Subject: 2 Identities on 1 Certificate Date: Wed, 16 May 2001 15:00:41 -0400 Message-ID: <003201c0de3a$816dcca0$7b00030a@adga.ca> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2377.0 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Importance: Normal Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Is it possible to include 2 Public keys (and also two email address) on 1 certificate? The particular scenario that prompted this question is as follow: I have two individuals each with their own PKI credentials that were created under the same CPS. Both these individuals work in the same office (same OU, O, C). Private correspondance to one of these individuals would be encrypted using his/her public certificate but "office" correspondance would be achieved using this "office" certificate and therefore encrypted using both public keys. Please note that I can not create a third PKI entity and share its private keys to both individuals. The scenario described above seems to be my only option unless I create a Secure Mail List expansion agent! Thanks. Mario Gratton Manager IT Security Engineering AEPOS Technologies Corporation (613)237-3022 Received: by above.proper.com (8.9.3/8.9.3) id KAA16065 for ietf-pkix-bks; Wed, 16 May 2001 10:20:55 -0700 (PDT) Received: from roadblock.missi.ncsc.mil ([144.51.50.70]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA16046 for <ietf-pkix@imc.org>; Wed, 16 May 2001 10:20:48 -0700 (PDT) Message-Id: <200105161720.KAA16046@above.proper.com> Received: from mfil.terminal (mfil@localhost) by roadblock.missi.ncsc.mil with SMTP id NAA21257 for <ietf-pkix@imc.org>; Wed, 16 May 2001 13:04:38 -0400 (EDT) Received: from reject.missi.ncsc.mil (reject.missi.ncsc.mil [144.51.60.17]) by roadblock.missi.ncsc.mil with SMTP id NAA21252 for <ietf-pkix@imc.org>; Wed, 16 May 2001 13:04:35 -0400 (EDT) Received: from 144.51.60.215 by reject.missi.ncsc.mil (InterScan E-Mail VirusWall NT); Wed, 16 May 2001 13:04:02 -0400 (Eastern Daylight Time) Received: from missi.ncsc.mil (ara.missi.ncsc.mil [144.51.55.128]) by amx.missi.ncsc.mil with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JSFMBZGZ; Wed, 16 May 2001 13:04:22 -0400 Date: Wed, 16 May 2001 12:58:18 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Strawman on Delta CRLs References: <NBEFIEBJJIPIFAAAIBFAIEIHCBAA.sarbari@electrosoft-inc.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Sarbari, The CRLs in the examples do not give contradictory results because CRLs do *not* have a validity period, they have a validity instant. CRL #1 is valid at 12:00. The next CRL might be issued at 15:00, but it also might be issued at 12:05. CRL #3 is valid at 14:00. CRL #3's thisUpdate is two hours later than CRL #1's. CRL #3 contains fresher revocation information, and it is incorrect to assert that that information "contradicts" the staler information in CRL #1. CRLs, like OCSP responses, are valid at the instant they are issued, and no longer. Relying Parties may use nextUpdate to determine when to look for a new CRL. But RPs must not delude themselves into thinking that an old CRL is magically "valid" until its nextUpdate, because another CRL, delta or full, could have been issued seconds later. Dave Sarbari Gupta wrote: > > Tim, David, Russ, > > The "strawman" on the use of delta CRLs was very precise and clear - thank you. I know this thread had been discussed to death already, but I did have a comment: > > It seems counterproductive to have CRLs and delta-CRLs that are valid in parallel as in your examples. CRL #1 is valid between 12:00 and 15:00, and delta CRL #3 is valid between 14:00 and 15:00. If I am trying to validate certificate 124 at 14:30, I will get opposite results if I use CRL #1 versus delta CRL #3 - yet both are valid at the time. > > I can understand CRLs and OCSP giving different revocation status because of the different levels of latency. Why is it a good idea to have contradictory results with the same (CRL) mechanism? More importantly, why should the standard be formulated to allow such usage of CRLs, where you can have two CRLs that are both valid yet contradict each other? > > I would vote for CRLs and delta CRLs to have non-overlapping validity periods so that there is no possibility of a contradictory revocation status. If network delays are a problem, engineering solutions need to be found - the validity period of the CRL may need to be adjusted to be larger than the anticipated network delay, or the scope of the CRL may be adjusted to allow smaller-sized CRLs, or perhaps, a different revocation checking mechanism should be considered. > > - Sarbari Gupta > ============================== > Sarbari Gupta > Electrosoft Services, Inc. > Tel: (703)861-2108 > FAX: (703)757-0040 > Email: sarbari@electrosoft-inc.com > Web: <http://www.electrosoft-inc.com/> > ============================== Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id JAA13474 for ietf-pkix-bks; Wed, 16 May 2001 09:48:45 -0700 (PDT) Received: from roadblock.missi.ncsc.mil ([144.51.50.70]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA13461 for <ietf-pkix@imc.org>; Wed, 16 May 2001 09:48:38 -0700 (PDT) Message-Id: <200105161648.JAA13461@above.proper.com> Received: from mfil.terminal (mfil@localhost) by roadblock.missi.ncsc.mil with SMTP id MAA20993 for <ietf-pkix@imc.org>; Wed, 16 May 2001 12:38:27 -0400 (EDT) Received: from reject.missi.ncsc.mil (reject.missi.ncsc.mil [144.51.60.17]) by roadblock.missi.ncsc.mil with SMTP id MAA20988 for <ietf-pkix@imc.org>; Wed, 16 May 2001 12:38:23 -0400 (EDT) Received: from 144.51.60.215 by reject.missi.ncsc.mil (InterScan E-Mail VirusWall NT); Wed, 16 May 2001 12:37:50 -0400 (Eastern Daylight Time) Received: from missi.ncsc.mil (ara.missi.ncsc.mil [144.51.55.128]) by amx.missi.ncsc.mil with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JSFMBZD9; Wed, 16 May 2001 12:38:10 -0400 Date: Wed, 16 May 2001 12:31:48 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) References: <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010418133051.00addb60@email.nist.gov> <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010515172220.00a677b0@email.nist.gov> <p05010406b72760acb0bf@[128.33.238.68]> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Steve, Santosh has stated that setting both the cA flag and the cRLSign bit provides no security advantage over setting the cRLSign bit only. Tom Gindin has said: > Just BTW, my reasoning is similar to Santosh's. I would like to > mention that the reasons for issuing a distinct CMP certificate for a CA > are even stronger than those for a distinct CRL certificate. However, it > is not obvious whether this should be classed as a CA certificate since a > certificate to be used with CMP looks more like a standard server > certificate. Russ Housley has said: > Dave: > > Your first two arguments seem to be compelling. > > Russ > > At 11:42 AM 4/30/2001 -0400, you [David Kemp] wrote: > > > >1) Previously, conforming clients could validate a CRL if the cRLSign > > bit is asserted and the cA flag is not asserted. This change > > would declare such clients to be non-conforming. > > > >2) [snip] > > My position is that no additional flag is needed in either the CA or > > the AA case. If the CRL signer has a valid certificate with the > > cRLSign bit set, then it is an authority because the certificate > > signer (or it's parent) has said so. Requiring two flags in the > > same certificate is no more secure than requiring one. Denis Pinkas has said: > As far as I remember, originally the cA boolean in the basic constraints > extension only allowed to make the difference between leaf certificates and > CA certificates. This boolean now seems to be be used with a different > meaning (and, maybe, we should change its meaning - not the syntax). > > Could someone say again, why that change was requested and > what are the real benefits of that change ? You have ignored David Cooper's point that the CA signs the certificate containing the cRLSign bit, and therefore relying parties know conclusively that a certificate with cRLSign asserted (and cA not necessarily asserted) contains the public key that the CA uses to sign CRLs. This is the semantic context that matters - as you say, the CA is responsible for signing CRLs. The CA can unambiguously designate the key RPs use to validate its CRLs by setting only the cRLSign bit in a self-issued certificate. I believe it is time for you to call for a straw poll on whether to make extensive changes to the texts of PKIX and X.509 to require the cA flag to be set in certificates used to validate CRLs By my count, at least 5 people believe there is no need for such a change: Santosh Chokhani David Cooper Denis Pinkas Russ Housley Dave Kemp I have not heard from Tim Polk since Russ' conversion :-), and I can't determine a position from postings by Tom Ginden and Sharon Boeyen. Dave ----------------- Begin Included Message --------------------------- > Date: Tue, 15 May 2001 18:45:26 -0400 > To: "David A. Cooper" <david.cooper@nist.gov> > From: Stephen Kent <kent@bbn.com> > Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) > Cc: ietf-pkix@imc.org > > Dave, > > I provided an analysis of the evolution of CRL signing from V1 + V2 > certs, to the changes you cite re V3 certs. You have chosen to > ignore large parts of this analysis, and focus on text in the current > version of X.509 that emphasizes syntactic details but not the larger > semantic context. You have not adressed the fact that both X.509 and > RFC 2459 make repeated references to "authorities" or CAs re CRL > issuance. You have received feedback from Sharon, and I think several > of the 2459 authors have weighed in on this topic during the > multi-week debate. > > I see no point in continuing the discussion. > > Steve Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id IAA04483 for ietf-pkix-bks; Wed, 16 May 2001 08:02:32 -0700 (PDT) Received: from mail01.san.yahoo.com (mail01.san.yahoo.com [209.132.1.35]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA04475 for <ietf-pkix@imc.org>; Wed, 16 May 2001 08:02:25 -0700 (PDT) Received: from sgupta (66.44.46.12) by mail01.san.yahoo.com (5.1.062) id 3AEBC0F800886F90; Wed, 16 May 2001 07:55:45 -0700 Reply-To: <sarbari@electrosoft-inc.com> From: "Sarbari Gupta" <sarbari@electrosoft-inc.com> To: "Tim Polk" <wpolk@nist.gov> Cc: <ietf-pkix@imc.org> Subject: RE: Strawman on Delta CRLs Date: Wed, 16 May 2001 11:02:52 -0400 Message-ID: <NBEFIEBJJIPIFAAAIBFAIEIHCBAA.sarbari@electrosoft-inc.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <4.2.0.58.20010511150324.01dc4320@email.nist.gov> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from base64 to 8bit by above.proper.com id IAA04476 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Tim, David, Russ, The "strawman" on the use of delta CRLs was very precise and clear - thank you. I know this thread had been discussed to death already, but I did have a comment: It seems counterproductive to have CRLs and delta-CRLs that are valid in parallel as in your examples. CRL #1 is valid between 12:00 and 15:00, and delta CRL #3 is valid between 14:00 and 15:00. If I am trying to validate certificate 124 at 14:30, I will get opposite results if I use CRL #1 versus delta CRL #3 - yet both are valid at the time. I can understand CRLs and OCSP giving different revocation status because of the different levels of latency. Why is it a good idea to have contradictory results with the same (CRL) mechanism? More importantly, why should the standard be formulated to allow such usage of CRLs, where you can have two CRLs that are both valid yet contradict each other? I would vote for CRLs and delta CRLs to have non-overlapping validity periods so that there is no possibility of a contradictory revocation status. If network delays are a problem, engineering solutions need to be found - the validity period of the CRL may need to be adjusted to be larger than the anticipated network delay, or the scope of the CRL may be adjusted to allow smaller-sized CRLs, or perhaps, a different revocation checking mechanism should be considered. - Sarbari Gupta ============================== Sarbari Gupta Electrosoft Services, Inc. Tel: (703)861-2108 FAX: (703)757-0040 Email: sarbari@electrosoft-inc.com Web: <http://www.electrosoft-inc.com/> ============================== -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Tim Polk Sent: Friday, May 11, 2001 3:07 PM To: ietf-pkix@imc.org Subject: Strawman on Delta CRLs Folks, David Cooper, Russ Housley and I have collaborated on a "strawman" describing the use of delta CRLs in PKIX implementations. We believe the functionality we describe is consistent with ISO X.509 as well. The text describes algorithms for using deltas and base CRLs to (a) check the status of a certificate or (b) create a constructed CRL. This is followed by three scenarios for the use of deltas - "traditional deltas", "sliding window deltas", and a variant on sliding window deltas that factors in the real world delays in populating repositories with base and delta CRLs. I have appended the strawman below in ASCII text. The text includes tables for the examples. Please note, these tables *require* a fixed font to be legible. If you would prefer a copy in either Word or PDF, I have posted them at the following URLs: http://csrc.nist.gov/pki/documents/PKIX/PKIXdeltas.doc and http://csrc.nist.gov/pki/documents/PKIX/PKIXdeltas.pdf Hopefully, this strawman will serve to frame further discussions and accelerate consensus. Once we agree on the requirements, Russ and I will draft the necessary changes and we can finish Last Call. (I am nothing if not an optimist.) We would also like to add the examples as an *informative* appendix in son-of-2459. Thanks, Tim Polk --------------------------------strawman--------------------------- Implementing Delta CRLs Using PKIX This paper addresses the use of delta CRLs in PKIX-compliant systems. This paper assumes that delta CRLs include the delta CRL indicator extension (rather than a CRL scope extension) and ignores complications involving combined delta CRLs from indirect CRL issuers. This paper also assumes that CRLs with different scopes are distributed using different distribution points. Terms Revoked: A statement that a particular certificate's status has changed and it should no longer be trusted. Once a certificate is revoked, it is always revoked. Suspension: A statement that a particular certificate may not be trustworthy. Once placed on hold, a certificate may be revoked or the suspension may be lifted. Revocation notice: A statement that a particular certificate has been suspended or revoked. The revocation statement identifies the certificate by the issuer name and serial number. The issuer may be specified explicitly or implicitly. The issuer may be explicitly identified using the certificate issuer extension. If not specified explicitly, the issuer of the certificate is implicitly identified as the issuer of the CRL. A revocation notice includes the date and time the certificate was revoked. A revocation notice may optionally include a revocation reason in the reason code CRL entry extension. [Note: A revocation notice may optionally specify in the invalidity date extension the date from which the certificate should be considered invalid. This date may precede the actual revocation date. The invalidity date extension does not feature in this discussion, so it is not considered further in this paper.] Certificate revocation list (CRL): a list of revocation notices for certificates. CRL scope: the set of certificates that could appear on a given CRL. For example, the scope may be "all certificates issued by CA X", "all CA and end entity certificates issued by CA X", "all certificates issued by CA X that have been revoked for key compromise and CA compromise", or may be a set of certificates based on local information, such as "all certificates issued to the NIST employees located in Boulder". Full CRL: a CRL that lists all unexpired certificates, in its scope, that have been revoked for one of the revocation reasons covered by the scope of the CRL. The scope of a full CRL does not necessarily include all of the certificates issued by a CA or all possible revocation reasons. Base CRL: the particular CRL used as the foundation for a delta CRL. The base must be a full CRL. Delta CRL: a CRL that only lists those unexpired certificates, in its scope, whose revocation status has changed since the issuance of a particular, referenced base CRL. The scope of a delta CRL is must be the same as the base CRL that it references CRL Numbering A CRL issuer may generate full CRLs for more than one scope. The CRL issuer may also generate delta CRLs. Each delta CRLs must have the same scope as the full CRL referenced as its base. For each scope supported by the CRL issuer, a numbering sequence must be maintained. For each scope, the CRLs are numbered in a monotonically increasing sequence. (Wrapping is not permitted in the PKIX profile.) If a CRL issuer generates CRLs for one scope (e.g., full CRLs and deltas CRLs), the issuer must maintain one numbering sequence. If a delta CRL and a full CRL that cover the same scope are issued at the same time, they will have the same CRL number. If a CRL issuer generates CRLs for two scopes (e.g., one covering CA certificates and one covering end entity certificates), then the CRL issuer must maintain two number sequences. The CRLs and deltas for the same scope (e.g., CA certificates) will share one numbering sequence. The CRLs and deltas for the second scope (e.g., end entity certificates) will share one numbering sequence. There is no requirement that these sequences be disjoint. Algorithms for Determining Status from a Full CRL and a Delta CRL Consider a full CRL, F, with CRL number X. A client may obtain BF in either of the following ways: (a) the full CRL F may have been pushed to the client or pulled from a repository; or (b) F may have been constructed from a full CRL and a delta CRL using this algorithm. Consider a delta CRL, D, which specifies base CRL Y and has CRL number Z. This means that all certificates whose statuses have changed since the issuance of CRL Y will be listed on the delta CRL. Note that the PKIX profile requires the CA to issue CRL Y as a full CRL. Determining Whether a Full CRL and Delta CRL May Be Combined F and D may be combined if each of the following conditions are met: (1) X is greater than or equal to Y. That is, the full CRL must (at a minimum) contain all the revocation information held by the referenced base CRL. (2) X is less than Z. That is, the delta CRL must cover some time that was not covered by the full CRL. Determining Status of a Certificate from a Full CRL and a Delta CRL If the PKI client maintains the delta and full CRL, the status of an unexpired certificate C may be determined as follows: (1) If C is listed on the delta CRL, then: a. If C is listed on the delta CRL with reason code "removeFromCRL", then C is not revoked. b. Otherwise, certificate C is revoked. (2) If C was not listed on the delta CRL, then the full CRL is checked, and the status is as follows: a. If C is listed on the full CRL, then C is revoked. b. If C is not listed on the full CRL, then C is not revoked. Combining a Full CRL and Delta CRL into a Constructed CRL If the PKI client maintains the current CRL in a local cache: The revocation information on F is assumed as the initial condition. F is a list of revoked certificates; each certificate is listed with a revocation reason (which may be "unspecified"). The list of revoked certificates L with n entries denoted as L[i] where 1 <= i <= n. (The value n may shrink or grow as the combination process proceeds.) Initialize L to the revocation notices on F. For each certificate C on the delta CRL, update the contents of L as follows. If a certificate C appears on the delta CRL, and C is not currently in the list L, then: (a) if C has a revocation reason other than "removeFromCRL", add C as a new entry in the list of revoked certificates L. (b) If C has revocation reason "removeFromCRL", skip this certificate. No update to the cache is needed. If a certificate C appears on the delta CRL, and C is presently listed in L as entry L[i], then: (a) If C is listed on the delta CRL with a revocation reason of "removeFromCRL", delete entry L[i] (b) If C is listed on the delta CRL without a revocation reason or with a revocation reason other than "removeFromCRL", change the reason code associated with L[i] to the reason code specified in the delta CRL. The combination of F and D forms a new full CRL with CRL number Z. This full CRL has complete information until the time specified in the next update field in the delta CRL is reached. If a relying party is validating a certificate with respect to time T, and T is before the next update field in the delta CRL, they may assume complete information. If an unexpired certificate C within the scope of the constructed CRL is not listed, then certificate C is not revoked for one of the revocation reasons covered by this CRL. If the constructed CRL covers all reasons, then the certificate C is not revoked. Using Deltas to Distribute Revocation Information This section provides three different scenarios for the use of delta CRLs. For the purpose of these examples, assume a goal of providing revocation information to relying parties that is no more than one hour old. The following notation is used to denote a revoked certificate on a CRL: Xr certificate X is listed for reason r, where r in {a,k,h,r} The reason codes {a,k,h,r} correspond to "affiliation changed", "key compromise", "certificate hold", and "remove from CRL" respectively. (Note: The remaining reason codes are omitted for simplicity. The handling of certificates revoked for the reasons "unspecified", "CA compromise", "superseded", and "cessationOfOperation" are identical to "affiliation changed or "key compromise"). Example #1 The example below shows the "traditional" method of issuing delta CRLs. In this example, full CRLs are issued once every 3 hours and deltas are issued once an hour. For consistency, the issuer begins issuing deltas at the same time as the very first full CRL. After that, however, a delta can always use a previously issued full CRL as its base. Notice that starting with cRLNumber 4, the delta CRL issued at the same time as a full CRL uses the previously issued full CRL as its base. However, the delta-CRLs never provide more than 3 hours of history. In this example: Certificate 14 was revoked for key compromise before 12:00 when the first CRL was issued. Certificate 124 was revoked for key compromise between 12:00 and 13:00. Certificate 39 was placed on hold between 14:00 and 15:00, and its suspension was lifted between 16:00 and 17:00. Certificate 67 was revoked for an affiliation change between 16:00 and 17:00. The reason was changed to key compromise between 18:00 and 19:00. current | Revoked | Full CRL | Delta-CRL time | certificates | | ---------|--------------|--------------------------|---------------------- 12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 | | thisUpdate = 12:00 | thisUpdate = 12:00 | | nextUpdate = 15:00 | nextUpdate = 13:00 | | CertificateList = {14k} | BaseCRLNumber = 1 | | | CertificateList = {} ---------|--------------|--------------------------|---------------------- 13:00 | {14k, 124k} | | cRLNumber = 2 | | | thisUpdate = 13:00 | | | nextUpdate = 14:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 14:00 | {14k, 124k} | | cRLNumber = 3 | | | thisUpdate = 14:00 | | | nextUpdate = 15:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 15:00 | {14k, 124k, | cRLNumber = 4 | cRLNumber = 4 | 39h} | thisUpdate = 15:00 | thisUpdate = 15:00 | | nextUpdate = 18:00 | nextUpdate = 16:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 39h} | CertificateList = | | | {124k, 39h} ---------|--------------|--------------------------|---------------------- 16:00 | {14k, 124k, | | cRLNumber = 5 | 39h, 67a} | | thisUpdate = 16:00 | | | nextUpdate = 17:00 | | | BaseCRLNumber = 4 | | | CertificateList = {67a} | | | ---------|--------------|--------------------------|---------------------- 17:00 | {14k, 124k, | | cRLNumber = 6 | 67a} | | thisUpdate = 17:00 | | | nextUpdate = 18:00 | | | BaseCRLNumber = 4 | | | CertificateList = | | | {39r, 67a} ---------|--------------|--------------------------|---------------------- 18:00 | {14k, 124k, | cRLNumber = 7 | cRLNumber = 7 | 67a} | thisUpdate = 18:00 | thisUpdate = 18:00 | | nextUpdate = 21:00 | nextUpdate = 19:00 | | CertificateList = | BaseCRLNumber = 4 | | {14k, 124k, 67a} | CertificateList = | | | {39r, 67a} ---------|--------------|--------------------------|---------------------- 19:00 | {14k, 124k, | | cRLNumber = 8 | 67k} | | thisUpdate = 19:00 | | | nextUpdate = 20:00 | | | BaseCRLNumber = 7 | | | CertificateList = {67k} ---------|--------------|--------------------------|---------------------- Scenario #2 The example below shows the "sliding window" method of issuing delta-CRLs. In this example, full CRLs are issued once every 3 hours and deltas are issued once an hour. For consistency, the issuer begins issuing deltas at the same time as the very first full CRL. Notice that starting with cRLNumber 7, the delta CRL issued at the same time as a full CRL does not use the previously issued full CRL as its base but the preceding CRL instead. However, these delta-CRLs never provide more than 6 hours of history. As in example #1: Certificate 14 was revoked for key compromise before 12:00 when the first CRL was issued. Certificate 124 was revoked for key compromise between 12:00 and 13:00. Certificate 39 was placed on hold between 14:00 and 15:00, and its suspension was lifted between 16:00 and 17:00. Certificate 67 was revoked for an affiliation change between 16:00 and 17:00. The reason was changed to key compromise between 18:00 and 19:00. current | Revoked | Full CRL | Delta-CRL time | certificates | | ---------|--------------|--------------------------|---------------------- 12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 | | thisUpdate = 12:00 | thisUpdate = 12:00 | | nextUpdate = 15:00 | nextUpdate = 13:00 | | CertificateList = {14k} | BaseCRLNumber = 1 | | | CertificateList = {} ---------|--------------|--------------------------|---------------------- 13:00 | {14k, 124k} | | cRLNumber = 2 | | | thisUpdate = 13:00 | | | nextUpdate = 14:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 14:00 | {14k, 124k} | | cRLNumber = 3 | | | thisUpdate = 14:00 | | | nextUpdate = 15:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 15:00 | {14k, 124k, | cRLNumber = 4 | cRLNumber = 4 | 39h} | thisUpdate = 15:00 | thisUpdate = 15:00 | | nextUpdate = 18:00 | nextUpdate = 16:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 39h} | CertificateList = | | | {124k, 39h} ---------|--------------|--------------------------|---------------------- 16:00 | {14k, 124k, | | cRLNumber = 5 | 39h, 67a} | | thisUpdate = 16:00 | | | nextUpdate = 17:00 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39h, 67a} ---------|--------------|--------------------------|---------------------- 17:00 | {14k, 124k, | | cRLNumber = 6 | 67a} | | thisUpdate = 17:00 | | | nextUpdate = 18:00 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39h, 67a} ---------|--------------|--------------------------|---------------------- 18:00 | {14k, 124k, | cRLNumber = 7 | cRLNumber = 7 | 67a} | thisUpdate = 18:00 | thisUpdate = 18:00 | | nextUpdate = 21:00 | nextUpdate = 19:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 67a} | CertificateList = | | | {124k, 39r, 67a} ---------|--------------|--------------------------|---------------------- 19:00 | {14k, 124k, | | cRLNumber = 8 | 67k} | | thisUpdate = 19:00 | | | nextUpdate = 20:00 | | | BaseCRLNumber = 7 | | | CertificateList = | | | {39r, 67k ---------|--------------|--------------------------|---------------------- Note that the delta CRLs are marginally larger than in the first scenario since they cover a longer time period. On the other hand, a relying party is less likely to download full CRLs in the second scenario. For example, a relying party that validated one certificate at 12:15, then a second certificate at 16:15 would not require a new full CRL in scenario #2. In scenario #1, the relying party would be forced to obtain both full CRL 4 and delta CRL 5. Scenario #3 Allowing for Replication/Propagation Delays In this scenario, full CRLs and delta CRLs are replicated throughout a repository system. Data is replicated through the system at different rates based on the size of the file. The CA operators estimate that full CRLs will be available throughout the system within three hours. Delta CRLs will be available within 15 minutes. (Assume the initial CRL is small and will propagate as if a delta CRL to resolve the bootstrap issues.) The example below uses the "sliding window" method of issuing delta-CRLs, but overlaps the thisUpdate and nextUpdate times to allow for propagation. In this example, full CRLs are issued once every 3 hours and deltas are issued every 45 minutes. For consistency, the issuer begins issuing deltas at the same time as the very first full CRL. Notice that starting with cRLNumber 7, the delta CRL issued at the same time as a full CRL does not use the previously issued full CRL as its base but the preceding CRL instead. As in example #2, these delta-CRLs never provide more than 6 hours of history. Similary to examples #1 and #2: Certificate 14 was revoked for key compromise before 12:00 when the first CRL was issued. Certificate 124 was revoked for key compromise between 12:00 and 12:45. Certificate 39 was placed on hold between 14:15 and 15:00, and its suspension was lifted between 16:00 and 17:00. Certificate 67 was revoked for an affiliation change between 15:45 and 16:30. The reason was changed to key compromise between 18:00 and 18:45. current | Revoked | Full CRL | Delta-CRL time | certificates | | ---------|--------------|--------------------------|---------------------- 12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 | | thisUpdate = 12:00 | thisUpdate = 12:00 | | nextUpdate = 18:00 | nextUpdate = 13:00 | | CertificateList = {14k} | BaseCRLNumber = 1 | | | CertificateList = {} ---------|--------------|--------------------------|---------------------- 12:45 | {14k, 124k} | | cRLNumber = 2 | | | thisUpdate = 12:45 | | | nextUpdate = 13:45 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 13:30 | {14k, 124k} | | cRLNumber = 3 | | | thisUpdate = 13:30 | | | nextUpdate = 14:30 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 14:15 | {14k, 124k} | | cRLNumber = 4 | | | thisUpdate = 14:15 | | | nextUpdate = 15:15 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 15:00 | {14k, 124k, | cRLNumber = 5 | cRLNumber = 5 | 39h} | thisUpdate = 15:00 | thisUpdate = 15:00 | | nextUpdate = 21:00 | nextUpdate = 16:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 39h} | CertificateList = | | | {124k, 39h} ---------|--------------|--------------------------|---------------------- 15:45 | {14k, 124k, | | cRLNumber = 6 | 39h, 67a} | | thisUpdate = 15:45 | | | nextUpdate = 16:45 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39h, 67a} ---------|--------------|--------------------------|---------------------- 16:30 | {14k, 124k, | | cRLNumber = 7 | 67a} | | thisUpdate = 16:30 | | | nextUpdate = 17:30 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39r, 67a} ---------|--------------|--------------------------|---------------------- 17:15 | {14k, 124k, | | cRLNumber = 8 | 67a} | | thisUpdate = 17:15 | | | nextUpdate = 18:15 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39r, 67a} ---------|--------------|--------------------------|---------------------- 18:00 | {14k, 124k, | cRLNumber = 9 | cRLNumber = 9 | 67a} | thisUpdate = 18:00 | thisUpdate = 18:00 | | nextUpdate = 24:00 | nextUpdate = 19:00 | | CertificateList = | BaseCRLNumber = 5 | | {14k, 124k, 67a} | CertificateList = | | | {39r, 67a} ---------|--------------|--------------------------|---------------------- 18:45 | {14k, 124k, | | cRLNumber = 10 | 67k} | | thisUpdate = 18:45 | | | nextUpdate = 19:45 | | | BaseCRLNumber = 5 | | | CertificateList = | | | {39r, 67k} ---------|--------------|--------------------------|---------------------- Delta CRL number 6 is issued at 15:45. By 16:00, delta CRL number 6 should be available throughout the system. As a result, delta CRL number 5 specified 16:00 as its nextUpdate time. However, full CRL number 5 was issued at 15:00 and may not be available throughout the system until 18:00. As a result, full CRL number 1 specified 18:00 as its nextUpdate time. In addition, delta CRL number 6 must be based on full CRL number 1 which was issued at 12:00. If the relying party finds full CRL number 5 in the repository, they may still apply delta CRL number 6 and achieve the correct answer. Finally, note that a CRL issuer must generate more CRLs to achieve the goal of status information that is no more than one hour old when factoring in the propagation delays. Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id HAA03816 for ietf-pkix-bks; Wed, 16 May 2001 07:47:33 -0700 (PDT) Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA03812 for <ietf-pkix@imc.org>; Wed, 16 May 2001 07:47:26 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id KAA17499 for <ietf-pkix@imc.org>; Wed, 16 May 2001 10:47:26 -0400 (EDT) Message-Id: <4.2.2.20010516093846.00b2bd40@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 16 May 2001 10:46:45 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) In-Reply-To: <p05010406b72760acb0bf@[128.33.238.68]> References: <4.2.2.20010515172220.00a677b0@email.nist.gov> <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010418133051.00addb60@email.nist.gov> <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010515172220.00a677b0@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id HAA03813 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Steve, My interest is in ensuring that the PKIX Certificate and CRL Profile is correct, consistent, and complete. If these issues are not of interest to you, then feel free to ignore this message. At 06:45 PM 5/15/01 -0400, Stephen Kent wrote: >Dave, > >I provided an analysis of the evolution of CRL signing from V1 + V2 certs, to the changes you cite re V3 certs. As far as I am concerned, v1 and v2 is irrelevant. Extensions did not exist prior to v3, so neither v1 nor v2 could have included any requirements with respect to the proper setting of the cA bit in the basicConstraints extension. >You have chosen to ignore large parts of this analysis, and focus on text in the current version of X.509 that emphasizes syntactic details but not the larger semantic context. We are discussing the cA bit. I have quoted the text from X.509 that provides the semantics for the cA bit numerous times. You have chosen to ignore this text. >You have not adressed the fact that both X.509 and RFC 2459 make repeated references to "authorities" or CAs re CRL issuance. You have received feedback from Sharon, and I think several of the 2459 authors have weighed in on this topic during the multi-week debate. > >I see no point in continuing the discussion. Based on the discussions that have occurred in this thread it seems to me that there are a number of issues in X.509 and PKIX that need to be resolved: 1) Who can issue CRLs? a) There seems to be consensus that it is acceptable for an entity that does not sign certificates to sign CRLs. b) There has been suggestion that the standards only allow for authorities to issue CRLs. c) X.509 defines an authority as "[a]n entity, responsible for the issuance of certificates. Two types are defined in this Specification; certification authority which issues public-key certificates and attribute authority which issues attribute certificates." X.509 similarly defines an CA as "An authority trusted by one or more users to create and assign public-key certificates. Optionally the certification authority may create the users keys." An attribute authority is defined to be "[a]n authority which assigns privileges by issuing attribute certificates". So, if we wish to allow entities to sign CRLs but not certificates, we either need to allow for entities other than authorities to issue CRLs or we need to redefine the terms CA, AA, and authority to include include entities that do not issue certificates. 2) In which directory attributes should certificates that are issued to subjects that are CAs be placed? a) RFC 2587 states that certificates issued to end entities must be placed in the userCertificate attribute and that certificates issued to CAs must be placed in the cACertificate and/or crossCertificatePair attributes (with specific rules on when each of these attributes is to be populated). b) RFC 2587 also states that "none of the ... CA certificates shall include a basicConstraints extension with the cA value set to FALSE". c) There has been no consensus that the cA value in basicConstraints must be set to TRUE whenever the certificate subject is a CA. This lack of consensus is particularly the case when the certificate contains a keyUsage extension with neither the keyCertSign nor the cRLSign bit set. (I believe that Tim Polk has proposed changing the standards to require the cA value to be set to TRUE whenever the subject is a CA, but there has been no consensus that such a change should be made). So, either we need to change X.509 and PKIX to state that the cA bit in basicConstraints indicates whether the certificate subject is a CA or LDAP schema needs to be clarified to clearly indicate in which attribute(s) certificates issued to CAs should be placed when basicConstraints is present but cA is set to FALSE (e.g., if the subject public key is used to sign CMP transactions, but not to sign certificates or CRLs). What does the cA bit in basicConstraints mean? As a result of the changes from new-part1-05 to new-part1-06, the text in the PKIX profile describing the cA bit is contradictory. It states: "The cA bit indicates if the certified public key may be used to verify signatures on other certificates. If the cA bit is asserted, then either the keyCertSign bit or the cRLSign bit in the key usage extension (see 4.2.1.3) MUST also be asserted." The first sentence, which is essentially copied from X.509, states that the bit indicates whether the subject public key may be used to verify signatures on certificates. The next sentence, however, seems to contradict this by stating that the cA bit may be set to TRUE even if the subject public key may not be used to verify signatures on certificates (if the subject public key may be used to verify signatures on CRLs). Of course, if there were a requirement to only set the cRLSign bit in KeyUsage if the keyCertSign bit is also set, then there would be no contradiction. If this were the case, then the cA bit really would indicate is the subject public key may be used to verify signatures on certificates. However, there has certainly been agreement that it should be acceptable to specify that a key may be used to verify signatures on CRLs but not certificates. So, we must either revert to the new-part1-05 text which clearly ties the cA bit to the keyCertSign bit, or we must redefine the cA bit in both X.509 and PKIX. There may be other issues that I am not recalling at the moment. We need to step back and try to view this standard from the perspective of someone who is new to X.509. We cannot expect that everyone who makes use of the X.509 standard will have read through all of the messages on the PKIX mailing list. If the X.509 certificate generation and processing rules can not be unambiguously determined from the written standards, then the standards need to be fixed. Arguments to the effect of "the standard says X, but it really means Y, and to see why Y is the correct interpretation you'll need to read the relevant discussions from the PKIX mailing list from April of 1998." Similarly, claims that people should somehow determine the processing rules by looking at the "larger semantic context" instead of "text in the current version of X.509 that emphasizes syntactic details" are unacceptable. If the syntactic details are incorrect, then we should fix them. We can not have a standard that provides incorrect "syntactic details" and then expect people to correctly implement the standard based on an interpretation of the "larger semantic context". Dave Received: by above.proper.com (8.9.3/8.9.3) id DAA10652 for ietf-pkix-bks; Wed, 16 May 2001 03:25:39 -0700 (PDT) Received: from iaik.tu-graz.ac.at (excalibur.iaik.tu-graz.ac.at [129.27.152.30]) by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA10647 for <ietf-pkix@imc.org>; Wed, 16 May 2001 03:25:31 -0700 (PDT) Received: from kant [129.27.152.76] by iaik.tu-graz.ac.at (SMTPD32-6.06) id A58962C5003A; Wed, 16 May 2001 12:25:13 +0200 Message-ID: <004701c0ddf2$65c09d40$4c981b81@kant> From: "Andreas Sterbenz" <asterbenz-pkix@iaik.at> To: "Housley, Russ" <rhousley@rsasecurity.com> Cc: <ietf-pkix@imc.org> References: <5.0.1.4.2.20010514164713.018e40c8@exna07.securitydynamics.com> Subject: Re: keyCertSign and Path Validation Date: Wed, 16 May 2001 12:24:31 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2462.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> The point I was making is that the key usage extension, if present, is handled differently depending on whether or not it is critical. This may be for a reason, but it seems neither intuitive to me nor explained in the rest of the document. The reason I came across this is the X.509 conformance test suite by NIST, Cygnacom, and others posted to the list by Tim Polk some time ago. It requires that CA certificates with a non-critical key usage extension and the keyCertSign bit cleared are rejected (IC.05.02). This is in obvious contradiction to the PKIX validation algorithm. This may be either due to an oversight in either of the two, or due to an incompatible interpretation of X.509. I believe the issue should be addressed in either case. The text below from X.509 4th ed. draft 8 seems to confirm the NIST position. === If the extension if flagged non-critical, then it indicates the intended purpose or purposes of the key, and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. If this extension is present, and the certificate-using system recognizes and processes the keyUsage extension type, then the certificate-using system shall ensure that the certificate shall be used only for a purpose for which the corresponding key usage bit is set to one. A bit set to zero indicates that the key is not intended for that purpose. If all bits are zero, it indicates the key is intended for some purpose other than those listed. === Andreas Sterbenz mailto:Andreas.Sterbenz@iaik.at ----- Original Message ----- From: "Housley, Russ" <rhousley@rsasecurity.com> To: "Andreas Sterbenz" <asterbenz-pkix@iaik.at> Cc: <ietf-pkix@imc.org> Sent: Monday, May 14, 2001 10:48 PM Subject: Re: keyCertSign and Path Validation > It is intentional. I do not recall all of the reasons. One reason was to > permit support for version 1 certificates. A version 1 certificate cannot > be part of a certification path if we handle it differently. > > Russ > > At 01:55 PM 5/14/2001 +0200, Andreas Sterbenz wrote: > >All, > > > >new-part1-06 states in section 6.1.4 (Preparation for Certificate i+1) that > > > > (n) If a key usage extension is present and marked critical, > > verify that the keyCertSign bit is set. > > > >A certificate that fails this check is rejected. However, this means that a > >certificate with a non-critical key usage extension is always accepted, even > >if the keyCertSign bit is not set. > > > >I am wondering if that behavior is intentional as it seems to conflict with > >the text describing the key usage and basic constraints extension. > > > > Andreas Sterbenz mailto:Andreas.Sterbenz@iaik.at > Received: by above.proper.com (8.9.3/8.9.3) id PAA24159 for ietf-pkix-bks; Tue, 15 May 2001 15:46:56 -0700 (PDT) Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA24144 for <ietf-pkix@imc.org>; Tue, 15 May 2001 15:46:49 -0700 (PDT) Received: from [128.33.238.68] (TC069.BBN.COM [128.33.238.69]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id SAA05713; Tue, 15 May 2001 18:46:50 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010406b72760acb0bf@[128.33.238.68]> In-Reply-To: <4.2.2.20010515172220.00a677b0@email.nist.gov> References: <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010418133051.00addb60@email.nist.gov> <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010515172220.00a677b0@email.nist.gov> Date: Tue, 15 May 2001 18:45:26 -0400 To: "David A. Cooper" <david.cooper@nist.gov> From: Stephen Kent <kent@bbn.com> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Dave, I provided an analysis of the evolution of CRL signing from V1 + V2 certs, to the changes you cite re V3 certs. You have chosen to ignore large parts of this analysis, and focus on text in the current version of X.509 that emphasizes syntactic details but not the larger semantic context. You have not adressed the fact that both X.509 and RFC 2459 make repeated references to "authorities" or CAs re CRL issuance. You have received feedback from Sharon, and I think several of the 2459 authors have weighed in on this topic during the multi-week debate. I see no point in continuing the discussion. Steve Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id PAA20950 for ietf-pkix-bks; Tue, 15 May 2001 15:12:44 -0700 (PDT) Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA20939 for <ietf-pkix@imc.org>; Tue, 15 May 2001 15:12:37 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id SAA16971 for <ietf-pkix@imc.org>; Tue, 15 May 2001 18:12:39 -0400 (EDT) Message-Id: <4.2.2.20010515172220.00a677b0@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Tue, 15 May 2001 18:11:05 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) In-Reply-To: <p05010401b710bf7aa776@[128.33.238.42]> References: <4.2.2.20010425132032.00af9740@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010418133051.00addb60@email.nist.gov> <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010425132032.00af9740@email.nist.gov> Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=====================_34911567==_.ALT" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> --=====================_34911567==_.ALT Content-Type: text/plain; charset="us-ascii" At 05:31 PM 4/28/01 -0400, Stephen Kent wrote: >So, my "interpretation" of the CA bit is simple; it identifies a cert as belonging to a CA and used to validate certs or CRLs. This is consistent with the notion that the bit needs to be set whenever the processing of the object using the public key from the cert is constrained by the presence or absence of that bit. I still can not find any text that justifies the requirements that you claim to exist. X.509 clearly states: The cA component indicates if the certified public key may be used to verify certificate signatures if the value of cA is not set to true then the certified public key shall not be used to verify a certificate signature If this extension is not present, or is flagged non-critical and is not recognized by a certificate-using system, then the certificate is to be considered an end-entity certificate and cannot be used to verify certificate signatures These statement clearly impose a requirement on certificate issuers to include basicConstraints with cA=true if the subject public key in the certificate is to be used to verify signatures on certificates. The third quote seems to impose a requirement on relying parties to check for the presence of basicConstraints with cA=true before using a subject public key to verify signatures on certificates. Where is the corresponding text for CRLs? You seem to suggest that the requirement exists implicitly as a result of a requirement for only CAs to issue CRLs. However, according to the text in X.509, the cA bit does not indicate whether or not the certificate subject is a CA. It only indicates whether the particular subject public key may be used to verify signatures on certificates. I think the proper interpretation of a requirement that only CAs can issue CRLs is that it imposes a requirement on certificate issuers to only set the cRLSign bit in a certificate if the subject is a CA. If only CAs can issue CRLs, and certificate has the cRLSign bit set, then the relying party should be able to conclude that the subject of the certificate is a CA. Given this, why should the relying party need to check to see if the cA bit is set (a bit that merely indicates whether the subject public key can be used to verify signatures on certificates)? There are certainly no security implications. >> From what I have read so far, it appears that you believe that the cA bit should be used to indicate if the subject of the certificate is a CA. But, if this is the case, then new-part1-06 still does not accurately reflect your notion of the cA bit. Currently the text states that the cA bit may only be set if the keyCertSign bit or the cRLSign bit in keyUsage is set. However, a CA does more than just issue certificates and CRLs. A CA may have a private key dedicated to signing PKI transaction messages (e.g., certification response, revocation response, proof-of-possession challenge). If a certificate were issued to a CA with its PKI transaction message verification key as the subject public key, neither the keyCertSign nor the cRLSign bit in KeyUsage would be set, but the subject of the certificate would still be a CA. > >This is an example where the processing of the signature on the signed object is not constrained by the presence or absence of the CA bit. I think the text you cite about setting the CA bit ONLY when other bits are set should be reviewed; it may be fine as is, but we need to decide whether we backed into this characterization or whether we mean exactly what it says. Again, other than for verifying the signature on a certificate, where is the use of a public key to verify a signature constrained by the presence or absence of the cA bit? You claim that X.509 requires CRL issuers to be CAs, but that is not sufficient to demonstrate a requirement with respect the cA bit. If X.509 stated that the cA bit indicates whether the subject is a CA, then perhaps you would be correct in claiming that such a processing requirement exists. However, X.509 is very clear about the meaning of the cA bit, and it states that the cA bit is simply an indicator of whether the subject public key may be used to verify signatures on certificates. >>So, should the cA bit be used to indicate if the certificate subject is a CA or to indicate that the subject public key may be used to verify signatures on certificates and/or CRLs? If the latter, then not all certificates issued to CAs will have the cA bit set. > >A fair question. My answer above would say that not all certs employed by a CA would have to have the bit set, e.g., because some objects signed using a key associated with a CA are employed in protocols that do not mandate checking the CA flag. So, does this mean that the cA bit is not fully defined? There are some cases where the bit should definitely be set, others where it should definitely not be set, and then other times when proper value for the bit is undetermined. Somehow a definition of "the cA flag should be set when the subject public key may be employed in protocols that mandate checking the cA flag" seems inappropriate. The cA bit should be a source of information. CAs should know when the bit should or should not be set and relying parties should know what it means when the bit is or is not set. How can certificate processing requirements be meaningful if the data in the certificates that is used in the processing has no meaning? Dave --=====================_34911567==_.ALT Content-Type: text/html; charset="us-ascii" <html> At 05:31 PM 4/28/01 -0400, Stephen Kent wrote:<br> <blockquote type=cite cite>So, my "interpretation" of the CA bit is simple; it identifies a cert as belonging to a CA and used to validate certs or CRLs. This is consistent with the notion that the bit needs to be set whenever the processing of the object using the public key from the cert is constrained by the presence or absence of that bit.</blockquote><br> I still can not find any text that justifies the requirements that you claim to exist. X.509 clearly states:<br> <br> <x-tab> </x-tab>The <font size=2>cA</font> component indicates if the certified public key may be used to verify certificate signatures<br> <br> <x-tab> </x-tab>if the value of <font size=2>cA</font> is not set to true then the certified public key shall not be used to verify a<br> <x-tab> </x-tab>certificate signature<br> <br> <x-tab> </x-tab>If this extension is not present, or is flagged non-critical and is not recognized by a<br> <x-tab> </x-tab>certificate-using system, then the certificate is to be considered an end-entity certificate<br> <x-tab> </x-tab>and cannot be used to verify certificate signatures<br> <br> These statement clearly impose a requirement on certificate issuers to include basicConstraints with cA=true if the subject public key in the certificate is to be used to verify signatures on certificates. The third quote seems to impose a requirement on relying parties to check for the presence of basicConstraints with cA=true before using a subject public key to verify signatures on certificates. Where is the corresponding text for CRLs?<br> <br> You seem to suggest that the requirement exists implicitly as a result of a requirement for only CAs to issue CRLs. However, according to the text in X.509, the cA bit does not indicate whether or not the certificate subject is a CA. It only indicates whether the particular subject public key may be used to verify signatures on certificates.<br> <br> I think the proper interpretation of a requirement that only CAs can issue CRLs is that it imposes a requirement on certificate issuers to only set the cRLSign bit in a certificate if the subject is a CA. If only CAs can issue CRLs, and certificate has the cRLSign bit set, then the relying party should be able to conclude that the subject of the certificate is a CA. Given this, why should the relying party need to check to see if the cA bit is set (a bit that merely indicates whether the subject public key can be used to verify signatures on certificates)? There are certainly no security implications.<br> <br> <blockquote type=cite cite><blockquote type=cite cite> From what I have read so far, it appears that you believe that the cA bit should be used to indicate if the subject of the certificate is a CA. But, if this is the case, then new-part1-06 still does not accurately reflect your notion of the cA bit. Currently the text states that the cA bit may only be set if the keyCertSign bit or the cRLSign bit in keyUsage is set. However, a CA does more than just issue certificates and CRLs. A CA may have a private key dedicated to signing PKI transaction messages (e.g., certification response, revocation response, proof-of-possession challenge). If a certificate were issued to a CA with its PKI transaction message verification key as the subject public key, neither the keyCertSign nor the cRLSign bit in KeyUsage would be set, but the subject of the certificate would still be a CA.</blockquote><br> This is an example where the processing of the signature on the signed object is not constrained by the presence or absence of the CA bit. I think the text you cite about setting the CA bit ONLY when other bits are set should be reviewed; it may be fine as is, but we need to decide whether we backed into this characterization or whether we mean exactly what it says.</blockquote><br> Again, other than for verifying the signature on a certificate, where is the use of a public key to verify a signature constrained by the presence or absence of the cA bit? You claim that X.509 requires CRL issuers to be CAs, but that is not sufficient to demonstrate a requirement with respect the cA bit. If X.509 stated that the cA bit indicates whether the subject is a CA, then perhaps you would be correct in claiming that such a processing requirement exists. However, X.509 is very clear about the meaning of the cA bit, and it states that the cA bit is simply an indicator of whether the subject public key may be used to verify signatures on certificates.<br> <br> <blockquote type=cite cite><blockquote type=cite cite>So, should the cA bit be used to indicate if the certificate subject is a CA or to indicate that the subject public key may be used to verify signatures on certificates and/or CRLs? If the latter, then not all certificates issued to CAs will have the cA bit set.</blockquote><br> A fair question. My answer above would say that not all certs employed by a CA would have to have the bit set, e.g., because some objects signed using a key associated with a CA are employed in protocols that do not mandate checking the CA flag.</blockquote><br> So, does this mean that the cA bit is not fully defined? There are some cases where the bit should definitely be set, others where it should definitely not be set, and then other times when proper value for the bit is undetermined. Somehow a definition of "the cA flag should be set when the subject public key may be employed in protocols that mandate checking the cA flag" seems inappropriate.<br> <br> The cA bit should be a source of information. CAs should know when the bit should or should not be set and relying parties should know what it means when the bit is or is not set. How can certificate processing requirements be meaningful if the data in the certificates that is used in the processing has no meaning?<br> <br> Dave<br> <br> </html> --=====================_34911567==_.ALT-- Received: by above.proper.com (8.9.3/8.9.3) id IAA22745 for ietf-pkix-bks; Tue, 15 May 2001 08:34:08 -0700 (PDT) Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA22731 for <ietf-pkix@imc.org>; Tue, 15 May 2001 08:33:59 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id RAA08459 for <ietf-pkix@imc.org>; Tue, 15 May 2001 17:34:00 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.3); Tue, 15 May 2001 17:34:00 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id RAA04028 for <ietf-pkix@imc.org>; Tue, 15 May 2001 17:33:59 +0200 (MET DST) From: Peter Sylvester <Peter.Sylvester@edelweb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.7.6/8.6.6) id RAA02489 for ietf-pkix@imc.org; Tue, 15 May 2001 17:33:58 +0200 (MET DST) Date: Tue, 15 May 2001 17:33:58 +0200 (MET DST) Message-Id: <200105151533.RAA02489@emeriau.edelweb.fr> To: ietf-pkix@imc.org Subject: CRL signing certificats Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> I would like to know the position of the group concerning certificates for CRL signing. If I resume the previous discussions then it seems to me that it is possible to have - separate signing keys and certificates for crl and cert signing. - that a crl signing certificate can have the same DN as CA in order to avoid an extension. If this is the case, then it seems to me that the comment on page 60 concerning self issued certificates may need some clarification. Received: by above.proper.com (8.9.3/8.9.3) id AAA11352 for ietf-pkix-bks; Tue, 15 May 2001 00:20:56 -0700 (PDT) Received: from gull.mail.pas.earthlink.net (gull.mail.pas.earthlink.net [207.217.121.85]) by above.proper.com (8.9.3/8.9.3) with ESMTP id AAA11310 for <ietf-pkix@imc.org>; Tue, 15 May 2001 00:20:48 -0700 (PDT) Received: from [10.0.1.2] (user-38ldjsb.dialup.mindspring.com [209.86.207.139]) by gull.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id AAA28053; Tue, 15 May 2001 00:19:46 -0700 (PDT) Mime-Version: 1.0 X-Sender: hoytkesterson@mail.earthlink.net Message-Id: <a05100312b7268608ad11@[10.0.1.2]> Date: Tue, 15 May 2001 00:17:21 -0700 To: "X.509":; From: "Hoyt L. Kesterson II" <hoytkesterson@earthlink.net> Subject: a new version of the 4th edition of x.509 Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Hello all Believe it or not, the ITU is very close to publishing the new 4th edition. During the final document shakedown we found a number of very minor editorials. I have posted that new version upon the server in pdf and word formats at ftp://ftp.bull.com/pub/OSIdirectory/4thEditionTexts/X509_4thEditionDraftV8.doc and ftp://ftp.bull.com/pub/OSIdirectory/4thEditionTexts/X509_4thEditionDraftV8.pdf Newly revised drafts of the 4th edition of the other parts of X.500 are also available at the same server in ftp://ftp.bull.com/pub/OSIdirectory/4thEditionTexts I am beginning to feel like chicken littlle in warning you that I am about to remove X.509 from this server. However, I have seen the FINAL text this week and ITU and ISO are very close to publishing. But as I said before, ITU is allowing any three recommendations to be downloaded at no cost from their server. It is an interesting experiment that they are evaluating for 2001. For more information see http://www.itu.int/publications/bookshop/how-to-buy.html Be gentle hoyt -- Received: by above.proper.com (8.9.3/8.9.3) id NAA09662 for ietf-pkix-bks; Mon, 14 May 2001 13:52:06 -0700 (PDT) Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA09652 for <ietf-pkix@imc.org>; Mon, 14 May 2001 13:51:53 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 14 May 2001 20:51:31 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA04016 for <ietf-pkix@imc.org>; Mon, 14 May 2001 16:51:53 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NXZ0F>; Mon, 14 May 2001 16:51:52 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.15]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NXZ0D; Mon, 14 May 2001 16:51:49 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Andreas Sterbenz <asterbenz-pkix@iaik.at> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010514164713.018e40c8@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 14 May 2001 16:48:51 -0400 Subject: Re: keyCertSign and Path Validation In-Reply-To: <006401c0dc6c$bd00f870$4c981b81@kant> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> It is intentional. I do not recall all of the reasons. One reason was to permit support for version 1 certificates. A version 1 certificate cannot be part of a certification path if we handle it differently. Russ At 01:55 PM 5/14/2001 +0200, Andreas Sterbenz wrote: >All, > >new-part1-06 states in section 6.1.4 (Preparation for Certificate i+1) that > > (n) If a key usage extension is present and marked critical, > verify that the keyCertSign bit is set. > >A certificate that fails this check is rejected. However, this means that a >certificate with a non-critical key usage extension is always accepted, even >if the keyCertSign bit is not set. > >I am wondering if that behavior is intentional as it seems to conflict with >the text describing the key usage and basic constraints extension. > > Andreas Sterbenz mailto:Andreas.Sterbenz@iaik.at Received: by above.proper.com (8.9.3/8.9.3) id EAA00386 for ietf-pkix-bks; Mon, 14 May 2001 04:58:03 -0700 (PDT) Received: from iaik.tu-graz.ac.at (excalibur.iaik.tu-graz.ac.at [129.27.152.30]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA00382 for <ietf-pkix@imc.org>; Mon, 14 May 2001 04:57:55 -0700 (PDT) Received: from kant [129.27.152.76] by iaik.tu-graz.ac.at (SMTPD32-6.06) id A83281A0100; Mon, 14 May 2001 13:57:38 +0200 Message-ID: <006401c0dc6c$bd00f870$4c981b81@kant> From: "Andreas Sterbenz" <asterbenz-pkix@iaik.at> To: <ietf-pkix@imc.org> Subject: keyCertSign and Path Validation Date: Mon, 14 May 2001 13:55:14 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2462.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000 Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> All, new-part1-06 states in section 6.1.4 (Preparation for Certificate i+1) that (n) If a key usage extension is present and marked critical, verify that the keyCertSign bit is set. A certificate that fails this check is rejected. However, this means that a certificate with a non-critical key usage extension is always accepted, even if the keyCertSign bit is not set. I am wondering if that behavior is intentional as it seems to conflict with the text describing the key usage and basic constraints extension. Andreas Sterbenz mailto:Andreas.Sterbenz@iaik.at Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id EAA13958 for ietf-pkix-bks; Sat, 12 May 2001 04:27:57 -0700 (PDT) Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA13939 for <ietf-pkix@imc.org>; Sat, 12 May 2001 04:27:49 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <KXJY5K35>; Sat, 12 May 2001 07:27:19 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DEA7C@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Denis Pinkas <Denis.Pinkas@bull.net>, "Housley, Russ" <rhousley@rsasecurity.com> Cc: ietf-pkix@imc.org, Tim Polk <wpolk@nist.gov>, "David A. Cooper" <david.cooper@nist.gov> Subject: RE: delta CRLs Date: Sat, 12 May 2001 07:18:02 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0DAD5.35616B40" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0DAD5.35616B40 Content-Type: text/plain; charset="iso-8859-1" Denis: You assumptions and recommendations may be appropriate for your environment and PKIX should accommodate your design. In my mind PKIX DOES accommodate your design. However, others may want to design PKI where the freshness of revocation information is not guaranteed beyond nextUpdate, but could be published be available, modulo network security assumptions. In that scenario, publishing revocation information via full or delta CRL's that are not promised via nextxUpdate is also fine, knowing full well that the CA can not guarantee that RP will be ensured of out of cycle CRL availability. In short, RP knows that the non-repudiation between thisUpdate of CRL and current time is up in air. Thus, I am not in favor of the constraints on the CA you cited. -----Original Message----- From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] Sent: Friday, May 11, 2001 12:58 PM To: Housley, Russ Cc: ietf-pkix@imc.org; Tim Polk; David A. Cooper Subject: Re: delta CRLs Russ, Thanks for this very detailed collective response. I have been hoping to have a phone call with some of you today, but since this had not been possible, here is an answer to your email. FYI, I will be out of my office during three days, so do no expect a reply before next Thursday. The thread has been focussing on the mechanisms, forgetting what is the rational about them. So let us come back to the rationals. One of them relates top the use of CRLs when applied to a non repudiation service. X.509 has been originally written to use CRLs for other security services and for these other services, the problems are different. We all want to be able to use either CRLs or OSCP responses for non repudiation purposes. In fact we want to allow any of these two techniques to be used in single or in combination. Right ? Having said this, we can now explain some of the rational. When validating a digital signature, for a given time T, for non repudiation purposes, it is important for a verifier to be able to prove that the certificate was NOT revoked. It is also important that two different verifiers come to the same result, for the same time T, because of the goal of non repudiation is to solve disputes. The same properties must be achieved whether OCSP or CRLs are used. When an OCSP response is received with a time T in it, there can be no dispute about it: it contains three possible answers (not revoked, revoked, don't know). If an OCSP responder produces one such answer with a time T and one of the three statuses, no one else can present an answer with the same time T in it with a different answer from the same OCSP responder. Once again, it would not be acceptable that at a given time T two opposite responses could be obtained. This would result in disputes. This means that at time T, there is must be one and only one possible answer. This allows to use OCSP responses for non repudiation purposes. The same property must be supported so that CRLs can be used for non repudiation purposes. So the goal is that when using CRLs in the context of non repudiation, only one response (i.e. not revoked, revoked, don't know) can be obtained. I do know that non repudiation is only one use of the PKI and that there are other usages such as authentication, integrity and confidentiality. So let us now describe what is necessary, if the CRL contains at least one certificate that can be used for non repudiation purposes (e.g. it has the NR bit set). If at time T there is more than one CRL valid, then there is a possibility to miss the most recent, in case there is a denial of service attack on it (i.e. suppression of the latest CRL while in transit). This means that "emergency" CRLs will not necessarily be seen. "Emergency" CRLs may be used for authentication, integrity and confidentiality, but may create problems when used in the context of non repudiation. This has several implications: we should deprecate the use of "emergency" CRLs for being used for a non repudiation service, because they could provide two different responses. People using full CRLs, i.e. without taking advantage of the delta CRLs, would get only one result. People using base CRLs and thus taking advantage of the delta CRLs would also get one single result. For that reason we should also deprecate the use of "emergency" delta CRLs. This now explains why it is important to get one answer, at most, at a time. I do understand that lacking this information, the mechanism seems to be constrained without any "good" reason. Now how can a verifier be sure to get the freshest information ? This depends on the verification rules. Let us restrict the discussion to the leaf certificate. If the validation rules (be careful this has strong relationships with the DPV protocol) say : "use full CRLs only" and there is no "emergency CRL", then everything works nice. If the validation rules say: "use the freshest information that is provided by the CA", then the question is how can a verifier know how the freshest information is obtained ? The answer is: only through extensions. Why ? Let us assume first that no extension either in the certificate or the CRL is being used. The answer would be : make a search for delta CRLs in the directory. The problem is that, in case a denial of service attack, the delta CRLs, even if they exist, will not be "seen". So the verifier will use the base CRL and thus two verifications done at the same time T will provide two different results. :-( So there needs to be some way, so that, in the event of a denial of service attacks, either the right information is obtained or that no information at all is obtained. In the later case, if the revocation information is not found, then the signature is not accepted (in some cases a try can be done later on). A consequence is the following: verifiers must know without ambiguity whether a delta CRL mechanism is supported, so that if delta CRL are supported it is possible to know unambiguously that it is the case. There are two options. 1) Should we use the freshestCRL extension from the leaf certificate ? This means that the CA MUST support delta CRLs at any time during whole the life-time of the certificate. This is quite constraining for the CA, but this is possible. 2) Should we use the freshestCRL extension from the CRL? This means that the CA will only support delta CRLs for that CRL without any engagement to support a delta CRL mechanism for the next one. This is more flexible. What does this means ? That it is very likely that we will not end up wit the same mechanism when using delta CRLs for a certificate used for non repudiation purposes and when using a certificate for other purposes. One of the algorithms may look first at the delta CRLs, whether they exist or not, while the other will only take a look for them after making sure that they must exit. The best guess, if it succeeds, is certainly valid for "other purposes". So I will now focus on the algorithm to be used for non repudiation purposes. An application that is willing to obtain the freshest CRL information for a given certificate used for non repudiation purposes, must know if a delta CRL mechanism is supported. Either the certificate or any CRL that is able to reference that certificate MUST include a freshestCRL extension (a.k.a. a Delta CRL distribution point). The application may then construct an updated CRL for that base, for a specific time T, by combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. Applications that support delta CRLs MUST ensure that time T falls between thisUpdate and nextUpdate for both the base CRL and the delta CRL. Note: An application could also reconstruct an updated CRL, for a specific time T, by using a previously locally reconstructed CRL based on the current base CRL, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. For the constraint about the CA: For any CRL that may reference a certificate used for non repudiation purposes, and for any time T until the nextUpdate time indicated in a base CRL, the CA MUST provide one and only one base CRL and one and only delta CRL that refers to that base CRL and for which time T falls between thisUpdate and nextUpdate from the delta CRL. There are still other issues to discuss, like the CRL numbering, whether it is unique or not, let us wait for next week for that topic. Regards, Denis > Denis: > > Please excuse the half-done message from this morning. My mailer and I had > a disagreement... > > Anyway, since I was not going to get the full message out before the end of > the business day in France, I took the time to coordinate a response with > Tim Polk and David Cooper. This mail thread is quite long, so hopefully > our coordination on the side will reduce the overall number of messages to > the list and help to reach consensus faster. > > Here goes .... > > >There is difference between a base CRL and a full CRL : a base CRL MUST > >include a freshestCRL extension (a.k.a. a Delta CRL distribution point), > >whereas a full CRL may not include that extension. In other words, a base > >CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. > > There is no requirement in X.509 to include any extension in a certificate > or CRL advertising the availability of delta CRLs. PKIX makes the > freshestCRL extension available for advertising the existence of delta > CRLs, but again does not mandate its use. Furthermore, even if the > freshestCRL extension is used, it may be placed in either the certificate > or the full CRL. If the extension is placed in certificates, there is no > need for it to be in the full CRL (but, it could be). > > Finally, if delta CRLs are being issued, and are being advertised through > the freshestCRL CRL extension, then the extension should be included in all > full CRLs for that scope, not just the base CRLs. If a relying party > obtains the most recently issued full CRL for a scope from a repository, > and that full CRL is not a base CRL, how will the relying party know that > delta CRLs are available? > > >At any time a CA may issue a full CRL, whether or not a base CRL has already > >been issued. This additional CRL SHOULD have nextUpdate equal to the > >nextUpdate of the last issued full CRL. However, there is no guarantee that > >this additional CRL will ever be seen by the relying party (because there > >will be two CRLs matching the thisUpdate and nextUpdate rule and if one is > >deleted, this is not seen by a relying party). > > The nextUpdate field in a full CRL (base or otherwise) should specify the > time by which new revocation information will be available. So, if a new > base CRL is issued once a day, but full CRLs are issued every hour, the > nextUpdate field of each full CRL should one hour after that CRL's > thisUpdate time. > > >Due to the fact that CRLs numbers are strictly increasing, two CRLs whether > >they are a base CRL or delta CRL, CANNOT have the same CRL number. So a > >delta CRL and a full CRL that cover the same scope and are issued at the > >same time CANNOT have the same number. > > We disagree. If a full CRL and a delta CRL are issued at the same time for > the same scope, then they ARE the same CRL and MUST have the same CRL number. > > >If a full CRL is issued, its CRL > >number bears no relationship with the previous base CRL, if any. > > Again, we disagree. A sequence of CRLs for a given scope must contain a > monotonically increasing sequence of CRL numbers. Relying parties that do > not process delta CRLs, and thus do not recognize the non-critical > freshestCRL extension, will not be able to distinguish between those full > CRLs that are base CRLs and those full CRLs that are not base CRLs. The CRL > numbers for these full CRLs must be from one monotonically increasing sequence. > > >The only > >relationship between the numbers is defined by the rule that CRLs numbers > >are strictly increasing. As Santosh said : "the CRL number is unique > >whether it is a base or a delta ". > > > >This is fairly important to be able to unambiguously (and thus uniquely) > >refer to a CRL by only providing its CRL number. > > Exactly. If a full CRL and the delta CRL are issued for the same scope at > the same time, they are the same CRL. The CRL number unambiguously and > uniquely refers to this ONE CRL. > > >Besides the fact that a CRL issued later MUST have a higher CRL number, full > >CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, > >" if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL > >number (for the same or no stream identifier). > > If you agree that delta thisUpdate > base thisUpdate implies delta CRL > number > base CRL, then you are acknowledging that the CRL numbers of the > full CRLs and delta CRLs are not independent. > > >As Santosh said : "a check based on thisUpdate is more general and > >preferred [to the use of CRL numbers]. " > > > >Related to the three rules mentioned by Russ : > > > >1) the first rule is not understandable to me. > >2) the second rule does not say anything more than the basic rule valid > > for any CRL (i.e. a CRL issued later MUST have a higher CRL number). > >3) we will debate the hold condition, once we will have sorted the main > > issue. > > > >Russ said : "If separate number sequence is used, then you will have to > >periodically fetch base CRLs ". This is true. > > > >Tim said that he would *not* like to be forced to download new base CRLs. > >This is the core of the "dispute". > > Our goal should be to allow delta CRL enabled clients to obtain accurate > information in the most efficient manner possible. Forcing clients to > periodically download full CRLs, when this is not necessary, is inefficient. > > > From the definition of what a delta CRL is, it is *not* possible to > >get rid of the fetching of base CRLs. Unless we add a new sentence to > >expand/change that definition, base CRL fetching will remain mandatory. > > True. However, if one performs validations frequently enough, it is > possible to obtain a single full CRL and then subsequently download only > delta CRLs. We need to require that full CRL be issued periodically so that > clients whose locally stored information is not sufficiently up-to-date to > apply the delta CRLs being issued can obtain the full CRLs that they need, > but we should not require clients to download full CRLs when it is not > necessary for them to do so. > > >Remember that the goal of delta CRLs is to provide the freshest information, > >and to my knowledge the goal was not to get rid of the fetching of base CRLs > >(which may less frequent due to the support of delta CRLs). > > Yes, but the goal should be to minimize the fetching of full CRLs. > > >If I understand correctly, Tim/David/Russ would like to *always* achieve the > >following property : it is possible to reconstruct the current CRL by using > >a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been > >issued at the same time a base CRL was issued and which contains updates > >made to the *previous* base. > > > >By this way the fetching of base CRLs could be avoided. However, note that > >it is perfectly " legal " to stop issuing base and delta CRLs during some > >period of time and to issue full CRLs instead (see the difference between > >"full" and "base" at the top of this e-mail). In other words there is no > >need to issue a new base CRL at the end of the validity period of the > >previous base CRL. Doing this would mandate to prescribe issuing rules > >for CAs that we have not prescripted. > > You are mixing apples and oranges. Obviously the scheme of keeping > up-to-date by obtaining a base from 1990 and then only downloading deltas > will only work so long as deltas continue to be issued. If the CRL issuer > ceases to issue deltas, then the relying parties will have to revert to > downloading full CRLs. > > >I will now raise a series of questions, for which I believe we have > >different answers. Tim/David/Russ do not hesitate to correct > >if my guess is wrong. ;-) > > > >Common point: > > > >1) What will be the value of the nextUpdate field from the last issued delta > >CRL for a given base CRL ? > > > >Denis: the nextUpdate field from the last issued delta CRL MUST be equal to > >the value of nextUpdate from the base CRL. > > > >Tim/David/Russ: ??? > > The nextUpdate field in a base CRL states when the next full CRL will be > available. This is important for supporting clients that do not handle > delta CRLs. The nextUpdate field in a delta CRL states when the next CRL > (either a delta CRL or a full CRL) will be available. As a general rule, if > the CA is continuing to issue deltas, the nextUpdate in the delta will be > the time by which the next delta will be available. If this is the last > delta that the CA is going to issue, then the nextUpdate in the delta will > be the time by which the next full CRL will be available. ("Available" > SHOULD reflect distribution delays associated with the repository > architecture.) > > >2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? > > > >Denis: No. > >Tim/David/Russ : ??? > > No. A CA never is required to issue deltas. However, it would be helpful to > delta CRL enabled clients to allow them to construct the full CRL. > > If the full CRL contains a freshestCRL extension, then it is a very good > idea to generate a delta CRL at the same time. In this way, any client will > be able to find a current delta CRL. > > >3) Does a CA needs to issue a new base CRL at the end of the validity of a > >current base CRL ? > > > >Denis: No. > >Tim/David/Russ : ??? > > No. HOWEVER, the CA must issue a new full CRL by the nextUpdate in the > previously issued full CRL (whether that full CRL is a base CRL or not). > There is no requirement that the next full CRL be a base CRL. (The CA could > quit issuing deltas, etc. etc.) > > Every base CRL MUST be a full CRL, but not every full CRL is a base CRL. > But, a CA could make every full CRL a base CRL if they wanted to. > > >4) Does a CA needs to issue a delta CRL at the same time a new base is > >issued ? > > > >Denis: Yes. The delta CRL refers to the *new* base. > >Tim/David/Russ : ??? > > No. HOWEVER, in practice we belive that CAs will do so. The delta CRL needs > to exist so that clients can follow the freshest CRL extension (either in a > certificate or a base CRL). The delta CRL that is issued at the same time > SHOULD point to a previously issued full CRL (which will then, by > definition be a base CRL) whenever possible. There is no information to add > to the new base CRL! By providing the delta as an update to a previous base > CRL, clients can download the delta CRL to construct the new base CRL. > > >The last point highlights the most noticeable difference. Other differences > >appears when considering the guaranty to get the freshest information : > >using the traditional scheme and the thisUpdate and nextUpdate fields the > >guaranty to get the freshest information is obtained, but cannot be obtained > >using the other scheme. :-( > > > >Several people are referring to the X.509 document for arguments to support > >that discussion. However, it is important to remember that we are defining > >PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, > >but only what we believe is relevant. > > PKIX is a profile of X.509. PKIX may impose additional requirements beyond > those in X.509 or may exclude features that are optional in X.509, but > otherwise PKIX must be consistent with X.509. In that context, references > to X.509 are appropriate. > > >We first need to clearly define the processing rules applicable to the > >relying parties. These rules will certainly contain SHALL/MUST statements, > >but may also include some MAY statements which may even be conditional to > >what the CA is doing. (I let Tim/David or Russ provide the MAY statement). > > > >Here is a proposal for the MUST statement, based on the previous text I > >produced: > > > > An application that is wishing to take advantage of delta CRLs > > for a given scope, MUST first find a base CRL for that scope, > > i.e. a full CRL that that contains a freshestCRL extension > > (a.k.a. a Delta CRL distribution point). > > No. The relying party needs a full CRL (either one that has been downloaded > from a repository or one that has been locally generated) against which the > delta CRL of interest may be applied. There is no requirement that the full > CRL be a base CRL. > > > It may then construct > > an updated CRL for that base, for a specific time T, by combining > > it with a delta CRL which contains a delta CRL indicator extension > > with the same CRL number as the base CRL. > > It may construct an updated CRL by combining the delta CRL with any full > CRL whose CRL number is greater than or equal to the CRL number of the > referenced base. By saying "equal" instead of "greater than or equal" we > would be hiding useful information from implementors. We should not be > hiding useful information. > > > Applications that support > > delta CRLs MUST ensure that time T falls between thisUpdate and > > nextUpdate for both the base CRL and the delta CRL. > > As stated above, the nextUpdate field in a base CRL specifies the time by > which new revocation information will be available through full CRLs. A > delta CRL may be applied to a base CRL as long as the CRL number in the > base CRL is greater than or equal to the CRL number of the base CRL > referenced by the delta CRL. The nextUpdate time of the base CRL is irrelevant. > > > Note: An application could also reconstruct an updated CRL, for > > a specific time T, by using a previously locally reconstructed CRL > > based on the current base CRL, and combining it with a delta CRL which > > contains a delta CRL indicator extension with the same CRL number as > > the base CRL. > > Same problem as above. Need to say "greater than or equal to". > > >We also need to clearly separate the issuing rules applicable for the CAs. > >These rules will certainly contain SHALL statements, but could also include > >some MAY statements. (I let Tim/David or Russ provide the MAY statement). > > > >Here is a proposal for the MUST statement, based on the previous text I > >produced: > > > > A CA that supports delta-CRLs, MUST issue a base CRL, > > This is an unnecessary statement. A delta CRL must include a BaseCRLNumber. > The CRL specified by that BaseCRLNumber is by definition a base CRL. Of > course, the referenced base CRL MUST be a full CRL. > > > i.e. a full > > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > > distribution point). > > While it might be a good idea to mandate the inclusion of the frestestCRL > extension in full CRLs that are issued for scopes in which delta CRLs are > also being issued, there is currently no such requirement in the draft PKIX > profile. > > > For any time T until the nextUpdate time > > indicated in a base CRL, the CA MUST provide one and only one > > delta CRL that refers to that base CRL and for which time T > > falls between thisUpdate and nextUpdate from the delta CRL. > > This sentence has several problems: > > 1) The nextUpdate time of a base CRL is the time when the next full CRL > will be available, which may precede the time that the next base CRL will > be issued. > > 2) There is no requirement that a delta CRL use the most recently issued > base CRL as its base. I suppose that we could add this requirement for the > PKIX profile, but why? Does it really simplify the client? Or, does it > just make it a wee bit harder to make a conforming CA that supports delta CRLs? > > 3) If the thisUpdate time of one delta CRL must equal the nextUpdate time > of the previously issued delta CRL, then no time can be allotted to account > for propagation delays between when a delta-CRL is issued and when it is > available in repositories for relying parties to obtain. Thus, there would > be gaps between when the nextUpdate time of one delta-CRL was reached and > when the next delta-CRL was available. > > 4) There is nothing in either X.509 or the PKIX profile that prevents a CA > from issuing an unscheduled (or "emergency") delta CRL. And, there should > not be! Many CAs intend to issue a new CRL (delta or otherwise) > immediately upon the revocation of a certificate due to key compromise. > When such an "emergency" delta CRL is issued, there will be two delta CRLs > for which T falls between thisUpdate and nextUpdate. While it is true that > there is no guarantee that relying parties will obtain the fresher of these > two delta CRLs, that is no reason to prevent the CA from issuing the > "emergency" delta. Some clients will obtain the emergency CRL. > > >In his e-mail from Wednesday, May 9, David said that delta-CRL processing > >rules could be base on time instead of CRL numbers. This is a point of which > >I strongly agree. Let us do it! > > > >(However, there is no need to add to PKIX, as he suggested, the support of > >the baseUpdateTime extension from X.509 which would even more complicate the > >problem.) > > No. In order to base delta CRL processing on time, the baseUpdateTime > extension must be present in the delta CRL. Furthermore, the presence of > this extension would not complicate the problem. baseUpdateTime is a > non-critical extension that merely provides useful information. If you > don't think that the information provided by baseUpdateTime is useful, > ignore it. Since the extension is non-critical and can be ignored, its > presence can not complicate the problem. > > At 09:05 AM 5/10/2001 -0400, Housley, Russ wrote: > >Denis: > > > >>There is difference between a base CRL and a full CRL > > > >You are quite right. I, for one, will try to be more careful about the > >use of them. > > > >>Due to the fact that CRLs numbers are strictly increasing, two CRLs whether > >>they are a base CRL or delta CRL, CANNOT have the same CRL number. > > > >I disagree. A full CRL (that may be a base CRL for subsequent delta CRLs) > >and a delta CRL issued at the same time as that full CRL may actually > >represent the same revocation information. In this case, they are the > >same CRL, and they should have the same number. There have been several > >tables posted that illustrate this numbering scheme, and I do not see any > >text in X.509-200 that indicates this scheme is > [snip - truncate - the message is too long anyway] ------_=_NextPart_001_01C0DAD5.35616B40 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Denis:</FONT> </P> <P><FONT SIZE=3D2>You assumptions and recommendations may be = appropriate for your environment and PKIX should accommodate your = design. In my mind PKIX DOES accommodate your design.</FONT></P> <P><FONT SIZE=3D2>However, others may want to design PKI where the = freshness of revocation information is not guaranteed beyond = nextUpdate, but could be published be available, modulo network = security assumptions. In that scenario, publishing revocation = information via full or delta CRL's that are not promised via = nextxUpdate is also fine, knowing full well that the CA can not = guarantee that RP will be ensured of out of cycle CRL = availability.</FONT></P> <P><FONT SIZE=3D2>In short, RP knows that the non-repudiation between = thisUpdate of CRL and current time is up in air.</FONT> </P> <P><FONT SIZE=3D2>Thus, I am not in favor of the constraints on the CA = you cited.</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Denis Pinkas [<A = HREF=3D"mailto:Denis.Pinkas@bull.net">mailto:Denis.Pinkas@bull.net</A>]<= /FONT> <BR><FONT SIZE=3D2>Sent: Friday, May 11, 2001 12:58 PM</FONT> <BR><FONT SIZE=3D2>To: Housley, Russ</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org; Tim Polk; David A. = Cooper</FONT> <BR><FONT SIZE=3D2>Subject: Re: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>Russ, </FONT> </P> <P><FONT SIZE=3D2>Thanks for this very detailed collective = response.</FONT> </P> <P><FONT SIZE=3D2>I have been hoping to have a phone call with some of = you today, but since</FONT> <BR><FONT SIZE=3D2>this had not been possible, here is an answer to = your email.</FONT> </P> <P><FONT SIZE=3D2>FYI, I will be out of my office during three days, so = do no expect a reply</FONT> <BR><FONT SIZE=3D2>before next Thursday.</FONT> </P> <P><FONT SIZE=3D2>The thread has been focussing on the mechanisms, = forgetting what is the</FONT> <BR><FONT SIZE=3D2>rational about them. So let us come back to the = rationals. One of them</FONT> <BR><FONT SIZE=3D2>relates top the use of CRLs when applied to a non = repudiation service.</FONT> </P> <P><FONT SIZE=3D2>X.509 has been originally written to use CRLs for = other security services</FONT> <BR><FONT SIZE=3D2>and for these other services, the problems are = different.</FONT> </P> <P><FONT SIZE=3D2>We all want to be able to use either CRLs or OSCP = responses for non</FONT> <BR><FONT SIZE=3D2>repudiation purposes. In fact we want to allow any = of these two techniques</FONT> <BR><FONT SIZE=3D2>to be used in single or in combination. Right = ?</FONT> </P> <P><FONT SIZE=3D2>Having said this, we can now explain some of the = rational. </FONT> </P> <P><FONT SIZE=3D2>When validating a digital signature, for a given time = T, for non repudiation</FONT> <BR><FONT SIZE=3D2>purposes, it is important for a verifier to be able = to prove that the</FONT> <BR><FONT SIZE=3D2>certificate was NOT revoked. It is also important = that two different</FONT> <BR><FONT SIZE=3D2>verifiers come to the same result, for the same time = T, because of the goal</FONT> <BR><FONT SIZE=3D2>of non repudiation is to solve disputes.</FONT> </P> <P><FONT SIZE=3D2>The same properties must be achieved whether OCSP or = CRLs are used. When an</FONT> <BR><FONT SIZE=3D2>OCSP response is received with a time T in it, there = can be no dispute about</FONT> <BR><FONT SIZE=3D2>it: it contains three possible answers (not revoked, = revoked, don't know).</FONT> <BR><FONT SIZE=3D2>If an OCSP responder produces one such answer with a = time T and one of the</FONT> <BR><FONT SIZE=3D2>three statuses, no one else can present an answer = with the same time T in it</FONT> <BR><FONT SIZE=3D2>with a different answer from the same OCSP = responder. Once again, it would</FONT> <BR><FONT SIZE=3D2>not be acceptable that at a given time T two = opposite responses could be</FONT> <BR><FONT SIZE=3D2>obtained. This would result in disputes.</FONT> </P> <P><FONT SIZE=3D2>This means that at time T, there is must be one and = only one possible</FONT> <BR><FONT SIZE=3D2>answer. This allows to use OCSP responses for non = repudiation purposes. The</FONT> <BR><FONT SIZE=3D2>same property must be supported so that CRLs can be = used for non repudiation</FONT> <BR><FONT SIZE=3D2>purposes. So the goal is that when using CRLs in the = context of non</FONT> <BR><FONT SIZE=3D2>repudiation, only one response (i.e. not revoked, = revoked, don't know) can</FONT> <BR><FONT SIZE=3D2>be obtained.</FONT> </P> <P><FONT SIZE=3D2>I do know that non repudiation is only one use of the = PKI and that there are</FONT> <BR><FONT SIZE=3D2>other usages such as authentication, integrity and = confidentiality. So let</FONT> <BR><FONT SIZE=3D2>us now describe what is necessary, if the CRL = contains at least one</FONT> <BR><FONT SIZE=3D2>certificate that can be used for non repudiation = purposes (e.g. it has the</FONT> <BR><FONT SIZE=3D2>NR bit set).</FONT> </P> <P><FONT SIZE=3D2>If at time T there is more than one CRL valid, then = there is a possibility</FONT> <BR><FONT SIZE=3D2>to miss the most recent, in case there is a denial = of service attack on it</FONT> <BR><FONT SIZE=3D2>(i.e. suppression of the latest CRL while in = transit).</FONT> </P> <P><FONT SIZE=3D2>This means that "emergency" CRLs will not = necessarily be seen. "Emergency"</FONT> <BR><FONT SIZE=3D2>CRLs may be used for authentication, integrity and = confidentiality, but may</FONT> <BR><FONT SIZE=3D2>create problems when used in the context of non = repudiation.</FONT> </P> <P><FONT SIZE=3D2>This has several implications: we should deprecate = the use of "emergency"</FONT> <BR><FONT SIZE=3D2>CRLs for being used for a non repudiation service, = because they could</FONT> <BR><FONT SIZE=3D2>provide two different responses. </FONT> </P> <P><FONT SIZE=3D2>People using full CRLs, i.e. without taking advantage = of the delta CRLs,</FONT> <BR><FONT SIZE=3D2>would get only one result.</FONT> </P> <P><FONT SIZE=3D2>People using base CRLs and thus taking advantage of = the delta CRLs would</FONT> <BR><FONT SIZE=3D2>also get one single result. For that reason we = should also deprecate the use</FONT> <BR><FONT SIZE=3D2>of "emergency" delta CRLs.</FONT> </P> <P><FONT SIZE=3D2>This now explains why it is important to get one = answer, at most, at a time.</FONT> <BR><FONT SIZE=3D2>I do understand that lacking this information, the = mechanism seems to be</FONT> <BR><FONT SIZE=3D2>constrained without any "good" = reason.</FONT> </P> <P><FONT SIZE=3D2>Now how can a verifier be sure to get the freshest = information ?</FONT> </P> <P><FONT SIZE=3D2>This depends on the verification rules. Let us = restrict the discussion to</FONT> <BR><FONT SIZE=3D2>the leaf certificate.</FONT> </P> <P><FONT SIZE=3D2>If the validation rules (be careful this has strong = relationships with the</FONT> <BR><FONT SIZE=3D2>DPV protocol) say : "use full CRLs only" = and there is no "emergency CRL",</FONT> <BR><FONT SIZE=3D2>then everything works nice.</FONT> </P> <P><FONT SIZE=3D2>If the validation rules say: "use the freshest = information that is provided</FONT> <BR><FONT SIZE=3D2>by the CA", then the question is how can a = verifier know how the freshest</FONT> <BR><FONT SIZE=3D2>information is obtained ? The answer is: only = through extensions. Why ?</FONT> </P> <P><FONT SIZE=3D2>Let us assume first that no extension either in the = certificate or the CRL</FONT> <BR><FONT SIZE=3D2>is being used. The answer would be : make a search = for delta CRLs in the</FONT> <BR><FONT SIZE=3D2>directory. The problem is that, in case a denial of = service attack, the</FONT> <BR><FONT SIZE=3D2>delta CRLs, even if they exist, will not be = "seen". So the verifier will use</FONT> <BR><FONT SIZE=3D2>the base CRL and thus two verifications done at the = same time T will provide</FONT> <BR><FONT SIZE=3D2>two different results. :-(</FONT> </P> <P><FONT SIZE=3D2>So there needs to be some way, so that, in the event = of a denial of service</FONT> <BR><FONT SIZE=3D2>attacks, either the right information is obtained or = that no information at</FONT> <BR><FONT SIZE=3D2>all is obtained. In the later case, if the = revocation information is not</FONT> <BR><FONT SIZE=3D2>found, then the signature is not accepted (in some = cases a try can be done</FONT> <BR><FONT SIZE=3D2>later on).</FONT> </P> <P><FONT SIZE=3D2>A consequence is the following: verifiers must know = without ambiguity</FONT> <BR><FONT SIZE=3D2>whether a delta CRL mechanism is supported, so that = if delta CRL are</FONT> <BR><FONT SIZE=3D2>supported it is possible to know unambiguously that = it is the case. </FONT> </P> <P><FONT SIZE=3D2>There are two options. </FONT> </P> <P><FONT SIZE=3D2>1) Should we use the freshestCRL extension from the = leaf certificate ? This</FONT> <BR><FONT SIZE=3D2>means that the CA MUST support delta CRLs at any = time during whole the</FONT> <BR><FONT SIZE=3D2>life-time of the certificate. This is quite = constraining for the CA, but</FONT> <BR><FONT SIZE=3D2>this is possible.</FONT> </P> <P><FONT SIZE=3D2>2) Should we use the freshestCRL extension from the = CRL? This means that the</FONT> <BR><FONT SIZE=3D2>CA will only support delta CRLs for that CRL without = any engagement to</FONT> <BR><FONT SIZE=3D2>support a delta CRL mechanism for the next one. This = is more flexible.</FONT> </P> <P><FONT SIZE=3D2>What does this means ? That it is very likely that we = will not end up wit</FONT> <BR><FONT SIZE=3D2>the same mechanism when using delta CRLs for a = certificate used for non</FONT> <BR><FONT SIZE=3D2>repudiation purposes and when using a certificate = for other purposes. One of</FONT> <BR><FONT SIZE=3D2>the algorithms may look first at the delta CRLs, = whether they exist or not,</FONT> <BR><FONT SIZE=3D2>while the other will only take a look for them after = making sure that they</FONT> <BR><FONT SIZE=3D2>must exit.</FONT> </P> <P><FONT SIZE=3D2>The best guess, if it succeeds, is certainly valid = for "other purposes". So</FONT> <BR><FONT SIZE=3D2>I will now focus on the algorithm to be used for non = repudiation purposes.</FONT> </P> <P><FONT SIZE=3D2> An application that is willing to obtain = the freshest CRL </FONT> <BR><FONT SIZE=3D2> information for a given certificate = used for non repudiation </FONT> <BR><FONT SIZE=3D2> purposes, must know if a delta CRL = mechanism is supported. </FONT> <BR><FONT SIZE=3D2> Either the certificate or any CRL that = is able to reference </FONT> <BR><FONT SIZE=3D2> that certificate MUST include a = freshestCRL extension </FONT> <BR><FONT SIZE=3D2> (a.k.a. a Delta CRL distribution = point). </FONT> </P> <P><FONT SIZE=3D2> The application may then construct an = updated CRL for that </FONT> <BR><FONT SIZE=3D2> base, for a specific time T, by = combining it with a delta </FONT> <BR><FONT SIZE=3D2> CRL which contains a delta CRL = indicator extension with the </FONT> <BR><FONT SIZE=3D2> same CRL number as the base CRL. = Applications that support </FONT> <BR><FONT SIZE=3D2> delta CRLs MUST ensure that time T = falls between thisUpdate </FONT> <BR><FONT SIZE=3D2> and nextUpdate for both the base CRL = and the delta CRL.</FONT> </P> <P><FONT SIZE=3D2> Note: An application could also = reconstruct an updated CRL, </FONT> <BR><FONT SIZE=3D2> for a specific time T, by using a = previously locally </FONT> <BR><FONT SIZE=3D2> reconstructed CRL based on the current = base CRL, and </FONT> <BR><FONT SIZE=3D2> combining it with a delta CRL which = contains a delta CRL </FONT> <BR><FONT SIZE=3D2> indicator extension with the same CRL = number as the base </FONT> <BR><FONT SIZE=3D2> CRL.</FONT> </P> <P><FONT SIZE=3D2>For the constraint about the CA:</FONT> </P> <P><FONT SIZE=3D2> For any CRL that may reference a = certificate used for </FONT> <BR><FONT SIZE=3D2> non repudiation purposes, and for any = time T until </FONT> <BR><FONT SIZE=3D2> the nextUpdate time indicated in a base = CRL, the CA MUST </FONT> <BR><FONT SIZE=3D2> provide one and only one base CRL and = one and only delta </FONT> <BR><FONT SIZE=3D2> CRL that refers to that base CRL and = for which time T </FONT> <BR><FONT SIZE=3D2> falls between thisUpdate and nextUpdate = from the delta CRL.</FONT> </P> <P><FONT SIZE=3D2>There are still other issues to discuss, like the CRL = numbering,</FONT> <BR><FONT SIZE=3D2>whether it is unique or not, let us wait for next = week for that topic.</FONT> </P> <P><FONT SIZE=3D2>Regards,</FONT> </P> <P><FONT SIZE=3D2>Denis</FONT> </P> <BR> <P><FONT SIZE=3D2>> Denis:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Please excuse the half-done message from this = morning. My mailer and I had</FONT> <BR><FONT SIZE=3D2>> a disagreement...</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Anyway, since I was not going to get the full = message out before the end of</FONT> <BR><FONT SIZE=3D2>> the business day in France, I took the time to = coordinate a response with</FONT> <BR><FONT SIZE=3D2>> Tim Polk and David Cooper. This mail = thread is quite long, so hopefully</FONT> <BR><FONT SIZE=3D2>> our coordination on the side will reduce the = overall number of messages to</FONT> <BR><FONT SIZE=3D2>> the list and help to reach consensus = faster.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Here goes ....</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >There is difference between a base = CRL and a full CRL : a base CRL MUST</FONT> <BR><FONT SIZE=3D2>> >include a freshestCRL extension = (a.k.a. a Delta CRL distribution point),</FONT> <BR><FONT SIZE=3D2>> >whereas a full CRL may not include = that extension. In other words, a base</FONT> <BR><FONT SIZE=3D2>> >CRL is a also a full CRL, but a full = CRL is not necessarily a base CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> There is no requirement in X.509 to include any = extension in a certificate</FONT> <BR><FONT SIZE=3D2>> or CRL advertising the availability of delta = CRLs. PKIX makes the</FONT> <BR><FONT SIZE=3D2>> freshestCRL extension available for advertising = the existence of delta</FONT> <BR><FONT SIZE=3D2>> CRLs, but again does not mandate its use. = Furthermore, even if the</FONT> <BR><FONT SIZE=3D2>> freshestCRL extension is used, it may be placed = in either the certificate</FONT> <BR><FONT SIZE=3D2>> or the full CRL. If the extension is placed in = certificates, there is no</FONT> <BR><FONT SIZE=3D2>> need for it to be in the full CRL (but, it = could be).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Finally, if delta CRLs are being issued, and = are being advertised through</FONT> <BR><FONT SIZE=3D2>> the freshestCRL CRL extension, then the = extension should be included in all</FONT> <BR><FONT SIZE=3D2>> full CRLs for that scope, not just the base = CRLs. If a relying party</FONT> <BR><FONT SIZE=3D2>> obtains the most recently issued full CRL for a = scope from a repository,</FONT> <BR><FONT SIZE=3D2>> and that full CRL is not a base CRL, how will = the relying party know that</FONT> <BR><FONT SIZE=3D2>> delta CRLs are available?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >At any time a CA may issue a full = CRL, whether or not a base CRL has already</FONT> <BR><FONT SIZE=3D2>> >been issued. This additional CRL = SHOULD have nextUpdate equal to the</FONT> <BR><FONT SIZE=3D2>> >nextUpdate of the last issued full = CRL. However, there is no guarantee that</FONT> <BR><FONT SIZE=3D2>> >this additional CRL will ever be seen = by the relying party (because there</FONT> <BR><FONT SIZE=3D2>> >will be two CRLs matching the = thisUpdate and nextUpdate rule and if one is</FONT> <BR><FONT SIZE=3D2>> >deleted, this is not seen by a = relying party).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> The nextUpdate field in a full CRL (base or = otherwise) should specify the</FONT> <BR><FONT SIZE=3D2>> time by which new revocation information will = be available. So, if a new</FONT> <BR><FONT SIZE=3D2>> base CRL is issued once a day, but full CRLs = are issued every hour, the</FONT> <BR><FONT SIZE=3D2>> nextUpdate field of each full CRL should one = hour after that CRL's</FONT> <BR><FONT SIZE=3D2>> thisUpdate time.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >Due to the fact that CRLs numbers are = strictly increasing, two CRLs whether</FONT> <BR><FONT SIZE=3D2>> >they are a base CRL or delta CRL, = CANNOT have the same CRL number. So a</FONT> <BR><FONT SIZE=3D2>> >delta CRL and a full CRL that cover = the same scope and are issued at the</FONT> <BR><FONT SIZE=3D2>> >same time CANNOT have the same = number.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> We disagree. If a full CRL and a delta = CRL are issued at the same time for</FONT> <BR><FONT SIZE=3D2>> the same scope, then they ARE the same CRL and = MUST have the same CRL number.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >If a full CRL is issued, its = CRL</FONT> <BR><FONT SIZE=3D2>> >number bears no relationship with the = previous base CRL, if any.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Again, we disagree. A sequence of CRLs for a = given scope must contain a</FONT> <BR><FONT SIZE=3D2>> monotonically increasing sequence of CRL = numbers. Relying parties that do</FONT> <BR><FONT SIZE=3D2>> not process delta CRLs, and thus do not = recognize the non-critical</FONT> <BR><FONT SIZE=3D2>> freshestCRL extension, will not be able to = distinguish between those full</FONT> <BR><FONT SIZE=3D2>> CRLs that are base CRLs and those full CRLs = that are not base CRLs. The CRL</FONT> <BR><FONT SIZE=3D2>> numbers for these full CRLs must be from one = monotonically increasing sequence.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >The only</FONT> <BR><FONT SIZE=3D2>> >relationship between the numbers is = defined by the rule that CRLs numbers</FONT> <BR><FONT SIZE=3D2>> >are strictly increasing. As Santosh = said : "the CRL number is unique</FONT> <BR><FONT SIZE=3D2>> >whether it is a base or a delta = ".</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >This is fairly important to be able = to unambiguously (and thus uniquely)</FONT> <BR><FONT SIZE=3D2>> >refer to a CRL by only providing its = CRL number.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Exactly. If a full CRL and the delta CRL are = issued for the same scope at</FONT> <BR><FONT SIZE=3D2>> the same time, they are the same CRL. The CRL = number unambiguously and</FONT> <BR><FONT SIZE=3D2>> uniquely refers to this ONE CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >Besides the fact that a CRL issued = later MUST have a higher CRL number, full</FONT> <BR><FONT SIZE=3D2>> >CRLs and delta CRLs have independent = numbering rules. As noticed by Santosh,</FONT> <BR><FONT SIZE=3D2>> >" if the delta thisUpdate > = base thisUpdate, delta CRL number > base CRL</FONT> <BR><FONT SIZE=3D2>> >number (for the same or no stream = identifier).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> If you agree that delta thisUpdate > base = thisUpdate implies delta CRL</FONT> <BR><FONT SIZE=3D2>> number > base CRL, then you are = acknowledging that the CRL numbers of the</FONT> <BR><FONT SIZE=3D2>> full CRLs and delta CRLs are not = independent.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >As Santosh said : "a check based = on thisUpdate is more general and</FONT> <BR><FONT SIZE=3D2>> >preferred [to the use of CRL = numbers]. "</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Related to the three rules mentioned = by Russ :</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >1) the first rule is not = understandable to me.</FONT> <BR><FONT SIZE=3D2>> >2) the second rule does not say = anything more than the basic rule valid</FONT> <BR><FONT SIZE=3D2>> > for any CRL (i.e. = a CRL issued later MUST have a higher CRL number).</FONT> <BR><FONT SIZE=3D2>> >3) we will debate the hold condition, = once we will have sorted the main</FONT> <BR><FONT SIZE=3D2>> > issue.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Russ said : "If separate number = sequence is used, then you will have to</FONT> <BR><FONT SIZE=3D2>> >periodically fetch base CRLs ". = This is true.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Tim said that he would *not* like to = be forced to download new base CRLs.</FONT> <BR><FONT SIZE=3D2>> >This is the core of the = "dispute".</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Our goal should be to allow delta CRL enabled = clients to obtain accurate</FONT> <BR><FONT SIZE=3D2>> information in the most efficient manner = possible. Forcing clients to</FONT> <BR><FONT SIZE=3D2>> periodically download full CRLs, when this is = not necessary, is inefficient.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > From the definition of what a delta = CRL is, it is *not* possible to</FONT> <BR><FONT SIZE=3D2>> >get rid of the fetching of base CRLs. = Unless we add a new sentence to</FONT> <BR><FONT SIZE=3D2>> >expand/change that definition, base = CRL fetching will remain mandatory.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> True. However, if one performs validations = frequently enough, it is</FONT> <BR><FONT SIZE=3D2>> possible to obtain a single full CRL and then = subsequently download only</FONT> <BR><FONT SIZE=3D2>> delta CRLs. We need to require that full CRL be = issued periodically so that</FONT> <BR><FONT SIZE=3D2>> clients whose locally stored information is not = sufficiently up-to-date to</FONT> <BR><FONT SIZE=3D2>> apply the delta CRLs being issued can obtain = the full CRLs that they need,</FONT> <BR><FONT SIZE=3D2>> but we should not require clients to download = full CRLs when it is not</FONT> <BR><FONT SIZE=3D2>> necessary for them to do so.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >Remember that the goal of delta CRLs = is to provide the freshest information,</FONT> <BR><FONT SIZE=3D2>> >and to my knowledge the goal was not = to get rid of the fetching of base CRLs</FONT> <BR><FONT SIZE=3D2>> >(which may less frequent due to the = support of delta CRLs).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Yes, but the goal should be to minimize the = fetching of full CRLs.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >If I understand correctly, = Tim/David/Russ would like to *always* achieve the</FONT> <BR><FONT SIZE=3D2>> >following property : it is possible = to reconstruct the current CRL by using</FONT> <BR><FONT SIZE=3D2>> >a base CRL from, e.g. 1990, i.e. by = capturing every delta CRL that has been</FONT> <BR><FONT SIZE=3D2>> >issued at the same time a base CRL = was issued and which contains updates</FONT> <BR><FONT SIZE=3D2>> >made to the *previous* base.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >By this way the fetching of base CRLs = could be avoided. However, note that</FONT> <BR><FONT SIZE=3D2>> >it is perfectly " legal " = to stop issuing base and delta CRLs during some</FONT> <BR><FONT SIZE=3D2>> >period of time and to issue full CRLs = instead (see the difference between</FONT> <BR><FONT SIZE=3D2>> >"full" and "base" = at the top of this e-mail). In other words there is no</FONT> <BR><FONT SIZE=3D2>> >need to issue a new base CRL at the = end of the validity period of the</FONT> <BR><FONT SIZE=3D2>> >previous base CRL. Doing this would = mandate to prescribe issuing rules</FONT> <BR><FONT SIZE=3D2>> >for CAs that we have not = prescripted.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> You are mixing apples and oranges. Obviously = the scheme of keeping</FONT> <BR><FONT SIZE=3D2>> up-to-date by obtaining a base from 1990 and = then only downloading deltas</FONT> <BR><FONT SIZE=3D2>> will only work so long as deltas continue to be = issued. If the CRL issuer</FONT> <BR><FONT SIZE=3D2>> ceases to issue deltas, then the relying = parties will have to revert to</FONT> <BR><FONT SIZE=3D2>> downloading full CRLs.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >I will now raise a series of = questions, for which I believe we have</FONT> <BR><FONT SIZE=3D2>> >different answers. Tim/David/Russ do = not hesitate to correct</FONT> <BR><FONT SIZE=3D2>> >if my guess is wrong. ;-)</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Common point:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >1) What will be the value of the = nextUpdate field from the last issued delta</FONT> <BR><FONT SIZE=3D2>> >CRL for a given base CRL ?</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Denis: the nextUpdate field from the = last issued delta CRL MUST be equal to</FONT> <BR><FONT SIZE=3D2>> >the value of nextUpdate from the base = CRL.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Tim/David/Russ: ???</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> The nextUpdate field in a base CRL states when = the next full CRL will be</FONT> <BR><FONT SIZE=3D2>> available. This is important for supporting = clients that do not handle</FONT> <BR><FONT SIZE=3D2>> delta CRLs. The nextUpdate field in a delta CRL = states when the next CRL</FONT> <BR><FONT SIZE=3D2>> (either a delta CRL or a full CRL) will be = available. As a general rule, if</FONT> <BR><FONT SIZE=3D2>> the CA is continuing to issue deltas, the = nextUpdate in the delta will be</FONT> <BR><FONT SIZE=3D2>> the time by which the next delta will be = available. If this is the last</FONT> <BR><FONT SIZE=3D2>> delta that the CA is going to issue, then the = nextUpdate in the delta will</FONT> <BR><FONT SIZE=3D2>> be the time by which the next full CRL will be = available. ("Available"</FONT> <BR><FONT SIZE=3D2>> SHOULD reflect distribution delays associated = with the repository</FONT> <BR><FONT SIZE=3D2>> architecture.)</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >2) Does a CA needs to issue a delta = CRL at the time a full CRL is issued ?</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Denis: No.</FONT> <BR><FONT SIZE=3D2>> >Tim/David/Russ : ???</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> No. A CA never is required to issue deltas. = However, it would be helpful to</FONT> <BR><FONT SIZE=3D2>> delta CRL enabled clients to allow them to = construct the full CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> If the full CRL contains a freshestCRL = extension, then it is a very good</FONT> <BR><FONT SIZE=3D2>> idea to generate a delta CRL at the same time. = In this way, any client will</FONT> <BR><FONT SIZE=3D2>> be able to find a current delta CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >3) Does a CA needs to issue a new = base CRL at the end of the validity of a</FONT> <BR><FONT SIZE=3D2>> >current base CRL ?</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Denis: No.</FONT> <BR><FONT SIZE=3D2>> >Tim/David/Russ : ???</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> No. HOWEVER, the CA must issue a new full CRL = by the nextUpdate in the</FONT> <BR><FONT SIZE=3D2>> previously issued full CRL (whether that full = CRL is a base CRL or not).</FONT> <BR><FONT SIZE=3D2>> There is no requirement that the next full CRL = be a base CRL. (The CA could</FONT> <BR><FONT SIZE=3D2>> quit issuing deltas, etc. etc.)</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Every base CRL MUST be a full CRL, but not = every full CRL is a base CRL.</FONT> <BR><FONT SIZE=3D2>> But, a CA could make every full CRL a base CRL = if they wanted to.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >4) Does a CA needs to issue a delta = CRL at the same time a new base is</FONT> <BR><FONT SIZE=3D2>> >issued ?</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Denis: Yes. The delta CRL refers to = the *new* base.</FONT> <BR><FONT SIZE=3D2>> >Tim/David/Russ : ???</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> No. HOWEVER, in practice we belive that CAs = will do so. The delta CRL needs</FONT> <BR><FONT SIZE=3D2>> to exist so that clients can follow the = freshest CRL extension (either in a</FONT> <BR><FONT SIZE=3D2>> certificate or a base CRL). The delta CRL that = is issued at the same time</FONT> <BR><FONT SIZE=3D2>> SHOULD point to a previously issued full CRL = (which will then, by</FONT> <BR><FONT SIZE=3D2>> definition be a base CRL) whenever possible. = There is no information to add</FONT> <BR><FONT SIZE=3D2>> to the new base CRL! By providing the delta as = an update to a previous base</FONT> <BR><FONT SIZE=3D2>> CRL, clients can download the delta CRL to = construct the new base CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >The last point highlights the most = noticeable difference. Other differences</FONT> <BR><FONT SIZE=3D2>> >appears when considering the guaranty = to get the freshest information :</FONT> <BR><FONT SIZE=3D2>> >using the traditional scheme and the = thisUpdate and nextUpdate fields the</FONT> <BR><FONT SIZE=3D2>> >guaranty to get the freshest = information is obtained, but cannot be obtained</FONT> <BR><FONT SIZE=3D2>> >using the other scheme. :-(</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Several people are referring to the = X.509 document for arguments to support</FONT> <BR><FONT SIZE=3D2>> >that discussion. However, it is = important to remember that we are defining</FONT> <BR><FONT SIZE=3D2>> >PKIX, not X.509, so we DO NOT need to = copy and paste everything from X.509,</FONT> <BR><FONT SIZE=3D2>> >but only what we believe is = relevant.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> PKIX is a profile of X.509. PKIX may = impose additional requirements beyond</FONT> <BR><FONT SIZE=3D2>> those in X.509 or may exclude features that are = optional in X.509, but</FONT> <BR><FONT SIZE=3D2>> otherwise PKIX must be consistent with X.509. = In that context, references</FONT> <BR><FONT SIZE=3D2>> to X.509 are appropriate.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >We first need to clearly define the = processing rules applicable to the</FONT> <BR><FONT SIZE=3D2>> >relying parties. These rules will = certainly contain SHALL/MUST statements,</FONT> <BR><FONT SIZE=3D2>> >but may also include some MAY = statements which may even be conditional to</FONT> <BR><FONT SIZE=3D2>> >what the CA is doing. (I let = Tim/David or Russ provide the MAY statement).</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Here is a proposal for the MUST = statement, based on the previous text I</FONT> <BR><FONT SIZE=3D2>> >produced:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > An application = that is wishing to take advantage of delta CRLs</FONT> <BR><FONT SIZE=3D2>> > for a given scope, = MUST first find a base CRL for that scope,</FONT> <BR><FONT SIZE=3D2>> > i.e. a full CRL = that that contains a freshestCRL extension</FONT> <BR><FONT SIZE=3D2>> > (a.k.a. a Delta = CRL distribution point).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> No. The relying party needs a full CRL (either = one that has been downloaded</FONT> <BR><FONT SIZE=3D2>> from a repository or one that has been locally = generated) against which the</FONT> <BR><FONT SIZE=3D2>> delta CRL of interest may be applied. There is = no requirement that the full</FONT> <BR><FONT SIZE=3D2>> CRL be a base CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > It may then = construct</FONT> <BR><FONT SIZE=3D2>> > an updated CRL for = that base, for a specific time T, by combining</FONT> <BR><FONT SIZE=3D2>> > it with a delta = CRL which contains a delta CRL indicator extension</FONT> <BR><FONT SIZE=3D2>> > with the same CRL = number as the base CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> It may construct an updated CRL by combining = the delta CRL with any full</FONT> <BR><FONT SIZE=3D2>> CRL whose CRL number is greater than or equal = to the CRL number of the</FONT> <BR><FONT SIZE=3D2>> referenced base. By saying = "equal" instead of "greater than or equal" = we</FONT> <BR><FONT SIZE=3D2>> would be hiding useful information from = implementors. We should not be</FONT> <BR><FONT SIZE=3D2>> hiding useful information.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > Applications that = support</FONT> <BR><FONT SIZE=3D2>> > delta CRLs MUST = ensure that time T falls between thisUpdate and</FONT> <BR><FONT SIZE=3D2>> > nextUpdate for = both the base CRL and the delta CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> As stated above, the nextUpdate field in a base = CRL specifies the time by</FONT> <BR><FONT SIZE=3D2>> which new revocation information will be = available through full CRLs. A</FONT> <BR><FONT SIZE=3D2>> delta CRL may be applied to a base CRL as long = as the CRL number in the</FONT> <BR><FONT SIZE=3D2>> base CRL is greater than or equal to the CRL = number of the base CRL</FONT> <BR><FONT SIZE=3D2>> referenced by the delta CRL. The nextUpdate = time of the base CRL is irrelevant.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > Note: An = application could also reconstruct an updated CRL, for</FONT> <BR><FONT SIZE=3D2>> > a specific time T, = by using a previously locally reconstructed CRL</FONT> <BR><FONT SIZE=3D2>> > based on the = current base CRL, and combining it with a delta CRL which</FONT> <BR><FONT SIZE=3D2>> > contains a delta = CRL indicator extension with the same CRL number as</FONT> <BR><FONT SIZE=3D2>> > the base = CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Same problem as above. Need to say = "greater than or equal to".</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >We also need to clearly separate the = issuing rules applicable for the CAs.</FONT> <BR><FONT SIZE=3D2>> >These rules will certainly contain = SHALL statements, but could also include</FONT> <BR><FONT SIZE=3D2>> >some MAY statements. (I let Tim/David = or Russ provide the MAY statement).</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Here is a proposal for the MUST statem= ent, based on the previous text I</FONT> <BR><FONT SIZE=3D2>> >produced:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > A CA that supports = delta-CRLs, MUST issue a base CRL,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> This is an unnecessary statement. A delta CRL = must include a BaseCRLNumber.</FONT> <BR><FONT SIZE=3D2>> The CRL specified by that BaseCRLNumber is by = definition a base CRL. Of</FONT> <BR><FONT SIZE=3D2>> course, the referenced base CRL MUST be a full = CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > i.e. a full</FONT> <BR><FONT SIZE=3D2>> > CRL that contains = a freshestCRL extension (a.k.a. a Delta CRL</FONT> <BR><FONT SIZE=3D2>> > distribution = point).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> While it might be a good idea to mandate the = inclusion of the frestestCRL</FONT> <BR><FONT SIZE=3D2>> extension in full CRLs that are issued for = scopes in which delta CRLs are</FONT> <BR><FONT SIZE=3D2>> also being issued, there is currently no such = requirement in the draft PKIX</FONT> <BR><FONT SIZE=3D2>> profile.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > For any time T = until the nextUpdate time</FONT> <BR><FONT SIZE=3D2>> > indicated in a = base CRL, the CA MUST provide one and only one</FONT> <BR><FONT SIZE=3D2>> > delta CRL that = refers to that base CRL and for which time T</FONT> <BR><FONT SIZE=3D2>> > falls between = thisUpdate and nextUpdate from the delta CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> This sentence has several problems:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 1) The nextUpdate time of a base CRL is the = time when the next full CRL</FONT> <BR><FONT SIZE=3D2>> will be available, which may precede the time = that the next base CRL will</FONT> <BR><FONT SIZE=3D2>> be issued.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 2) There is no requirement that a delta CRL use = the most recently issued</FONT> <BR><FONT SIZE=3D2>> base CRL as its base. I suppose that we = could add this requirement for the</FONT> <BR><FONT SIZE=3D2>> PKIX profile, but why? Does it really = simplify the client? Or, does it</FONT> <BR><FONT SIZE=3D2>> just make it a wee bit harder to make a = conforming CA that supports delta CRLs?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 3) If the thisUpdate time of one delta CRL must = equal the nextUpdate time</FONT> <BR><FONT SIZE=3D2>> of the previously issued delta CRL, then no = time can be allotted to account</FONT> <BR><FONT SIZE=3D2>> for propagation delays between when a delta-CRL = is issued and when it is</FONT> <BR><FONT SIZE=3D2>> available in repositories for relying parties = to obtain. Thus, there would</FONT> <BR><FONT SIZE=3D2>> be gaps between when the nextUpdate time of one = delta-CRL was reached and</FONT> <BR><FONT SIZE=3D2>> when the next delta-CRL was available.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 4) There is nothing in either X.509 or the PKIX = profile that prevents a CA</FONT> <BR><FONT SIZE=3D2>> from issuing an unscheduled (or = "emergency") delta CRL. And, there should</FONT> <BR><FONT SIZE=3D2>> not be! Many CAs intend to issue a new = CRL (delta or otherwise)</FONT> <BR><FONT SIZE=3D2>> immediately upon the revocation of a = certificate due to key compromise.</FONT> <BR><FONT SIZE=3D2>> When such an "emergency" delta CRL is = issued, there will be two delta CRLs</FONT> <BR><FONT SIZE=3D2>> for which T falls between thisUpdate and = nextUpdate. While it is true that</FONT> <BR><FONT SIZE=3D2>> there is no guarantee that relying parties will = obtain the fresher of these</FONT> <BR><FONT SIZE=3D2>> two delta CRLs, that is no reason to prevent = the CA from issuing the</FONT> <BR><FONT SIZE=3D2>> "emergency" delta. Some clients = will obtain the emergency CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >In his e-mail from Wednesday, May 9, = David said that delta-CRL processing</FONT> <BR><FONT SIZE=3D2>> >rules could be base on time instead = of CRL numbers. This is a point of which</FONT> <BR><FONT SIZE=3D2>> >I strongly agree. Let us do = it!</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >(However, there is no need to add to = PKIX, as he suggested, the support of</FONT> <BR><FONT SIZE=3D2>> >the baseUpdateTime extension from = X.509 which would even more complicate the</FONT> <BR><FONT SIZE=3D2>> >problem.)</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> No. In order to base delta CRL processing on = time, the baseUpdateTime</FONT> <BR><FONT SIZE=3D2>> extension must be present in the delta CRL. = Furthermore, the presence of</FONT> <BR><FONT SIZE=3D2>> this extension would not complicate the = problem. baseUpdateTime is a</FONT> <BR><FONT SIZE=3D2>> non-critical extension that merely provides = useful information. If you</FONT> <BR><FONT SIZE=3D2>> don't think that the information provided by = baseUpdateTime is useful,</FONT> <BR><FONT SIZE=3D2>> ignore it. Since the extension is non-critical = and can be ignored, its</FONT> <BR><FONT SIZE=3D2>> presence can not complicate the problem.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> At 09:05 AM 5/10/2001 -0400, Housley, Russ = wrote:</FONT> <BR><FONT SIZE=3D2>> >Denis:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >>There is difference between a base CRL = and a full CRL</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >You are quite right. I, for one, will = try to be more careful about the</FONT> <BR><FONT SIZE=3D2>> >use of them.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >>Due to the fact that CRLs numbers are = strictly increasing, two CRLs whether</FONT> <BR><FONT SIZE=3D2>> >>they are a base CRL or delta CRL, = CANNOT have the same CRL number.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >I disagree. A full CRL (that may be a = base CRL for subsequent delta CRLs)</FONT> <BR><FONT SIZE=3D2>> >and a delta CRL issued at the same time as = that full CRL may actually</FONT> <BR><FONT SIZE=3D2>> >represent the same revocation = information. In this case, they are the</FONT> <BR><FONT SIZE=3D2>> >same CRL, and they should have the same = number. There have been several</FONT> <BR><FONT SIZE=3D2>> >tables posted that illustrate this = numbering scheme, and I do not see any</FONT> <BR><FONT SIZE=3D2>> >text in X.509-200 that indicates this = scheme is</FONT> <BR><FONT SIZE=3D2>> [snip - truncate - the message is too long = anyway]</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0DAD5.35616B40-- Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id MAA07885 for ietf-pkix-bks; Fri, 11 May 2001 12:09:36 -0700 (PDT) Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA07874 for <ietf-pkix@imc.org>; Fri, 11 May 2001 12:09:30 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id PAA29130 for <ietf-pkix@imc.org>; Fri, 11 May 2001 15:09:22 -0400 (EDT) Message-Id: <4.2.0.58.20010511150324.01dc4320@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Fri, 11 May 2001 15:07:08 -0400 To: ietf-pkix@imc.org From: Tim Polk <wpolk@nist.gov> Subject: Strawman on Delta CRLs Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Folks, David Cooper, Russ Housley and I have collaborated on a "strawman" describing the use of delta CRLs in PKIX implementations. We believe the functionality we describe is consistent with ISO X.509 as well. The text describes algorithms for using deltas and base CRLs to (a) check the status of a certificate or (b) create a constructed CRL. This is followed by three scenarios for the use of deltas - "traditional deltas", "sliding window deltas", and a variant on sliding window deltas that factors in the real world delays in populating repositories with base and delta CRLs. I have appended the strawman below in ASCII text. The text includes tables for the examples. Please note, these tables *require* a fixed font to be legible. If you would prefer a copy in either Word or PDF, I have posted them at the following URLs: http://csrc.nist.gov/pki/documents/PKIX/PKIXdeltas.doc and http://csrc.nist.gov/pki/documents/PKIX/PKIXdeltas.pdf Hopefully, this strawman will serve to frame further discussions and accelerate consensus. Once we agree on the requirements, Russ and I will draft the necessary changes and we can finish Last Call. (I am nothing if not an optimist.) We would also like to add the examples as an *informative* appendix in son-of-2459. Thanks, Tim Polk --------------------------------strawman--------------------------- Implementing Delta CRLs Using PKIX This paper addresses the use of delta CRLs in PKIX-compliant systems. This paper assumes that delta CRLs include the delta CRL indicator extension (rather than a CRL scope extension) and ignores complications involving combined delta CRLs from indirect CRL issuers. This paper also assumes that CRLs with different scopes are distributed using different distribution points. Terms Revoked: A statement that a particular certificate's status has changed and it should no longer be trusted. Once a certificate is revoked, it is always revoked. Suspension: A statement that a particular certificate may not be trustworthy. Once placed on hold, a certificate may be revoked or the suspension may be lifted. Revocation notice: A statement that a particular certificate has been suspended or revoked. The revocation statement identifies the certificate by the issuer name and serial number. The issuer may be specified explicitly or implicitly. The issuer may be explicitly identified using the certificate issuer extension. If not specified explicitly, the issuer of the certificate is implicitly identified as the issuer of the CRL. A revocation notice includes the date and time the certificate was revoked. A revocation notice may optionally include a revocation reason in the reason code CRL entry extension. [Note: A revocation notice may optionally specify in the invalidity date extension the date from which the certificate should be considered invalid. This date may precede the actual revocation date. The invalidity date extension does not feature in this discussion, so it is not considered further in this paper.] Certificate revocation list (CRL): a list of revocation notices for certificates. CRL scope: the set of certificates that could appear on a given CRL. For example, the scope may be "all certificates issued by CA X", "all CA and end entity certificates issued by CA X", "all certificates issued by CA X that have been revoked for key compromise and CA compromise", or may be a set of certificates based on local information, such as "all certificates issued to the NIST employees located in Boulder". Full CRL: a CRL that lists all unexpired certificates, in its scope, that have been revoked for one of the revocation reasons covered by the scope of the CRL. The scope of a full CRL does not necessarily include all of the certificates issued by a CA or all possible revocation reasons. Base CRL: the particular CRL used as the foundation for a delta CRL. The base must be a full CRL. Delta CRL: a CRL that only lists those unexpired certificates, in its scope, whose revocation status has changed since the issuance of a particular, referenced base CRL. The scope of a delta CRL is must be the same as the base CRL that it references CRL Numbering A CRL issuer may generate full CRLs for more than one scope. The CRL issuer may also generate delta CRLs. Each delta CRLs must have the same scope as the full CRL referenced as its base. For each scope supported by the CRL issuer, a numbering sequence must be maintained. For each scope, the CRLs are numbered in a monotonically increasing sequence. (Wrapping is not permitted in the PKIX profile.) If a CRL issuer generates CRLs for one scope (e.g., full CRLs and deltas CRLs), the issuer must maintain one numbering sequence. If a delta CRL and a full CRL that cover the same scope are issued at the same time, they will have the same CRL number. If a CRL issuer generates CRLs for two scopes (e.g., one covering CA certificates and one covering end entity certificates), then the CRL issuer must maintain two number sequences. The CRLs and deltas for the same scope (e.g., CA certificates) will share one numbering sequence. The CRLs and deltas for the second scope (e.g., end entity certificates) will share one numbering sequence. There is no requirement that these sequences be disjoint. Algorithms for Determining Status from a Full CRL and a Delta CRL Consider a full CRL, F, with CRL number X. A client may obtain BF in either of the following ways: (a) the full CRL F may have been pushed to the client or pulled from a repository; or (b) F may have been constructed from a full CRL and a delta CRL using this algorithm. Consider a delta CRL, D, which specifies base CRL Y and has CRL number Z. This means that all certificates whose statuses have changed since the issuance of CRL Y will be listed on the delta CRL. Note that the PKIX profile requires the CA to issue CRL Y as a full CRL. Determining Whether a Full CRL and Delta CRL May Be Combined F and D may be combined if each of the following conditions are met: (1) X is greater than or equal to Y. That is, the full CRL must (at a minimum) contain all the revocation information held by the referenced base CRL. (2) X is less than Z. That is, the delta CRL must cover some time that was not covered by the full CRL. Determining Status of a Certificate from a Full CRL and a Delta CRL If the PKI client maintains the delta and full CRL, the status of an unexpired certificate C may be determined as follows: (1) If C is listed on the delta CRL, then: a. If C is listed on the delta CRL with reason code "removeFromCRL", then C is not revoked. b. Otherwise, certificate C is revoked. (2) If C was not listed on the delta CRL, then the full CRL is checked, and the status is as follows: a. If C is listed on the full CRL, then C is revoked. b. If C is not listed on the full CRL, then C is not revoked. Combining a Full CRL and Delta CRL into a Constructed CRL If the PKI client maintains the current CRL in a local cache: The revocation information on F is assumed as the initial condition. F is a list of revoked certificates; each certificate is listed with a revocation reason (which may be "unspecified"). The list of revoked certificates L with n entries denoted as L[i] where 1 <= i <= n. (The value n may shrink or grow as the combination process proceeds.) Initialize L to the revocation notices on F. For each certificate C on the delta CRL, update the contents of L as follows. If a certificate C appears on the delta CRL, and C is not currently in the list L, then: (a) if C has a revocation reason other than "removeFromCRL", add C as a new entry in the list of revoked certificates L. (b) If C has revocation reason "removeFromCRL", skip this certificate. No update to the cache is needed. If a certificate C appears on the delta CRL, and C is presently listed in L as entry L[i], then: (a) If C is listed on the delta CRL with a revocation reason of "removeFromCRL", delete entry L[i] (b) If C is listed on the delta CRL without a revocation reason or with a revocation reason other than "removeFromCRL", change the reason code associated with L[i] to the reason code specified in the delta CRL. The combination of F and D forms a new full CRL with CRL number Z. This full CRL has complete information until the time specified in the next update field in the delta CRL is reached. If a relying party is validating a certificate with respect to time T, and T is before the next update field in the delta CRL, they may assume complete information. If an unexpired certificate C within the scope of the constructed CRL is not listed, then certificate C is not revoked for one of the revocation reasons covered by this CRL. If the constructed CRL covers all reasons, then the certificate C is not revoked. Using Deltas to Distribute Revocation Information This section provides three different scenarios for the use of delta CRLs. For the purpose of these examples, assume a goal of providing revocation information to relying parties that is no more than one hour old. The following notation is used to denote a revoked certificate on a CRL: Xr certificate X is listed for reason r, where r in {a,k,h,r} The reason codes {a,k,h,r} correspond to "affiliation changed", "key compromise", "certificate hold", and "remove from CRL" respectively. (Note: The remaining reason codes are omitted for simplicity. The handling of certificates revoked for the reasons "unspecified", "CA compromise", "superseded", and "cessationOfOperation" are identical to "affiliation changed or "key compromise"). Example #1 The example below shows the "traditional" method of issuing delta CRLs. In this example, full CRLs are issued once every 3 hours and deltas are issued once an hour. For consistency, the issuer begins issuing deltas at the same time as the very first full CRL. After that, however, a delta can always use a previously issued full CRL as its base. Notice that starting with cRLNumber 4, the delta CRL issued at the same time as a full CRL uses the previously issued full CRL as its base. However, the delta-CRLs never provide more than 3 hours of history. In this example: Certificate 14 was revoked for key compromise before 12:00 when the first CRL was issued. Certificate 124 was revoked for key compromise between 12:00 and 13:00. Certificate 39 was placed on hold between 14:00 and 15:00, and its suspension was lifted between 16:00 and 17:00. Certificate 67 was revoked for an affiliation change between 16:00 and 17:00. The reason was changed to key compromise between 18:00 and 19:00. current | Revoked | Full CRL | Delta-CRL time | certificates | | ---------|--------------|--------------------------|---------------------- 12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 | | thisUpdate = 12:00 | thisUpdate = 12:00 | | nextUpdate = 15:00 | nextUpdate = 13:00 | | CertificateList = {14k} | BaseCRLNumber = 1 | | | CertificateList = {} ---------|--------------|--------------------------|---------------------- 13:00 | {14k, 124k} | | cRLNumber = 2 | | | thisUpdate = 13:00 | | | nextUpdate = 14:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 14:00 | {14k, 124k} | | cRLNumber = 3 | | | thisUpdate = 14:00 | | | nextUpdate = 15:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 15:00 | {14k, 124k, | cRLNumber = 4 | cRLNumber = 4 | 39h} | thisUpdate = 15:00 | thisUpdate = 15:00 | | nextUpdate = 18:00 | nextUpdate = 16:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 39h} | CertificateList = | | | {124k, 39h} ---------|--------------|--------------------------|---------------------- 16:00 | {14k, 124k, | | cRLNumber = 5 | 39h, 67a} | | thisUpdate = 16:00 | | | nextUpdate = 17:00 | | | BaseCRLNumber = 4 | | | CertificateList = {67a} | | | ---------|--------------|--------------------------|---------------------- 17:00 | {14k, 124k, | | cRLNumber = 6 | 67a} | | thisUpdate = 17:00 | | | nextUpdate = 18:00 | | | BaseCRLNumber = 4 | | | CertificateList = | | | {39r, 67a} ---------|--------------|--------------------------|---------------------- 18:00 | {14k, 124k, | cRLNumber = 7 | cRLNumber = 7 | 67a} | thisUpdate = 18:00 | thisUpdate = 18:00 | | nextUpdate = 21:00 | nextUpdate = 19:00 | | CertificateList = | BaseCRLNumber = 4 | | {14k, 124k, 67a} | CertificateList = | | | {39r, 67a} ---------|--------------|--------------------------|---------------------- 19:00 | {14k, 124k, | | cRLNumber = 8 | 67k} | | thisUpdate = 19:00 | | | nextUpdate = 20:00 | | | BaseCRLNumber = 7 | | | CertificateList = {67k} ---------|--------------|--------------------------|---------------------- Scenario #2 The example below shows the "sliding window" method of issuing delta-CRLs. In this example, full CRLs are issued once every 3 hours and deltas are issued once an hour. For consistency, the issuer begins issuing deltas at the same time as the very first full CRL. Notice that starting with cRLNumber 7, the delta CRL issued at the same time as a full CRL does not use the previously issued full CRL as its base but the preceding CRL instead. However, these delta-CRLs never provide more than 6 hours of history. As in example #1: Certificate 14 was revoked for key compromise before 12:00 when the first CRL was issued. Certificate 124 was revoked for key compromise between 12:00 and 13:00. Certificate 39 was placed on hold between 14:00 and 15:00, and its suspension was lifted between 16:00 and 17:00. Certificate 67 was revoked for an affiliation change between 16:00 and 17:00. The reason was changed to key compromise between 18:00 and 19:00. current | Revoked | Full CRL | Delta-CRL time | certificates | | ---------|--------------|--------------------------|---------------------- 12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 | | thisUpdate = 12:00 | thisUpdate = 12:00 | | nextUpdate = 15:00 | nextUpdate = 13:00 | | CertificateList = {14k} | BaseCRLNumber = 1 | | | CertificateList = {} ---------|--------------|--------------------------|---------------------- 13:00 | {14k, 124k} | | cRLNumber = 2 | | | thisUpdate = 13:00 | | | nextUpdate = 14:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 14:00 | {14k, 124k} | | cRLNumber = 3 | | | thisUpdate = 14:00 | | | nextUpdate = 15:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 15:00 | {14k, 124k, | cRLNumber = 4 | cRLNumber = 4 | 39h} | thisUpdate = 15:00 | thisUpdate = 15:00 | | nextUpdate = 18:00 | nextUpdate = 16:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 39h} | CertificateList = | | | {124k, 39h} ---------|--------------|--------------------------|---------------------- 16:00 | {14k, 124k, | | cRLNumber = 5 | 39h, 67a} | | thisUpdate = 16:00 | | | nextUpdate = 17:00 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39h, 67a} ---------|--------------|--------------------------|---------------------- 17:00 | {14k, 124k, | | cRLNumber = 6 | 67a} | | thisUpdate = 17:00 | | | nextUpdate = 18:00 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39h, 67a} ---------|--------------|--------------------------|---------------------- 18:00 | {14k, 124k, | cRLNumber = 7 | cRLNumber = 7 | 67a} | thisUpdate = 18:00 | thisUpdate = 18:00 | | nextUpdate = 21:00 | nextUpdate = 19:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 67a} | CertificateList = | | | {124k, 39r, 67a} ---------|--------------|--------------------------|---------------------- 19:00 | {14k, 124k, | | cRLNumber = 8 | 67k} | | thisUpdate = 19:00 | | | nextUpdate = 20:00 | | | BaseCRLNumber = 7 | | | CertificateList = | | | {39r, 67k ---------|--------------|--------------------------|---------------------- Note that the delta CRLs are marginally larger than in the first scenario since they cover a longer time period. On the other hand, a relying party is less likely to download full CRLs in the second scenario. For example, a relying party that validated one certificate at 12:15, then a second certificate at 16:15 would not require a new full CRL in scenario #2. In scenario #1, the relying party would be forced to obtain both full CRL 4 and delta CRL 5. Scenario #3 Allowing for Replication/Propagation Delays In this scenario, full CRLs and delta CRLs are replicated throughout a repository system. Data is replicated through the system at different rates based on the size of the file. The CA operators estimate that full CRLs will be available throughout the system within three hours. Delta CRLs will be available within 15 minutes. (Assume the initial CRL is small and will propagate as if a delta CRL to resolve the bootstrap issues.) The example below uses the "sliding window" method of issuing delta-CRLs, but overlaps the thisUpdate and nextUpdate times to allow for propagation. In this example, full CRLs are issued once every 3 hours and deltas are issued every 45 minutes. For consistency, the issuer begins issuing deltas at the same time as the very first full CRL. Notice that starting with cRLNumber 7, the delta CRL issued at the same time as a full CRL does not use the previously issued full CRL as its base but the preceding CRL instead. As in example #2, these delta-CRLs never provide more than 6 hours of history. Similary to examples #1 and #2: Certificate 14 was revoked for key compromise before 12:00 when the first CRL was issued. Certificate 124 was revoked for key compromise between 12:00 and 12:45. Certificate 39 was placed on hold between 14:15 and 15:00, and its suspension was lifted between 16:00 and 17:00. Certificate 67 was revoked for an affiliation change between 15:45 and 16:30. The reason was changed to key compromise between 18:00 and 18:45. current | Revoked | Full CRL | Delta-CRL time | certificates | | ---------|--------------|--------------------------|---------------------- 12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 | | thisUpdate = 12:00 | thisUpdate = 12:00 | | nextUpdate = 18:00 | nextUpdate = 13:00 | | CertificateList = {14k} | BaseCRLNumber = 1 | | | CertificateList = {} ---------|--------------|--------------------------|---------------------- 12:45 | {14k, 124k} | | cRLNumber = 2 | | | thisUpdate = 12:45 | | | nextUpdate = 13:45 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 13:30 | {14k, 124k} | | cRLNumber = 3 | | | thisUpdate = 13:30 | | | nextUpdate = 14:30 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 14:15 | {14k, 124k} | | cRLNumber = 4 | | | thisUpdate = 14:15 | | | nextUpdate = 15:15 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 15:00 | {14k, 124k, | cRLNumber = 5 | cRLNumber = 5 | 39h} | thisUpdate = 15:00 | thisUpdate = 15:00 | | nextUpdate = 21:00 | nextUpdate = 16:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 39h} | CertificateList = | | | {124k, 39h} ---------|--------------|--------------------------|---------------------- 15:45 | {14k, 124k, | | cRLNumber = 6 | 39h, 67a} | | thisUpdate = 15:45 | | | nextUpdate = 16:45 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39h, 67a} ---------|--------------|--------------------------|---------------------- 16:30 | {14k, 124k, | | cRLNumber = 7 | 67a} | | thisUpdate = 16:30 | | | nextUpdate = 17:30 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39r, 67a} ---------|--------------|--------------------------|---------------------- 17:15 | {14k, 124k, | | cRLNumber = 8 | 67a} | | thisUpdate = 17:15 | | | nextUpdate = 18:15 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39r, 67a} ---------|--------------|--------------------------|---------------------- 18:00 | {14k, 124k, | cRLNumber = 9 | cRLNumber = 9 | 67a} | thisUpdate = 18:00 | thisUpdate = 18:00 | | nextUpdate = 24:00 | nextUpdate = 19:00 | | CertificateList = | BaseCRLNumber = 5 | | {14k, 124k, 67a} | CertificateList = | | | {39r, 67a} ---------|--------------|--------------------------|---------------------- 18:45 | {14k, 124k, | | cRLNumber = 10 | 67k} | | thisUpdate = 18:45 | | | nextUpdate = 19:45 | | | BaseCRLNumber = 5 | | | CertificateList = | | | {39r, 67k} ---------|--------------|--------------------------|---------------------- Delta CRL number 6 is issued at 15:45. By 16:00, delta CRL number 6 should be available throughout the system. As a result, delta CRL number 5 specified 16:00 as its nextUpdate time. However, full CRL number 5 was issued at 15:00 and may not be available throughout the system until 18:00. As a result, full CRL number 1 specified 18:00 as its nextUpdate time. In addition, delta CRL number 6 must be based on full CRL number 1 which was issued at 12:00. If the relying party finds full CRL number 5 in the repository, they may still apply delta CRL number 6 and achieve the correct answer. Finally, note that a CRL issuer must generate more CRLs to achieve the goal of status information that is no more than one hour old when factoring in the propagation delays. Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id JAA03664 for ietf-pkix-bks; Fri, 11 May 2001 09:59:07 -0700 (PDT) Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA03656 for <ietf-pkix@imc.org>; Fri, 11 May 2001 09:59:00 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id SAA11688; Fri, 11 May 2001 18:58:59 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id SAA15220; Fri, 11 May 2001 18:58:23 +0200 Message-ID: <3AFC1A33.5CEEEE09@bull.net> Date: Fri, 11 May 2001 18:58:27 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Integris. A Bull Company X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: "Housley, Russ" <rhousley@rsasecurity.com> CC: ietf-pkix@imc.org, Tim Polk <wpolk@nist.gov>, "David A. Cooper" <david.cooper@nist.gov> Subject: Re: delta CRLs References: <3AFA4F09.5AB02392@bull.net> <E5C2786F90B4D4119A200008C716F45D8E5BCC@acrossw01.acrosswireless.com> <5.0.1.4.2.20010510143415.01896eb8@exna07.securitydynamics.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Russ, Thanks for this very detailed collective response. I have been hoping to have a phone call with some of you today, but since this had not been possible, here is an answer to your email. FYI, I will be out of my office during three days, so do no expect a reply before next Thursday. The thread has been focussing on the mechanisms, forgetting what is the rational about them. So let us come back to the rationals. One of them relates top the use of CRLs when applied to a non repudiation service. X.509 has been originally written to use CRLs for other security services and for these other services, the problems are different. We all want to be able to use either CRLs or OSCP responses for non repudiation purposes. In fact we want to allow any of these two techniques to be used in single or in combination. Right ? Having said this, we can now explain some of the rational. When validating a digital signature, for a given time T, for non repudiation purposes, it is important for a verifier to be able to prove that the certificate was NOT revoked. It is also important that two different verifiers come to the same result, for the same time T, because of the goal of non repudiation is to solve disputes. The same properties must be achieved whether OCSP or CRLs are used. When an OCSP response is received with a time T in it, there can be no dispute about it: it contains three possible answers (not revoked, revoked, don't know). If an OCSP responder produces one such answer with a time T and one of the three statuses, no one else can present an answer with the same time T in it with a different answer from the same OCSP responder. Once again, it would not be acceptable that at a given time T two opposite responses could be obtained. This would result in disputes. This means that at time T, there is must be one and only one possible answer. This allows to use OCSP responses for non repudiation purposes. The same property must be supported so that CRLs can be used for non repudiation purposes. So the goal is that when using CRLs in the context of non repudiation, only one response (i.e. not revoked, revoked, don't know) can be obtained. I do know that non repudiation is only one use of the PKI and that there are other usages such as authentication, integrity and confidentiality. So let us now describe what is necessary, if the CRL contains at least one certificate that can be used for non repudiation purposes (e.g. it has the NR bit set). If at time T there is more than one CRL valid, then there is a possibility to miss the most recent, in case there is a denial of service attack on it (i.e. suppression of the latest CRL while in transit). This means that "emergency" CRLs will not necessarily be seen. "Emergency" CRLs may be used for authentication, integrity and confidentiality, but may create problems when used in the context of non repudiation. This has several implications: we should deprecate the use of "emergency" CRLs for being used for a non repudiation service, because they could provide two different responses. People using full CRLs, i.e. without taking advantage of the delta CRLs, would get only one result. People using base CRLs and thus taking advantage of the delta CRLs would also get one single result. For that reason we should also deprecate the use of "emergency" delta CRLs. This now explains why it is important to get one answer, at most, at a time. I do understand that lacking this information, the mechanism seems to be constrained without any "good" reason. Now how can a verifier be sure to get the freshest information ? This depends on the verification rules. Let us restrict the discussion to the leaf certificate. If the validation rules (be careful this has strong relationships with the DPV protocol) say : "use full CRLs only" and there is no "emergency CRL", then everything works nice. If the validation rules say: "use the freshest information that is provided by the CA", then the question is how can a verifier know how the freshest information is obtained ? The answer is: only through extensions. Why ? Let us assume first that no extension either in the certificate or the CRL is being used. The answer would be : make a search for delta CRLs in the directory. The problem is that, in case a denial of service attack, the delta CRLs, even if they exist, will not be "seen". So the verifier will use the base CRL and thus two verifications done at the same time T will provide two different results. :-( So there needs to be some way, so that, in the event of a denial of service attacks, either the right information is obtained or that no information at all is obtained. In the later case, if the revocation information is not found, then the signature is not accepted (in some cases a try can be done later on). A consequence is the following: verifiers must know without ambiguity whether a delta CRL mechanism is supported, so that if delta CRL are supported it is possible to know unambiguously that it is the case. There are two options. 1) Should we use the freshestCRL extension from the leaf certificate ? This means that the CA MUST support delta CRLs at any time during whole the life-time of the certificate. This is quite constraining for the CA, but this is possible. 2) Should we use the freshestCRL extension from the CRL? This means that the CA will only support delta CRLs for that CRL without any engagement to support a delta CRL mechanism for the next one. This is more flexible. What does this means ? That it is very likely that we will not end up wit the same mechanism when using delta CRLs for a certificate used for non repudiation purposes and when using a certificate for other purposes. One of the algorithms may look first at the delta CRLs, whether they exist or not, while the other will only take a look for them after making sure that they must exit. The best guess, if it succeeds, is certainly valid for "other purposes". So I will now focus on the algorithm to be used for non repudiation purposes. An application that is willing to obtain the freshest CRL information for a given certificate used for non repudiation purposes, must know if a delta CRL mechanism is supported. Either the certificate or any CRL that is able to reference that certificate MUST include a freshestCRL extension (a.k.a. a Delta CRL distribution point). The application may then construct an updated CRL for that base, for a specific time T, by combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. Applications that support delta CRLs MUST ensure that time T falls between thisUpdate and nextUpdate for both the base CRL and the delta CRL. Note: An application could also reconstruct an updated CRL, for a specific time T, by using a previously locally reconstructed CRL based on the current base CRL, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. For the constraint about the CA: For any CRL that may reference a certificate used for non repudiation purposes, and for any time T until the nextUpdate time indicated in a base CRL, the CA MUST provide one and only one base CRL and one and only delta CRL that refers to that base CRL and for which time T falls between thisUpdate and nextUpdate from the delta CRL. There are still other issues to discuss, like the CRL numbering, whether it is unique or not, let us wait for next week for that topic. Regards, Denis > Denis: > > Please excuse the half-done message from this morning. My mailer and I had > a disagreement... > > Anyway, since I was not going to get the full message out before the end of > the business day in France, I took the time to coordinate a response with > Tim Polk and David Cooper. This mail thread is quite long, so hopefully > our coordination on the side will reduce the overall number of messages to > the list and help to reach consensus faster. > > Here goes .... > > >There is difference between a base CRL and a full CRL : a base CRL MUST > >include a freshestCRL extension (a.k.a. a Delta CRL distribution point), > >whereas a full CRL may not include that extension. In other words, a base > >CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. > > There is no requirement in X.509 to include any extension in a certificate > or CRL advertising the availability of delta CRLs. PKIX makes the > freshestCRL extension available for advertising the existence of delta > CRLs, but again does not mandate its use. Furthermore, even if the > freshestCRL extension is used, it may be placed in either the certificate > or the full CRL. If the extension is placed in certificates, there is no > need for it to be in the full CRL (but, it could be). > > Finally, if delta CRLs are being issued, and are being advertised through > the freshestCRL CRL extension, then the extension should be included in all > full CRLs for that scope, not just the base CRLs. If a relying party > obtains the most recently issued full CRL for a scope from a repository, > and that full CRL is not a base CRL, how will the relying party know that > delta CRLs are available? > > >At any time a CA may issue a full CRL, whether or not a base CRL has already > >been issued. This additional CRL SHOULD have nextUpdate equal to the > >nextUpdate of the last issued full CRL. However, there is no guarantee that > >this additional CRL will ever be seen by the relying party (because there > >will be two CRLs matching the thisUpdate and nextUpdate rule and if one is > >deleted, this is not seen by a relying party). > > The nextUpdate field in a full CRL (base or otherwise) should specify the > time by which new revocation information will be available. So, if a new > base CRL is issued once a day, but full CRLs are issued every hour, the > nextUpdate field of each full CRL should one hour after that CRL's > thisUpdate time. > > >Due to the fact that CRLs numbers are strictly increasing, two CRLs whether > >they are a base CRL or delta CRL, CANNOT have the same CRL number. So a > >delta CRL and a full CRL that cover the same scope and are issued at the > >same time CANNOT have the same number. > > We disagree. If a full CRL and a delta CRL are issued at the same time for > the same scope, then they ARE the same CRL and MUST have the same CRL number. > > >If a full CRL is issued, its CRL > >number bears no relationship with the previous base CRL, if any. > > Again, we disagree. A sequence of CRLs for a given scope must contain a > monotonically increasing sequence of CRL numbers. Relying parties that do > not process delta CRLs, and thus do not recognize the non-critical > freshestCRL extension, will not be able to distinguish between those full > CRLs that are base CRLs and those full CRLs that are not base CRLs. The CRL > numbers for these full CRLs must be from one monotonically increasing sequence. > > >The only > >relationship between the numbers is defined by the rule that CRLs numbers > >are strictly increasing. As Santosh said : "the CRL number is unique > >whether it is a base or a delta ". > > > >This is fairly important to be able to unambiguously (and thus uniquely) > >refer to a CRL by only providing its CRL number. > > Exactly. If a full CRL and the delta CRL are issued for the same scope at > the same time, they are the same CRL. The CRL number unambiguously and > uniquely refers to this ONE CRL. > > >Besides the fact that a CRL issued later MUST have a higher CRL number, full > >CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, > >" if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL > >number (for the same or no stream identifier). > > If you agree that delta thisUpdate > base thisUpdate implies delta CRL > number > base CRL, then you are acknowledging that the CRL numbers of the > full CRLs and delta CRLs are not independent. > > >As Santosh said : "a check based on thisUpdate is more general and > >preferred [to the use of CRL numbers]. " > > > >Related to the three rules mentioned by Russ : > > > >1) the first rule is not understandable to me. > >2) the second rule does not say anything more than the basic rule valid > > for any CRL (i.e. a CRL issued later MUST have a higher CRL number). > >3) we will debate the hold condition, once we will have sorted the main > > issue. > > > >Russ said : "If separate number sequence is used, then you will have to > >periodically fetch base CRLs ". This is true. > > > >Tim said that he would *not* like to be forced to download new base CRLs. > >This is the core of the "dispute". > > Our goal should be to allow delta CRL enabled clients to obtain accurate > information in the most efficient manner possible. Forcing clients to > periodically download full CRLs, when this is not necessary, is inefficient. > > > From the definition of what a delta CRL is, it is *not* possible to > >get rid of the fetching of base CRLs. Unless we add a new sentence to > >expand/change that definition, base CRL fetching will remain mandatory. > > True. However, if one performs validations frequently enough, it is > possible to obtain a single full CRL and then subsequently download only > delta CRLs. We need to require that full CRL be issued periodically so that > clients whose locally stored information is not sufficiently up-to-date to > apply the delta CRLs being issued can obtain the full CRLs that they need, > but we should not require clients to download full CRLs when it is not > necessary for them to do so. > > >Remember that the goal of delta CRLs is to provide the freshest information, > >and to my knowledge the goal was not to get rid of the fetching of base CRLs > >(which may less frequent due to the support of delta CRLs). > > Yes, but the goal should be to minimize the fetching of full CRLs. > > >If I understand correctly, Tim/David/Russ would like to *always* achieve the > >following property : it is possible to reconstruct the current CRL by using > >a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been > >issued at the same time a base CRL was issued and which contains updates > >made to the *previous* base. > > > >By this way the fetching of base CRLs could be avoided. However, note that > >it is perfectly " legal " to stop issuing base and delta CRLs during some > >period of time and to issue full CRLs instead (see the difference between > >"full" and "base" at the top of this e-mail). In other words there is no > >need to issue a new base CRL at the end of the validity period of the > >previous base CRL. Doing this would mandate to prescribe issuing rules > >for CAs that we have not prescripted. > > You are mixing apples and oranges. Obviously the scheme of keeping > up-to-date by obtaining a base from 1990 and then only downloading deltas > will only work so long as deltas continue to be issued. If the CRL issuer > ceases to issue deltas, then the relying parties will have to revert to > downloading full CRLs. > > >I will now raise a series of questions, for which I believe we have > >different answers. Tim/David/Russ do not hesitate to correct > >if my guess is wrong. ;-) > > > >Common point: > > > >1) What will be the value of the nextUpdate field from the last issued delta > >CRL for a given base CRL ? > > > >Denis: the nextUpdate field from the last issued delta CRL MUST be equal to > >the value of nextUpdate from the base CRL. > > > >Tim/David/Russ: ??? > > The nextUpdate field in a base CRL states when the next full CRL will be > available. This is important for supporting clients that do not handle > delta CRLs. The nextUpdate field in a delta CRL states when the next CRL > (either a delta CRL or a full CRL) will be available. As a general rule, if > the CA is continuing to issue deltas, the nextUpdate in the delta will be > the time by which the next delta will be available. If this is the last > delta that the CA is going to issue, then the nextUpdate in the delta will > be the time by which the next full CRL will be available. ("Available" > SHOULD reflect distribution delays associated with the repository > architecture.) > > >2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? > > > >Denis: No. > >Tim/David/Russ : ??? > > No. A CA never is required to issue deltas. However, it would be helpful to > delta CRL enabled clients to allow them to construct the full CRL. > > If the full CRL contains a freshestCRL extension, then it is a very good > idea to generate a delta CRL at the same time. In this way, any client will > be able to find a current delta CRL. > > >3) Does a CA needs to issue a new base CRL at the end of the validity of a > >current base CRL ? > > > >Denis: No. > >Tim/David/Russ : ??? > > No. HOWEVER, the CA must issue a new full CRL by the nextUpdate in the > previously issued full CRL (whether that full CRL is a base CRL or not). > There is no requirement that the next full CRL be a base CRL. (The CA could > quit issuing deltas, etc. etc.) > > Every base CRL MUST be a full CRL, but not every full CRL is a base CRL. > But, a CA could make every full CRL a base CRL if they wanted to. > > >4) Does a CA needs to issue a delta CRL at the same time a new base is > >issued ? > > > >Denis: Yes. The delta CRL refers to the *new* base. > >Tim/David/Russ : ??? > > No. HOWEVER, in practice we belive that CAs will do so. The delta CRL needs > to exist so that clients can follow the freshest CRL extension (either in a > certificate or a base CRL). The delta CRL that is issued at the same time > SHOULD point to a previously issued full CRL (which will then, by > definition be a base CRL) whenever possible. There is no information to add > to the new base CRL! By providing the delta as an update to a previous base > CRL, clients can download the delta CRL to construct the new base CRL. > > >The last point highlights the most noticeable difference. Other differences > >appears when considering the guaranty to get the freshest information : > >using the traditional scheme and the thisUpdate and nextUpdate fields the > >guaranty to get the freshest information is obtained, but cannot be obtained > >using the other scheme. :-( > > > >Several people are referring to the X.509 document for arguments to support > >that discussion. However, it is important to remember that we are defining > >PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, > >but only what we believe is relevant. > > PKIX is a profile of X.509. PKIX may impose additional requirements beyond > those in X.509 or may exclude features that are optional in X.509, but > otherwise PKIX must be consistent with X.509. In that context, references > to X.509 are appropriate. > > >We first need to clearly define the processing rules applicable to the > >relying parties. These rules will certainly contain SHALL/MUST statements, > >but may also include some MAY statements which may even be conditional to > >what the CA is doing. (I let Tim/David or Russ provide the MAY statement). > > > >Here is a proposal for the MUST statement, based on the previous text I > >produced: > > > > An application that is wishing to take advantage of delta CRLs > > for a given scope, MUST first find a base CRL for that scope, > > i.e. a full CRL that that contains a freshestCRL extension > > (a.k.a. a Delta CRL distribution point). > > No. The relying party needs a full CRL (either one that has been downloaded > from a repository or one that has been locally generated) against which the > delta CRL of interest may be applied. There is no requirement that the full > CRL be a base CRL. > > > It may then construct > > an updated CRL for that base, for a specific time T, by combining > > it with a delta CRL which contains a delta CRL indicator extension > > with the same CRL number as the base CRL. > > It may construct an updated CRL by combining the delta CRL with any full > CRL whose CRL number is greater than or equal to the CRL number of the > referenced base. By saying "equal" instead of "greater than or equal" we > would be hiding useful information from implementors. We should not be > hiding useful information. > > > Applications that support > > delta CRLs MUST ensure that time T falls between thisUpdate and > > nextUpdate for both the base CRL and the delta CRL. > > As stated above, the nextUpdate field in a base CRL specifies the time by > which new revocation information will be available through full CRLs. A > delta CRL may be applied to a base CRL as long as the CRL number in the > base CRL is greater than or equal to the CRL number of the base CRL > referenced by the delta CRL. The nextUpdate time of the base CRL is irrelevant. > > > Note: An application could also reconstruct an updated CRL, for > > a specific time T, by using a previously locally reconstructed CRL > > based on the current base CRL, and combining it with a delta CRL which > > contains a delta CRL indicator extension with the same CRL number as > > the base CRL. > > Same problem as above. Need to say "greater than or equal to". > > >We also need to clearly separate the issuing rules applicable for the CAs. > >These rules will certainly contain SHALL statements, but could also include > >some MAY statements. (I let Tim/David or Russ provide the MAY statement). > > > >Here is a proposal for the MUST statement, based on the previous text I > >produced: > > > > A CA that supports delta-CRLs, MUST issue a base CRL, > > This is an unnecessary statement. A delta CRL must include a BaseCRLNumber. > The CRL specified by that BaseCRLNumber is by definition a base CRL. Of > course, the referenced base CRL MUST be a full CRL. > > > i.e. a full > > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > > distribution point). > > While it might be a good idea to mandate the inclusion of the frestestCRL > extension in full CRLs that are issued for scopes in which delta CRLs are > also being issued, there is currently no such requirement in the draft PKIX > profile. > > > For any time T until the nextUpdate time > > indicated in a base CRL, the CA MUST provide one and only one > > delta CRL that refers to that base CRL and for which time T > > falls between thisUpdate and nextUpdate from the delta CRL. > > This sentence has several problems: > > 1) The nextUpdate time of a base CRL is the time when the next full CRL > will be available, which may precede the time that the next base CRL will > be issued. > > 2) There is no requirement that a delta CRL use the most recently issued > base CRL as its base. I suppose that we could add this requirement for the > PKIX profile, but why? Does it really simplify the client? Or, does it > just make it a wee bit harder to make a conforming CA that supports delta CRLs? > > 3) If the thisUpdate time of one delta CRL must equal the nextUpdate time > of the previously issued delta CRL, then no time can be allotted to account > for propagation delays between when a delta-CRL is issued and when it is > available in repositories for relying parties to obtain. Thus, there would > be gaps between when the nextUpdate time of one delta-CRL was reached and > when the next delta-CRL was available. > > 4) There is nothing in either X.509 or the PKIX profile that prevents a CA > from issuing an unscheduled (or "emergency") delta CRL. And, there should > not be! Many CAs intend to issue a new CRL (delta or otherwise) > immediately upon the revocation of a certificate due to key compromise. > When such an "emergency" delta CRL is issued, there will be two delta CRLs > for which T falls between thisUpdate and nextUpdate. While it is true that > there is no guarantee that relying parties will obtain the fresher of these > two delta CRLs, that is no reason to prevent the CA from issuing the > "emergency" delta. Some clients will obtain the emergency CRL. > > >In his e-mail from Wednesday, May 9, David said that delta-CRL processing > >rules could be base on time instead of CRL numbers. This is a point of which > >I strongly agree. Let us do it! > > > >(However, there is no need to add to PKIX, as he suggested, the support of > >the baseUpdateTime extension from X.509 which would even more complicate the > >problem.) > > No. In order to base delta CRL processing on time, the baseUpdateTime > extension must be present in the delta CRL. Furthermore, the presence of > this extension would not complicate the problem. baseUpdateTime is a > non-critical extension that merely provides useful information. If you > don't think that the information provided by baseUpdateTime is useful, > ignore it. Since the extension is non-critical and can be ignored, its > presence can not complicate the problem. > > At 09:05 AM 5/10/2001 -0400, Housley, Russ wrote: > >Denis: > > > >>There is difference between a base CRL and a full CRL > > > >You are quite right. I, for one, will try to be more careful about the > >use of them. > > > >>Due to the fact that CRLs numbers are strictly increasing, two CRLs whether > >>they are a base CRL or delta CRL, CANNOT have the same CRL number. > > > >I disagree. A full CRL (that may be a base CRL for subsequent delta CRLs) > >and a delta CRL issued at the same time as that full CRL may actually > >represent the same revocation information. In this case, they are the > >same CRL, and they should have the same number. There have been several > >tables posted that illustrate this numbering scheme, and I do not see any > >text in X.509-200 that indicates this scheme is > [snip - truncate - the message is too long anyway] Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id HAA22564 for ietf-pkix-bks; Fri, 11 May 2001 07:45:06 -0700 (PDT) Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA22540 for <ietf-pkix@imc.org>; Fri, 11 May 2001 07:44:58 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <KXGS832Y>; Fri, 11 May 2001 10:44:29 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA406F@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: Santosh Chokhani <chokhani@cygnacom.com>, "Housley, Russ" <rhousley@rsasecurity.com>, Denis.Pinkas@bull.net Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Fri, 11 May 2001 10:44:28 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0DA28.E1DFEE30" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0DA28.E1DFEE30 Content-Type: text/plain; charset="iso-8859-1" I agree as well. Santosh, regarding the term "full" I don't like that term at all. Although it is defined as a crl that is complete for a given scope, I think the human being in us tends sometimes to confuse it with a CRL that is complete for all certs issued by a CA and that is a dangerous confusion. However, since the term is defined, I don't have any strong feeling on its use. I too agree with the email Russ sent after discussing with Tim and Dave. Cheers Sharon -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Thursday, May 10, 2001 6:44 PM To: Housley, Russ; Denis.Pinkas@bull.net Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Russ: I agree with most of what you say except the following. I think use of the "full" is dangerous. These CRLs are "full" only with respect to the scope as defined in the CRLScope and/or IDP extension. This is simply a nit. You say "Relying parties that do not process delta CRLs, and thus do not recognize the non-critical freshestCRL extension, will not be able to distinguish between those full CRLs that are base CRLs and those full CRLs that are not base CRLs." Do you mean a base could also be a delta as opposed to a full? If so, that distinction can be and will be made through the deltaCRLIndicator extension without. In any case, this point seems to be irrelevant. You also say that "Every base CRL MUST be a full CRL, but not every full CRL is a base CRL." While I agree with most of what you say, your distinction between base and full (for scope) does not seem relevant or germane to me and seems to confuse the issue. But, I think (and hope) I understand this enough to know that I do NOT disagree with the final conclusions. Your rationale comes across more convoluted and confusing than it needs to be due to this needless distinction between base and full. -----Original Message----- From: Housley, Russ [ mailto:rhousley@rsasecurity.com <mailto:rhousley@rsasecurity.com> ] Sent: Thursday, May 10, 2001 2:36 PM To: Denis.Pinkas@bull.net Cc: ietf-pkix@imc.org Subject: Re: delta CRLs Denis: Please excuse the half-done message from this morning. My mailer and I had a disagreement... Anyway, since I was not going to get the full message out before the end of the business day in France, I took the time to coordinate a response with Tim Polk and David Cooper. This mail thread is quite long, so hopefully our coordination on the side will reduce the overall number of messages to the list and help to reach consensus faster. Here goes .... >There is difference between a base CRL and a full CRL : a base CRL MUST >include a freshestCRL extension (a.k.a. a Delta CRL distribution point), >whereas a full CRL may not include that extension. In other words, a base >CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. There is no requirement in X.509 to include any extension in a certificate or CRL advertising the availability of delta CRLs. PKIX makes the freshestCRL extension available for advertising the existence of delta CRLs, but again does not mandate its use. Furthermore, even if the freshestCRL extension is used, it may be placed in either the certificate or the full CRL. If the extension is placed in certificates, there is no need for it to be in the full CRL (but, it could be). Finally, if delta CRLs are being issued, and are being advertised through the freshestCRL CRL extension, then the extension should be included in all full CRLs for that scope, not just the base CRLs. If a relying party obtains the most recently issued full CRL for a scope from a repository, and that full CRL is not a base CRL, how will the relying party know that delta CRLs are available? >At any time a CA may issue a full CRL, whether or not a base CRL has already >been issued. This additional CRL SHOULD have nextUpdate equal to the >nextUpdate of the last issued full CRL. However, there is no guarantee that >this additional CRL will ever be seen by the relying party (because there >will be two CRLs matching the thisUpdate and nextUpdate rule and if one is >deleted, this is not seen by a relying party). The nextUpdate field in a full CRL (base or otherwise) should specify the time by which new revocation information will be available. So, if a new base CRL is issued once a day, but full CRLs are issued every hour, the nextUpdate field of each full CRL should one hour after that CRL's thisUpdate time. >Due to the fact that CRLs numbers are strictly increasing, two CRLs whether >they are a base CRL or delta CRL, CANNOT have the same CRL number. So a >delta CRL and a full CRL that cover the same scope and are issued at the >same time CANNOT have the same number. We disagree. If a full CRL and a delta CRL are issued at the same time for the same scope, then they ARE the same CRL and MUST have the same CRL number. >If a full CRL is issued, its CRL >number bears no relationship with the previous base CRL, if any. Again, we disagree. A sequence of CRLs for a given scope must contain a monotonically increasing sequence of CRL numbers. Relying parties that do not process delta CRLs, and thus do not recognize the non-critical freshestCRL extension, will not be able to distinguish between those full CRLs that are base CRLs and those full CRLs that are not base CRLs. The CRL numbers for these full CRLs must be from one monotonically increasing sequence. >The only >relationship between the numbers is defined by the rule that CRLs numbers >are strictly increasing. As Santosh said : "the CRL number is unique >whether it is a base or a delta ". > >This is fairly important to be able to unambiguously (and thus uniquely) >refer to a CRL by only providing its CRL number. Exactly. If a full CRL and the delta CRL are issued for the same scope at the same time, they are the same CRL. The CRL number unambiguously and uniquely refers to this ONE CRL. >Besides the fact that a CRL issued later MUST have a higher CRL number, full >CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, >" if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL >number (for the same or no stream identifier). If you agree that delta thisUpdate > base thisUpdate implies delta CRL number > base CRL, then you are acknowledging that the CRL numbers of the full CRLs and delta CRLs are not independent. >As Santosh said : "a check based on thisUpdate is more general and >preferred [to the use of CRL numbers]. " > >Related to the three rules mentioned by Russ : > >1) the first rule is not understandable to me. >2) the second rule does not say anything more than the basic rule valid > for any CRL (i.e. a CRL issued later MUST have a higher CRL number). >3) we will debate the hold condition, once we will have sorted the main > issue. > >Russ said : "If separate number sequence is used, then you will have to >periodically fetch base CRLs ". This is true. > >Tim said that he would *not* like to be forced to download new base CRLs. >This is the core of the "dispute". Our goal should be to allow delta CRL enabled clients to obtain accurate information in the most efficient manner possible. Forcing clients to periodically download full CRLs, when this is not necessary, is inefficient. > From the definition of what a delta CRL is, it is *not* possible to >get rid of the fetching of base CRLs. Unless we add a new sentence to >expand/change that definition, base CRL fetching will remain mandatory. True. However, if one performs validations frequently enough, it is possible to obtain a single full CRL and then subsequently download only delta CRLs. We need to require that full CRL be issued periodically so that clients whose locally stored information is not sufficiently up-to-date to apply the delta CRLs being issued can obtain the full CRLs that they need, but we should not require clients to download full CRLs when it is not necessary for them to do so. >Remember that the goal of delta CRLs is to provide the freshest information, >and to my knowledge the goal was not to get rid of the fetching of base CRLs >(which may less frequent due to the support of delta CRLs). Yes, but the goal should be to minimize the fetching of full CRLs. >If I understand correctly, Tim/David/Russ would like to *always* achieve the >following property : it is possible to reconstruct the current CRL by using >a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been >issued at the same time a base CRL was issued and which contains updates >made to the *previous* base. > >By this way the fetching of base CRLs could be avoided. However, note that >it is perfectly " legal " to stop issuing base and delta CRLs during some >period of time and to issue full CRLs instead (see the difference between >"full" and "base" at the top of this e-mail). In other words there is no >need to issue a new base CRL at the end of the validity period of the >previous base CRL. Doing this would mandate to prescribe issuing rules >for CAs that we have not prescripted. You are mixing apples and oranges. Obviously the scheme of keeping up-to-date by obtaining a base from 1990 and then only downloading deltas will only work so long as deltas continue to be issued. If the CRL issuer ceases to issue deltas, then the relying parties will have to revert to downloading full CRLs. >I will now raise a series of questions, for which I believe we have >different answers. Tim/David/Russ do not hesitate to correct >if my guess is wrong. ;-) > >Common point: > >1) What will be the value of the nextUpdate field from the last issued delta >CRL for a given base CRL ? > >Denis: the nextUpdate field from the last issued delta CRL MUST be equal to >the value of nextUpdate from the base CRL. > >Tim/David/Russ: ??? The nextUpdate field in a base CRL states when the next full CRL will be available. This is important for supporting clients that do not handle delta CRLs. The nextUpdate field in a delta CRL states when the next CRL (either a delta CRL or a full CRL) will be available. As a general rule, if the CA is continuing to issue deltas, the nextUpdate in the delta will be the time by which the next delta will be available. If this is the last delta that the CA is going to issue, then the nextUpdate in the delta will be the time by which the next full CRL will be available. ("Available" SHOULD reflect distribution delays associated with the repository architecture.) >2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? > >Denis: No. >Tim/David/Russ : ??? No. A CA never is required to issue deltas. However, it would be helpful to delta CRL enabled clients to allow them to construct the full CRL. If the full CRL contains a freshestCRL extension, then it is a very good idea to generate a delta CRL at the same time. In this way, any client will be able to find a current delta CRL. >3) Does a CA needs to issue a new base CRL at the end of the validity of a >current base CRL ? > >Denis: No. >Tim/David/Russ : ??? No. HOWEVER, the CA must issue a new full CRL by the nextUpdate in the previously issued full CRL (whether that full CRL is a base CRL or not). There is no requirement that the next full CRL be a base CRL. (The CA could quit issuing deltas, etc. etc.) Every base CRL MUST be a full CRL, but not every full CRL is a base CRL. But, a CA could make every full CRL a base CRL if they wanted to. >4) Does a CA needs to issue a delta CRL at the same time a new base is >issued ? > >Denis: Yes. The delta CRL refers to the *new* base. >Tim/David/Russ : ??? No. HOWEVER, in practice we belive that CAs will do so. The delta CRL needs to exist so that clients can follow the freshest CRL extension (either in a certificate or a base CRL). The delta CRL that is issued at the same time SHOULD point to a previously issued full CRL (which will then, by definition be a base CRL) whenever possible. There is no information to add to the new base CRL! By providing the delta as an update to a previous base CRL, clients can download the delta CRL to construct the new base CRL. >The last point highlights the most noticeable difference. Other differences >appears when considering the guaranty to get the freshest information : >using the traditional scheme and the thisUpdate and nextUpdate fields the >guaranty to get the freshest information is obtained, but cannot be obtained >using the other scheme. :-( > >Several people are referring to the X.509 document for arguments to support >that discussion. However, it is important to remember that we are defining >PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, >but only what we believe is relevant. PKIX is a profile of X.509. PKIX may impose additional requirements beyond those in X.509 or may exclude features that are optional in X.509, but otherwise PKIX must be consistent with X.509. In that context, references to X.509 are appropriate. >We first need to clearly define the processing rules applicable to the >relying parties. These rules will certainly contain SHALL/MUST statements, >but may also include some MAY statements which may even be conditional to >what the CA is doing. (I let Tim/David or Russ provide the MAY statement). > >Here is a proposal for the MUST statement, based on the previous text I >produced: > > An application that is wishing to take advantage of delta CRLs > for a given scope, MUST first find a base CRL for that scope, > i.e. a full CRL that that contains a freshestCRL extension > (a.k.a. a Delta CRL distribution point). No. The relying party needs a full CRL (either one that has been downloaded from a repository or one that has been locally generated) against which the delta CRL of interest may be applied. There is no requirement that the full CRL be a base CRL. > It may then construct > an updated CRL for that base, for a specific time T, by combining > it with a delta CRL which contains a delta CRL indicator extension > with the same CRL number as the base CRL. It may construct an updated CRL by combining the delta CRL with any full CRL whose CRL number is greater than or equal to the CRL number of the referenced base. By saying "equal" instead of "greater than or equal" we would be hiding useful information from implementors. We should not be hiding useful information. > Applications that support > delta CRLs MUST ensure that time T falls between thisUpdate and > nextUpdate for both the base CRL and the delta CRL. As stated above, the nextUpdate field in a base CRL specifies the time by which new revocation information will be available through full CRLs. A delta CRL may be applied to a base CRL as long as the CRL number in the base CRL is greater than or equal to the CRL number of the base CRL referenced by the delta CRL. The nextUpdate time of the base CRL is irrelevant. > Note: An application could also reconstruct an updated CRL, for > a specific time T, by using a previously locally reconstructed CRL > based on the current base CRL, and combining it with a delta CRL which > contains a delta CRL indicator extension with the same CRL number as > the base CRL. Same problem as above. Need to say "greater than or equal to". >We also need to clearly separate the issuing rules applicable for the CAs. >These rules will certainly contain SHALL statements, but could also include >some MAY statements. (I let Tim/David or Russ provide the MAY statement). > >Here is a proposal for the MUST statement, based on the previous text I >produced: > > A CA that supports delta-CRLs, MUST issue a base CRL, This is an unnecessary statement. A delta CRL must include a BaseCRLNumber. The CRL specified by that BaseCRLNumber is by definition a base CRL. Of course, the referenced base CRL MUST be a full CRL. > i.e. a full > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > distribution point). While it might be a good idea to mandate the inclusion of the frestestCRL extension in full CRLs that are issued for scopes in which delta CRLs are also being issued, there is currently no such requirement in the draft PKIX profile. > For any time T until the nextUpdate time > indicated in a base CRL, the CA MUST provide one and only one > delta CRL that refers to that base CRL and for which time T > falls between thisUpdate and nextUpdate from the delta CRL. This sentence has several problems: 1) The nextUpdate time of a base CRL is the time when the next full CRL will be available, which may precede the time that the next base CRL will be issued. 2) There is no requirement that a delta CRL use the most recently issued base CRL as its base. I suppose that we could add this requirement for the PKIX profile, but why? Does it really simplify the client? Or, does it just make it a wee bit harder to make a conforming CA that supports delta CRLs? 3) If the thisUpdate time of one delta CRL must equal the nextUpdate time of the previously issued delta CRL, then no time can be allotted to account for propagation delays between when a delta-CRL is issued and when it is available in repositories for relying parties to obtain. Thus, there would be gaps between when the nextUpdate time of one delta-CRL was reached and when the next delta-CRL was available. 4) There is nothing in either X.509 or the PKIX profile that prevents a CA from issuing an unscheduled (or "emergency") delta CRL. And, there should not be! Many CAs intend to issue a new CRL (delta or otherwise) immediately upon the revocation of a certificate due to key compromise. When such an "emergency" delta CRL is issued, there will be two delta CRLs for which T falls between thisUpdate and nextUpdate. While it is true that there is no guarantee that relying parties will obtain the fresher of these two delta CRLs, that is no reason to prevent the CA from issuing the "emergency" delta. Some clients will obtain the emergency CRL. >In his e-mail from Wednesday, May 9, David said that delta-CRL processing >rules could be base on time instead of CRL numbers. This is a point of which >I strongly agree. Let us do it! > >(However, there is no need to add to PKIX, as he suggested, the support of >the baseUpdateTime extension from X.509 which would even more complicate the >problem.) No. In order to base delta CRL processing on time, the baseUpdateTime extension must be present in the delta CRL. Furthermore, the presence of this extension would not complicate the problem. baseUpdateTime is a non-critical extension that merely provides useful information. If you don't think that the information provided by baseUpdateTime is useful, ignore it. Since the extension is non-critical and can be ignored, its presence can not complicate the problem. At 09:05 AM 5/10/2001 -0400, Housley, Russ wrote: >Denis: > >>There is difference between a base CRL and a full CRL > >You are quite right. I, for one, will try to be more careful about the >use of them. > >>Due to the fact that CRLs numbers are strictly increasing, two CRLs whether >>they are a base CRL or delta CRL, CANNOT have the same CRL number. > >I disagree. A full CRL (that may be a base CRL for subsequent delta CRLs) >and a delta CRL issued at the same time as that full CRL may actually >represent the same revocation information. In this case, they are the >same CRL, and they should have the same number. There have been several >tables posted that illustrate this numbering scheme, and I do not see any >text in X.509-200 that indicates this scheme is [snip - truncate - the message is too long anyway] ------_=_NextPart_001_01C0DA28.E1DFEE30 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>RE: delta CRLs</TITLE> <META content="MSHTML 5.50.4522.1800" name=GENERATOR></HEAD> <BODY> <DIV><SPAN class=982334214-11052001><FONT face=Arial color=#0000ff size=2>I agree as well. Santosh, regarding the term "full" I don't like that term at all. Although it is defined as a crl that is complete for a given scope, I think </FONT></SPAN></DIV> <DIV><SPAN class=982334214-11052001><FONT face=Arial color=#0000ff size=2>the human being in us tends sometimes to confuse it with a CRL that is complete for all certs issued by a CA and that is a dangerous confusion.</FONT></SPAN></DIV> <DIV><SPAN class=982334214-11052001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=982334214-11052001><FONT face=Arial color=#0000ff size=2>However, since the term is defined, I don't have any strong feeling on its use. I too agree with the email Russ sent after discussing with Tim and Dave.</FONT></SPAN></DIV> <DIV><SPAN class=982334214-11052001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=982334214-11052001><FONT face=Arial color=#0000ff size=2>Cheers</FONT></SPAN></DIV> <DIV><SPAN class=982334214-11052001><FONT face=Arial color=#0000ff size=2>Sharon</FONT></SPAN></DIV> <BLOCKQUOTE dir=ltr style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"> <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Santosh Chokhani [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Thursday, May 10, 2001 6:44 PM<BR><B>To:</B> Housley, Russ; Denis.Pinkas@bull.net<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta CRLs<BR><BR></FONT></DIV> <P><FONT size=2>Russ:</FONT> </P> <P><FONT size=2>I agree with most of what you say except the following.</FONT> </P> <P><FONT size=2>I think use of the "full" is dangerous. These CRLs are "full" only with respect to the scope as defined in the CRLScope and/or IDP extension. This is simply a nit.</FONT></P> <P><FONT size=2>You say "Relying parties that do </FONT><BR><FONT size=2>not process delta CRLs, and thus do not recognize the non-critical </FONT><BR><FONT size=2>freshestCRL extension, will not be able to distinguish between those full </FONT><BR><FONT size=2>CRLs that are base CRLs and those full CRLs that are not base CRLs." Do you mean a base could also be a delta as opposed to a full? If so, that distinction can be and will be made through the deltaCRLIndicator extension without. In any case, this point seems to be irrelevant.</FONT></P> <P><FONT size=2>You also say that "Every base CRL MUST be a full CRL, but not every full CRL is a base CRL." </FONT></P> <P><FONT size=2>While I agree with most of what you say, your distinction between base and full (for scope) does not seem relevant or germane to me and seems to confuse the issue. But, I think (and hope) I understand this enough to know that I do NOT disagree with the final conclusions. Your rationale comes across more convoluted and confusing than it needs to be due to this needless distinction between base and full.</FONT></P> <P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From: Housley, Russ [<A href="mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com</A>]</FONT> <BR><FONT size=2>Sent: Thursday, May 10, 2001 2:36 PM</FONT> <BR><FONT size=2>To: Denis.Pinkas@bull.net</FONT> <BR><FONT size=2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>Subject: Re: delta CRLs</FONT> </P><BR> <P><FONT size=2>Denis:</FONT> </P> <P><FONT size=2>Please excuse the half-done message from this morning. My mailer and I had </FONT><BR><FONT size=2>a disagreement...</FONT> </P> <P><FONT size=2>Anyway, since I was not going to get the full message out before the end of </FONT><BR><FONT size=2>the business day in France, I took the time to coordinate a response with </FONT><BR><FONT size=2>Tim Polk and David Cooper. This mail thread is quite long, so hopefully </FONT><BR><FONT size=2>our coordination on the side will reduce the overall number of messages to </FONT><BR><FONT size=2>the list and help to reach consensus faster.</FONT> </P> <P><FONT size=2>Here goes ....</FONT> </P> <P><FONT size=2> >There is difference between a base CRL and a full CRL : a base CRL MUST</FONT> <BR><FONT size=2> >include a freshestCRL extension (a.k.a. a Delta CRL distribution point),</FONT> <BR><FONT size=2> >whereas a full CRL may not include that extension. In other words, a base</FONT> <BR><FONT size=2> >CRL is a also a full CRL, but a full CRL is not necessarily a base CRL.</FONT> </P> <P><FONT size=2>There is no requirement in X.509 to include any extension in a certificate </FONT><BR><FONT size=2>or CRL advertising the availability of delta CRLs. PKIX makes the </FONT><BR><FONT size=2>freshestCRL extension available for advertising the existence of delta </FONT><BR><FONT size=2>CRLs, but again does not mandate its use. Furthermore, even if the </FONT><BR><FONT size=2>freshestCRL extension is used, it may be placed in either the certificate </FONT><BR><FONT size=2>or the full CRL. If the extension is placed in certificates, there is no </FONT><BR><FONT size=2>need for it to be in the full CRL (but, it could be).</FONT> </P> <P><FONT size=2>Finally, if delta CRLs are being issued, and are being advertised through </FONT><BR><FONT size=2>the freshestCRL CRL extension, then the extension should be included in all </FONT><BR><FONT size=2>full CRLs for that scope, not just the base CRLs. If a relying party </FONT><BR><FONT size=2>obtains the most recently issued full CRL for a scope from a repository, </FONT><BR><FONT size=2>and that full CRL is not a base CRL, how will the relying party know that </FONT><BR><FONT size=2>delta CRLs are available?</FONT> </P> <P><FONT size=2> >At any time a CA may issue a full CRL, whether or not a base CRL has already</FONT> <BR><FONT size=2> >been issued. This additional CRL SHOULD have nextUpdate equal to the</FONT> <BR><FONT size=2> >nextUpdate of the last issued full CRL. However, there is no guarantee that</FONT> <BR><FONT size=2> >this additional CRL will ever be seen by the relying party (because there</FONT> <BR><FONT size=2> >will be two CRLs matching the thisUpdate and nextUpdate rule and if one is</FONT> <BR><FONT size=2> >deleted, this is not seen by a relying party).</FONT> </P> <P><FONT size=2>The nextUpdate field in a full CRL (base or otherwise) should specify the </FONT><BR><FONT size=2>time by which new revocation information will be available. So, if a new </FONT><BR><FONT size=2>base CRL is issued once a day, but full CRLs are issued every hour, the </FONT><BR><FONT size=2>nextUpdate field of each full CRL should one hour after that CRL's </FONT><BR><FONT size=2>thisUpdate time.</FONT> </P> <P><FONT size=2> >Due to the fact that CRLs numbers are strictly increasing, two CRLs whether</FONT> <BR><FONT size=2> >they are a base CRL or delta CRL, CANNOT have the same CRL number. So a</FONT> <BR><FONT size=2> >delta CRL and a full CRL that cover the same scope and are issued at the</FONT> <BR><FONT size=2> >same time CANNOT have the same number.</FONT> </P> <P><FONT size=2>We disagree. If a full CRL and a delta CRL are issued at the same time for </FONT><BR><FONT size=2>the same scope, then they ARE the same CRL and MUST have the same CRL number.</FONT> </P> <P><FONT size=2> >If a full CRL is issued, its CRL</FONT> <BR><FONT size=2> >number bears no relationship with the previous base CRL, if any.</FONT> </P> <P><FONT size=2>Again, we disagree. A sequence of CRLs for a given scope must contain a </FONT><BR><FONT size=2>monotonically increasing sequence of CRL numbers. Relying parties that do </FONT><BR><FONT size=2>not process delta CRLs, and thus do not recognize the non-critical </FONT><BR><FONT size=2>freshestCRL extension, will not be able to distinguish between those full </FONT><BR><FONT size=2>CRLs that are base CRLs and those full CRLs that are not base CRLs. The CRL </FONT><BR><FONT size=2>numbers for these full CRLs must be from one monotonically increasing sequence.</FONT> </P> <P><FONT size=2> >The only</FONT> <BR><FONT size=2> >relationship between the numbers is defined by the rule that CRLs numbers</FONT> <BR><FONT size=2> >are strictly increasing. As Santosh said : "the CRL number is unique</FONT> <BR><FONT size=2> >whether it is a base or a delta ".</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >This is fairly important to be able to unambiguously (and thus uniquely)</FONT> <BR><FONT size=2> >refer to a CRL by only providing its CRL number.</FONT> </P> <P><FONT size=2>Exactly. If a full CRL and the delta CRL are issued for the same scope at </FONT><BR><FONT size=2>the same time, they are the same CRL. The CRL number unambiguously and </FONT><BR><FONT size=2>uniquely refers to this ONE CRL.</FONT> </P> <P><FONT size=2> >Besides the fact that a CRL issued later MUST have a higher CRL number, full</FONT> <BR><FONT size=2> >CRLs and delta CRLs have independent numbering rules. As noticed by Santosh,</FONT> <BR><FONT size=2> >" if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL</FONT> <BR><FONT size=2> >number (for the same or no stream identifier).</FONT> </P> <P><FONT size=2>If you agree that delta thisUpdate > base thisUpdate implies delta CRL </FONT><BR><FONT size=2>number > base CRL, then you are acknowledging that the CRL numbers of the </FONT><BR><FONT size=2>full CRLs and delta CRLs are not independent.</FONT> </P> <P><FONT size=2> >As Santosh said : "a check based on thisUpdate is more general and</FONT> <BR><FONT size=2> >preferred [to the use of CRL numbers]. "</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >Related to the three rules mentioned by Russ :</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >1) the first rule is not understandable to me.</FONT> <BR><FONT size=2> >2) the second rule does not say anything more than the basic rule valid</FONT> <BR><FONT size=2> > for any CRL (i.e. a CRL issued later MUST have a higher CRL number).</FONT> <BR><FONT size=2> >3) we will debate the hold condition, once we will have sorted the main</FONT> <BR><FONT size=2> > issue.</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >Russ said : "If separate number sequence is used, then you will have to</FONT> <BR><FONT size=2> >periodically fetch base CRLs ". This is true.</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >Tim said that he would *not* like to be forced to download new base CRLs.</FONT> <BR><FONT size=2> >This is the core of the "dispute".</FONT> </P> <P><FONT size=2>Our goal should be to allow delta CRL enabled clients to obtain accurate </FONT><BR><FONT size=2>information in the most efficient manner possible. Forcing clients to </FONT><BR><FONT size=2>periodically download full CRLs, when this is not necessary, is inefficient.</FONT> </P> <P><FONT size=2> > From the definition of what a delta CRL is, it is *not* possible to</FONT> <BR><FONT size=2> >get rid of the fetching of base CRLs. Unless we add a new sentence to</FONT> <BR><FONT size=2> >expand/change that definition, base CRL fetching will remain mandatory.</FONT> </P> <P><FONT size=2>True. However, if one performs validations frequently enough, it is </FONT><BR><FONT size=2>possible to obtain a single full CRL and then subsequently download only </FONT><BR><FONT size=2>delta CRLs. We need to require that full CRL be issued periodically so that </FONT><BR><FONT size=2>clients whose locally stored information is not sufficiently up-to-date to </FONT><BR><FONT size=2>apply the delta CRLs being issued can obtain the full CRLs that they need, </FONT><BR><FONT size=2>but we should not require clients to download full CRLs when it is not </FONT><BR><FONT size=2>necessary for them to do so.</FONT> </P> <P><FONT size=2> >Remember that the goal of delta CRLs is to provide the freshest information,</FONT> <BR><FONT size=2> >and to my knowledge the goal was not to get rid of the fetching of base CRLs</FONT> <BR><FONT size=2> >(which may less frequent due to the support of delta CRLs).</FONT> </P> <P><FONT size=2>Yes, but the goal should be to minimize the fetching of full CRLs.</FONT> </P> <P><FONT size=2> >If I understand correctly, Tim/David/Russ would like to *always* achieve the</FONT> <BR><FONT size=2> >following property : it is possible to reconstruct the current CRL by using</FONT> <BR><FONT size=2> >a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been</FONT> <BR><FONT size=2> >issued at the same time a base CRL was issued and which contains updates</FONT> <BR><FONT size=2> >made to the *previous* base.</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >By this way the fetching of base CRLs could be avoided. However, note that</FONT> <BR><FONT size=2> >it is perfectly " legal " to stop issuing base and delta CRLs during some</FONT> <BR><FONT size=2> >period of time and to issue full CRLs instead (see the difference between</FONT> <BR><FONT size=2> >"full" and "base" at the top of this e-mail). In other words there is no</FONT> <BR><FONT size=2> >need to issue a new base CRL at the end of the validity period of the</FONT> <BR><FONT size=2> >previous base CRL. Doing this would mandate to prescribe issuing rules</FONT> <BR><FONT size=2> >for CAs that we have not prescripted.</FONT> </P> <P><FONT size=2>You are mixing apples and oranges. Obviously the scheme of keeping </FONT><BR><FONT size=2>up-to-date by obtaining a base from 1990 and then only downloading deltas </FONT><BR><FONT size=2>will only work so long as deltas continue to be issued. If the CRL issuer </FONT><BR><FONT size=2>ceases to issue deltas, then the relying parties will have to revert to </FONT><BR><FONT size=2>downloading full CRLs.</FONT> </P> <P><FONT size=2> >I will now raise a series of questions, for which I believe we have</FONT> <BR><FONT size=2> >different answers. Tim/David/Russ do not hesitate to correct</FONT> <BR><FONT size=2> >if my guess is wrong. ;-)</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >Common point:</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >1) What will be the value of the nextUpdate field from the last issued delta</FONT> <BR><FONT size=2> >CRL for a given base CRL ?</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >Denis: the nextUpdate field from the last issued delta CRL MUST be equal to</FONT> <BR><FONT size=2> >the value of nextUpdate from the base CRL.</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >Tim/David/Russ: ???</FONT> </P> <P><FONT size=2>The nextUpdate field in a base CRL states when the next full CRL will be </FONT><BR><FONT size=2>available. This is important for supporting clients that do not handle </FONT><BR><FONT size=2>delta CRLs. The nextUpdate field in a delta CRL states when the next CRL </FONT><BR><FONT size=2>(either a delta CRL or a full CRL) will be available. As a general rule, if </FONT><BR><FONT size=2>the CA is continuing to issue deltas, the nextUpdate in the delta will be </FONT><BR><FONT size=2>the time by which the next delta will be available. If this is the last </FONT><BR><FONT size=2>delta that the CA is going to issue, then the nextUpdate in the delta will </FONT><BR><FONT size=2>be the time by which the next full CRL will be available. ("Available" </FONT><BR><FONT size=2>SHOULD reflect distribution delays associated with the repository </FONT><BR><FONT size=2>architecture.)</FONT> </P> <P><FONT size=2> >2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ?</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >Denis: No.</FONT> <BR><FONT size=2> >Tim/David/Russ : ???</FONT> </P> <P><FONT size=2>No. A CA never is required to issue deltas. However, it would be helpful to </FONT><BR><FONT size=2>delta CRL enabled clients to allow them to construct the full CRL.</FONT> </P> <P><FONT size=2>If the full CRL contains a freshestCRL extension, then it is a very good </FONT><BR><FONT size=2>idea to generate a delta CRL at the same time. In this way, any client will </FONT><BR><FONT size=2>be able to find a current delta CRL.</FONT> </P> <P><FONT size=2> >3) Does a CA needs to issue a new base CRL at the end of the validity of a</FONT> <BR><FONT size=2> >current base CRL ?</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >Denis: No.</FONT> <BR><FONT size=2> >Tim/David/Russ : ???</FONT> </P> <P><FONT size=2>No. HOWEVER, the CA must issue a new full CRL by the nextUpdate in the </FONT><BR><FONT size=2>previously issued full CRL (whether that full CRL is a base CRL or not). </FONT><BR><FONT size=2>There is no requirement that the next full CRL be a base CRL. (The CA could </FONT><BR><FONT size=2>quit issuing deltas, etc. etc.)</FONT> </P> <P><FONT size=2>Every base CRL MUST be a full CRL, but not every full CRL is a base CRL. </FONT><BR><FONT size=2>But, a CA could make every full CRL a base CRL if they wanted to.</FONT> </P> <P><FONT size=2> >4) Does a CA needs to issue a delta CRL at the same time a new base is</FONT> <BR><FONT size=2> >issued ?</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >Denis: Yes. The delta CRL refers to the *new* base.</FONT> <BR><FONT size=2> >Tim/David/Russ : ???</FONT> </P> <P><FONT size=2>No. HOWEVER, in practice we belive that CAs will do so. The delta CRL needs </FONT><BR><FONT size=2>to exist so that clients can follow the freshest CRL extension (either in a </FONT><BR><FONT size=2>certificate or a base CRL). The delta CRL that is issued at the same time </FONT><BR><FONT size=2>SHOULD point to a previously issued full CRL (which will then, by </FONT><BR><FONT size=2>definition be a base CRL) whenever possible. There is no information to add </FONT><BR><FONT size=2>to the new base CRL! By providing the delta as an update to a previous base </FONT><BR><FONT size=2>CRL, clients can download the delta CRL to construct the new base CRL.</FONT> </P> <P><FONT size=2> >The last point highlights the most noticeable difference. Other differences</FONT> <BR><FONT size=2> >appears when considering the guaranty to get the freshest information :</FONT> <BR><FONT size=2> >using the traditional scheme and the thisUpdate and nextUpdate fields the</FONT> <BR><FONT size=2> >guaranty to get the freshest information is obtained, but cannot be obtained</FONT> <BR><FONT size=2> >using the other scheme. :-(</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >Several people are referring to the X.509 document for arguments to support</FONT> <BR><FONT size=2> >that discussion. However, it is important to remember that we are defining</FONT> <BR><FONT size=2> >PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509,</FONT> <BR><FONT size=2> >but only what we believe is relevant.</FONT> </P> <P><FONT size=2>PKIX is a profile of X.509. PKIX may impose additional requirements beyond </FONT><BR><FONT size=2>those in X.509 or may exclude features that are optional in X.509, but </FONT><BR><FONT size=2>otherwise PKIX must be consistent with X.509. In that context, references </FONT><BR><FONT size=2>to X.509 are appropriate.</FONT> </P> <P><FONT size=2> >We first need to clearly define the processing rules applicable to the</FONT> <BR><FONT size=2> >relying parties. These rules will certainly contain SHALL/MUST statements,</FONT> <BR><FONT size=2> >but may also include some MAY statements which may even be conditional to</FONT> <BR><FONT size=2> >what the CA is doing. (I let Tim/David or Russ provide the MAY statement).</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >Here is a proposal for the MUST statement, based on the previous text I</FONT> <BR><FONT size=2> >produced:</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> > An application that is wishing to take advantage of delta CRLs</FONT> <BR><FONT size=2> > for a given scope, MUST first find a base CRL for that scope,</FONT> <BR><FONT size=2> > i.e. a full CRL that that contains a freshestCRL extension</FONT> <BR><FONT size=2> > (a.k.a. a Delta CRL distribution point).</FONT> </P> <P><FONT size=2>No. The relying party needs a full CRL (either one that has been downloaded </FONT><BR><FONT size=2>from a repository or one that has been locally generated) against which the </FONT><BR><FONT size=2>delta CRL of interest may be applied. There is no requirement that the full </FONT><BR><FONT size=2>CRL be a base CRL.</FONT> </P> <P><FONT size=2> > It may then construct</FONT> <BR><FONT size=2> > an updated CRL for that base, for a specific time T, by combining</FONT> <BR><FONT size=2> > it with a delta CRL which contains a delta CRL indicator extension</FONT> <BR><FONT size=2> > with the same CRL number as the base CRL.</FONT> </P> <P><FONT size=2>It may construct an updated CRL by combining the delta CRL with any full </FONT><BR><FONT size=2>CRL whose CRL number is greater than or equal to the CRL number of the </FONT><BR><FONT size=2>referenced base. By saying "equal" instead of "greater than or equal" we </FONT><BR><FONT size=2>would be hiding useful information from implementors. We should not be </FONT><BR><FONT size=2>hiding useful information.</FONT> </P> <P><FONT size=2> > Applications that support</FONT> <BR><FONT size=2> > delta CRLs MUST ensure that time T falls between thisUpdate and</FONT> <BR><FONT size=2> > nextUpdate for both the base CRL and the delta CRL.</FONT> </P> <P><FONT size=2>As stated above, the nextUpdate field in a base CRL specifies the time by </FONT><BR><FONT size=2>which new revocation information will be available through full CRLs. A </FONT><BR><FONT size=2>delta CRL may be applied to a base CRL as long as the CRL number in the </FONT><BR><FONT size=2>base CRL is greater than or equal to the CRL number of the base CRL </FONT><BR><FONT size=2>referenced by the delta CRL. The nextUpdate time of the base CRL is irrelevant.</FONT> </P> <P><FONT size=2> > Note: An application could also reconstruct an updated CRL, for</FONT> <BR><FONT size=2> > a specific time T, by using a previously locally reconstructed CRL</FONT> <BR><FONT size=2> > based on the current base CRL, and combining it with a delta CRL which</FONT> <BR><FONT size=2> > contains a delta CRL indicator extension with the same CRL number as</FONT> <BR><FONT size=2> > the base CRL.</FONT> </P> <P><FONT size=2>Same problem as above. Need to say "greater than or equal to".</FONT> </P> <P><FONT size=2> >We also need to clearly separate the issuing rules applicable for the CAs.</FONT> <BR><FONT size=2> >These rules will certainly contain SHALL statements, but could also include</FONT> <BR><FONT size=2> >some MAY statements. (I let Tim/David or Russ provide the MAY statement).</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >Here is a proposal for the MUST statement, based on the previous text I</FONT> <BR><FONT size=2> >produced:</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> > A CA that supports delta-CRLs, MUST issue a base CRL,</FONT> </P> <P><FONT size=2>This is an unnecessary statement. A delta CRL must include a BaseCRLNumber. </FONT><BR><FONT size=2>The CRL specified by that BaseCRLNumber is by definition a base CRL. Of </FONT><BR><FONT size=2>course, the referenced base CRL MUST be a full CRL.</FONT> </P> <P><FONT size=2> > i.e. a full</FONT> <BR><FONT size=2> > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL</FONT> <BR><FONT size=2> > distribution point).</FONT> </P> <P><FONT size=2>While it might be a good idea to mandate the inclusion of the frestestCRL </FONT><BR><FONT size=2>extension in full CRLs that are issued for scopes in which delta CRLs are </FONT><BR><FONT size=2>also being issued, there is currently no such requirement in the draft PKIX </FONT><BR><FONT size=2>profile.</FONT> </P> <P><FONT size=2> > For any time T until the nextUpdate time</FONT> <BR><FONT size=2> > indicated in a base CRL, the CA MUST provide one and only one</FONT> <BR><FONT size=2> > delta CRL that refers to that base CRL and for which time T</FONT> <BR><FONT size=2> > falls between thisUpdate and nextUpdate from the delta CRL.</FONT> </P> <P><FONT size=2>This sentence has several problems:</FONT> </P> <P><FONT size=2>1) The nextUpdate time of a base CRL is the time when the next full CRL </FONT><BR><FONT size=2>will be available, which may precede the time that the next base CRL will </FONT><BR><FONT size=2>be issued.</FONT> </P> <P><FONT size=2>2) There is no requirement that a delta CRL use the most recently issued </FONT><BR><FONT size=2>base CRL as its base. I suppose that we could add this requirement for the </FONT><BR><FONT size=2>PKIX profile, but why? Does it really simplify the client? Or, does it </FONT><BR><FONT size=2>just make it a wee bit harder to make a conforming CA that supports delta CRLs?</FONT> </P> <P><FONT size=2>3) If the thisUpdate time of one delta CRL must equal the nextUpdate time </FONT><BR><FONT size=2>of the previously issued delta CRL, then no time can be allotted to account </FONT><BR><FONT size=2>for propagation delays between when a delta-CRL is issued and when it is </FONT><BR><FONT size=2>available in repositories for relying parties to obtain. Thus, there would </FONT><BR><FONT size=2>be gaps between when the nextUpdate time of one delta-CRL was reached and </FONT><BR><FONT size=2>when the next delta-CRL was available.</FONT> </P> <P><FONT size=2>4) There is nothing in either X.509 or the PKIX profile that prevents a CA </FONT><BR><FONT size=2>from issuing an unscheduled (or "emergency") delta CRL. And, there should </FONT><BR><FONT size=2>not be! Many CAs intend to issue a new CRL (delta or otherwise) </FONT><BR><FONT size=2>immediately upon the revocation of a certificate due to key compromise. </FONT><BR><FONT size=2>When such an "emergency" delta CRL is issued, there will be two delta CRLs </FONT><BR><FONT size=2>for which T falls between thisUpdate and nextUpdate. While it is true that </FONT><BR><FONT size=2>there is no guarantee that relying parties will obtain the fresher of these </FONT><BR><FONT size=2>two delta CRLs, that is no reason to prevent the CA from issuing the </FONT><BR><FONT size=2>"emergency" delta. Some clients will obtain the emergency CRL.</FONT> </P> <P><FONT size=2> >In his e-mail from Wednesday, May 9, David said that delta-CRL processing</FONT> <BR><FONT size=2> >rules could be base on time instead of CRL numbers. This is a point of which</FONT> <BR><FONT size=2> >I strongly agree. Let us do it!</FONT> <BR><FONT size=2> ></FONT> <BR><FONT size=2> >(However, there is no need to add to PKIX, as he suggested, the support of</FONT> <BR><FONT size=2> >the baseUpdateTime extension from X.509 which would even more complicate the</FONT> <BR><FONT size=2> >problem.)</FONT> </P> <P><FONT size=2>No. In order to base delta CRL processing on time, the baseUpdateTime </FONT><BR><FONT size=2>extension must be present in the delta CRL. Furthermore, the presence of </FONT><BR><FONT size=2>this extension would not complicate the problem. baseUpdateTime is a </FONT><BR><FONT size=2>non-critical extension that merely provides useful information. If you </FONT><BR><FONT size=2>don't think that the information provided by baseUpdateTime is useful, </FONT><BR><FONT size=2>ignore it. Since the extension is non-critical and can be ignored, its </FONT><BR><FONT size=2>presence can not complicate the problem.</FONT> </P> <P><FONT size=2>At 09:05 AM 5/10/2001 -0400, Housley, Russ wrote:</FONT> <BR><FONT size=2>>Denis:</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>>There is difference between a base CRL and a full CRL</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>You are quite right. I, for one, will try to be more careful about the </FONT><BR><FONT size=2>>use of them.</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>>Due to the fact that CRLs numbers are strictly increasing, two CRLs whether</FONT> <BR><FONT size=2>>>they are a base CRL or delta CRL, CANNOT have the same CRL number.</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>I disagree. A full CRL (that may be a base CRL for subsequent delta CRLs) </FONT><BR><FONT size=2>>and a delta CRL issued at the same time as that full CRL may actually </FONT><BR><FONT size=2>>represent the same revocation information. In this case, they are the </FONT><BR><FONT size=2>>same CRL, and they should have the same number. There have been several </FONT><BR><FONT size=2>>tables posted that illustrate this numbering scheme, and I do not see any </FONT><BR><FONT size=2>>text in X.509-200 that indicates this scheme is</FONT> <BR><FONT size=2>[snip - truncate - the message is too long anyway]</FONT> </P></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0DA28.E1DFEE30-- Received: (from majordomo@localhost) by above.proper.com (8.9.3/8.9.3) id FAA14984 for ietf-pkix-bks; Fri, 11 May 2001 05:35:40 -0700 (PDT) Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA14953 for <ietf-pkix@imc.org>; Fri, 11 May 2001 05:35:31 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id OAA20535; Fri, 11 May 2001 14:35:29 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.3); Fri, 11 May 2001 14:35:29 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id OAA21576; Fri, 11 May 2001 14:35:26 +0200 (MET DST) From: Peter Sylvester <Peter.Sylvester@edelweb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.7.6/8.6.6) id OAA01044; Fri, 11 May 2001 14:35:26 +0200 (MET DST) Date: Fri, 11 May 2001 14:35:26 +0200 (MET DST) Message-Id: <200105111235.OAA01044@emeriau.edelweb.fr> To: drh@celocom.com, ietf-pkix@imc.org, chokhani@cygnacom.com Subject: RE: delta CRLs Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> > charset="iso-8859-1" > > Dr. Henson: > > The rules for handling hold and release from hold are different when a delta > is applied to a base issued after the delta (I let you figure out the > rules). But, if you have to know if the base was issued after the delta or > not, why apply the delta at all; just use the new base. > > Thus if thisUpdate of base > = thisUpdate of delta, just use the base and do > not process the delta. This is obviously right. If you have a full CRL that is younger than a delta, then one can just use the full, but the point made by drh was that a delta can reference a base which is not necessarily the youngest full crl that can be used, i.e. any base/full that is between the base indicated in the dcrl and which is not younger that the dcrl can be used. So one is in the situation of have a dcrl with a base reference, and some full crl that may be a candidate for a dcrl update since the thisUpdate of that file is older than that of the dCRL; What has to be ensured is that this full crl is not older than the referenced base in order not to miss information. And since the basereference is just a number, i.e. one doesn't know the thisUpdate of the base, one can only use the crlnumber assuming that they are non-decreasing. > > -----Original Message----- > From: Dr S N Henson [mailto:drh@celocom.com] > Sent: Wednesday, May 09, 2001 6:37 PM > To: ietf-pkix@imc.org > Subject: Re: delta CRLs > > > > > Peter Sylvester wrote: > > > > > > Is is necessary that the crlNumber of base URLs are strictly > > increasing? I am not convinced. The numbers are only used to > > create references to a chain of crls that can be used to create > > final 'virtual' base crl with an appropriate ThisUpdate. > > > > Well since you can combine any full CRL whose number is greater than or > equal to the base CRL number in the delta it has to be increasing. > > If the full CRL has a number greater than the base CRL in the delta it > can still be combined but the delta CRL may contain some revocation data > already present in the base. > > If the CRL number isn't strictly increasing then there's no way for the > CRL number of deltas to reference which full CRL the constructed CRL > represents. > > This only applies if the only way to reference constructed and base CRLs > is the CRL number. If baseUpdateTime is used instead then it isn't > necessary except for the fact that some clients may not use > baseUpdateTime. > > Steve. > -- > Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ > Personal Email: shenson@drh-consultancy.demon.co.uk > Senior crypto engineer, Celo Communications: http://www.celocom.com/ > Core developer of the OpenSSL project: http://www.openssl.org/ > Business Email: drh@celocom.com PGP key: via homepage. > > ------_=_NextPart_001_01C0D8FD.23508960 > Content-Type: text/html; > charset="iso-8859-1" > Content-Transfer-Encoding: quoted-printable > > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> > <HTML> > <HEAD> > <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = > charset=3Diso-8859-1"> > <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = > 5.5.2652.35"> > <TITLE>RE: delta CRLs</TITLE> > </HEAD> > <BODY> > > <P><FONT SIZE=3D2>Dr. Henson:</FONT> > </P> > > <P><FONT SIZE=3D2>The rules for handling hold and release from hold are = > different when a delta is applied to a base issued after the delta (I = > let you figure out the rules). But, if you have to know if the = > base was issued after the delta or not, why apply the delta at all; = > just use the new base.</FONT></P> > > <P><FONT SIZE=3D2>Thus if thisUpdate of base > =3D thisUpdate of = > delta, just use the base and do not process the delta.</FONT> > </P> > > <P><FONT SIZE=3D2>-----Original Message-----</FONT> > <BR><FONT SIZE=3D2>From: Dr S N Henson [<A = > HREF=3D"mailto:drh@celocom.com">mailto:drh@celocom.com</A>]</FONT> > <BR><FONT SIZE=3D2>Sent: Wednesday, May 09, 2001 6:37 PM</FONT> > <BR><FONT SIZE=3D2>To: ietf-pkix@imc.org</FONT> > <BR><FONT SIZE=3D2>Subject: Re: delta CRLs</FONT> > </P> > <BR> > <BR> > <BR> > > <P><FONT SIZE=3D2>Peter Sylvester wrote:</FONT> > <BR><FONT SIZE=3D2>> </FONT> > <BR><FONT SIZE=3D2>> </FONT> > <BR><FONT SIZE=3D2>> Is is necessary that the crlNumber of base URLs = > are strictly</FONT> > <BR><FONT SIZE=3D2>> increasing? I am not convinced. The numbers are = > only used to</FONT> > <BR><FONT SIZE=3D2>> create references to a chain of crls that can = > be used to create</FONT> > <BR><FONT SIZE=3D2>> final 'virtual' base crl with an appropriate = > ThisUpdate.</FONT> > <BR><FONT SIZE=3D2>> </FONT> > </P> > > <P><FONT SIZE=3D2>Well since you can combine any full CRL whose number = > is greater than or</FONT> > <BR><FONT SIZE=3D2>equal to the base CRL number in the delta it has to = > be increasing.</FONT> > </P> > > <P><FONT SIZE=3D2>If the full CRL has a number greater than the base = > CRL in the delta it</FONT> > <BR><FONT SIZE=3D2>can still be combined but the delta CRL may contain = > some revocation data</FONT> > <BR><FONT SIZE=3D2>already present in the base.</FONT> > </P> > > <P><FONT SIZE=3D2>If the CRL number isn't strictly increasing then = > there's no way for the</FONT> > <BR><FONT SIZE=3D2>CRL number of deltas to reference which full CRL the = > constructed CRL</FONT> > <BR><FONT SIZE=3D2>represents.</FONT> > </P> > > <P><FONT SIZE=3D2>This only applies if the only way to reference = > constructed and base CRLs</FONT> > <BR><FONT SIZE=3D2>is the CRL number. If baseUpdateTime is used instead = > then it isn't</FONT> > <BR><FONT SIZE=3D2>necessary except for the fact that some clients may = > not use</FONT> > <BR><FONT SIZE=3D2>baseUpdateTime.</FONT> > </P> > > <P><FONT SIZE=3D2>Steve.</FONT> > <BR><FONT SIZE=3D2>-- </FONT> > <BR><FONT SIZE=3D2>Dr Stephen N. Henson. <A = > HREF=3D"http://www.drh-consultancy.demon.co.uk/" = > TARGET=3D"_blank">http://www.drh-consultancy.demon.co.uk/</A></FONT> > <BR><FONT SIZE=3D2>Personal Email: shenson@drh-consultancy.demon.co.uk = > </FONT> > <BR><FONT SIZE=3D2>Senior crypto engineer, Celo Communications: <A = > HREF=3D"http://www.celocom.com/" = > TARGET=3D"_blank">http://www.celocom.com/</A></FONT> > <BR><FONT SIZE=3D2>Core developer of the OpenSSL project: = > <A HREF=3D"http://www.openssl.org/" = > TARGET=3D"_blank">http://www.openssl.org/</A></FONT> > <BR><FONT SIZE=3D2>Business Email: drh@celocom.com PGP key: via = > homepage.</FONT> > </P> > > </BODY> > </HTML> > ------_=_NextPart_001_01C0D8FD.23508960-- > Received: by above.proper.com (8.9.3/8.9.3) id RAA13914 for ietf-pkix-bks; Thu, 10 May 2001 17:25:04 -0700 (PDT) Received: from [165.227.249.20] (ip20.proper.com [165.227.249.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA13909 for <ietf-pkix@imc.org>; Thu, 10 May 2001 17:24:59 -0700 (PDT) Mime-Version: 1.0 X-Sender: phoffman@mail.imc.org Message-Id: <p0510032ab720e140894d@[165.227.249.20]> Date: Thu, 10 May 2001 17:24:51 -0700 To: ietf-pkix@imc.org From: Paul Hoffman / IMC <phoffman@imc.org> Subject: ADMINISTRIVIA: Reduction in spam on this list Content-Type: text/plain; charset="us-ascii" ; format="flowed" Sender: owner-ietf-pkix@mail.imc.org Precedence: bulk List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/> List-ID: <ietf-pkix.imc.org> List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe> List-ID: <ietf-pkix.imc.org> Due to the high volume of complaints about spam, this list is now restricted for posting. This should not affect the discussion much, as I will try to quickly add anyone whose (non-spam) mail bounces. Please report any list problems directly to me, not to the mailing list. Thanks! --Paul Hoffman, Director --Internet Mail Consortium Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA08618 for <ietf-pkix@imc.org>; Thu, 10 May 2001 15:53:28 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K4X9NPZK>; Thu, 10 May 2001 18:53:00 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE9F3@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, Denis.Pinkas@bull.net Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Thu, 10 May 2001 18:43:46 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D9A2.AC5D2A10" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D9A2.AC5D2A10 Content-Type: text/plain; charset="iso-8859-1" Russ: I agree with most of what you say except the following. I think use of the "full" is dangerous. These CRLs are "full" only with respect to the scope as defined in the CRLScope and/or IDP extension. This is simply a nit. You say "Relying parties that do not process delta CRLs, and thus do not recognize the non-critical freshestCRL extension, will not be able to distinguish between those full CRLs that are base CRLs and those full CRLs that are not base CRLs." Do you mean a base could also be a delta as opposed to a full? If so, that distinction can be and will be made through the deltaCRLIndicator extension without. In any case, this point seems to be irrelevant. You also say that "Every base CRL MUST be a full CRL, but not every full CRL is a base CRL." While I agree with most of what you say, your distinction between base and full (for scope) does not seem relevant or germane to me and seems to confuse the issue. But, I think (and hope) I understand this enough to know that I do NOT disagree with the final conclusions. Your rationale comes across more convoluted and confusing than it needs to be due to this needless distinction between base and full. -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Thursday, May 10, 2001 2:36 PM To: Denis.Pinkas@bull.net Cc: ietf-pkix@imc.org Subject: Re: delta CRLs Denis: Please excuse the half-done message from this morning. My mailer and I had a disagreement... Anyway, since I was not going to get the full message out before the end of the business day in France, I took the time to coordinate a response with Tim Polk and David Cooper. This mail thread is quite long, so hopefully our coordination on the side will reduce the overall number of messages to the list and help to reach consensus faster. Here goes .... >There is difference between a base CRL and a full CRL : a base CRL MUST >include a freshestCRL extension (a.k.a. a Delta CRL distribution point), >whereas a full CRL may not include that extension. In other words, a base >CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. There is no requirement in X.509 to include any extension in a certificate or CRL advertising the availability of delta CRLs. PKIX makes the freshestCRL extension available for advertising the existence of delta CRLs, but again does not mandate its use. Furthermore, even if the freshestCRL extension is used, it may be placed in either the certificate or the full CRL. If the extension is placed in certificates, there is no need for it to be in the full CRL (but, it could be). Finally, if delta CRLs are being issued, and are being advertised through the freshestCRL CRL extension, then the extension should be included in all full CRLs for that scope, not just the base CRLs. If a relying party obtains the most recently issued full CRL for a scope from a repository, and that full CRL is not a base CRL, how will the relying party know that delta CRLs are available? >At any time a CA may issue a full CRL, whether or not a base CRL has already >been issued. This additional CRL SHOULD have nextUpdate equal to the >nextUpdate of the last issued full CRL. However, there is no guarantee that >this additional CRL will ever be seen by the relying party (because there >will be two CRLs matching the thisUpdate and nextUpdate rule and if one is >deleted, this is not seen by a relying party). The nextUpdate field in a full CRL (base or otherwise) should specify the time by which new revocation information will be available. So, if a new base CRL is issued once a day, but full CRLs are issued every hour, the nextUpdate field of each full CRL should one hour after that CRL's thisUpdate time. >Due to the fact that CRLs numbers are strictly increasing, two CRLs whether >they are a base CRL or delta CRL, CANNOT have the same CRL number. So a >delta CRL and a full CRL that cover the same scope and are issued at the >same time CANNOT have the same number. We disagree. If a full CRL and a delta CRL are issued at the same time for the same scope, then they ARE the same CRL and MUST have the same CRL number. >If a full CRL is issued, its CRL >number bears no relationship with the previous base CRL, if any. Again, we disagree. A sequence of CRLs for a given scope must contain a monotonically increasing sequence of CRL numbers. Relying parties that do not process delta CRLs, and thus do not recognize the non-critical freshestCRL extension, will not be able to distinguish between those full CRLs that are base CRLs and those full CRLs that are not base CRLs. The CRL numbers for these full CRLs must be from one monotonically increasing sequence. >The only >relationship between the numbers is defined by the rule that CRLs numbers >are strictly increasing. As Santosh said : "the CRL number is unique >whether it is a base or a delta ". > >This is fairly important to be able to unambiguously (and thus uniquely) >refer to a CRL by only providing its CRL number. Exactly. If a full CRL and the delta CRL are issued for the same scope at the same time, they are the same CRL. The CRL number unambiguously and uniquely refers to this ONE CRL. >Besides the fact that a CRL issued later MUST have a higher CRL number, full >CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, >" if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL >number (for the same or no stream identifier). If you agree that delta thisUpdate > base thisUpdate implies delta CRL number > base CRL, then you are acknowledging that the CRL numbers of the full CRLs and delta CRLs are not independent. >As Santosh said : "a check based on thisUpdate is more general and >preferred [to the use of CRL numbers]. " > >Related to the three rules mentioned by Russ : > >1) the first rule is not understandable to me. >2) the second rule does not say anything more than the basic rule valid > for any CRL (i.e. a CRL issued later MUST have a higher CRL number). >3) we will debate the hold condition, once we will have sorted the main > issue. > >Russ said : "If separate number sequence is used, then you will have to >periodically fetch base CRLs ". This is true. > >Tim said that he would *not* like to be forced to download new base CRLs. >This is the core of the "dispute". Our goal should be to allow delta CRL enabled clients to obtain accurate information in the most efficient manner possible. Forcing clients to periodically download full CRLs, when this is not necessary, is inefficient. > From the definition of what a delta CRL is, it is *not* possible to >get rid of the fetching of base CRLs. Unless we add a new sentence to >expand/change that definition, base CRL fetching will remain mandatory. True. However, if one performs validations frequently enough, it is possible to obtain a single full CRL and then subsequently download only delta CRLs. We need to require that full CRL be issued periodically so that clients whose locally stored information is not sufficiently up-to-date to apply the delta CRLs being issued can obtain the full CRLs that they need, but we should not require clients to download full CRLs when it is not necessary for them to do so. >Remember that the goal of delta CRLs is to provide the freshest information, >and to my knowledge the goal was not to get rid of the fetching of base CRLs >(which may less frequent due to the support of delta CRLs). Yes, but the goal should be to minimize the fetching of full CRLs. >If I understand correctly, Tim/David/Russ would like to *always* achieve the >following property : it is possible to reconstruct the current CRL by using >a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been >issued at the same time a base CRL was issued and which contains updates >made to the *previous* base. > >By this way the fetching of base CRLs could be avoided. However, note that >it is perfectly " legal " to stop issuing base and delta CRLs during some >period of time and to issue full CRLs instead (see the difference between >"full" and "base" at the top of this e-mail). In other words there is no >need to issue a new base CRL at the end of the validity period of the >previous base CRL. Doing this would mandate to prescribe issuing rules >for CAs that we have not prescripted. You are mixing apples and oranges. Obviously the scheme of keeping up-to-date by obtaining a base from 1990 and then only downloading deltas will only work so long as deltas continue to be issued. If the CRL issuer ceases to issue deltas, then the relying parties will have to revert to downloading full CRLs. >I will now raise a series of questions, for which I believe we have >different answers. Tim/David/Russ do not hesitate to correct >if my guess is wrong. ;-) > >Common point: > >1) What will be the value of the nextUpdate field from the last issued delta >CRL for a given base CRL ? > >Denis: the nextUpdate field from the last issued delta CRL MUST be equal to >the value of nextUpdate from the base CRL. > >Tim/David/Russ: ??? The nextUpdate field in a base CRL states when the next full CRL will be available. This is important for supporting clients that do not handle delta CRLs. The nextUpdate field in a delta CRL states when the next CRL (either a delta CRL or a full CRL) will be available. As a general rule, if the CA is continuing to issue deltas, the nextUpdate in the delta will be the time by which the next delta will be available. If this is the last delta that the CA is going to issue, then the nextUpdate in the delta will be the time by which the next full CRL will be available. ("Available" SHOULD reflect distribution delays associated with the repository architecture.) >2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? > >Denis: No. >Tim/David/Russ : ??? No. A CA never is required to issue deltas. However, it would be helpful to delta CRL enabled clients to allow them to construct the full CRL. If the full CRL contains a freshestCRL extension, then it is a very good idea to generate a delta CRL at the same time. In this way, any client will be able to find a current delta CRL. >3) Does a CA needs to issue a new base CRL at the end of the validity of a >current base CRL ? > >Denis: No. >Tim/David/Russ : ??? No. HOWEVER, the CA must issue a new full CRL by the nextUpdate in the previously issued full CRL (whether that full CRL is a base CRL or not). There is no requirement that the next full CRL be a base CRL. (The CA could quit issuing deltas, etc. etc.) Every base CRL MUST be a full CRL, but not every full CRL is a base CRL. But, a CA could make every full CRL a base CRL if they wanted to. >4) Does a CA needs to issue a delta CRL at the same time a new base is >issued ? > >Denis: Yes. The delta CRL refers to the *new* base. >Tim/David/Russ : ??? No. HOWEVER, in practice we belive that CAs will do so. The delta CRL needs to exist so that clients can follow the freshest CRL extension (either in a certificate or a base CRL). The delta CRL that is issued at the same time SHOULD point to a previously issued full CRL (which will then, by definition be a base CRL) whenever possible. There is no information to add to the new base CRL! By providing the delta as an update to a previous base CRL, clients can download the delta CRL to construct the new base CRL. >The last point highlights the most noticeable difference. Other differences >appears when considering the guaranty to get the freshest information : >using the traditional scheme and the thisUpdate and nextUpdate fields the >guaranty to get the freshest information is obtained, but cannot be obtained >using the other scheme. :-( > >Several people are referring to the X.509 document for arguments to support >that discussion. However, it is important to remember that we are defining >PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, >but only what we believe is relevant. PKIX is a profile of X.509. PKIX may impose additional requirements beyond those in X.509 or may exclude features that are optional in X.509, but otherwise PKIX must be consistent with X.509. In that context, references to X.509 are appropriate. >We first need to clearly define the processing rules applicable to the >relying parties. These rules will certainly contain SHALL/MUST statements, >but may also include some MAY statements which may even be conditional to >what the CA is doing. (I let Tim/David or Russ provide the MAY statement). > >Here is a proposal for the MUST statement, based on the previous text I >produced: > > An application that is wishing to take advantage of delta CRLs > for a given scope, MUST first find a base CRL for that scope, > i.e. a full CRL that that contains a freshestCRL extension > (a.k.a. a Delta CRL distribution point). No. The relying party needs a full CRL (either one that has been downloaded from a repository or one that has been locally generated) against which the delta CRL of interest may be applied. There is no requirement that the full CRL be a base CRL. > It may then construct > an updated CRL for that base, for a specific time T, by combining > it with a delta CRL which contains a delta CRL indicator extension > with the same CRL number as the base CRL. It may construct an updated CRL by combining the delta CRL with any full CRL whose CRL number is greater than or equal to the CRL number of the referenced base. By saying "equal" instead of "greater than or equal" we would be hiding useful information from implementors. We should not be hiding useful information. > Applications that support > delta CRLs MUST ensure that time T falls between thisUpdate and > nextUpdate for both the base CRL and the delta CRL. As stated above, the nextUpdate field in a base CRL specifies the time by which new revocation information will be available through full CRLs. A delta CRL may be applied to a base CRL as long as the CRL number in the base CRL is greater than or equal to the CRL number of the base CRL referenced by the delta CRL. The nextUpdate time of the base CRL is irrelevant. > Note: An application could also reconstruct an updated CRL, for > a specific time T, by using a previously locally reconstructed CRL > based on the current base CRL, and combining it with a delta CRL which > contains a delta CRL indicator extension with the same CRL number as > the base CRL. Same problem as above. Need to say "greater than or equal to". >We also need to clearly separate the issuing rules applicable for the CAs. >These rules will certainly contain SHALL statements, but could also include >some MAY statements. (I let Tim/David or Russ provide the MAY statement). > >Here is a proposal for the MUST statement, based on the previous text I >produced: > > A CA that supports delta-CRLs, MUST issue a base CRL, This is an unnecessary statement. A delta CRL must include a BaseCRLNumber. The CRL specified by that BaseCRLNumber is by definition a base CRL. Of course, the referenced base CRL MUST be a full CRL. > i.e. a full > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > distribution point). While it might be a good idea to mandate the inclusion of the frestestCRL extension in full CRLs that are issued for scopes in which delta CRLs are also being issued, there is currently no such requirement in the draft PKIX profile. > For any time T until the nextUpdate time > indicated in a base CRL, the CA MUST provide one and only one > delta CRL that refers to that base CRL and for which time T > falls between thisUpdate and nextUpdate from the delta CRL. This sentence has several problems: 1) The nextUpdate time of a base CRL is the time when the next full CRL will be available, which may precede the time that the next base CRL will be issued. 2) There is no requirement that a delta CRL use the most recently issued base CRL as its base. I suppose that we could add this requirement for the PKIX profile, but why? Does it really simplify the client? Or, does it just make it a wee bit harder to make a conforming CA that supports delta CRLs? 3) If the thisUpdate time of one delta CRL must equal the nextUpdate time of the previously issued delta CRL, then no time can be allotted to account for propagation delays between when a delta-CRL is issued and when it is available in repositories for relying parties to obtain. Thus, there would be gaps between when the nextUpdate time of one delta-CRL was reached and when the next delta-CRL was available. 4) There is nothing in either X.509 or the PKIX profile that prevents a CA from issuing an unscheduled (or "emergency") delta CRL. And, there should not be! Many CAs intend to issue a new CRL (delta or otherwise) immediately upon the revocation of a certificate due to key compromise. When such an "emergency" delta CRL is issued, there will be two delta CRLs for which T falls between thisUpdate and nextUpdate. While it is true that there is no guarantee that relying parties will obtain the fresher of these two delta CRLs, that is no reason to prevent the CA from issuing the "emergency" delta. Some clients will obtain the emergency CRL. >In his e-mail from Wednesday, May 9, David said that delta-CRL processing >rules could be base on time instead of CRL numbers. This is a point of which >I strongly agree. Let us do it! > >(However, there is no need to add to PKIX, as he suggested, the support of >the baseUpdateTime extension from X.509 which would even more complicate the >problem.) No. In order to base delta CRL processing on time, the baseUpdateTime extension must be present in the delta CRL. Furthermore, the presence of this extension would not complicate the problem. baseUpdateTime is a non-critical extension that merely provides useful information. If you don't think that the information provided by baseUpdateTime is useful, ignore it. Since the extension is non-critical and can be ignored, its presence can not complicate the problem. At 09:05 AM 5/10/2001 -0400, Housley, Russ wrote: >Denis: > >>There is difference between a base CRL and a full CRL > >You are quite right. I, for one, will try to be more careful about the >use of them. > >>Due to the fact that CRLs numbers are strictly increasing, two CRLs whether >>they are a base CRL or delta CRL, CANNOT have the same CRL number. > >I disagree. A full CRL (that may be a base CRL for subsequent delta CRLs) >and a delta CRL issued at the same time as that full CRL may actually >represent the same revocation information. In this case, they are the >same CRL, and they should have the same number. There have been several >tables posted that illustrate this numbering scheme, and I do not see any >text in X.509-200 that indicates this scheme is [snip - truncate - the message is too long anyway] ------_=_NextPart_001_01C0D9A2.AC5D2A10 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Russ:</FONT> </P> <P><FONT SIZE=3D2>I agree with most of what you say except the = following.</FONT> </P> <P><FONT SIZE=3D2>I think use of the "full" is = dangerous. These CRLs are "full" only with respect to = the scope as defined in the CRLScope and/or IDP extension. This = is simply a nit.</FONT></P> <P><FONT SIZE=3D2>You say "Relying parties that do </FONT> <BR><FONT SIZE=3D2>not process delta CRLs, and thus do not recognize = the non-critical </FONT> <BR><FONT SIZE=3D2>freshestCRL extension, will not be able to = distinguish between those full </FONT> <BR><FONT SIZE=3D2>CRLs that are base CRLs and those full CRLs that are = not base CRLs." Do you mean a base could also be a delta as = opposed to a full? If so, that distinction can be and will be = made through the deltaCRLIndicator extension without. In any = case, this point seems to be irrelevant.</FONT></P> <P><FONT SIZE=3D2>You also say that "Every base CRL MUST be a full = CRL, but not every full CRL is a base CRL." </FONT> </P> <P><FONT SIZE=3D2>While I agree with most of what you say, your = distinction between base and full (for scope) does not seem relevant or = germane to me and seems to confuse the issue. But, I think (and = hope) I understand this enough to know that I do NOT disagree with the = final conclusions. Your rationale comes across more convoluted = and confusing than it needs to be due to this needless distinction = between base and full.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Housley, Russ [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>Sent: Thursday, May 10, 2001 2:36 PM</FONT> <BR><FONT SIZE=3D2>To: Denis.Pinkas@bull.net</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Re: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>Denis:</FONT> </P> <P><FONT SIZE=3D2>Please excuse the half-done message from this = morning. My mailer and I had </FONT> <BR><FONT SIZE=3D2>a disagreement...</FONT> </P> <P><FONT SIZE=3D2>Anyway, since I was not going to get the full message = out before the end of </FONT> <BR><FONT SIZE=3D2>the business day in France, I took the time to = coordinate a response with </FONT> <BR><FONT SIZE=3D2>Tim Polk and David Cooper. This mail thread is = quite long, so hopefully </FONT> <BR><FONT SIZE=3D2>our coordination on the side will reduce the overall = number of messages to </FONT> <BR><FONT SIZE=3D2>the list and help to reach consensus faster.</FONT> </P> <P><FONT SIZE=3D2>Here goes ....</FONT> </P> <P><FONT SIZE=3D2> >There is difference between a base CRL and = a full CRL : a base CRL MUST</FONT> <BR><FONT SIZE=3D2> >include a freshestCRL extension (a.k.a. a = Delta CRL distribution point),</FONT> <BR><FONT SIZE=3D2> >whereas a full CRL may not include that = extension. In other words, a base</FONT> <BR><FONT SIZE=3D2> >CRL is a also a full CRL, but a full CRL = is not necessarily a base CRL.</FONT> </P> <P><FONT SIZE=3D2>There is no requirement in X.509 to include any = extension in a certificate </FONT> <BR><FONT SIZE=3D2>or CRL advertising the availability of delta CRLs. = PKIX makes the </FONT> <BR><FONT SIZE=3D2>freshestCRL extension available for advertising the = existence of delta </FONT> <BR><FONT SIZE=3D2>CRLs, but again does not mandate its use. = Furthermore, even if the </FONT> <BR><FONT SIZE=3D2>freshestCRL extension is used, it may be placed in = either the certificate </FONT> <BR><FONT SIZE=3D2>or the full CRL. If the extension is placed in = certificates, there is no </FONT> <BR><FONT SIZE=3D2>need for it to be in the full CRL (but, it could = be).</FONT> </P> <P><FONT SIZE=3D2>Finally, if delta CRLs are being issued, and are = being advertised through </FONT> <BR><FONT SIZE=3D2>the freshestCRL CRL extension, then the extension = should be included in all </FONT> <BR><FONT SIZE=3D2>full CRLs for that scope, not just the base CRLs. If = a relying party </FONT> <BR><FONT SIZE=3D2>obtains the most recently issued full CRL for a = scope from a repository, </FONT> <BR><FONT SIZE=3D2>and that full CRL is not a base CRL, how will the = relying party know that </FONT> <BR><FONT SIZE=3D2>delta CRLs are available?</FONT> </P> <P><FONT SIZE=3D2> >At any time a CA may issue a full CRL, = whether or not a base CRL has already</FONT> <BR><FONT SIZE=3D2> >been issued. This additional CRL SHOULD = have nextUpdate equal to the</FONT> <BR><FONT SIZE=3D2> >nextUpdate of the last issued full CRL. = However, there is no guarantee that</FONT> <BR><FONT SIZE=3D2> >this additional CRL will ever be seen by = the relying party (because there</FONT> <BR><FONT SIZE=3D2> >will be two CRLs matching the thisUpdate = and nextUpdate rule and if one is</FONT> <BR><FONT SIZE=3D2> >deleted, this is not seen by a relying = party).</FONT> </P> <P><FONT SIZE=3D2>The nextUpdate field in a full CRL (base or = otherwise) should specify the </FONT> <BR><FONT SIZE=3D2>time by which new revocation information will be = available. So, if a new </FONT> <BR><FONT SIZE=3D2>base CRL is issued once a day, but full CRLs are = issued every hour, the </FONT> <BR><FONT SIZE=3D2>nextUpdate field of each full CRL should one hour = after that CRL's </FONT> <BR><FONT SIZE=3D2>thisUpdate time.</FONT> </P> <P><FONT SIZE=3D2> >Due to the fact that CRLs numbers are = strictly increasing, two CRLs whether</FONT> <BR><FONT SIZE=3D2> >they are a base CRL or delta CRL, CANNOT = have the same CRL number. So a</FONT> <BR><FONT SIZE=3D2> >delta CRL and a full CRL that cover the = same scope and are issued at the</FONT> <BR><FONT SIZE=3D2> >same time CANNOT have the same = number.</FONT> </P> <P><FONT SIZE=3D2>We disagree. If a full CRL and a delta CRL are = issued at the same time for </FONT> <BR><FONT SIZE=3D2>the same scope, then they ARE the same CRL and MUST = have the same CRL number.</FONT> </P> <P><FONT SIZE=3D2> >If a full CRL is issued, its CRL</FONT> <BR><FONT SIZE=3D2> >number bears no relationship with the = previous base CRL, if any.</FONT> </P> <P><FONT SIZE=3D2>Again, we disagree. A sequence of CRLs for a given = scope must contain a </FONT> <BR><FONT SIZE=3D2>monotonically increasing sequence of CRL numbers. = Relying parties that do </FONT> <BR><FONT SIZE=3D2>not process delta CRLs, and thus do not recognize = the non-critical </FONT> <BR><FONT SIZE=3D2>freshestCRL extension, will not be able to = distinguish between those full </FONT> <BR><FONT SIZE=3D2>CRLs that are base CRLs and those full CRLs that are = not base CRLs. The CRL </FONT> <BR><FONT SIZE=3D2>numbers for these full CRLs must be from one = monotonically increasing sequence.</FONT> </P> <P><FONT SIZE=3D2> >The only</FONT> <BR><FONT SIZE=3D2> >relationship between the numbers is = defined by the rule that CRLs numbers</FONT> <BR><FONT SIZE=3D2> >are strictly increasing. As Santosh said : = "the CRL number is unique</FONT> <BR><FONT SIZE=3D2> >whether it is a base or a delta = ".</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >This is fairly important to be able to = unambiguously (and thus uniquely)</FONT> <BR><FONT SIZE=3D2> >refer to a CRL by only providing its CRL = number.</FONT> </P> <P><FONT SIZE=3D2>Exactly. If a full CRL and the delta CRL are issued = for the same scope at </FONT> <BR><FONT SIZE=3D2>the same time, they are the same CRL. The CRL number = unambiguously and </FONT> <BR><FONT SIZE=3D2>uniquely refers to this ONE CRL.</FONT> </P> <P><FONT SIZE=3D2> >Besides the fact that a CRL issued later = MUST have a higher CRL number, full</FONT> <BR><FONT SIZE=3D2> >CRLs and delta CRLs have independent = numbering rules. As noticed by Santosh,</FONT> <BR><FONT SIZE=3D2> >" if the delta thisUpdate > base = thisUpdate, delta CRL number > base CRL</FONT> <BR><FONT SIZE=3D2> >number (for the same or no stream = identifier).</FONT> </P> <P><FONT SIZE=3D2>If you agree that delta thisUpdate > base = thisUpdate implies delta CRL </FONT> <BR><FONT SIZE=3D2>number > base CRL, then you are acknowledging = that the CRL numbers of the </FONT> <BR><FONT SIZE=3D2>full CRLs and delta CRLs are not independent.</FONT> </P> <P><FONT SIZE=3D2> >As Santosh said : "a check based on = thisUpdate is more general and</FONT> <BR><FONT SIZE=3D2> >preferred [to the use of CRL numbers]. = "</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >Related to the three rules mentioned by = Russ :</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >1) the first rule is not understandable to = me.</FONT> <BR><FONT SIZE=3D2> >2) the second rule does not say anything = more than the basic rule valid</FONT> <BR><FONT SIZE=3D2> > for any CRL (i.e. a CRL = issued later MUST have a higher CRL number).</FONT> <BR><FONT SIZE=3D2> >3) we will debate the hold condition, once = we will have sorted the main</FONT> <BR><FONT SIZE=3D2> > issue.</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >Russ said : "If separate number = sequence is used, then you will have to</FONT> <BR><FONT SIZE=3D2> >periodically fetch base CRLs ". This = is true.</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >Tim said that he would *not* like to be = forced to download new base CRLs.</FONT> <BR><FONT SIZE=3D2> >This is the core of the = "dispute".</FONT> </P> <P><FONT SIZE=3D2>Our goal should be to allow delta CRL enabled clients = to obtain accurate </FONT> <BR><FONT SIZE=3D2>information in the most efficient manner possible. = Forcing clients to </FONT> <BR><FONT SIZE=3D2>periodically download full CRLs, when this is not = necessary, is inefficient.</FONT> </P> <P><FONT SIZE=3D2> > From the definition of what a delta CRL = is, it is *not* possible to</FONT> <BR><FONT SIZE=3D2> >get rid of the fetching of base CRLs. = Unless we add a new sentence to</FONT> <BR><FONT SIZE=3D2> >expand/change that definition, base CRL = fetching will remain mandatory.</FONT> </P> <P><FONT SIZE=3D2>True. However, if one performs validations frequently = enough, it is </FONT> <BR><FONT SIZE=3D2>possible to obtain a single full CRL and then = subsequently download only </FONT> <BR><FONT SIZE=3D2>delta CRLs. We need to require that full CRL be = issued periodically so that </FONT> <BR><FONT SIZE=3D2>clients whose locally stored information is not = sufficiently up-to-date to </FONT> <BR><FONT SIZE=3D2>apply the delta CRLs being issued can obtain the = full CRLs that they need, </FONT> <BR><FONT SIZE=3D2>but we should not require clients to download full = CRLs when it is not </FONT> <BR><FONT SIZE=3D2>necessary for them to do so.</FONT> </P> <P><FONT SIZE=3D2> >Remember that the goal of delta CRLs is to = provide the freshest information,</FONT> <BR><FONT SIZE=3D2> >and to my knowledge the goal was not to = get rid of the fetching of base CRLs</FONT> <BR><FONT SIZE=3D2> >(which may less frequent due to the = support of delta CRLs).</FONT> </P> <P><FONT SIZE=3D2>Yes, but the goal should be to minimize the fetching = of full CRLs.</FONT> </P> <P><FONT SIZE=3D2> >If I understand correctly, Tim/David/Russ = would like to *always* achieve the</FONT> <BR><FONT SIZE=3D2> >following property : it is possible to = reconstruct the current CRL by using</FONT> <BR><FONT SIZE=3D2> >a base CRL from, e.g. 1990, i.e. by = capturing every delta CRL that has been</FONT> <BR><FONT SIZE=3D2> >issued at the same time a base CRL was = issued and which contains updates</FONT> <BR><FONT SIZE=3D2> >made to the *previous* base.</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >By this way the fetching of base CRLs = could be avoided. However, note that</FONT> <BR><FONT SIZE=3D2> >it is perfectly " legal " to = stop issuing base and delta CRLs during some</FONT> <BR><FONT SIZE=3D2> >period of time and to issue full CRLs = instead (see the difference between</FONT> <BR><FONT SIZE=3D2> >"full" and "base" at = the top of this e-mail). In other words there is no</FONT> <BR><FONT SIZE=3D2> >need to issue a new base CRL at the end of = the validity period of the</FONT> <BR><FONT SIZE=3D2> >previous base CRL. Doing this would = mandate to prescribe issuing rules</FONT> <BR><FONT SIZE=3D2> >for CAs that we have not = prescripted.</FONT> </P> <P><FONT SIZE=3D2>You are mixing apples and oranges. Obviously the = scheme of keeping </FONT> <BR><FONT SIZE=3D2>up-to-date by obtaining a base from 1990 and then = only downloading deltas </FONT> <BR><FONT SIZE=3D2>will only work so long as deltas continue to be = issued. If the CRL issuer </FONT> <BR><FONT SIZE=3D2>ceases to issue deltas, then the relying parties = will have to revert to </FONT> <BR><FONT SIZE=3D2>downloading full CRLs.</FONT> </P> <P><FONT SIZE=3D2> >I will now raise a series of questions, for = which I believe we have</FONT> <BR><FONT SIZE=3D2> >different answers. Tim/David/Russ do not = hesitate to correct</FONT> <BR><FONT SIZE=3D2> >if my guess is wrong. ;-)</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >Common point:</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >1) What will be the value of the = nextUpdate field from the last issued delta</FONT> <BR><FONT SIZE=3D2> >CRL for a given base CRL ?</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >Denis: the nextUpdate field from the last = issued delta CRL MUST be equal to</FONT> <BR><FONT SIZE=3D2> >the value of nextUpdate from the base = CRL.</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >Tim/David/Russ: ???</FONT> </P> <P><FONT SIZE=3D2>The nextUpdate field in a base CRL states when the = next full CRL will be </FONT> <BR><FONT SIZE=3D2>available. This is important for supporting clients = that do not handle </FONT> <BR><FONT SIZE=3D2>delta CRLs. The nextUpdate field in a delta CRL = states when the next CRL </FONT> <BR><FONT SIZE=3D2>(either a delta CRL or a full CRL) will be = available. As a general rule, if </FONT> <BR><FONT SIZE=3D2>the CA is continuing to issue deltas, the nextUpdate = in the delta will be </FONT> <BR><FONT SIZE=3D2>the time by which the next delta will be available. = If this is the last </FONT> <BR><FONT SIZE=3D2>delta that the CA is going to issue, then the = nextUpdate in the delta will </FONT> <BR><FONT SIZE=3D2>be the time by which the next full CRL will be = available. ("Available" </FONT> <BR><FONT SIZE=3D2>SHOULD reflect distribution delays associated with = the repository </FONT> <BR><FONT SIZE=3D2>architecture.)</FONT> </P> <P><FONT SIZE=3D2> >2) Does a CA needs to issue a delta CRL at = the time a full CRL is issued ?</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >Denis: No.</FONT> <BR><FONT SIZE=3D2> >Tim/David/Russ : ???</FONT> </P> <P><FONT SIZE=3D2>No. A CA never is required to issue deltas. However, = it would be helpful to </FONT> <BR><FONT SIZE=3D2>delta CRL enabled clients to allow them to construct = the full CRL.</FONT> </P> <P><FONT SIZE=3D2>If the full CRL contains a freshestCRL extension, = then it is a very good </FONT> <BR><FONT SIZE=3D2>idea to generate a delta CRL at the same time. In = this way, any client will </FONT> <BR><FONT SIZE=3D2>be able to find a current delta CRL.</FONT> </P> <P><FONT SIZE=3D2> >3) Does a CA needs to issue a new base CRL = at the end of the validity of a</FONT> <BR><FONT SIZE=3D2> >current base CRL ?</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >Denis: No.</FONT> <BR><FONT SIZE=3D2> >Tim/David/Russ : ???</FONT> </P> <P><FONT SIZE=3D2>No. HOWEVER, the CA must issue a new full CRL by the = nextUpdate in the </FONT> <BR><FONT SIZE=3D2>previously issued full CRL (whether that full CRL is = a base CRL or not). </FONT> <BR><FONT SIZE=3D2>There is no requirement that the next full CRL be a = base CRL. (The CA could </FONT> <BR><FONT SIZE=3D2>quit issuing deltas, etc. etc.)</FONT> </P> <P><FONT SIZE=3D2>Every base CRL MUST be a full CRL, but not every full = CRL is a base CRL. </FONT> <BR><FONT SIZE=3D2>But, a CA could make every full CRL a base CRL if = they wanted to.</FONT> </P> <P><FONT SIZE=3D2> >4) Does a CA needs to issue a delta CRL at = the same time a new base is</FONT> <BR><FONT SIZE=3D2> >issued ?</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >Denis: Yes. The delta CRL refers to the = *new* base.</FONT> <BR><FONT SIZE=3D2> >Tim/David/Russ : ???</FONT> </P> <P><FONT SIZE=3D2>No. HOWEVER, in practice we belive that CAs will do = so. The delta CRL needs </FONT> <BR><FONT SIZE=3D2>to exist so that clients can follow the freshest CRL = extension (either in a </FONT> <BR><FONT SIZE=3D2>certificate or a base CRL). The delta CRL that is = issued at the same time </FONT> <BR><FONT SIZE=3D2>SHOULD point to a previously issued full CRL (which = will then, by </FONT> <BR><FONT SIZE=3D2>definition be a base CRL) whenever possible. There = is no information to add </FONT> <BR><FONT SIZE=3D2>to the new base CRL! By providing the delta as an = update to a previous base </FONT> <BR><FONT SIZE=3D2>CRL, clients can download the delta CRL to construct = the new base CRL.</FONT> </P> <P><FONT SIZE=3D2> >The last point highlights the most = noticeable difference. Other differences</FONT> <BR><FONT SIZE=3D2> >appears when considering the guaranty to = get the freshest information :</FONT> <BR><FONT SIZE=3D2> >using the traditional scheme and the = thisUpdate and nextUpdate fields the</FONT> <BR><FONT SIZE=3D2> >guaranty to get the freshest information = is obtained, but cannot be obtained</FONT> <BR><FONT SIZE=3D2> >using the other scheme. :-(</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >Several people are referring to the X.509 = document for arguments to support</FONT> <BR><FONT SIZE=3D2> >that discussion. However, it is important = to remember that we are defining</FONT> <BR><FONT SIZE=3D2> >PKIX, not X.509, so we DO NOT need to copy = and paste everything from X.509,</FONT> <BR><FONT SIZE=3D2> >but only what we believe is = relevant.</FONT> </P> <P><FONT SIZE=3D2>PKIX is a profile of X.509. PKIX may impose = additional requirements beyond </FONT> <BR><FONT SIZE=3D2>those in X.509 or may exclude features that are = optional in X.509, but </FONT> <BR><FONT SIZE=3D2>otherwise PKIX must be consistent with X.509. In = that context, references </FONT> <BR><FONT SIZE=3D2>to X.509 are appropriate.</FONT> </P> <P><FONT SIZE=3D2> >We first need to clearly define the = processing rules applicable to the</FONT> <BR><FONT SIZE=3D2> >relying parties. These rules will = certainly contain SHALL/MUST statements,</FONT> <BR><FONT SIZE=3D2> >but may also include some MAY statements = which may even be conditional to</FONT> <BR><FONT SIZE=3D2> >what the CA is doing. (I let Tim/David or = Russ provide the MAY statement).</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >Here is a proposal for the MUST statement, = based on the previous text I</FONT> <BR><FONT SIZE=3D2> >produced:</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> > An application that is = wishing to take advantage of delta CRLs</FONT> <BR><FONT SIZE=3D2> > for a given scope, MUST = first find a base CRL for that scope,</FONT> <BR><FONT SIZE=3D2> > i.e. a full CRL that = that contains a freshestCRL extension</FONT> <BR><FONT SIZE=3D2> > (a.k.a. a Delta CRL = distribution point).</FONT> </P> <P><FONT SIZE=3D2>No. The relying party needs a full CRL (either one = that has been downloaded </FONT> <BR><FONT SIZE=3D2>from a repository or one that has been locally = generated) against which the </FONT> <BR><FONT SIZE=3D2>delta CRL of interest may be applied. There is no = requirement that the full </FONT> <BR><FONT SIZE=3D2>CRL be a base CRL.</FONT> </P> <P><FONT SIZE=3D2> > It may then = construct</FONT> <BR><FONT SIZE=3D2> > an updated CRL for that = base, for a specific time T, by combining</FONT> <BR><FONT SIZE=3D2> > it with a delta CRL = which contains a delta CRL indicator extension</FONT> <BR><FONT SIZE=3D2> > with the same CRL = number as the base CRL.</FONT> </P> <P><FONT SIZE=3D2>It may construct an updated CRL by combining the = delta CRL with any full </FONT> <BR><FONT SIZE=3D2>CRL whose CRL number is greater than or equal to the = CRL number of the </FONT> <BR><FONT SIZE=3D2>referenced base. By saying "equal" = instead of "greater than or equal" we </FONT> <BR><FONT SIZE=3D2>would be hiding useful information from = implementors. We should not be </FONT> <BR><FONT SIZE=3D2>hiding useful information.</FONT> </P> <P><FONT SIZE=3D2> > Applications that = support</FONT> <BR><FONT SIZE=3D2> > delta CRLs MUST ensure = that time T falls between thisUpdate and</FONT> <BR><FONT SIZE=3D2> > nextUpdate for both the = base CRL and the delta CRL.</FONT> </P> <P><FONT SIZE=3D2>As stated above, the nextUpdate field in a base CRL = specifies the time by </FONT> <BR><FONT SIZE=3D2>which new revocation information will be available = through full CRLs. A </FONT> <BR><FONT SIZE=3D2>delta CRL may be applied to a base CRL as long as = the CRL number in the </FONT> <BR><FONT SIZE=3D2>base CRL is greater than or equal to the CRL number = of the base CRL </FONT> <BR><FONT SIZE=3D2>referenced by the delta CRL. The nextUpdate time of = the base CRL is irrelevant.</FONT> </P> <P><FONT SIZE=3D2> > Note: An application = could also reconstruct an updated CRL, for</FONT> <BR><FONT SIZE=3D2> > a specific time T, by = using a previously locally reconstructed CRL</FONT> <BR><FONT SIZE=3D2> > based on the current = base CRL, and combining it with a delta CRL which</FONT> <BR><FONT SIZE=3D2> > contains a delta CRL = indicator extension with the same CRL number as</FONT> <BR><FONT SIZE=3D2> > the base CRL.</FONT> </P> <P><FONT SIZE=3D2>Same problem as above. Need to say = "greater than or equal to".</FONT> </P> <P><FONT SIZE=3D2> >We also need to clearly separate the = issuing rules applicable for the CAs.</FONT> <BR><FONT SIZE=3D2> >These rules will certainly contain SHALL = statements, but could also include</FONT> <BR><FONT SIZE=3D2> >some MAY statements. (I let Tim/David or = Russ provide the MAY statement).</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >Here is a proposal for the MUST statement, = based on the previous text I</FONT> <BR><FONT SIZE=3D2> >produced:</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> > A CA that supports = delta-CRLs, MUST issue a base CRL,</FONT> </P> <P><FONT SIZE=3D2>This is an unnecessary statement. A delta CRL must = include a BaseCRLNumber. </FONT> <BR><FONT SIZE=3D2>The CRL specified by that BaseCRLNumber is by = definition a base CRL. Of </FONT> <BR><FONT SIZE=3D2>course, the referenced base CRL MUST be a full = CRL.</FONT> </P> <P><FONT SIZE=3D2> > i.e. a full</FONT> <BR><FONT SIZE=3D2> > CRL that contains a = freshestCRL extension (a.k.a. a Delta CRL</FONT> <BR><FONT SIZE=3D2> > distribution = point).</FONT> </P> <P><FONT SIZE=3D2>While it might be a good idea to mandate the = inclusion of the frestestCRL </FONT> <BR><FONT SIZE=3D2>extension in full CRLs that are issued for scopes in = which delta CRLs are </FONT> <BR><FONT SIZE=3D2>also being issued, there is currently no such = requirement in the draft PKIX </FONT> <BR><FONT SIZE=3D2>profile.</FONT> </P> <P><FONT SIZE=3D2> > For any time T until the = nextUpdate time</FONT> <BR><FONT SIZE=3D2> > indicated in a base = CRL, the CA MUST provide one and only one</FONT> <BR><FONT SIZE=3D2> > delta CRL that refers = to that base CRL and for which time T</FONT> <BR><FONT SIZE=3D2> > falls between = thisUpdate and nextUpdate from the delta CRL.</FONT> </P> <P><FONT SIZE=3D2>This sentence has several problems:</FONT> </P> <P><FONT SIZE=3D2>1) The nextUpdate time of a base CRL is the time when = the next full CRL </FONT> <BR><FONT SIZE=3D2>will be available, which may precede the time that = the next base CRL will </FONT> <BR><FONT SIZE=3D2>be issued.</FONT> </P> <P><FONT SIZE=3D2>2) There is no requirement that a delta CRL use the = most recently issued </FONT> <BR><FONT SIZE=3D2>base CRL as its base. I suppose that we could = add this requirement for the </FONT> <BR><FONT SIZE=3D2>PKIX profile, but why? Does it really simplify = the client? Or, does it </FONT> <BR><FONT SIZE=3D2>just make it a wee bit harder to make a conforming = CA that supports delta CRLs?</FONT> </P> <P><FONT SIZE=3D2>3) If the thisUpdate time of one delta CRL must equal = the nextUpdate time </FONT> <BR><FONT SIZE=3D2>of the previously issued delta CRL, then no time can = be allotted to account </FONT> <BR><FONT SIZE=3D2>for propagation delays between when a delta-CRL is = issued and when it is </FONT> <BR><FONT SIZE=3D2>available in repositories for relying parties to = obtain. Thus, there would </FONT> <BR><FONT SIZE=3D2>be gaps between when the nextUpdate time of one = delta-CRL was reached and </FONT> <BR><FONT SIZE=3D2>when the next delta-CRL was available.</FONT> </P> <P><FONT SIZE=3D2>4) There is nothing in either X.509 or the PKIX = profile that prevents a CA </FONT> <BR><FONT SIZE=3D2>from issuing an unscheduled (or = "emergency") delta CRL. And, there should </FONT> <BR><FONT SIZE=3D2>not be! Many CAs intend to issue a new CRL = (delta or otherwise) </FONT> <BR><FONT SIZE=3D2>immediately upon the revocation of a certificate due = to key compromise. </FONT> <BR><FONT SIZE=3D2>When such an "emergency" delta CRL is = issued, there will be two delta CRLs </FONT> <BR><FONT SIZE=3D2>for which T falls between thisUpdate and nextUpdate. = While it is true that </FONT> <BR><FONT SIZE=3D2>there is no guarantee that relying parties will = obtain the fresher of these </FONT> <BR><FONT SIZE=3D2>two delta CRLs, that is no reason to prevent the CA = from issuing the </FONT> <BR><FONT SIZE=3D2>"emergency" delta. Some clients will = obtain the emergency CRL.</FONT> </P> <P><FONT SIZE=3D2> >In his e-mail from Wednesday, May 9, David = said that delta-CRL processing</FONT> <BR><FONT SIZE=3D2> >rules could be base on time instead of CRL = numbers. This is a point of which</FONT> <BR><FONT SIZE=3D2> >I strongly agree. Let us do it!</FONT> <BR><FONT SIZE=3D2> ></FONT> <BR><FONT SIZE=3D2> >(However, there is no need to add to PKIX, = as he suggested, the support of</FONT> <BR><FONT SIZE=3D2> >the baseUpdateTime extension from X.509 = which would even more complicate the</FONT> <BR><FONT SIZE=3D2> >problem.)</FONT> </P> <P><FONT SIZE=3D2>No. In order to base delta CRL processing on time, = the baseUpdateTime </FONT> <BR><FONT SIZE=3D2>extension must be present in the delta CRL. = Furthermore, the presence of </FONT> <BR><FONT SIZE=3D2>this extension would not complicate the problem. = baseUpdateTime is a </FONT> <BR><FONT SIZE=3D2>non-critical extension that merely provides useful = information. If you </FONT> <BR><FONT SIZE=3D2>don't think that the information provided by = baseUpdateTime is useful, </FONT> <BR><FONT SIZE=3D2>ignore it. Since the extension is non-critical and = can be ignored, its </FONT> <BR><FONT SIZE=3D2>presence can not complicate the problem.</FONT> </P> <P><FONT SIZE=3D2>At 09:05 AM 5/10/2001 -0400, Housley, Russ = wrote:</FONT> <BR><FONT SIZE=3D2>>Denis:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>>There is difference between a base CRL and a = full CRL</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>You are quite right. I, for one, will try = to be more careful about the </FONT> <BR><FONT SIZE=3D2>>use of them.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>>Due to the fact that CRLs numbers are = strictly increasing, two CRLs whether</FONT> <BR><FONT SIZE=3D2>>>they are a base CRL or delta CRL, CANNOT = have the same CRL number.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>I disagree. A full CRL (that may be a base = CRL for subsequent delta CRLs) </FONT> <BR><FONT SIZE=3D2>>and a delta CRL issued at the same time as that = full CRL may actually </FONT> <BR><FONT SIZE=3D2>>represent the same revocation information. = In this case, they are the </FONT> <BR><FONT SIZE=3D2>>same CRL, and they should have the same = number. There have been several </FONT> <BR><FONT SIZE=3D2>>tables posted that illustrate this numbering = scheme, and I do not see any </FONT> <BR><FONT SIZE=3D2>>text in X.509-200 that indicates this scheme = is</FONT> <BR><FONT SIZE=3D2>[snip - truncate - the message is too long = anyway]</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D9A2.AC5D2A10-- Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA01604 for <ietf-pkix@imc.org>; Thu, 10 May 2001 14:12:54 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id RAA23893 for <ietf-pkix@imc.org>; Thu, 10 May 2001 17:12:54 -0400 (EDT) Message-Id: <4.2.2.20010510170851.00b1ebc0@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 10 May 2001 17:12:16 -0400 To: ietf-pkix@imc.org From: Tim Polk <tim.polk@nist.gov> (by way of "David A. Cooper" <david.cooper@nist.gov>) Subject: Fwd: Strawman on Delta CRLs Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=====================_32329696==_" --=====================_32329696==_ Content-Type: text/plain; charset="us-ascii" Folks, David Cooper, Russ Housley and I have collaborated on a "strawman" describing the use of delta CRLs in PKIX implementations. We believe the functionality we describe is consistent with ISO X.509 as well. The text describes algorithms for using deltas and base CRLs to (a) check the status of a certificate or (b) create a constructed CRL. This is followed by three scenarios for the use of deltas - "traditional deltas", "sliding window deltas", and a variant on sliding window deltas that factors in the real world delays in populating repositories with base and delta CRLs. I have appended the strawman below in ASCII text. The text includes tables for the examples. Please note, these tables *require* a fixed font to be legible. I have also attached a copy of the document in Word, for those that would prefer that format. The Word version may be easier to read. Hopefully, this strawman will serve to frame further discussions and accelerate consensus. Once we agree on the requirements, Russ and I will draft the necessary changes and we can finish Last Call. (I am nothing if not an optimist.) We would also like to add the examples as an *informative* appendix in son-of-2459. Thanks, Tim Polk --------------------------------strawman--------------------------- Implementing Delta CRLs Using PKIX This paper addresses the use of delta CRLs in PKIX-compliant systems. This paper assumes that delta CRLs include the delta CRL indicator extension (rather than a CRL scope extension) and ignores complications involving combined delta CRLs from indirect CRL issuers. This paper also assumes that CRLs with different scopes are distributed using different distribution points. Terms Revoked: A statement that a particular certificate's status has changed and it should no longer be trusted. Once a certificate is revoked, it is always revoked. Suspension: A statement that a particular certificate may not be trustworthy. Once placed on hold, a certificate may be revoked or the suspension may be lifted. Revocation notice: A statement that a particular certificate has been suspended or revoked. The revocation statement identifies the certificate by the issuer name and serial number. The issuer may be specified explicitly or implicitly. The issuer may be explicitly identified using the certificate issuer extension. If not specified explicitly, the issuer of the certificate is implicitly identified as the issuer of the CRL. A revocation notice includes the date and time the certificate was revoked. A revocation notice may optionally include a revocation reason in the reason code CRL entry extension. [Note: A revocation notice may optionally specify in the invalidity date extension the date from which the certificate should be considered invalid. This date may precede the actual revocation date. The invalidity date extension does not feature in this discussion, so it is not considered further in this paper.] Certificate revocation list (CRL): a list of revocation notices for certificates. CRL scope: the set of certificates that could appear on a given CRL. For example, the scope may be "all certificates issued by CA X", "all CA and end entity certificates issued by CA X", "all certificates issued by CA X that have been revoked for key compromise and CA compromise", or may be a set of certificates based on local information, such as "all certificates issued to the NIST employees located in Boulder". Full CRL: a CRL that lists all unexpired certificates, in its scope, that have been revoked for one of the revocation reasons covered by the scope of the CRL. The scope of a full CRL does not necessarily include all of the certificates issued by a CA or all possible revocation reasons. Base CRL: the particular CRL used as the foundation for a delta CRL. The base must be a full CRL. Delta CRL: a CRL that only lists those unexpired certificates, in its scope, whose revocation status has changed since the issuance of a particular, referenced base CRL. The scope of a delta CRL is must be the same as the base CRL that it references CRL Numbering A CRL issuer may generate full CRLs for more than one scope. The CRL issuer may also generate delta CRLs. Each delta CRLs must have the same scope as the full CRL referenced as its base. For each scope supported by the CRL issuer, a numbering sequence must be maintained. For each scope, the CRLs are numbered in a monotonically increasing sequence. (Wrapping is not permitted in the PKIX profile.) If a CRL issuer generates CRLs for one scope (e.g., full CRLs and deltas CRLs), the issuer must maintain one numbering sequence. If a delta CRL and a full CRL that cover the same scope are issued at the same time, they will have the same CRL number. If a CRL issuer generates CRLs for two scopes (e.g., one covering CA certificates and one covering end entity certificates), then the CRL issuer must maintain two number sequences. The CRLs and deltas for the same scope (e.g., CA certificates) will share one numbering sequence. The CRLs and deltas for the second scope (e.g., end entity certificates) will share one numbering sequence. There is no requirement that these sequences be disjoint. Algorithms for Determining Status from a Full CRL and a Delta CRL Consider a full CRL, F, with CRL number X. A client may obtain BF in either of the following ways: (a) the full CRL F may have been pushed to the client or pulled from a repository; or (b) F may have been constructed from a full CRL and a delta CRL using this algorithm. Consider a delta CRL, D, which specifies base CRL Y and has CRL number Z. This means that all certificates whose statuses have changed since the issuance of CRL Y will be listed on the delta CRL. Note that the PKIX profile requires the CA to issue CRL Y as a full CRL. Determining Whether a Full CRL and Delta CRL May Be Combined F and D may be combined if each of the following conditions are met: (1) X is greater than or equal to Y. That is, the full CRL must (at a minimum) contain all the revocation information held by the referenced base CRL. (2) X is less than Z. That is, the delta CRL must cover some time that was not covered by the full CRL. Determining Status of a Certificate from a Full CRL and a Delta CRL If the PKI client maintains the delta and full CRL, the status of an unexpired certificate C may be determined as follows: (1) If C is listed on the delta CRL, then: a. If C is listed on the delta CRL with reason code "removeFromCRL", then C is not revoked. b. Otherwise, certificate C is revoked. (2) If C was not listed on the delta CRL, then the full CRL is checked, and the status is as follows: a. If C is listed on the full CRL, then C is revoked. b. If C is not listed on the full CRL, then C is not revoked. Combining a Full CRL and Delta CRL into a Constructed CRL If the PKI client maintains the current CRL in a local cache: The revocation information on F is assumed as the initial condition. F is a list of revoked certificates; each certificate is listed with a revocation reason (which may be "unspecified"). The list of revoked certificates L with n entries denoted as L[i] where 1 <= i <= n. (The value n may shrink or grow as the combination process proceeds.) Initialize L to the revocation notices on F. For each certificate C on the delta CRL, update the contents of L as follows. If a certificate C appears on the delta CRL, and C is not currently in the list L, then: (a) if C has a revocation reason other than "removeFromCRL", add C as a new entry in the list of revoked certificates L. (b) If C has revocation reason "removeFromCRL", skip this certificate. No update to the cache is needed. If a certificate C appears on the delta CRL, and C is presently listed in L as entry L[i], then: (a) If C is listed on the delta CRL with a revocation reason of "removeFromCRL", delete entry L[i] (b) If C is listed on the delta CRL without a revocation reason or with a revocation reason other than "removeFromCRL", change the reason code associated with L[i] to the reason code specified in the delta CRL. The combination of F and D forms a new full CRL with CRL number Z. This full CRL has complete information until the time specified in the next update field in the delta CRL is reached. If a relying party is validating a certificate with respect to time T, and T is before the next update field in the delta CRL, they may assume complete information. If an unexpired certificate C within the scope of the constructed CRL is not listed, then certificate C is not revoked for one of the revocation reasons covered by this CRL. If the constructed CRL covers all reasons, then the certificate C is not revoked. Using Deltas to Distribute Revocation Information This section provides three different scenarios for the use of delta CRLs. For the purpose of these examples, assume a goal of providing revocation information to relying parties that is no more than one hour old. The following notation is used to denote a revoked certificate on a CRL: Xr certificate X is listed for reason r, where r in {a,k,h,r} The reason codes {a,k,h,r} correspond to "affiliation changed", "key compromise", "certificate hold", and "remove from CRL" respectively. (Note: The remaining reason codes are omitted for simplicity. The handling of certificates revoked for the reasons "unspecified", "CA compromise", "superseded", and "cessationOfOperation" are identical to "affiliation changed or "key compromise"). Example #1 The example below shows the "traditional" method of issuing delta CRLs. In this example, full CRLs are issued once every 3 hours and deltas are issued once an hour. For consistency, the issuer begins issuing deltas at the same time as the very first full CRL. After that, however, a delta can always use a previously issued full CRL as its base. Notice that starting with cRLNumber 4, the delta CRL issued at the same time as a full CRL uses the previously issued full CRL as its base. However, the delta-CRLs never provide more than 3 hours of history. In this example: Certificate 14 was revoked for key compromise before 12:00 when the first CRL was issued. Certificate 124 was revoked for key compromise between 12:00 and 13:00. Certificate 39 was placed on hold between 14:00 and 15:00, and its suspension was lifted between 16:00 and 17:00. Certificate 67 was revoked for an affiliation change between 16:00 and 17:00. The reason was changed to key compromise between 18:00 and 19:00. current | Revoked | Full CRL | Delta-CRL time | certificates | | ---------|--------------|--------------------------|---------------------- 12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 | | thisUpdate = 12:00 | thisUpdate = 12:00 | | nextUpdate = 15:00 | nextUpdate = 13:00 | | CertificateList = {14k} | BaseCRLNumber = 1 | | | CertificateList = {} ---------|--------------|--------------------------|---------------------- 13:00 | {14k, 124k} | | cRLNumber = 2 | | | thisUpdate = 13:00 | | | nextUpdate = 14:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 14:00 | {14k, 124k} | | cRLNumber = 3 | | | thisUpdate = 14:00 | | | nextUpdate = 15:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 15:00 | {14k, 124k, | cRLNumber = 4 | cRLNumber = 4 | 39h} | thisUpdate = 15:00 | thisUpdate = 15:00 | | nextUpdate = 18:00 | nextUpdate = 16:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 39h} | CertificateList = | | | {124k, 39h} ---------|--------------|--------------------------|---------------------- 16:00 | {14k, 124k, | | cRLNumber = 5 | 39h, 67a} | | thisUpdate = 16:00 | | | nextUpdate = 17:00 | | | BaseCRLNumber = 4 | | | CertificateList = {67a} | | | ---------|--------------|--------------------------|---------------------- 17:00 | {14k, 124k, | | cRLNumber = 6 | 67a} | | thisUpdate = 17:00 | | | nextUpdate = 18:00 | | | BaseCRLNumber = 4 | | | CertificateList = | | | {39r, 67a} ---------|--------------|--------------------------|---------------------- 18:00 | {14k, 124k, | cRLNumber = 7 | cRLNumber = 7 | 67a} | thisUpdate = 18:00 | thisUpdate = 18:00 | | nextUpdate = 21:00 | nextUpdate = 19:00 | | CertificateList = | BaseCRLNumber = 4 | | {14k, 124k, 67a} | CertificateList = | | | {39r, 67a} ---------|--------------|--------------------------|---------------------- 19:00 | {14k, 124k, | | cRLNumber = 8 | 67k} | | thisUpdate = 19:00 | | | nextUpdate = 20:00 | | | BaseCRLNumber = 7 | | | CertificateList = {67k} ---------|--------------|--------------------------|---------------------- Scenario #2 The example below shows the "sliding window" method of issuing delta-CRLs. In this example, full CRLs are issued once every 3 hours and deltas are issued once an hour. For consistency, the issuer begins issuing deltas at the same time as the very first full CRL. Notice that starting with cRLNumber 7, the delta CRL issued at the same time as a full CRL does not use the previously issued full CRL as its base but the preceding CRL instead. However, these delta-CRLs never provide more than 6 hours of history. As in example #1: Certificate 14 was revoked for key compromise before 12:00 when the first CRL was issued. Certificate 124 was revoked for key compromise between 12:00 and 13:00. Certificate 39 was placed on hold between 14:00 and 15:00, and its suspension was lifted between 16:00 and 17:00. Certificate 67 was revoked for an affiliation change between 16:00 and 17:00. The reason was changed to key compromise between 18:00 and 19:00. current | Revoked | Full CRL | Delta-CRL time | certificates | | ---------|--------------|--------------------------|---------------------- 12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 | | thisUpdate = 12:00 | thisUpdate = 12:00 | | nextUpdate = 15:00 | nextUpdate = 13:00 | | CertificateList = {14k} | BaseCRLNumber = 1 | | | CertificateList = {} ---------|--------------|--------------------------|---------------------- 13:00 | {14k, 124k} | | cRLNumber = 2 | | | thisUpdate = 13:00 | | | nextUpdate = 14:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 14:00 | {14k, 124k} | | cRLNumber = 3 | | | thisUpdate = 14:00 | | | nextUpdate = 15:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 15:00 | {14k, 124k, | cRLNumber = 4 | cRLNumber = 4 | 39h} | thisUpdate = 15:00 | thisUpdate = 15:00 | | nextUpdate = 18:00 | nextUpdate = 16:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 39h} | CertificateList = | | | {124k, 39h} ---------|--------------|--------------------------|---------------------- 16:00 | {14k, 124k, | | cRLNumber = 5 | 39h, 67a} | | thisUpdate = 16:00 | | | nextUpdate = 17:00 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39h, 67a} ---------|--------------|--------------------------|---------------------- 17:00 | {14k, 124k, | | cRLNumber = 6 | 67a} | | thisUpdate = 17:00 | | | nextUpdate = 18:00 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39h, 67a} ---------|--------------|--------------------------|---------------------- 18:00 | {14k, 124k, | cRLNumber = 7 | cRLNumber = 7 | 67a} | thisUpdate = 18:00 | thisUpdate = 18:00 | | nextUpdate = 21:00 | nextUpdate = 19:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 67a} | CertificateList = | | | {124k, 39r, 67a} ---------|--------------|--------------------------|---------------------- 19:00 | {14k, 124k, | | cRLNumber = 8 | 67k} | | thisUpdate = 19:00 | | | nextUpdate = 20:00 | | | BaseCRLNumber = 7 | | | CertificateList = | | | {39r, 67k ---------|--------------|--------------------------|---------------------- Note that the delta CRLs are marginally larger than in the first scenario since they cover a longer time period. On the other hand, a relying party is less likely to download full CRLs in the second scenario. For example, a relying party that validated one certificate at 12:15, then a second certificate at 16:15 would not require a new full CRL in scenario #2. In scenario #1, the relying party would be forced to obtain both full CRL 4 and delta CRL 5. Scenario #3 Allowing for Replication/Propagation Delays In this scenario, full CRLs and delta CRLs are replicated throughout a repository system. Data is replicated through the system at different rates based on the size of the file. The CA operators estimate that full CRLs will be available throughout the system within three hours. Delta CRLs will be available within 15 minutes. (Assume the initial CRL is small and will propagate as if a delta CRL to resolve the bootstrap issues.) The example below uses the "sliding window" method of issuing delta-CRLs, but overlaps the thisUpdate and nextUpdate times to allow for propagation. In this example, full CRLs are issued once every 3 hours and deltas are issued every 45 minutes. For consistency, the issuer begins issuing deltas at the same time as the very first full CRL. Notice that starting with cRLNumber 7, the delta CRL issued at the same time as a full CRL does not use the previously issued full CRL as its base but the preceding CRL instead. As in example #2, these delta-CRLs never provide more than 6 hours of history. Similary to examples #1 and #2: Certificate 14 was revoked for key compromise before 12:00 when the first CRL was issued. Certificate 124 was revoked for key compromise between 12:00 and 12:45. Certificate 39 was placed on hold between 14:15 and 15:00, and its suspension was lifted between 16:00 and 17:00. Certificate 67 was revoked for an affiliation change between 15:45 and 16:30. The reason was changed to key compromise between 18:00 and 18:45. current | Revoked | Full CRL | Delta-CRL time | certificates | | ---------|--------------|--------------------------|---------------------- 12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 | | thisUpdate = 12:00 | thisUpdate = 12:00 | | nextUpdate = 18:00 | nextUpdate = 13:00 | | CertificateList = {14k} | BaseCRLNumber = 1 | | | CertificateList = {} ---------|--------------|--------------------------|---------------------- 12:45 | {14k, 124k} | | cRLNumber = 2 | | | thisUpdate = 12:45 | | | nextUpdate = 13:45 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 13:30 | {14k, 124k} | | cRLNumber = 3 | | | thisUpdate = 13:30 | | | nextUpdate = 14:30 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 14:15 | {14k, 124k} | | cRLNumber = 4 | | | thisUpdate = 14:15 | | | nextUpdate = 15:15 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 15:00 | {14k, 124k, | cRLNumber = 5 | cRLNumber = 5 | 39h} | thisUpdate = 15:00 | thisUpdate = 15:00 | | nextUpdate = 21:00 | nextUpdate = 16:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 39h} | CertificateList = | | | {124k, 39h} ---------|--------------|--------------------------|---------------------- 15:45 | {14k, 124k, | | cRLNumber = 6 | 39h, 67a} | | thisUpdate = 15:45 | | | nextUpdate = 16:45 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39h, 67a} ---------|--------------|--------------------------|---------------------- 16:30 | {14k, 124k, | | cRLNumber = 7 | 67a} | | thisUpdate = 16:30 | | | nextUpdate = 17:30 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39r, 67a} ---------|--------------|--------------------------|---------------------- 17:15 | {14k, 124k, | | cRLNumber = 8 | 67a} | | thisUpdate = 17:15 | | | nextUpdate = 18:15 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39r, 67a} ---------|--------------|--------------------------|---------------------- 18:00 | {14k, 124k, | cRLNumber = 9 | cRLNumber = 9 | 67a} | thisUpdate = 18:00 | thisUpdate = 18:00 | | nextUpdate = 24:00 | nextUpdate = 19:00 | | CertificateList = | BaseCRLNumber = 5 | | {14k, 124k, 67a} | CertificateList = | | | {39r, 67a} ---------|--------------|--------------------------|---------------------- 18:45 | {14k, 124k, | | cRLNumber = 10 | 67k} | | thisUpdate = 18:45 | | | nextUpdate = 19:45 | | | BaseCRLNumber = 5 | | | CertificateList = | | | {39r, 67k} ---------|--------------|--------------------------|---------------------- Delta CRL number 6 is issued at 15:45. By 16:00, delta CRL number 6 should be available throughout the system. As a result, delta CRL number 5 specified 16:00 as its nextUpdate time. However, full CRL number 5 was issued at 15:00 and may not be available throughout the system until 18:00. As a result, full CRL number 1 specified 18:00 as its nextUpdate time. In addition, delta CRL number 6 must be based on full CRL number 1 which was issued at 12:00. If the relying party finds full CRL number 5 in the repository, they may still apply delta CRL number 6 and achieve the correct answer. Finally, note that a CRL issuer must generate more CRLs to achieve the goal of status information that is no more than one hour old when factoring in the propagation delays. --=====================_32329696==_ Content-Type: application/msword; name="PKIX deltas.doc" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="PKIX deltas.doc" 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAnAAAAAAAAAAA EAAAngAAAAEAAAD+////AAAAAJoAAACbAAAA//////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////s pcEATSAJBAAA8BK/AAAAAAAAEAAAAAAABAAAXmMAAA4AYmpiauI94j0AAAAAAAAAAAAAAAAAAAAA AAAJBBYAIsoAAIBXAACAVwAA8F0AAG0BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//w8AAAAA AAAAAAD//w8AAAAAAAAAAAD//w8AAAAAAAAAAAAAAAAAAAAAAGwAAAAAAAgCAAAAAAAACAIAAAgC AAAKAAAAEgIAAAwAAAAeAgAAAAAAAB4CAAAAAAAAHgIAABQAAAAAAAAAAAAAADICAAAAAAAAHiAA AAAAAAAeIAAAAAAAAB4gAAAAAAAAHiAAAIwAAACqIAAADAEAADICAAAAAAAAy0IAAPYAAADCIQAA AAAAAMIhAAAAAAAAwiEAAAAAAADCIQAAAAAAAMIhAAAAAAAAwiEAAAAAAADCIQAAAAAAAMIhAAAA AAAAqkEAAAIAAACsQQAAAAAAAKxBAAAAAAAArEEAAAAAAACsQQAAAAAAAKxBAAAAAAAArEEAACQA AADBQwAAIAIAAOFFAADIAAAA0EEAABUAAAAAAAAAAAAAAAAAAAAAAAAAHgIAAAAAAADCIQAAAAAA AAAAAAAAAAAAAAAAAAAAAADCIQAAAAAAAMIhAAAAAAAAwiEAAAAAAADCIQAAAAAAANBBAAAAAAAA Ci0AAAAAAAAeAgAAAAAAAB4CAAAAAAAAwiEAAAAAAAAAAAAAAAAAAMIhAAAAAAAA5UEAAIYAAAAK LQAAAAAAAAotAAAAAAAACi0AAAAAAADCIQAATAkAAB4CAAAAAAAAwiEAAAAAAAAeAgAAAAAAAMIh AAAAAAAAqkEAAAAAAAAAAAAAAAAAAAotAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAwiEAAAAAAACqQQAAAAAAAAotAACmBgAACi0AAAAAAACwMwAA cgAAAF48AABUAAAAHgIAAAAAAAAeAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAzjwAAAAAAADCIQAAAAAAALYhAAAMAAAAoKEqD3/Z wAEyAgAA7B0AAB4gAAAAAAAADisAAPwBAACyPAAADgAAAAAAAAAAAAAAzjwAANwEAABrQgAAYAAA AMtCAAAAAAAAwDwAAA4AAACpRgAAAAAAAAotAAAAAAAAqUYAAAAAAADOPAAAAAAAAAotAAAAAAAA MgIAAAAAAAAyAgAAAAAAAB4CAAAAAAAAHgIAAAAAAAAeAgAAAAAAAB4CAAAAAAAAAgDZAAAAIERl bHRhIENSTHMNDVRoaXMgcGFwZXIgYWRkcmVzc2VzIHRoZSB1c2Ugb2YgZGVsdGEgQ1JMcyBpbiBQ S0lYLWNvbXBsaWFudCBzeXN0ZW1zLiAgVGhpcyBwYXBlciBhc3N1bWVzIHRoYXQgZGVsdGEgQ1JM cyBpbmNsdWRlIHRoZSBkZWx0YSBDUkwgaW5kaWNhdG9yIGV4dGVuc2lvbiAocmF0aGVyIHRoYW4g YSBDUkwgc2NvcGUgZXh0ZW5zaW9uKSBhbmQgaWdub3JlcyBjb21wbGljYXRpb25zIGludm9sdmlu ZyBjb21iaW5lZCBkZWx0YSBDUmxzIENSTHMgZnJvbSBpbmRpcmVjdCBDUkwgaXNzdWVycy4NDVRo aXMgcGFwZXIgYWxzbyBhc3N1bWVzIHRoYXQgQ1JMcyB3aXRoIGRpZmZlcmVudCBzY29wZXMgYXJl IGRpc3RyaWJ1dGVkIHVzaW5nIGRpZmZlcmVudCBkaXN0cmlidXRpb24gcG9pbnRzLg0NVGVybXMN DVJldm9rZWQ6IEEgc3RhdGVtZW50IHRoYXQgYSBwYXJ0aWN1bGFyIGNlcnRpZmljYXRlknMgc3Rh dHVzIGhhcyBjaGFuZ2VkIGFuZCBpdCBzaG91bGQgbm8gbG9uZ2VyIGJlIHRydXN0ZWQuICBPbmNl IGEgY2VydGlmaWNhdGUgaXMgcmV2b2tlZCwgaXQgaXMgYWx3YXlzIHJldm9rZWQuDQ1TdXNwZW5z aW9uOiBBIHN0YXRlbWVudCB0aGF0IGEgcGFydGljdWxhciBjZXJ0aWZpY2F0ZSBtYXkgbm90IGJl IHRydXN0d29ydGh5LiAgT25jZSBwbGFjZWQgb24gaG9sZCwgYSBjZXJ0aWZpY2F0ZSBtYXkgYmUg cmV2b2tlZCBvciB0aGUgc3VzcGVuc2lvbiBtYXkgYmUgbGlmdGVkLg0NUmV2b2NhdGlvbiBub3Rp Y2U6IEEgc3RhdGVtZW50IHRoYXQgYSBwYXJ0aWN1bGFyIGNlcnRpZmljYXRlIGhhcyBiZWVuIHN1 c3BlbmRlZCBvciByZXZva2VkLiAgVGhlIHJldm9jYXRpb24gc3RhdGVtZW50IGlkZW50aWZpZXMg dGhlIGNlcnRpZmljYXRlIGJ5IHRoZSBpc3N1ZXIgbmFtZSBhbmQgc2VyaWFsIG51bWJlci4gIFRo ZSBpc3N1ZXIgbWF5IGJlIHNwZWNpZmllZCBleHBsaWNpdGx5IG9yIGltcGxpY2l0bHkuICBUaGUg aXNzdWVyIG1heSBiZSBleHBsaWNpdGx5IGlkZW50aWZpZWQgdXNpbmcgdGhlIGNlcnRpZmljYXRl IGlzc3VlciBleHRlbnNpb24uIElmIG5vdCBzcGVjaWZpZWQgZXhwbGljaXRseSwgdGhlIGlzc3Vl ciBvZiB0aGUgY2VydGlmaWNhdGUgaXMgaW1wbGljaXRseSBpZGVudGlmaWVkIGFzIHRoZSBpc3N1 ZXIgb2YgdGhlIENSTC4gQSByZXZvY2F0aW9uIG5vdGljZSBpbmNsdWRlcyB0aGUgZGF0ZSBhbmQg dGltZSB0aGUgY2VydGlmaWNhdGUgd2FzIHJldm9rZWQuICBBIHJldm9jYXRpb24gbm90aWNlIG1h eSBvcHRpb25hbGx5IGluY2x1ZGUgYSByZXZvY2F0aW9uIHJlYXNvbiBpbiB0aGUgcmVhc29uIGNv ZGUgQ1JMIGVudHJ5IGV4dGVuc2lvbi4CDQ1DZXJ0aWZpY2F0ZSByZXZvY2F0aW9uIGxpc3QgKENS TCk6ICBhIGxpc3Qgb2YgcmV2b2NhdGlvbiBub3RpY2VzIGZvciBjZXJ0aWZpY2F0ZXMuDQ1DUkwg c2NvcGU6IHRoZSBzZXQgb2YgY2VydGlmaWNhdGVzIHRoYXQgY291bGQgYXBwZWFyIG9uIGEgZ2l2 ZW4gQ1JMLiAgRm9yIGV4YW1wbGUsIHRUaGUgc2NvcGUgbWF5IGJlIJNhbGwgY2VydGlmaWNhdGVz IGlzc3VlZCBieSBDQSBYlCwgk2FsbCBbQ0EgYW5kfCBlbmQgZW50aXR5XSBjZXJ0aWZpY2F0ZXMg aXNzdWVkIGJ5IENBIFiULCCTYWxsIGNlcnRpZmljYXRlcyBpc3N1ZWQgYnkgQ0EgWCB0aGF0IGhh dmUgYmVlbiByZXZva2VkIGZvciBba2V5IGNvbXByb21pc2UgfCBldGMuXWFuZCBDQSBjb21wcm9t aXNllCwgb3IgbWF5IGJlIGEgc2V0IG9mIGNlcnRpZmljYXRlcyBiYXNlZCBvbiBsb2NhbCBpbmZv cm1hdGlvbiwgc3VjaCBhcyCTYWxsIGNlcnRpZmljYXRlcyBpc3N1ZWQgdG8gdGhlIE5JU1QgZW1w bG95ZWVzIGxvY2F0ZWQgaW4gQm91bGRlcpQuDQ1GdWxsIENSTDogYSBDUkwgdGhhdCBsaXN0cyBh bGwgdW4tZXhwaXJlZHVuZXhwaXJlZCBjZXJ0aWZpY2F0ZXMsIGluIGl0cyBzY29wZSwgdGhhdCBo YXZlIGJlZW4gcmV2b2tlZCBmb3Igb25lIG9mIHRoZSByZXZvY2F0aW9uIHJlYXNvbnMgY292ZXJl ZCBieSB0aGUgc2NvcGUgb2YgdGhlIENSTC4gIFRoZSBzY29wZSBvZiBhIGZ1bGwgQ1JMIGRvZXMg bm90IG5lY2Vzc2FyaWx5IGluY2x1ZGUgYWxsIG9mIHRoZSBjZXJ0aWZpY2F0ZXMgaXNzdWVkIGJ5 IGEgQ0Egb3IgYWxsIHBvc3NpYmxlIHJldm9jYXRpb24gcmVhc29ucy4gIHRoZSBzY29wZSBvZiBh IGZ1bGwgQ1JMIGlzIHNldCBvZiB1bi1leHBpcmVkIGNlcnRpZmljYXRlcyB3aG9zZSBjdXJyZW50 IHN0YXR1cyBpcyBub3QgZnVsbHkgdHJ1c3RlZC4gIFRoZSBmdWxsIENSTCBtYXkgY292ZXIgYWxs IGNlcnRpZmljYXRlcyBpc3N1ZWQgYnkgYSBDQSwgb3IgYSBzdWJzZXQgdGhvc2UgY2VydGlmaWNh dGVzIChlLmcuLCBhIENSTCBzZWdtZW50KSBiYXNlZCBvbiBjZXJ0aWZpY2F0ZSBzdWJqZWN0IHR5 cGUsIHJldm9jYXRpb24gcmVhc29ucywgb3Igb3RoZXIgbG9jYWwgcmVhc29ucyAoZS5nLiwgk2Fs bCBjZXJ0aWZpY2F0ZXMgaXNzdWVkIHRvIE5JU1SScyBCb3VsZGVyIGVtcGxveWVlc5QpLg0NQmFz ZSBDUkw6ICB0aGUgcGFydGljdWxhciBDUkwgdXNlZCBhcyB0aGUgZm91bmRhdGlvbiBmb3IgYSBk ZWx0YSBDUkwuICBUaGUgYmFzZSBtdXN0IGhhdmUgYmVlbiBpc3N1ZWQgYXMgYSBmdWxsIENSTC4N DURlbHRhIENSTDogIGEgQ1JMIHRoYXQgb25seSBsaXN0cyB0aG9zZSB1bi1leHBpcmVkdW5leHBp cmVkIGNlcnRpZmljYXRlcywgaW4gaXRzIHNjb3BlLCB3aG9zZSByZXZvY2F0aW9uIHN0YXR1cyBo YXMgY2hhbmdlZCBzaW5jZSB0aGUgaXNzdWFuY2Ugb2YgYSBwYXJ0aWN1bGFyLCByZWZlcmVuY2Vk IGJhc2UgQ1JMLiBUaGUgc2NvcGUgb2YgYSBkZWx0YSBDUkwgaXMgbXVzdCBiZSB0aGUgc2FtZSBh cyB0aGUgYmFzZSBDUkwgdGhhdCBpdCByZWZlcmVuY2VzIFRoZSBzY29wZSBvZiBhIGRlbHRhIENS TCBpcyB0aGUgc2FtZSBhcyB0aGUgYmFzZSBDUkwsIGJ1dCB0aGUgY29udGVudHMgYXJlIGxpbWl0 ZWQgdG8gdGhlIGxpc3Qgb2YgY2VydGlmaWNhdGVzIHdob3NlIHN0YXR1cyBoYXMgY2hhbmdlZCBz aW5jZSB0aGUgaXNzdWFuY2Ugb2YgdGhlIGJhc2UgQ1JMLg0NQmFzZSBDUkw6ICBUaGUgcGFydGlj dWxhciBDUkwgdXNlZCBhcyB0aGUgZm91bmRhdGlvbiBmb3IgYSBkZWx0YSBDUkwuICBUaGUgYmFz ZSBtdXN0IGhhdmUgYmVlbiBpc3N1ZWQgYXMgYSBmdWxsIENSTC4NDUNvbnN0cnVjdGVkIENSTDog dGhlIGNvbWJpbmF0aW9uIG9mIGEgZGVsdGEgQ1JMIGFuZCBhIGJhc2UgQ1JMDQ1DUkwgTnVtYmVy aW5nDQ1BIENSTCBpc3N1ZXIgbWF5IGlzc3VlIGdlbmVyYXRlIGZ1bGwgQ1JMcyBmb3IgbW9yZSB0 aGFuIG9uZSBzY29wZS5hbnkgY29tYmluYXRpb24gb2YgZnVsbCBzZWdtZW50ZWQgQ1JMcyBhbmQg dW5zZWdtZW50ZWQgQ1JMcyB7e3sgVGhlc2UgdHdvIHRlcm1zIGFyZSBub3QgZGVmaW5lZCBhYm92 ZS4gSSBob3BlIHRoYXQgeW91IGNhbiBzdGljayB0byB0aGUgZGVmaW5lZCB0ZXJtIJNzY29wZS6U IH19fS4gIFRoZSBDUkwgaXNzdWVyIG1heSBhbHNvIGlzc3VlIGdlbmVyYXRlIGRlbHRhIENSTHMu ICBFYWNoOyB0aGUgZGVsdGEgQ1JMcyB3aWxsIG11c3QgaGF2ZSB0aGUgc2FtZSBzY29wZXMgYXMg ZWl0aGVyIGF0aGUgZnVsbCBzZWdtZW50ZWQgQ1JMIG9yIHVuYSBzZWdtZW50ZWRmdWxsIENSTHMg aXNzdWVkIGJ5IHRoZSBDUkwgaXNzdWVydGhhdCB0aGV5IHIgcmVmZXJlbmNlZCBhcyB0aGVpcml0 cyBiYXNlcy4NDUZvciBlYWNoIHNjb3BlIHN1cHBvcnRlZCBieSB0aGUgQ1JMIGlzc3VlciwgYSBz ZXBhcmF0ZSBudW1iZXJpbmcgc2VxdWVuY2UgbXVzdCBiZSBtYWludGFpbmVkLiAgRm9yIGVhY2gg c2NvcGUsIHRoZSBDUkxzIGFyZSBudW1iZXJlZCBpbiBhIG1vbm90b25pY2FsbHkgaW5jcmVhc2lu ZyBzZXF1ZW5jZS4gIChXcmFwcGluZyBpcyBub3QgcGVybWl0dGVkIGluIHRoZSBQS0lYIHByb2Zp bGUuICBJZiB0aGUgYSBkZWx0YSBDUkwgYW5kIGEgY29tcGxldGUgZnVsbCBDUkwgdGhhdCBjb3Zl ciB0aGUgc2FtZSBzY29wZSBhcmUgaXNzdWVkIGF0IHRoZSBzYW1lIHRpbWUsIGVhY2ggdGhleSB3 aWxsIGhhdmUgdGhlIHNhbWUgQ1JMIG51bWJlci4pICANDUlUaGF0IGlzLCBpZiBhIENSTCBpc3N1 ZXIgaXNzdWVzIGdlbmVyYXRlcyBDUkxzIGZvciBvbmUgc2NvcGUgKGUuZy4sIGZ1bGwgQ1JMcyBh bmQgZGVsdGFzIGZvciBmdWxsIENDUkxzKSwgdGhlIGlzc3VlciBtdXN0IG1haW50YWluIG9uZSBu dW1iZXJpbmcgc2VxdWVuY2UuICBJZiBhIGRlbHRhIENSTCBhbmQgYSBmdWxsIENSTCB0aGF0IGNv dmVyIHRoZSBzYW1lIHNjb3BlIGFyZSBpc3N1ZWQgYXQgdGhlIHNhbWUgdGltZSwgdGhleSB3aWxs IGhhdmUgdGhlIHNhbWUgQ1JMIG51bWJlci4NDUlmIGEgQ1JMIGlzc3VlciBpc3N1ZXMgZ2VuZXJh dGVzIENSTHMgZm9yIHR3byBzY29wZXMgKGUuZy4sIGFsbCBvbmUgY292ZXJpbmcgQ0EgY2VydGlm aWNhdGVzIGFuZCBhbGwgb25lIGNvdmVyaW5nIGVuZCBlbnRpdHkgY2VydGlmaWNhdGVzKSwgdGhl biB0aGUgQ1JMIGlzc3VlciBtdXN0IG1haW50YWluIHR3byBudW1iZXIgc2VxdWVuY2VzLiAgVGhl IENSTHMgYW5kIGRlbHRhcyBmb3IgdGhlIHNhbWUgc2NvcGUgKGUuZy4sIENBIGNlcnRpZmljYXRl cykgd2lsbCBzaGFyZSBvbmUgbnVtYmVyaW5nIHNlcXVlbmNlLiAgVGhlIENSTHMgYW5kIGRlbHRh cyBmb3IgdGhlIHNlY29uZCBzY29wZSAoZS5nLiwgZW5kIGVudGl0eSBjZXJ0aWZpY2F0ZXMpIHdp bGwgc2hhcmUgb25lIG51bWJlcmluZyBzZXF1ZW5jZS4gICBUaGVyZSBpcyBubyByZXF1aXJlbWVu dCB0aGF0IHRoZXNlIHNlcXVlbmNlcyBiZSBkaXNqb2ludC4NDUFsZ29yaXRobXMgZm9yIERldGVy bWluaW5nIFN0YXR1cyBmcm9tIGEgQmFzZSBGdWxsIENSTCBhbmQgYSBEZWx0YSBDUkwNDUNvbnNp ZGVyIGEgY29tcGxldGUgZnVsbCBDUkwsIEJGLCB3aXRoIENSTCBudW1iZXIgWC4gIEEgVGhlIFBL SVggcHJvZmlsZSByZXF1aXJlcyB0aGUgQ0EgdG8gaXNzdWUgQiBhcyBhIGZ1bGwgQ1JMLCBidXQg YSBjbGllbnQoQiBtYXkgYmUgb2J0YWluIEJGZWQgaW4gZWl0aGVyIG9mIHRoZSBmb2xsb3dpbmcg d2F5czogKGEpIHRoZSBmdWxsIENSTCBCIEYgbWF5IGhhdmUgYmVlbiBwdXNoZWQgdG8gdGhlIGNs aWVudCBvZnIgcHVsbGVkIGZyb20gYSByZXBvc2l0b3J5O2lzc3VlZCBhcyBhIGNvbXBsZXRlIGZ1 bGwgQ1JMIHdoaWNoIGNvbnRhaW5zIGEgQ1JMIG51bWJlciBleHRlbnNpb24gd2l0aCB2YWx1ZSBY LiBvciAoYikgQWx0ZXJuYXRpdmVseSwgRkIgbWF5IGhhdmUgYmVlbiBjb25zdHJ1Y3RlZCBmcm9t IGEgYmFzZSBmdWxsIENSTCBhbmQgYSBkZWx0YSBDUkwgdXNpbmcgdGhpcyBhbGdvcml0aG0uDS4N Q29uc2lkZXIgYSBkZWx0YSBDUkwsIEQsIHdoaWNoIHNwZWNpZmllcyBiYXNlIENSTCBZIGFuZCBo YXMgQ1JMIG51bWJlciBaLiAgVGhpcyBtZWFucyB0aGF0IGFsbCBjZXJ0aWZpY2F0ZXMgd2hvc2Ug c3RhdHVzZXMgaGF2ZSBjaGFuZ2VkIHNpbmNlIHRoZSBpc3N1YW5jZSBvZiBDUkwgWSB3aWxsIGJl IGxpc3RlZCBvbiB0aGUgZGVsdGEgQ1JMLiAgTm90ZSB0aGF0IHRoZSBQS0lYIHByb2ZpbGUgcmVx dWlyZXMgdGhlIENBIHRvIGlzc3VlIENSTCBZIGFzIGEgZnVsbCBDUkwuDQ1EZXRlcm1pbmluZyBX aGV0aGVyIGEgQmFzZSBGdWxsIENSTCBhbmQgRGVsdGEgQ1JMIE1heSBCZSBDb21iaW5lZA0NQ29u c2lkZXIgYSBkZWx0YSBDUkwsIEQsIHdoaWNoIHNwZWNpZmllcyBiYXNlIENSTCBZIGFuZCBoYXMg Q1JMIG51bWJlciBaLiAgVGhpcyBtZWFucyB0aGF0IGFsbCBjZXJ0aWZpY2F0ZXMgd2hvc2Ugc3Rh dHVzZXMgaGF2ZXMgY2hhbmdlZCBzaW5jZSB0aGUgaXNzdWFuY2Ugb2YgQ1JMIFkgd2lsbCBiZSBs aXN0ZWQgb24gdGhlIGRlbHRhIENSTC4NDUJGIGFuZCBEIG1heSBiZSBjb21iaW5lZCBpZiBlYWNo IG9mIHRoZSBmb2xsb3dpbmcgY29uZGl0aW9ucyBhcmUgbWV0Og0NWCBpcyBncmVhdGVyIHRoYW4g b3IgZXF1YWwgdG8gWS4gIFRoYXQgaXMsIHRoZSBjb21wbGV0ZSBmdWxsIENSTCBtdXN0IChhdCBh IG1pbmltdW0pIGNvbnRhaW4gYWxsIHRoZSByZXZvY2F0aW9uIGluZm9ybWF0aW9uIGhlbGQgYnkg dGhlIHJlZmVyZW5jZWQgYmFzZSBDUkwuDVggaXMgbGVzcyB0aGFuIFouICBUaGF0IGlzLCB0aGUg ZGVsdGEgQ1JMIG11c3QgY292ZXIgc29tZSB0aW1lIHRoYXQgd2FzIG5vdCBjb3ZlcmVkIGJ5IHRo ZSBjb21wbGV0ZSBmdWxsIENSTC4gDQ1EZXRlcm1pbmluZyBTdGF0dXMgb2YgYSBjZXJ0aWZpY2F0 ZSBDZXJ0aWZpY2F0ZSBmcm9tIGEgYmFzZSBGdWxsIENSTCBhbmQgYSBEZGVsdGEgQ1JMDQ1JZiB0 aGUgUEtJIGNsaWVudCBtYWludGFpbnMgdGhlIGRlbHRhIGFuZCBiYXNlIGZ1bGwgQ1JMLCB0aGUg c3RhdHVzIG9mIGFuIHVuZXhwaXJlZCBjZXJ0aWZpY2F0ZSBDIGlzIG1heSBiZSBkZXRlcm1pbmVk IGFzIGZvbGxvd3M6DQ1JZiBDIGlzIGxpc3RlZCBvbiB0aGUgZGVsdGEgQ1JMLCB0aGVuOg1JZiBD IGlzIGxpc3RlZCBvbiB0aGUgZGVsdGEgQ1JMIHdpdGggcmVhc29uIGNvZGUgInJlbW92ZUZvcnJv bUNSTCIsIHRoZW4gQyBpcyBub3QgcmV2b2tlZC5JZiBDIHdhcyBsaXN0ZWQgd2l0aG91dCBhbiBh c3NvY2lhdGVkIHJldm9jYXRpb24gcmVhc29uIG9yIGEgcmV2b2NhdGlvbiByZWFzb24gb3RoZXIg dGhhbiBjZXJ0aWZpY2F0ZSBob2xkLCB0aGVuIGNlcnRpZmljYXRlIEMgaXMgY29uc2lkZXJlZCBy ZXZva2VkLg1PdGhlcndpc2UsIGNlcnRpZmljYXRlIEMgaXMgcmV2b2tlZC5JZiBDIGlzIGxpc3Rl ZCBvbiB0aGUgZGVsdGEgQ1JMIHdpdGggcmVhc29uIGNvZGUgInJlbW92ZSBmb3JtIGNybENSTCIs IHRoZW4gQyBpcyBub3QgcmV2b2tlZC4NSWYgQyB3YXMgbm90IGxpc3RlZCBvbiB0aGUgZGVsdGEg Q1JMLCB0aGVuIHRoZSBiYXNlIGZ1bGwgQ1JMIGlzIGNoZWNrZWQsIGFuZCB0aGUgc3RhdHVzIGlz IGFzIGZvbGxvd3M6DUlmIEMgaXMgbGlzdGVkIG9uIHRoZSBiYXNlIGZ1bGwgQ1JMLCB0aGVuIEMg aXMgcmV2b2tlZC4NSWYgQyBpcyBub3QgbGlzdGVkIG9uIHRoZSBiYXNlIGZ1bGwgQ1JMLCB0aGVu IEMgaXMgbm90IHJldm9rZWQuDQ1Db21iaW5pbmcgYSBCYXNlIEZ1bGwgQ1JMIGFuZCBEZWx0YSBD UkwgaW50byBhIENvbnN0cnVjdGVkIENSTA0NSWYgdGhlIFBLSSBjbGllbnQgbWFpbnRhaW5zIHRo ZSBjdXJyZW50IENSTCBpbiBlbGVjdHJvbmljIGZvcm1hIGxvY2FsIGNhY2hlOg0NVGhlIHJldm9j YXRpb24gaW5mb3JtYXRpb24gb24gQkYgaXMgYXNzdW1lZCBhcyB0aGUgaW5pdGlhbCBjb25kaXRp b24uICBCRiBpcyBhIGxpc3Qgb2YgcmV2b2tlZCBjZXJ0aWZpY2F0ZXM7IGVhY2ggY2VydGlmaWNh dGUgaXMgbGlzdGVkIHdpdGggYSByZXZvY2F0aW9uIHJlYXNvbiAod2hpY2ggbWF5IGJlIJN1bnNw ZWNpZmllZJQpLiAgDQ1UaGUgbGlzdCBvZiByZXZva2VkIGNlcnRpZmljYXRlcyBMIHdpdGggbiBl bnRyaWVzIGRlbm90ZWQgYXMgTGkgd2hlcmUgMSA8PSBpIDw9IG4uICAoVGhlIHZhbHVlIG4gbWF5 IHNocmluayBvciBncm93IGFzIHRoZSBjb21iaW5hdGlvbiBwcm9jZXNzIHByb2NlZWRzLikNDUlu aXRpYWxpemUgTCB0byB0aGUgcmV2b2NhdGlvbiBub3RpY2VzIG9uIEJGLiAgRm9yIGVhY2ggY2Vy dGlmaWNhdGUgQyBvbiB0aGUgZGVsdGEgQ1JMLCB1cGRhdGUgdGhlIGNvbnRlbnRzIG9mIEwgYXMg Zm9sbG93cy4NDUEgY2VydGlmaWNhdGUgQyBpcyBhZGRlZCB0byB0aGUgbGlzdCBvZiByZXZva2Vk IGNlcnRpZmljYXRlcyBMIGFzIGZvbGxvd3M6DUlmICBhIGNlcnRpZmljYXRlIEMgYXBwZWFycyBv biB0aGUgZGVsdGEgQ1JMIEQsIGFuZCBDIGlzIG5vdCBjdXJyZW50bHkgaW4gdGhlIGxpc3QgTCwg dGhlbjoNaWYgQyBoYXMgYSByZXZvY2F0aW9uIHJlYXNvbiBvdGhlciB0aGFuIJNyZW1vdmVGcm9t Q1JMlCwgYWRkIEMgYXMgYSBuZXcgZW50cnkgaW4gIHRoZSBsaXN0IG9mIHJldm9rZWQgY2VydGlm aWNhdGVzIEwuDUlmIEMgaGFzIHJldm9jYXRpb24gcmVhc29uIJNyZW1vdmVGcm9tQ1JMlCwgc2tp cCB0aGlzIGNlcnRpZmljYXRlLiAgTm8gdXBkYXRlIHRvIHRoZSBjYWNoZSBpcyBuZWVkZWQuDUlm IGEgY2VydGlmaWNhdGUgQyBhcHBlYXJzIG9uIHRoZSBkZWx0YSBDUkwgRCwgYW5kIEMgaXMgcHJl c2VudGx5IGxpc3RlZCBpbiBMIGFzIGVudHJ5IExpLCB0aGVuOg1JZiBDIGhhcyByZXZvY2F0aW9u IHJlYXNvbmlzIGxpc3RlZCBvbiB0aGUgZGVsdGEgQ1JMIHdpdGggYSByZXZvY2F0aW9uIHJlYXNv biBvZiCTcmVtb3ZlRnJvbUNSTJQsIHRoZW4gZGVsZXRlIGVudHJ5IExpIA1JZiAgQyBoYXMgaXMg bGlzdGVkIG9uIHRoZSBkZWx0YSBDUkwgd2l0aG91dCBhIHJldm9jYXRpb24gcmVhc29uIG9yIHdp dGggYSByZXZvY2F0aW9uIHJlYXNvbiBvdGhlciB0aGFuIJNyZW1vdmVGcm9tQ1JMLJQsIHRoZW4g dXBkYXRlIGNoYW5nZSB0aGUgcmVhc29uIGNvZGUgYXNzb2NpYXRlZCB3aXRoIExpIHRvIHRoZSBy ZWFzb24gY29kZSBzcGVjaWZpZWQgaW4gdGhlIGRlbHRhIENSTC4NDVRoZSBjb21iaW5hdGlvbiBv ZiBCRiBhbmQgRCBmb3JtcyBhIG5ldyBjb21wbGV0ZSBmdWxsIENSTCB3aXRoIENSTCBudW1iZXIg Wi4gIFRoaXMgY29tcGxldGUgZnVsbCBDUkwgaXMgYXNzdW1lZCB0byBoYXZlcyBjb21wbGV0ZSBp bmZvcm1hdGlvbiB1bnRpbCB0aGUgdGltZSBzcGVjaWZpZWQgaW4gdGhlIG5leHQgdXBkYXRlIGZp ZWxkIGluIHRoZSBkZWx0YSBDUkwgaXMgcmVhY2hlZC4gIElmIGEgcmVseWluZyBwYXJ0eSBpcyB2 YWxpZGF0aW5nIGEgY2VydGlmaWNhdGUgd2l0aCByZXNwZWN0IHRvIHRpbWUgVCwgIGFuZCBUIGlz IGJlZm9yZSB0aGUgbmV4dCB1cGRhdGUgZmllbGQgaW4gdGhlIGRlbHRhIENSTCwgdGhleSBtYXkg YXNzdW1lIGNvbXBsZXRlIGluZm9ybWF0aW9uLg0NSWYgYW4gdW5leHBpcmVkIGNlcnRpZmljYXRl IEMgd2l0aGluIHRoZSBzY29wZSBvZiAgdGhlIGNvbnN0cnVjdGVkIENSTCBpcyBub3QgbGlzdGVk LCB0aGVuIGNlcnRpZmljYXRlIEMgaXMgbm90IHJldm9rZWQgZm9yIG9uZSBvZiB0aGUgcmV2b2Nh dGlvbiByZWFzb25zIGNvdmVyZWQgYnkgdGhpcyBDUkwuICBJZiB0aGUgY29uc3RydWN0ZWQgQ1JM IGNvdmVycyBhbGwgcmVhc29ucywgdGhlbiB0aGUgY2VydGlmaWNhdGUgQyBpcyBub3QgcmV2b2tl ZC4NDVVzaW5nIERlbHRhcyB0byBEaXN0cmlidXRlIFJldm9jYXRpb24gSW5mb3JtYXRpb24NDVRo aXMgc2VjdGlvbiBwcm92aWRlcyB0aHJlZSBkaWZmZXJlbnQgc2NlbmFyaW9zIGZvciB0aGUgdXNl IG9mIGRlbHRhIENSTHMuICBGb3IgdGhlIHB1cnBvc2Ugb2YgdGhlc2UgZXhhbXBsZXMsIGFzc3Vt ZSBhIGdvYWwgb2YgaGUgZ29hbCBpcyB0byBwcm92aWRpbmdlIHJldm9jYXRpb24gaW5mb3JtYXRp b24gdG8gcmVseWluZyBwYXJ0aWVzIHRoYXQgaXMgbm8gbW9yZSB0aGFuIG9uZSBob3VyIG9sZC4g e3t7IFdoZXJlIGRvZXMgdGhpcyBjb21lIGZyb20/ICBFeGFtcGxlPyAgSXQgaXMgY2VydGFpbmx5 IG5vdCBhIFBLSVggcmVxdWlyZW1lbnQhIH19fQ0NDVRoZSBmb2xsb3dpbmcgbm90YXRpb24gaXMg dXNlZCB0byBkZW5vdGUgYSByZXZva2VkIGNlcnRpZmljYXRlIG9uIGEgQ1JMOiAgDQkJWHIJY2Vy dGlmaWNhdGUgWCBpcyBsaXN0ZWQgZm9yIHJlYXNvbiByLCB3aGVyZSByIGluIHthLGssaCxyfSAN VGhlIHJlYXNvbiBjb2RlcyB7YSxrLGgscn0gY29ycmVzcG9uZCB0byCTYWZmaWxpYXRpb24gY2hh bmdlZJQsIJNrZXkgY29tcHJvbWlzZZQsIJNjZXJ0aWZpY2F0ZSBob2xklCwgYW5kIJNyZW1vdmUg ZnJvbSBDUkyUIHJlc3BlY3RpdmVseS4NDShOb3RlOiAgVGhlIHJlbWFpbmluZyByZWFzb24gY29k ZXMgYXJlIG9taXR0ZWQgZm9yIHNpbXBsaWNpdHkuICBUaGUgaGFuZGxpbmcgb2YgY2VydGlmaWNh dGVzIHJldm9rZWQgZm9yICB0aGUgcmVhc29ucyCTdW5zcGVjaWZpZWSULCCTQ0EgY29tcHJvbWlz ZZQsIJNzdXBlcnNlZGVklCwgYW5kIJNjZXNzYXRpb25PZk9wZXJhdGlvbpQgYXJlIGlkZW50aWNh bCB0byCTYWZmaWxpYXRpb24gY2hhbmdlZCBvciCTa2V5IGNvbXByb21pc2WUKS4NDQ0Ne3t7DVdo ZXJlIGFyZSB0aGUgcmVzdD8gIEFnYWluLCBtYXliZSB0aGlzIGlzIGJlY2F1c2Ugd2UgbWFkZSBh IGNsdW1zeSB0cmFuc2l0aW9uIGludG8gYW4gZXhhbXBsZS4NDSAgIENSTFJlYXNvbiA6Oj0gRU5V TUVSQVRFRCB7DSAgICAgICAgdW5zcGVjaWZpZWQgICAgICAgICAgICAgKDApLA0gICAgICAgIGtl eUNvbXByb21pc2UgICAgICAgICAgICgxKSwNICAgICAgICBjQUNvbXByb21pc2UgICAgICAgICAg ICAoMiksDSAgICAgICAgYWZmaWxpYXRpb25DaGFuZ2VkICAgICAgKDMpLA0gICAgICAgIHN1cGVy c2VkZWQgICAgICAgICAgICAgICg0KSwNICAgICAgICBjZXNzYXRpb25PZk9wZXJhdGlvbiAgICAo NSksDSAgICAgICAgY2VydGlmaWNhdGVIb2xkICAgICAgICAgKDYpLA0gICAgICAgIHJlbW92ZUZy b21DUkwgICAgICAgICAgICg4KSB9DX19fQ0NRXhhbXBsZSAjMQ0NVGhlIGV4YW1wbGUgYmVsb3cg c2hvd3MgdGhlICJ0cmFkaXRpb25hbCIgbWV0aG9kIG9mIGlzc3VpbmcgZGVsdGEgLUNSTHMuIElu IHRoaXMgZXhhbXBsZSwgZnVsbCBDUkxzIGFyZSBpc3N1ZWQgb25jZSBldmVyeSAzIGhvdXJzIGFu ZCBkZWx0YXMgYXJlIGlzc3VlZCBvbmNlIGFuIGhvdXIuIEZvciBjb25zaXN0ZW5jeSwgdGhlIGlz c3VlciBiZWdpbnMgaXNzdWluZyBkZWx0YXMgYXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgdmVyeSBm aXJzdCBmdWxsIENSTC4gQWZ0ZXIgdGhhdCwgaG93ZXZlciwgYSBkZWx0YSBjYW4gYWx3YXlzIHVz ZSBhIHByZXZpb3VzbHkgaXNzdWVkIGZ1bGwgQ1JMIGFzIGl0cyBiYXNlLiBOb3RpY2UgdGhhdCBz dGFydGluZyB3aXRoIGNSTE51bWJlciA0LCB0aGUgZGVsdGEgQ1JMIGlzc3VlZCBhdCB0aGUgc2Ft ZSB0aW1lIGFzIGEgZnVsbCBDUkwgdXNlcyB0aGUgcHJldmlvdXNseSBpc3N1ZWQgZnVsbCBDUkwg YXMgaXRzIGJhc2UuIEhvd2V2ZXIsIHRoZSBkZWx0YS1DUkxzIG5ldmVyIHByb3ZpZGUgbW9yZSB0 aGFuIDMgaG91cnMgb2YgaGlzdG9yeS4NDUluIHRoaXMgZXhhbXBsZToNQ2VydGlmaWNhdGUgMTQg d2FzIHJldm9rZWQgZm9yIGtleSBjb21wcm9taXNlIGJlZm9yZSAxMjowMCB3aGVuIHRoZSBmaXJz dCBDUkwgd2FzIGlzc3VlZC4NQ2VydGlmaWNhdGUgMTI0IHdhcyByZXZva2VkIGZvciBrZXkgY29t cHJvbWlzZSBiZXR3ZWVuIDEyOjAwIGFuZCAxMzowMC4NQ2VydGlmaWNhdGUgMzkgd2FzIHBsYWNl ZCBvbiBob2xkIGJldHdlZW4gMTQ6MDAgYW5kIDE1OjAwLCBhbmQgaXRzIHN1c3BlbnNpb24gd2Fz IGxpZnRlZCBiZXR3ZWVuIDE2OjAwIGFuZCAxNzowMC4NQ2VydGlmaWNhdGUgNjcgd2FzIHJldm9r ZWQgZm9yIGFuIGFmZmlsaWF0aW9uIGNoYW5nZSBiZXR3ZWVuIDE2MTU6MDAgYW5kIDE3MTY6MDAu ICBUaGUgcmVhc29uIHdhcyBjaGFuZ2VkIHRvIGtleSBjb21wcm9taXNlIGJldHdlZW4gMTg2OjAw IGFuZCAxOTc6MDAue3t7IFRoZXNlIHR3byB0aW1lIHNwYW5zIGNhbm5vdCBiZSB0aGUgc2FtZSEg fX19Lg0NY3VycmVudCB0aW1lICAgICAHUmV2b2tlZCBjZXJ0aWZpY2F0ZXMHRnVsbCBDUkwHRGVs dGEtQ1JMBwcxMjowMAd7MTRrfSAgICAgICAgICAgIAdjUkxOdW1iZXIgPSAxICAgICAgICAgICAg ICAgICAgIHRoaXNVcGRhdGUgPSAxMjowMCAgICAgICAgICAgICAgbmV4dFVwZGF0ZSA9IDE1OjAw ICAgICAgICAgICAgICBDZXJ0aWZpY2F0ZUxpc3QgPSB7MTRrfQdjUkxOdW1iZXIgPSAxICAgICAg ICAgICAgICAgICAgIHRoaXNVcGRhdGUgPSAxMjowMA1uZXh0VXBkYXRlID0gMTM6MDAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBC YXNlQ1JMTnVtYmVyID0gMQ1DZXJ0aWZpY2F0ZUxpc3QgPSB7fSAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAcHMTM6MDAHezE0aywgMTI0a30gICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAHB2NSTE51bWJlciA9IDIgICAgICAgICAg ICAgICAgICAgdGhpc1VwZGF0ZSA9IDEzOjAwDW5leHRVcGRhdGUgPSAxNDowMCAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VD UkxOdW1iZXIgPSAxDUNlcnRpZmljYXRlTGlzdCA9IHsxMjRrfSAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAcHMTQ6MDAHezE0aywgMTI0a30gICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAHB2NSTE51bWJlciA9IDMgICAgICAgICAg ICAgICAgICAgdGhpc1VwZGF0ZSA9IDE0OjAwDW5leHRVcGRhdGUgPSAxNTowMCAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VD UkxOdW1iZXIgPSAxDUNlcnRpZmljYXRlTGlzdCA9IHsxMjRrfSAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAcHMTU6MDAHezE0aywgMTI0aywgMzlofSAg IAdjUkxOdW1iZXIgPSA0ICAgICAgICAgICAgICAgICAgIHRoaXNVcGRhdGUgPSAxNTowMCAgICAg ICAgICAgICAgbmV4dFVwZGF0ZSA9IDE4OjAwICAgICAgICAgICAgICBDZXJ0aWZpY2F0ZUxpc3Qg PSB7MTRrLCAxMjRrLCAzOWh9B2NSTE51bWJlciA9IDQNdGhpc1VwZGF0ZSA9IDE1NjowMCAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbmV4dFVwZGF0ZSA9IDE2Nzow MCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCYXNlQ1JMTnVtYmVy ID0gMSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDZXJ0aWZpY2F0 ZUxpc3QgPSB7MTI0aywgMzlofQcHMTY6MDAHezE0aywgMTI0aywgMzloLCA2N2F9ICAgBwdjUkxO dW1iZXIgPSA1DXRoaXNVcGRhdGUgPSAxNjowMCAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgbmV4dFVwZGF0ZSA9IDE3OjAwICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIEJhc2VDUkxOdW1iZXIgPSA0ICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9IHszOWgsIDY3YX1XaHkgaXMg MzloIGhlcmU/ICBJdCBpcyBvbiB0aGUgYmFzZSEHBzE3OjAwB3sxNGssIDEyNGssIDY3YX0gICAH B2NSTE51bWJlciA9IDYNdGhpc1VwZGF0ZSA9IDE3OjAwICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBuZXh0VXBkYXRlID0gMTg6MDAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgQmFzZUNSTE51bWJlciA9IDQgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2VydGlmaWNhdGVMaXN0ID0gezM5ciwgNjdhfQcH MTg6MDAHezE0aywgMTI0aywgNjdhfSAgIAdjUkxOdW1iZXIgPSA3ICAgICAgICAgICAgICAgICAg IHRoaXNVcGRhdGUgPSAxODowMCAgICAgICAgICAgICAgbmV4dFVwZGF0ZSA9IDIxOjAwICAgICAg ICAgICAgICBDZXJ0aWZpY2F0ZUxpc3QgPSB7MTRrLCAxMjRrLCA2N2F9B2NSTE51bWJlciA9IDcN dGhpc1VwZGF0ZSA9IDE4OjAwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICBuZXh0VXBkYXRlID0gMTk6MDAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgQmFzZUNSTE51bWJlciA9IDQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgQ2VydGlmaWNhdGVMaXN0ID0gezM5ciwgNjdhfQcHMTk6MDAHezE0aywgMTI0 aywgNjdrfSAgIAcHY1JMTnVtYmVyID0gOA10aGlzVXBkYXRlID0gMTk6MDAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG5leHRVcGRhdGUgPSAyMDowMCAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCYXNlQ1JMTnVtYmVyID0gNyAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDZXJ0aWZpY2F0ZUxpc3QgPSB7 NjdrfQcHDQ1Db25zZXF1ZW5jZXMgb2YgdGhpcyANDQ1TY2VuYXJpbyAjMg0NVGhlIGV4YW1wbGUg YmVsb3cgc2hvd3MgdGhlICJzbGlkaW5nIHdpbmRvdyIgbWV0aG9kIG9mIGlzc3VpbmcgZGVsdGEt Q1JMcy4gSW4gdGhpcyBleGFtcGxlLCBmdWxsIENSTHMgYXJlIGlzc3VlZCBvbmNlIGV2ZXJ5IDMg aG91cnMgYW5kIGRlbHRhcyBhcmUgaXNzdWVkIG9uY2UgYW4gaG91ci4gRm9yIGNvbnNpc3RlbmN5 LCB0aGUgaXNzdWVyIGJlZ2lucyBpc3N1aW5nIGRlbHRhcyBhdCB0aGUgc2FtZSB0aW1lIGFzIHRo ZSB2ZXJ5IGZpcnN0IGZ1bGwgQ1JMLiBOb3RpY2UgdGhhdCBzdGFydGluZyB3aXRoIGNSTE51bWJl ciA3LCB0aGUgZGVsdGEgQ1JMIGlzc3VlZCBhdCB0aGUgc2FtZSB0aW1lIGFzIGEgZnVsbCBDUkwg ZG9lcyBub3QgdXNlIHRoZSBwcmV2aW91c2x5IGlzc3VlZCBmdWxsIENSTCBhcyBpdHMgYmFzZSBi dXQgdGhlIHByZWNlZGluZyBDUkwgaW5zdGVhZC4gIEhvd2V2ZXIsIHRoZXNlIGRlbHRhLUNSTHMg bmV2ZXIgcHJvdmlkZSBtb3JlIHRoYW4gNiBob3VycyBvZiBoaXN0b3J5Lg0NQXMgaW4gZXhhbXBs ZSAjMToNQ2VydGlmaWNhdGUgMTQgd2FzIHJldm9rZWQgZm9yIGtleSBjb21wcm9taXNlIGJlZm9y ZSAxMjowMCB3aGVuIHRoZSBmaXJzdCBDUkwgd2FzIGlzc3VlZC4NQ2VydGlmaWNhdGUgMTI0IHdh cyByZXZva2VkIGZvciBrZXkgY29tcHJvbWlzZSBiZXR3ZWVuIDEyOjAwIGFuZCAxMzowMC4NQ2Vy dGlmaWNhdGUgMzkgd2FzIHBsYWNlZCBvbiBob2xkIGJldHdlZW4gMTQ6MDAgYW5kIDE1OjAwLCBh bmQgaXRzIHN1c3BlbnNpb24gd2FzIGxpZnRlZCBiZXR3ZWVuIDE2OjAwIGFuZCAxNzowMC4NQ2Vy dGlmaWNhdGUgNjcgd2FzIHJldm9rZWQgZm9yIGFuIGFmZmlsaWF0aW9uIGNoYW5nZSBiZXR3ZWVu IDE2MTU6MDAgYW5kIDE3MTY6MDAuICBUaGUgcmVhc29uIHdhcyBjaGFuZ2VkIHRvIGtleSBjb21w cm9taXNlIGJldHdlZW4gMTg2OjAwIGFuZCAxOTc6MDAuIHt7eyBBZ2FpbiwgdGhlc2UgY2Fubm90 IGhhdmUgdGhlIHNhbWUgdGltZSBzcGFuISB9fX0NDQ1jdXJyZW50IHRpbWUgICAgIAdSZXZva2Vk IGNlcnRpZmljYXRlcwdGdWxsIENSTAdEZWx0YS1DUkwHBzEyOjAwB3sxNGt9ICAgICAgICAgICAg B2NSTE51bWJlciA9IDEgICAgICAgICAgICAgICAgICAgdGhpc1VwZGF0ZSA9IDEyOjAwICAgICAg ICAgICAgICBuZXh0VXBkYXRlID0gMTU6MDAgICAgICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9 IHsxNGt9B2NSTE51bWJlciA9IDEgICAgICAgICAgICAgICAgICAgdGhpc1VwZGF0ZSA9IDEyOjAw DW5leHRVcGRhdGUgPSAxMzowMCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VDUkxOdW1iZXIgPSAxDUNlcnRpZmljYXRlTGlz dCA9IHt9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg BwcxMzowMAd7MTRrLCAxMjRrfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg IAcHY1JMTnVtYmVyID0gMiAgICAgICAgICAgICAgICAgICB0aGlzVXBkYXRlID0gMTM6MDANbmV4 dFVwZGF0ZSA9IDE0OjAwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgQmFzZUNSTE51bWJlciA9IDENQ2VydGlmaWNhdGVMaXN0ID0g ezEyNGt9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg BwcxNDowMAd7MTRrLCAxMjRrfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg IAcHY1JMTnVtYmVyID0gMyAgICAgICAgICAgICAgICAgICB0aGlzVXBkYXRlID0gMTQ6MDANbmV4 dFVwZGF0ZSA9IDE1OjAwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgQmFzZUNSTE51bWJlciA9IDENQ2VydGlmaWNhdGVMaXN0ID0g ezEyNGt9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg BwcxNTowMAd7MTRrLCAxMjRrLCAzOWh9ICAgB2NSTE51bWJlciA9IDQgICAgICAgICAgICAgICAg ICAgdGhpc1VwZGF0ZSA9IDE1OjAwICAgICAgICAgICAgICBuZXh0VXBkYXRlID0gMTg6MDAgICAg ICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9IHsxNGssIDEyNGssIDM5aH0HY1JMTnVtYmVyID0g NA10aGlzVXBkYXRlID0gMTU2OjAwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICBuZXh0VXBkYXRlID0gMTY3OjAwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIEJhc2VDUkxOdW1iZXIgPSAxICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9IHsxMjRrLCAzOWh9BwcxNjowMAd7MTRr LCAxMjRrLCAzOWgsIDY3YX0gICAHB2NSTE51bWJlciA9IDUNdGhpc1VwZGF0ZSA9IDE2OjAwICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuZXh0VXBkYXRlID0gMTc6 MDAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmFzZUNSTE51bWJl ciA9IDEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2VydGlmaWNh dGVMaXN0ID0gezEyNGssIDM5aCwgNjdhfQcHMTc6MDAHezE0aywgMTI0aywgNjdhfSAgIAcHY1JM TnVtYmVyID0gNg10aGlzVXBkYXRlID0gMTc6MDAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIG5leHRVcGRhdGUgPSAxODowMCAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBCYXNlQ1JMTnVtYmVyID0gMSAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICBDZXJ0aWZpY2F0ZUxpc3QgPSB7MTI0aywgMzlyLCA2N2F9 BwcxODowMAd7MTRrLCAxMjRrLCA2N2F9ICAgB2NSTE51bWJlciA9IDcgICAgICAgICAgICAgICAg ICAgdGhpc1VwZGF0ZSA9IDE4OjAwICAgICAgICAgICAgICBuZXh0VXBkYXRlID0gMjE6MDAgICAg ICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9IHsxNGssIDEyNGssIDY3YX0HY1JMTnVtYmVyID0g Nw10aGlzVXBkYXRlID0gMTg6MDAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIG5leHRVcGRhdGUgPSAxOTowMCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICBCYXNlQ1JMTnVtYmVyID0gMSAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICBDZXJ0aWZpY2F0ZUxpc3QgPSB7MTI0aywgMzlyLCA2N2F9BwcxOTowMAd7 MTRrLCAxMjRrLCA2N2t9ICAgBwdjUkxOdW1iZXIgPSA4DXRoaXNVcGRhdGUgPSAxOTowMCAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbmV4dFVwZGF0ZSA9IDIwOjAw ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VDUkxOdW1iZXIg PSA0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENlcnRpZmljYXRl TGlzdCA9IHszOXIsIDY3a30HBw1Ob3RlIHRoYXQgdGhlIGRlbHRhIENSTHMgYXJlIG1hcmdpbmFs bHkgbGFyZ2VyIHRoYW4gaW4gdGhlIGZpcnN0IHNjZW5hcmlvIHNpbmNlIHRoZXkgY292ZXIgYSBs b25nZXIgdGltZSBwZXJpb2QuICBPbiB0aGUgb3RoZXIgaGFuZCwgYSByZWx5aW5nIHBhcnR5IGlz IGxlc3MgbGlrZWx5IHRvIGRvd25sb2FkIGZ1bGwgQ1JMcyBpbiB0aGUgc2Vjb25kIHNjZW5hcmlv Lg0NRm9yIGV4YW1wbGUsIGEgcmVseWluZyBwYXJ0eSB0aGF0IHZhbGlkYXRlZCBvbmUgY2VydGlm aWNhdGUgYXQgMTI6MTUsIHRoZW4gYSBzZWNvbmQgY2VydGlmaWNhdGUgYXQgMTY6MTUgd291bGQg bm90IHJlcXVpcmUgYSBuZXcgZnVsbCBDUkwgaW4gc2NlbmFyaW8gIzIuICBJbiBzY2VuYXJpbyAj MSwgdGhlIHJlbHlpbmcgcGFydHkgd291bGQgYmUgZm9yY2VkIHRvIG9idGFpbiBib3RoIGZ1bGwg Q1JMIDQgYW5kIGRlbHRhIENSTCA1Lg0NU2NlbmFyaW8gIzMgQWxsb3dpbmcgZm9yIFJlcGxpY2F0 aW9uL1Byb3BhZ2F0aW9uIERlbGF5cw0NSW4gdGhpcyBzY2VuYXJpbywgZnVsbCBDUkxzIGFuZCBk ZWx0YSBDUkxzIGFyZSByZXBsaWNhdGVkIHRocm91Z2hvdXQgYSByZXBvc2l0b3J5IHN5c3RlbS4g IERhdGEgaXMgcmVwbGljYXRlZCB0aHJvdWdoIHRoZSBzeXN0ZW0gYXQgZGlmZmVyZW50IHJhdGVz IGJhc2VkIG9uIHRoZSBzaXplIG9mIHRoZSBmaWxlLiAgVGhlIENBIG9wZXJhdG9ycyBlc3RpbWF0 ZSB0aGF0IGZ1bGwgQ1JMcyB3aWxsIGJlIGF2YWlsYWJsZSB0aHJvdWdob3V0IHRoZSBzeXN0ZW0g d2l0aGluIHRocmVlIGhvdXJzLiAgRGVsdGEgQ1JMcyB3aWxsIGJlIGF2YWlsYWJsZSB3aXRoaW4g MTUgbWludXRlcy4gIChBc3N1bWUgdGhlIGluaXRpYWwgQ1JMIGlzIHNtYWxsIGFuZCB3aWxsIHBy b3BhZ2F0ZSBhcyBpZiBhIGRlbHRhIENSTCB0byByZXNvbHZlIHRoZSBib290c3RyYXAgaXNzdWVz LikNDVRoZSBleGFtcGxlIGJlbG93IHVzZXMgdGhlICJzbGlkaW5nIHdpbmRvdyIgbWV0aG9kIG9m IGlzc3VpbmcgZGVsdGEtQ1JMcywgYnV0IG92ZXJsYXBzIHRoZSB0aGlzVXVwZGF0ZSBhbmQgbmV4 dFV1cGRhdGUgdGltZXMgdG8gYWxsb3cgZm9yIHByb3BhZ2F0aW9uLi4gSW4gdGhpcyBleGFtcGxl LCBmdWxsIENSTHMgYXJlIGlzc3VlZCBvbmNlIGV2ZXJ5IDMgaG91cnMgYW5kIGRlbHRhcyBhcmUg aXNzdWVkIG9uY2UgYW4gaG91cmV2ZXJ5IDQ1IG1pbnV0ZXMuIEZvciBjb25zaXN0ZW5jeSwgdGhl IGlzc3VlciBiZWdpbnMgaXNzdWluZyBkZWx0YXMgYXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgdmVy eSBmaXJzdCBmdWxsIENSTC4gTm90aWNlIHRoYXQgc3RhcnRpbmcgd2l0aCBjUkxOdW1iZXIgNywg dGhlIGRlbHRhIENSTCBpc3N1ZWQgYXQgdGhlIHNhbWUgdGltZSBhcyBhIGZ1bGwgQ1JMIGRvZXMg bm90IHVzZSB0aGUgcHJldmlvdXNseSBpc3N1ZWQgZnVsbCBDUkwgYXMgaXRzIGJhc2UgYnV0IHRo ZSBwcmVjZWRpbmcgQ1JMIGluc3RlYWQuICBIb3dldmVyLCB0aGVzZSBkZWx0YS1DUkxzIG5ldmVy IHByb3ZpZGUgbW9yZSB0aGFuIDYgaG91cnMgb2YgaGlzdG9yeS4NDUFzIGluU2ltaWxhcmx5IHRv IGV4YW1wbGVzICMxIGFuZCAjMjoNQ2VydGlmaWNhdGUgMTQgd2FzIHJldm9rZWQgZm9yIGtleSBj b21wcm9taXNlIGJlZm9yZSAxMjowMCB3aGVuIHRoZSBmaXJzdCBDUkwgd2FzIGlzc3VlZC4NQ2Vy dGlmaWNhdGUgMTI0IHdhcyByZXZva2VkIGZvciBrZXkgY29tcHJvbWlzZSBiZXR3ZWVuIDEyOjAw IGFuZCAxMzowMDEyOjQ1Lg1DZXJ0aWZpY2F0ZSAzOSB3YXMgcGxhY2VkIG9uIGhvbGQgYmV0d2Vl biAxNDowMCAxNSBhbmQgMTU6MDAsIGFuZCBpdHMgc3VzcGVuc2lvbiB3YXMgbGlmdGVkIGJldHdl ZW4gMTYxNTowMCA0NSBhbmQgMTc6MDAxNjozMC4NQ2VydGlmaWNhdGUgNjcgd2FzIHJldm9rZWQg Zm9yIGFuIGFmZmlsaWF0aW9uIGNoYW5nZSBiZXR3ZWVuIDE2OjAwIDE1OjAwIGFuZCAxNzowMDE1 OjQ1LiAgVGhlIHJlYXNvbiB3YXMgY2hhbmdlZCB0byBrZXkgY29tcHJvbWlzZSBiZXR3ZWVuIDE4 NjowMCBhbmQgMTc6MDAxODo0NS4gIHt7eyBDYW5ub3QgaGF2ZSBzYW1lIHRpbWUgc3BhbiEgfX19 DQ1jdXJyZW50IHRpbWUgICAgIAdSZXZva2VkIGNlcnRpZmljYXRlcwdGdWxsIENSTAdEZWx0YS1D UkwHBzEyOjAwB3sxNGt9ICAgICAgICAgICAgB2NSTE51bWJlciA9IDEgICAgICAgICAgICAgICAg ICAgdGhpc1VwZGF0ZSA9IDEyOjAwICAgICAgICAgICAgICBuZXh0VXBkYXRlID0gMTg6MDAgICAg ICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9IHsxNGt9B2NSTE51bWJlciA9IDEgICAgICAgICAg ICAgICAgICAgdGhpc1VwZGF0ZSA9IDEyOjAwDW5leHRVcGRhdGUgPSAxMzoxNSAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDAwICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgQmFzZUNSTE51bWJlciA9IDENQ2VydGlmaWNhdGVMaXN0ID0ge30gICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAHBzEzOjAwMTI6NDUHezE0aywgMTI0 a30gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAHB2NSTE51bWJlciA9IDIg ICAgICAgICAgICAgICAgICAgdGhpc1VwZGF0ZSA9IDEzOjAwMTI6NDUNbmV4dFVwZGF0ZSA9IDE0 OjE1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgMTM6NDUNQmFzZUNSTE51bWJlciA9IDENQ2VydGlmaWNhdGVMaXN0ID0gezEyNGt9 ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgBwcxNDow MDEzOjMwB3sxNGssIDEyNGt9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg BwdjUkxOdW1iZXIgPSAzICAgICAgICAgICAgICAgICAgIHRoaXNVcGRhdGUgPSAxNDowMDEzOjMw DW5leHRVcGRhdGUgPSAxNDU6MTUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAzMCAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VDUkxOdW1iZXIgPSAxDUNlcnRp ZmljYXRlTGlzdCA9IHsxMjRrfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIAcHMTQ6MTUHezE0aywgMTI0a30gICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAHB2NSTE51bWJlciA9IDQgICAgICAgICAgICAgICAgICAgdGhpc1VwZGF0 ZSA9IDE0OjE1DW5leHRVcGRhdGUgPSAxNToxNSAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VDUkxOdW1iZXIgPSAxDUNlcnRp ZmljYXRlTGlzdCA9DXsxMjRrfQcHMTU6MDAHezE0aywgMTI0aywgMzlofSAgIAdjUkxOdW1iZXIg PSA0ICAgICAgICAgICAgICAgICAgIDUgICAgICAgICAgICAgICAgICAgdGhpc1VwZGF0ZSA9IDE1 OjAwICAgICAgICAgICAgICBuZXh0VXBkYXRlID0gMjE6MDAgICAgICAgICAgICAgIENlcnRpZmlj YXRlTGlzdCA9IHsxNGssIDEyNGssIDM5aH0HY1JMTnVtYmVyID0gNDUNdGhpc1VwZGF0ZSA9IDE1 NjowMCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbmV4dFVwZGF0 ZSA9IDE3MTY6MTUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgMDAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmFzZUNSTE51bWJlciA9 IDEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2VydGlmaWNhdGVM aXN0ID0gezEyNGssIDM5aH0HBzE2OjAwMTU6NDUHezE0aywgMTI0aywgMzloLCA2N2F9ICAgBwdj UkxOdW1iZXIgPSA1Ng10aGlzVXBkYXRlID0gMTY6MDAxNTo0NSAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgbmV4dFVwZGF0ZSA9IDE2OjQ3OjE1ICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VDUkxOdW1iZXIgPSAxICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9IHsxMjRr LCAzOWgsIDY3YX0HBzE3OjAwMTY6MzAHezE0aywgMTI0aywgNjdhfSAgIAcHY1JMTnVtYmVyID0g NjcNdGhpc1VwZGF0ZSA9IDE2OjM3OjAwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICBuZXh0VXBkYXRlID0gMTg6MTUxNzozMCAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBCYXNlQ1JMTnVtYmVyID0gMSAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICBDZXJ0aWZpY2F0ZUxpc3QgPSB7MTI0aywgMzlyLCA2N2F9 BwcxNzoxNQd7MTRrLCAxMjRrLCA2N2F9ICAgBwdjUkxOdW1iZXIgPSA4DXRoaXNVcGRhdGUgPSAx NzoxNSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbmV4dFVwZGF0 ZSA9IDE4OjE1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VD UkxOdW1iZXIgPSAxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENl cnRpZmljYXRlTGlzdCA9IHsxMjRrLCAzOXIsIDY3YX0HBzE4OjAwB3sxNGssIDEyNGssIDY3YX0g ICAHY1JMTnVtYmVyID0gNyAgICAgICAgICAgICAgICAgICA5ICAgICAgICAgICAgICAgICAgIHRo aXNVcGRhdGUgPSAxODowMCAgICAgICAgICAgICAgbmV4dFVwZGF0ZSA9IDI0OjAwICAgICAgICAg ICAgICBDZXJ0aWZpY2F0ZUxpc3QgPSB7MTRrLCAxMjRrLCA2N2F9B2NSTE51bWJlciA9IDc5DXRo aXNVcGRhdGUgPSAxODowMCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgbmV4dFVwZGF0ZSA9IDE5OjE1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIDAwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VD UkxOdW1iZXIgPSAxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDUg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2VydGlmaWNhdGVMaXN0 ID0gezEyNGssIDM5ciwgNjdhfQcHMTkxODowMDQ1B3sxNGssIDEyNGssIDY3a30gICAHB2NSTE51 bWJlciA9IDgxMA10aGlzVXBkYXRlID0gMTg6NDU5OjAwICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBuZXh0VXBkYXRlID0gMjA6MTUxOTo0NSAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCYXNlQ1JMTnVtYmVyID0gNCAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1ICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9IHszOXIsIDY3a30HBw1EZWx0YSBD UkwgbnVtYmVyIDYgaXMgaXNzdWVkIGF0IDE3OjAwMTU6NDUuICBCeSAxNjowMDc6MTUsIGRlbHRh IENSTCBudW1iZXIgNiBzaG91bGQgYmUgYXZhaWxhYmxlIHRocm91Z2hvdXQgdGhlIHN5c3RlbS4g IEFzIGEgcmVzdWx0LCBkZWx0YSBDUkwgbnVtYmVyIDUgc3BlY2lmaWVkIDE3OjE1MTY6MDAgYXMg aXRzIG5leHRVcGRhdGUgdGltZS4NDUhvd2V2ZXIsIEZ1bGwgZnVsbCBDUkwgQ1JMIG51bWJlciA0 IDUgd2FzIGlzc3VlZCBhdCAxNTowMCBhbmQgbWF5IG5vdCBiZSBhdmFpbGFibGUgdGhyb3VnaG91 dCB0aGUgc3lzdGVtIHVudGlsIDE4OjAwLiAgQXMgYSByZXN1bHQsIGRlbHRhIENSTCBudW1iZXIg NiBtdXN0IGJlIGJhc2VkIG9uIEZ1bGwgZnVsbCBDUkwgbnVtYmVyIDEgd2hpY2ggd2FzIGlzc3Vl ZCBhdCAxMjowMC4NDUlmIHRoZSByZWx5aW5nIHBhcnR5IGZpbmRzIEZ1bGwgZnVsbCBDUkwgbnVt YmVyIDQgNSBpbiB0aGUgcmVwb3NpdG9yeSwgdGhleSBtYXkgc3RpbGwgYXBwbHkgZGVsdGEgQ1JM IG51bWJlciA2IGFuZCBhY2hpZXZlIHRoZSBjb3JyZWN0IGFuc3dlci4NDUZpbmFsbHksIG5vdGUg dGhhdCBhIENSTCBpc3N1ZXIgbXVzdCBnZW5lcmF0ZSBtb3JlIENSTHMgdG8gYWNoaWV2ZSB0aGUg Z29hbCBvZiBzdGF0dXMgaW5mb3JtYXRpb24gdGhhdCBpcyBubyBtb3JlIHRoYW4gb25lIGhvdXIg b2xkIHdoZW4gZmFjdG9yaW5nIGluIHRoZSBwcm9wYWdhdGlvbiBkZWxheXMuDQ0NAiBBIHJldm9j YXRpb24gbm90aWNlIG1heSBvcHRpb25hbGx5IHNwZWNpZnkgaW4gdGhlIGludmFsaWRpdHkgZGF0 ZSBleHRlbnNpb24gdGhlIGRhdGUgYXQgZnJvbSB3aGljaCB0aGUgY2VydGlmaWNhdGUgc2hvdWxk IGJlIGNvbnNpZGVyZWQgaW52YWxpZCBpbiB0aGUgaW52YWxpZGl0eSBkYXRlIGV4dGVuc2lvbiwg YXMgd2VsbC4gIFRoaXMgZGF0ZSBtYXkgcHJlY2VkZSB0aGUgYWN0dWFsIHJldm9jYXRpb24gZGF0 ZS4gIFRoZSBpbnZhbGlkdHlpbnZhbGlkaXR5IGRhdGUgZXh0ZW5zaW9uIGRvZXMgbm90IGZlYXR1 cmUgaW4gdGhpcyBkaXNjdXNzaW9uLCBzbyBpdCBpcyBub3QgY29uc2lkZXJlZCBmdXJ0aGVyIGlu IHRoaXMgcGFwZXIuDQ0NAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAQAAAEEAACXBAAAoQQAAPgEAAD9BAAAAgUAAPoHAAAMCAAAGQkAACQJAAA5CQAAOgkA ANYJAADkCQAA5QkAAB0KAAAeCgAAIQoAACQKAAAlCgAAMAoAADEKAACMCgAAjQoAAJwKAACjCgAA tAoAAEoLAABfCwAAaQsAAHILAABqDAAAyg0AAMsNAAAhDgAAJg4AACgOAAAqDgAAKw4AADUOAABB DgAATQ4AAGoOAAB0DgAAfQ4AAEYPAAD4APEA6vEA6ADoAOEA2tMAzADFzADMAMwA09oAvrCpvqIA m42bjZuNmwCGeKmGAAAAAAAAGgAIgQEIgQRIAgAFaARDVUZjSAQAZGhrRFVGAA0BCIEESAIABWgE Q1VGGgAIgQEIgQRIAgAFaANDVUZjSAMAZGjPQ1VGAA0BCIEESAIABWgDQ1VGDQAIgWNIAgBkaABD VUYNAQiBBEgEAAVoa0RVRhoACIEBCIEESAIABWgAQ1VGY0gEAGRoa0RVRgANAQiBBEgCAAVoAENV Rg0BCIEESAMABWjMQ1VGDQAIgWNIAwBkaMxDVUYNAAiBY0gDAGRozUNVRg0BCIEESAMABWjNQ1VG DQNqAAAAADBKEgBVCAEDNgiBDQAIgWNIAgBkaPVCVUYNAQiBBEgCAAVo9UJVRg0BCIEESAEABWhA RFVGAC4ABAAADAQAAA0EAAAdBQAAHgUAAIsFAACMBQAAkgUAAJMFAAA1BgAANgYAANgGAADZBgAA OwkAADwJAACPCQAAkAkAAD8LAABACwAAyw0AAMwNAAD9AAAAAAAAAAAAAAAA+wAAAAAAAAAAAAAA APsAAAAAAAAAAAAAAAD7AAAAAAAAAAAAAAAA+wAAAAAAAAAAAAAAAPsAAAAAAAAAAAAAAAD5AAAA AAAAAAAAAAAA+wAAAAAAAAAAAAAAAPsAAAAAAAAAAAAAAAD7AAAAAAAAAAAAAAAA+wAAAAAAAAAA AAAAAPsAAAAAAAAAAAAAAAD7AAAAAAAAAAAAAAAA+wAAAAAAAAAAAAAAAPsAAAAAAAAAAAAAAAD7 AAAAAAAAAAAAAAAA+wAAAAAAAAAAAAAAAPsAAAAAAAAAAAAAAAD7AAAAAAAAAAAAAAAAtAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAQyQBRcaAAAACAANDVUYAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQMAAAEAAAAB DwAAFAAEAADwYQAAXWMAAP7+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC AQECzA0AAEEOAABCDgAA8w8AAPQPAABpEAAAahAAAKkQAACqEAAAuBAAALkQAACFEgAAhhIAAPMT AAD0EwAAChUAAAsVAADbFgAA3BYAACMXAAAkFwAA7xgAALoAAAAAAAAAAAAAAAC4AAAAAAAAAAAA AAAAuAAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAuAAAAAAAAAAAAAAAALgA AAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAtgAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAA AAAAAAAAuAAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAuAAAAAAAAAAAAAAA ALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAuAAAAAAAAAAAAAAAALYAAAAAAAAAAAAAAAC4AAAA AAAAAAAAAAAAuAAAAAAAAAAAAAAAAAAAAAABAQAAAQAAAEQAAEMkAUXGgAAAAgADQ1VGAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ABVGDwAA8w8AAGoQAACoEAAAyhAAANAQAAD1EAAA+xAAAA4RAAATEQAAHREAACYRAAAoEQAANhEA ADcRAABhEQAAmBEAAJwRAACdEQAAtxEAAL0RAADGEQAA0BEAANcRAADcEQAA6BEAAO0RAADyEQAA BRIAAAYSAAAKEgAAEhIAABUSAAAWEgAAGxIAACUSAAApEgAALBIAAC4SAAD48fgA6uPc1c7A1cDV sqOUo9UA1dwA3I0AjYYAeADOcQDOeM6NYwAAAAAaAAiBAQiBBEgCAAVoBkNVRmNIBABkaFBEVUYA DQEIgQRIAgAFaAVDVUYaAAiBAQiBBEgCAAVoBUNVRmNIBABkaFBEVUYADQEIgQRIBAAFaFBEVUYN AAiBY0gEAGRoUERVRh0ACIEBCIEESAMABWjRQ1VGDCoHY0gEAGRoT0RVRh0ACIEBCIEESAMABWjQ Q1VGDCoHY0gEAGRoT0RVRhoACIEBCIEESAMABWjQQ1VGY0gEAGRoT0RVRgAaAAiBAQiBBEgCAAVo BUNVRmNIBABkaE9EVUYADQAIgWNIAgBkaAVDVUYNAAiBY0gEAGRoT0RVRg0BCIEESAQABWhPRFVG DQEIgQRIBAAFaE5EVUYNAAiBY0gEAGRoTkRVRg0ACIFjSAIAZGgDQ1VGDQAIgWNIAgBkaARDVUYA Ji4SAAAwEgAAORIAAD0SAABBEgAAQhIAAEMSAABbEgAAZhIAAGgSAABwEgAAcRIAAHUSAAB6EgAA fRIAAIISAACDEgAAtBIAAL0SAAA0EwAANRMAAGITAABlEwAAaBMAAGwTAABuEwAAfBMAAH4TAACH EwAAjBMAAJATAACqEwAAxxMAAMwTAADREwAA7hMAAO8TAADwEwAA8hMAAPQTAAD1EwAA/xMAAA4U AAAVFAAAHxQAAE4UAAD48eoA3PHV3OrO6s7c6s7cAMcAwLmrx9Wdx4+Ij8ePx4iPxwDAgYjAegB6 wAAAAAAAAAAAAAAAAAAAAAANAAiBY0gEAGRoUkRVRg0BCIEESAIABWgHQ1VGDQAIgWNIAgBkaAdD VUYaAAiBAQiBBEgCAAVoB0NVRmNIBABkaFFEVUYAGgAIgQEIgQRIAgAFaAZDVUZjSAQAZGhRRFVG ABoACIEBCIEESAMABWjRQ1VGY0gEAGRoUURVRgANAQiBBEgDAAVo0UNVRg0BCIEESAQABWhSRFVG DQAIgWNIBABkaFFEVUYNAQiBBEgCAAVoBkNVRg0ACIFjSAIAZGgGQ1VGGgAIgQEIgQRIAgAFaAZD VUZjSAQAZGhQRFVGAA0BCIEESAQABWhQRFVGDQAIgWNIBABkaFBEVUYNAAiBY0gCAGRoBUNVRgAt ThQAAFgUAABZFAAAjhQAAAgVAAAbFQAAIhUAACwVAABHFQAASxUAAFgVAABsFQAAcBUAAH0VAACf FgAAoBYAAAUXAAAKFwAADxcAACMXAAAkFwAALxcAADgXAAA9FwAAQhcAAEMXAABEFwAAWhcAAFwX AACdFwAAoxcAAKUXAACqFwAArRcAALMXAAC1FwAAthcAALgXAADeFwAA6xcAAO0XAADvFwAA/RcA ABMYAAD48QDqAOPcANXOANXOAMcAwLkAtwCwqQDAuQCilI2GAH8AeLl/AHjAuQBxAAAAAAAAAA0B CIEESAMABWjWQ1VGDQEIgQRIAwAFaNVDVUYNAAiBY0gDAGRo1UNVRg0ACIFjSAMAZGjUQ1VGDQEI gQRIAwAFaNRDVUYaAAiBAQiBBEgDAAVo1ENVRmNIBABkaFdEVUYADQEIgQRIBAAFaFdEVUYNAQiB BEgCAAVoIUNVRg0ACIFjSAIAZGghQ1VGAzUIgQ0BCIEESAQABWhiRFVGDQAIgWNIBABkaGJEVUYN AAiBY0gDAGRo00NVRg0BCIEESAMABWjSQ1VGDQAIgWNIAwBkaNJDVUYNAQiBBEgEAAVoVERVRg0A CIFjSAQAZGhURFVGDQEIgQRIBAAFaFFEVUYNAQiBBEgEAAVoU0RVRg0ACIFjSAQAZGhTRFVGACsT GAAAFBgAABUYAAAvGAAAOxgAAEQYAABJGAAAgBgAAIEYAACDGAAAiBgAAJcYAACYGAAAmRgAALsY AADAGAAAxRgAAO4YAADvGAAA8BgAAPEYAAAAGgAAFxoAABwaAAAlGgAALxoAADMaAABEGgAAvBoA AL4aAADBGgAAwxoAAMQaAAAJGwAACxsAAAwbAAANGwAAgRsAAIobAADy6+Td1sjdAMEA3bqzAKyl ALqeALoAl5AAkACzgrOCe7OXdG0AZgAAAAAAAAAAAAANAAiBY0gCAGRoIUNVRg0BCIEESAQABWhm RFVGDQAIgWNIBABkaGZEVUYNAAiBY0gCAGRoHUNVRhoACIEBCIEESAIABWgdQ1VGY0gEAGRoYkRV RgANAQiBBEgEAAVoZURVRg0ACIFjSAQAZGhlRFVGDQAIgWNIAgBkaAhDVUYNAQiBBEgEAAVoaURV Rg0ACIFjSAQAZGhpRFVGDQAIgWNIBABkaGJEVUYNAQiBBEgEAAVoYkRVRg0BCIEESAMABWjXQ1VG GgAIgQEIgQRIAgAFaBxDVUZjSAMAZGjXQ1VGAA0ACIFjSAIAZGgcQ1VGDQAIgWNIAwBkaNdDVUYN AQiBBEgDAAVo1kNVRg0BCIEESAQABWhjRFVGGgAIgQEIgQRIAwAFaNZDVUZjSAQAZGhjRFVGJu8Y AADxGAAAABoAAAEaAABDGgAARBoAAAobAAALGwAAURsAAFIbAADvGwAAugAAAAAAAAAAAAAAALgA AAAAAAAAAAAAAAC6AAAAAAAAAAAAAAAAswAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAA AAAAAAAAuAAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAbAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABGAAAKJgALRgEARcaA AQACAPVCVUYCAAAAAAAAAAAABAIABAIABAIAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAMAKAAAACkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAABAIAAyQBYSQBAAEAAABEAABDJAFFxoAAAAQAYkRVRgAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKihsA AI8bAABKHAAAUxwAAFgcAABcHAAAXRwAAF8cAAB3HAAAgxwAAI8cAACWHAAAmxwAAKQcAACoHAAA qxwAAKwcAACwHAAAtBwAALUcAADgHAAA5RwAAOocAADvHAAA8xwAABgdAAAbHQAAIh0AAGEdAACa HQAAnB0AAJ4dAAC7HQAAUB4AAFEeAABaHgAAWx4AAHUeAACzHgAAth4AALkeAADSHgAAAh8AAAcf AAD4APH4APEA7+bd7+bd793m793vANbPAMgAwcgAuqzPuqUAnpeQicF7iQB0AAAAAAAAAAAAAAAA AA0ACIFjSAQAZGhrRFVGGgAIgQEIgQRIAgAFaCJDVUZjSAMAZGjaQ1VGAA0ACIFjSAMAZGjaQ1VG DQEIgQRIAwAFaNtDVUYNAQiBBEgDAAVo3ENVRg0BCIEESAMABWjiQ1VGDQAIgWNIAwBkaNtDVUYa AAiBAQiBBEgDAAVo2kNVRmNIBABkaGpEVUYADQEIgQRIAwAFaNpDVUYNAAiBY0gCAGRoIkNVRg0B CIEESAIABWgiQ1VGDQEIgQRIBAAFaGpEVUYNAAiBY0gEAGRoakRVRhABCIEESAQABWhpRFVGNgiB ABAACIE2CIFjSAQAZGhpRFVGAAM2CIENAAiBY0gCAGRoIUNVRg0BCIEESAIABWghQ1VGACvvGwAA XhwAAF8cAAC1HAAAthwAADkdAAA6HQAAYR0AALgAAAAAAAAAAAAAAAC2AAAAAAAAAAAAAAAAsQAA AAAAAAAAAAAAALYAAAAAAAAAAAAAAAC2AAAAAAAAAAAAAAAAtgAAAAAAAAAAAAAAAGoAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABGAAAKJgALRgQARcaAAQACAPVC VUYCAAAAAAAAAAAABAIABAIABAIAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAMAKAAAACkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAABAAAAyQBYSQBAAEAAABGAAAKJgALRgEARcaAAQACAPVCVUYCAAAAAAAAAAAABAIA BAIABAIAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAKAAAACkAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB2EdAABR HgAA0x4AADofAAC4AAAAAAAAAAAAAAAAcQAAAAAAAAAAAAAAACoAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABGAAAKJgALRgQARcaAAQACAPVCVUYCAAAAAAAAAAAABAIA BAIABAIAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAKAAAACkAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARgAACiYB C0YEAEXGgAEAAgD1QlVGAQAAAAAAAAAAAAQCAAQCAAQCAAABAAAAAgAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAACAAEALgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAEYAAAomAQtGBABFxoABAAIA9UJVRgEAAAAAAAAAAAAEAgAE AgAEAgAAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgABAC4AAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADBx8AAAwf AABQHwAAVR8AAFofAACMHwAAkR8AAJYfAACzHwAAvx8AAMQfAADNHwAA1h8AANofAADyHwAAIiAA ADEgAAA+IAAAXyAAAGAgAABhIAAAiCAAAIkgAACKIAAAQSEAAEIhAADIIQAAySEAAMohAAAcIgAA ZyIAAGoiAABrIgAAkyIAAJUiAAB7IwAAniMAAMojAADMIwAA9yMAAPgjAAAFJAAAGiQAAFAkAABg JAAAYSQAAGYkAAB1JAAAdiQAAHckAAB7JAAAfCQAAH4kAAD4APH4APH4AO/m3e/U7wDNxgC/uAC/ uAC2AL+4AK8ArwCoAKEAmgC2AJOMAIWaALaTAJMAAAANAQiBBEgEAAVobURVRg0BCIEESAIABWgm Q1VGDQAIgWNIAgBkaCZDVUYNAAiBY0gEAGRobURVRg0BCIEESAMABWjoQ1VGDQAIgWNIBABkaGxE VUYNAAiBY0gCAGRoJENVRgNIKgINAQiBBEgEAAVoZ0RVRg0ACIFjSAQAZGhnRFVGDQEIgQRIAwAF aOZDVUYNAAiBY0gDAGRo5kNVRhABCIEESAQABWhsRFVGNgiBABABCIEESAQABWhrRFVGNgiBABAA CIE2CIFjSAQAZGhrRFVGAAM2CIENAAiBY0gEAGRoa0RVRg0BCIEESAQABWhrRFVGADQ6HwAAch8A ALIfAACzHwAA8h8AAPMfAABAIAAAQSAAAAIhAAADIQAAnSEAAJ4hAAAbIgAAuAAAAAAAAAAAAAAA AHEAAAAAAAAAAAAAAABvAAAAAAAAAAAAAAAAagAAAAAAAAAAAAAAAG8AAAAAAAAAAAAAAABvAAAA AAAAAAAAAAAAbwAAAAAAAAAAAAAAAG8AAAAAAAAAAAAAAABvAAAAAAAAAAAAAAAAbwAAAAAAAAAA AAAAAG8AAAAAAAAAAAAAAABvAAAAAAAAAAAAAAAAAAAAAAAEAAADJAFhJAEAAQAAAEYAAAomAQtG BABFxoABAAIA9UJVRgEAAAAAAAAAAAAEAgAEAgAEAgAAAgAAAAIAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAgABAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAABGAAAKJgELRgQARcaAAQACAPVCVUYBAAAAAAAAAAAABAIABAIA BAIAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAQAuAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADBsiAAAcIgAA ZyIAAMMiAAA5IwAAnyMAAAAkAAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAP0AAAAAAAAAAAAA AAC2AAAAAAAAAAAAAAAAbwAAAAAAAAAAAAAAAP0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABGAAAKJgALRgIARcaA AQACAPVCVUYCAAAAAAAAAAAEBAIABAIABAIAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAMAKAAAACkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAARgAACiYAC0YCAEXGgAEAAgD1QlVGAgAAAAAAAAAABAQCAAQCAAQCAAAB AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADACgAAAApAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAGACQAAHgkAABX JQAAWCUAANwmAADdJgAA3ycAAOAnAAASKAAAEygAAE8pAAC4AAAAAAAAAAAAAAAAcQAAAAAAAAAA AAAAAG8AAAAAAAAAAAAAAABvAAAAAAAAAAAAAAAAbwAAAAAAAAAAAAAAAG8AAAAAAAAAAAAAAABv AAAAAAAAAAAAAAAAbQAAAAAAAAAAAAAAAG8AAAAAAAAAAAAAAABvAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQMAAAEAAABGAAAKJgALRgMA RcaAAQACAPVCVUYCAAAAAAAAAAAEBAIABAIABAIAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAMAKAAAACkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAARgAACiYAC0YDAEXGgAEAAgD1QlVGAgAAAAAAAAAABAQCAAQCAAQC AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADACgAAAApAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAp+JAAAgiQAAKEk AADAJAAAwyQAAO4kAADvJAAA8CQAAPEkAADyJAAA9yQAAP4kAAAFJQAAJiUAACclAABVJQAAayUA AGwlAABtJQAAgCUAAIklAACOJQAAqyUAALQlAAC5JQAAvSUAAMslAADNJQAAzyUAANAlAAB9JgAA fiYAALAmAAC0JgAADycAABAnAABUJwAA3ScAABQoAABfKAAAkygAAKEoAACnKAAAqigAAKsoAAD4 KAAA+PHq8QDj3NUA487HAMDHALmyAM7HAKukAJ0AndwAzgCWAKsAjwCIgXoAgXoAAAAAAAAAAAAA AAAAAAAADQAIgWNIBABkaHBEVUYNAQiBBEgEAAVocERVRg0BCIEESAQABWhvRFVGDQEIgQRIBAAF aG5EVUYNAQiBBEgDAAVo6kNVRg0ACIFjSAMAZGjpQ1VGDQEIgQRIAgAFaChDVUYNAAiBY0gCAGRo KENVRg0BCIEESAQABWhnRFVGDQAIgWNIBABkaGdEVUYNSCoCV8oHAQIAJ0NVRg0BCIEESAIABWgn Q1VGDQAIgWNIAgBkaCdDVUYNAQiBBEgEAAVobURVRg0BCIEESAMABWjpQ1VGDQAIgWNIBABkaG1E VUYNAQiBBEgDAAVo6ENVRg0BCIEESAIABWgmQ1VGDQAIgWNIAgBkaCZDVUYALfgoAAD5KAAATikA AE8pAABQKQAAZioAAGgqAABpKgAAcCoAANAqAADeKgAA3yoAAOoqAADrKgAA7SoAAO4qAADxKgAA /CoAAP4qAAD/KgAACSsAABErAAAlKwAAUCsAAGQrAABmKwAAaisAAMgrAADJKwAAyisAABQtAAAW LQAAYy0AAGQtAABlLQAAsDAAALIwAAC0MAAAvDAAAL4wAADAMAAA+DAAAPkwAAD46eLbANTN1M3G v8a/xr/Gv9S/xr/Gv9S4qZqpmqmTAIyFAH53AH53AHAAAAAAAAAAAAAADQEIgQRIBAAFaGdEVUYN AQiBBEgEAAVoh0pVZg0ACIFjSAQAZGiHSlVmDQAIgWNIAgBkaClDVUYNAQiBBEgCAAVoKUNVRg0A CIFjSAQAZGh0RFVGHQAIgQEIgQRIAwAFaO1DVUYMKgdjSAQAZGh0RFVGHQAIgQEIgQRIAwAFaO5D VUYMKgdjSAQAZGh0RFVGDQEIgQRIAwAFaO1DVUYNAQiBBEgEAAVoc0RVRg0BCIEESAQABWhyRFVG DQEIgQRIBAAFaHFEVUYNAQiBBEgEAAVodERVRg0BCIEESAQABWhwRFVGDQAIgWNIBABkaHBEVUYd AAiBAQiBBEgDAAVo60NVRgwqB2NIBABkaHBEVUYNAQiBBEgDAAVo60NVRgAqTykAAFApAABRKQAA nCkAAN0pAABnKgAAugAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAuAAAAAAA AAAAAAAAAHUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQwAARcaA AAAEAHJEVUYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAAAEQAAEMkAUXGgAAABABwRFVGAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVnKgAAaCoAAGMrAABk KwAAZSsAAGYrAABqKwAAugAAAAAAAAAAAAAAALoAAAAAAAAAAAAAAAC6AAAAAAAAAAAAAAAAugAA AAAAAAAAAAAAAHUAAAAAAAAAAAAAAAB1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAQyQB RcaAAAADAO1DVUYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAARAAAQyQBRcaAAAAEAHREVUYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABmorAADJKwAAyisAAOgr AAANLAAAMiwAAFcsAAB8LAAAoSwAAMYsAADrLAAAES0AABUtAAAWLQAAIS0AACItAABNLwAATi8A AF8vAAC5LwAAATAAAHMwAAC6AAAAAAAAAAAAAAAAugAAAAAAAAAAAAAAALoAAAAAAAAAAAAAAAC6 AAAAAAAAAAAAAAAAugAAAAAAAAAAAAAAALoAAAAAAAAAAAAAAAC6AAAAAAAAAAAAAAAAugAAAAAA AAAAAAAAALoAAAAAAAAAAAAAAAC6AAAAAAAAAAAAAAAAugAAAAAAAAAAAAAAALoAAAAAAAAAAAAA AAC4AAAAAAAAAAAAAAAAuAAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAuAAA AAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAuAAAAAAAAAAAAAAAALgAAAAAAAAA AAAAAAAAAAAAAAAAAAEAAABEAABDJAFFxoAAAAMA7kNVRgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV+TAAAPowAAADMQAABDEA AAUxAAAIMQAACTEAADkxAAA6MQAASDEAAE0xAAB9MQAAjjEAAI8xAACoMQAArTEAAAYyAAAHMgAA 5DIAAOwyAAAeMwAAIDMAAAE0AAAJNAAAOzQAAD00AAAeNQAAJjUAADk1AAA6NQAAvDUAAL01AADZ NQAA2jUAANs1AAAYNgAAGTYAABo2AAChNgAAqTYAAME2AADDNgAAmzcAAKA3AACkNwAAyDcAANA3 AADjNwAA5TcAAMY4AADOOAAA4TgAAOI4AAD4APH4AOrb1ADNAM0AzcDNAM0AzQDNAM0AzQDNAM0A zbOmzbOmzQDNAM2ZzYQAzQDNAM0AKQAIgQEIgQRIAwAFaANEVUYMKgdDShIAT0oDAFFKAwBjSAQA ZGh1RFVGGQAIgUNKEgBPSgMAUUoDAGNIBABkaHVEVUYZAAiBQ0oSAE9KAwBRSgMAY0gBAGRoYVNV hhkBCIEESAEABWhhU1WGQ0oSAE9KAwBRSgMAGQAIgUNKEgBPSgMAUUoDAGNIAwBkaPBDVUYMQ0oS AE9KAwBRSgMAAA0BCIEESAQABWhoRFVGHQAIgQEIgQRIAwAFaAREVUYMKgdjSAQAZGhoRFVGDQAI gWNIBABkaGhEVUYNAQiBBEgEAAVoZ0RVRg0ACIFjSAQAZGhnRFVGADRzMAAAOzEAADwxAABOMQAA YzEAAGwxAAB2MQAAdzEAAH0xAACPMQAABzIAADoyAAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAA APcAAAAAAAAAAAAAAAD3AAAAAAAAAAAAAAAA9wAAAAAAAAAAAAAAAPcAAAAAAAAAAAAAAABnvAUA AAAAAAAAAAAA9wAAAAAAAAAAAAAAAPcAAAAAAAAAAAAAAAD3AAAAAAAAAAAAAAAA9wAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAACPAAAWJAEXJAFJZgEAAAAClmwABdYYBAEAAAQBAAAEAQAABAEA AAQBAAAEAQAACNZcAASU/ycJuhJOHOIlAAaTCQAAAAAAAAAAAAAAAAAAAAAABpMJAAAAAAAAAAAA AAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAT1jAAAAD/BAEA AAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAU9gEAABrWEAAAAP8AAAD/ AAAA/wAAAP8b1hAAAAD/AAAA/wAAAP8AAAD/HNYQAAAA/wAAAP8AAAD/AAAA/x3WEAAAAP8AAAD/ AAAA/wAAAP801gYAAQoDbABh9gMAAAYAABYkAUlmAQAAAAABAAAACzoyAACdMgAA5TIAAOYyAADs MgAAHzMAACAzAABTMwAAtjMAAAI0AAADNAAACTQAADw0AAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAA AAAAAGl0BAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5 AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAABpdAQAAAAAAAAAAAAA+QAAAAAA AAAAAAAAAPkAAAAAAAAAAAAAAAAAAACPAAAWJAEXJAFJZgEAAAAClmwABdYYBAEAAAQBAAAEAQAA BAEAAAQBAAAEAQAACNZcAASU/ycJuhJOHOIlAAaTCQAAAAAAAAAAAAAAAAAAAAAABpMJAAAAAAAA AAAAAAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAT1jAAAAD/ BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAU9gEAABrWEAAAAP8A AAD/AAAA/wAAAP8b1hAAAAD/AAAA/wAAAP8AAAD/HNYQAAAA/wAAAP8AAAD/AAAA/x3WEAAAAP8A AAD/AAAA/wAAAP801gYAAQoDbABh9gMAAAYAABYkAUlmAQAAAAAMPDQAAD00AABwNAAA0zQAAB81 AAAgNQAAJjUAADo1AAC9NQAAyzUAAKI2AACjNgAAqTYAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAA AAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAABpDAYAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkA AAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAABpnAQAAAAA AAAAAAAA+QAAAAAAAAAAAAAAAAAAAI8AABYkARckAUlmAQAAAAKWbAAF1hgEAQAABAEAAAQBAAAE AQAABAEAAAQBAAAI1lwABJT/Jwm6Ek4c4iUABpMJAAAAAAAAAAAAAAAAAAAAAAAGkwkAAAAAAAAA AAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAABpQJAAAAAAAAAAAAAAAAAAAAABPWMAAAAP8E AQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAABT2AQAAGtYQAAAA/wAA AP8AAAD/AAAA/xvWEAAAAP8AAAD/AAAA/wAAAP8c1hAAAAD/AAAA/wAAAP8AAAD/HdYQAAAA/wAA AP8AAAD/AAAA/zTWBgABCgNsAGH2AwAABgAAFiQBSWYBAAAAAAypNgAAwjYAAMM2AADRNgAAyTcA AMo3AADQNwAA5DcAAOU3AADzNwAAxzgAAMg4AADOOAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAA AAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAGn4AwAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAA AAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAGkABgAAAAAA AAAAAAD5AAAAAAAAAAAAAAAAAAAAjwAAFiQBFyQBSWYBAAAAApZsAAXWGAQBAAAEAQAABAEAAAQB AAAEAQAABAEAAAjWXAAElP8nCboSThziJQAGkwkAAAAAAAAAAAAAAAAAAAAAAAaTCQAAAAAAAAAA AAAAAAAAAAAABpQJAAAAAAAAAAAAAAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAE9YwAAAA/wQB AAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAFPYBAAAa1hAAAAD/AAAA /wAAAP8AAAD/G9YQAAAA/wAAAP8AAAD/AAAA/xzWEAAAAP8AAAD/AAAA/wAAAP8d1hAAAAD/AAAA /wAAAP8AAAD/NNYGAAEKA2wAYfYDAAAGAAAWJAFJZgEAAAAADM44AADiOAAAZTkAAHM5AABHOgAA SDoAAE46AABiOgAAYzoAAHE6AABAOwAAQTsAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAA AAAAAAAAAAAAAPkAAAAAAAAAAAAAAABp5AMAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAA AAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAACPAAAWJAEXJAFJZgEAAAAClmwABdYYBAEAAAQBAAAEAQAABAEA AAQBAAAEAQAACNZcAASU/ycJuhJOHOIlAAaTCQAAAAAAAAAAAAAAAAAAAAAABpMJAAAAAAAAAAAA AAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAT1jAAAAD/BAEA AAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAU9gEAABrWEAAAAP8AAAD/ AAAA/wAAAP8b1hAAAAD/AAAA/wAAAP8AAAD/HNYQAAAA/wAAAP8AAAD/AAAA/x3WEAAAAP8AAAD/ AAAA/wAAAP801gYAAQoDbABh9gMAAAYAABYkAUlmAQAAAAAL4jgAAGQ5AABlOQAAPToAAEI6AABG OgAATjoAAD87AABDOwAAWDsAAMw+AADOPgAA0D4AANg+AADaPgAA3D4AABQ/AAAVPwAAFj8AAB8/ AAAgPwAAIT8AACU/AAAmPwAAWj8AAFs/AABcPwAAaT8AAG4/AACePwAArz8AALA/AAAnQAAAKEAA AAVBAAANQQAAP0EAAEFBAAAiQgAAKkIAAFxCAABeQgAAP0MAAEdDAABaQwAAW0MAAN1DAADeQwAA +kMAAPtDAAD8QwAAOUQAADpEAAA7RAAAwkQAAPkA+ez5APkA5QDe1wDQyQDCuwDCuwC0pbvCAPkA +QD5APkA+QD5APkA+QD5APkA+ZiL+ZiL+QAAAAAZAAiBQ0oSAE9KAwBRSgMAY0gBAGRoYVNVhhkB CIEESAEABWhhU1WGQ0oSAE9KAwBRSgMAHQAIgQEIgQRIAwAFaAZEVUYMKgdjSAQAZGhoRFVGDQEI gQRIAwAFaAZEVUYNAAiBY0gEAGRoaERVRg0BCIEESAQABWhoRFVGDQEIgQRIBAAFaIhKVWYNAAiB Y0gEAGRoiEpVZg0BCIEESAQABWiHSlVmDQAIgWNIBABkaIdKVWYNAAiBY0gBAGRoWkNVRhkBCIEE SAIABWgrQ1VGQ0oSAE9KAwBRSgMADENKEgBPSgMAUUoDADZBOwAAQjsAAEM7AABZOwAAWjsAAFs7 AABnOwAAaDsAAGg9AABpPQAAez0AANU9AAAdPgAAjz4AAFs/AABcPwAAXT8AAG8/AACEPwAAjT8A AJc/AAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAP0AAAAAAAAAAAAAAAD9AAAAAAAAAAAAAAAA /QAAAAAAAAAAAAAAAP0AAAAAAAAAAAAAAAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAP0AAAAA AAAAAAAAAAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAP0AAAAAAAAAAAAAAAD9AAAAAAAAAAAA AAAA/QAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAD9AAAAAAAAAAAAAAAAsgAAAAAAAAAAAAAAALIA AAAAAAAAAAAAAACyAAAAAAAAAAAAAAAAsgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAABYkAUlm AQAAAABEAABDJAFFxoAAAAQAaERVRgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAFJc/AACYPwAAnj8AALA/AAAoQAAAW0AA AL5AAAAGQQAAB0EAAA1BAABAQQAAQUEAAHRBAABvvAUAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkA AAAAAAAAAAAAAABpAAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAA AAAAAAAAb3QEAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAA AGkAAAAAAAAAAAAAAAAAAAYAABYkAUlmAQAAAACPAAAWJAEXJAFJZgEAAAAClmwABdYYBAEAAAQB AAAEAQAABAEAAAQBAAAEAQAACNZcAASU/ycJuhJOHOIlAAaTCQAAAAAAAAAAAAAAAAAAAAAABpMJ AAAAAAAAAAAAAAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAT 1jAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAU9gEAABrW EAAAAP8AAAD/AAAA/wAAAP8b1hAAAAD/AAAA/wAAAP8AAAD/HNYQAAAA/wAAAP8AAAD/AAAA/x3W EAAAAP8AAAD/AAAA/wAAAP801gYAAQoDbABh9gMAAAAMdEEAANdBAAAjQgAAJEIAACpCAABdQgAA XkIAAJFCAAD0QgAAQEMAAEFDAABHQwAAW0MAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAAaXQE AAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAA AAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAGkMBgAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA +QAAAAAAAAAAAAAAAAAAAI8AABYkARckAUlmAQAAAAKWbAAF1hgEAQAABAEAAAQBAAAEAQAABAEA AAQBAAAI1lwABJT/Jwm6Ek4c4iUABpMJAAAAAAAAAAAAAAAAAAAAAAAGkwkAAAAAAAAAAAAAAAAA AAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAABpQJAAAAAAAAAAAAAAAAAAAAABPWMAAAAP8EAQAAAAAA /wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAABT2AQAAGtYQAAAA/wAAAP8AAAD/ AAAA/xvWEAAAAP8AAAD/AAAA/wAAAP8c1hAAAAD/AAAA/wAAAP8AAAD/HdYQAAAA/wAAAP8AAAD/ AAAA/zTWBgABCgNsAGH2AwAABgAAFiQBSWYBAAAAAAxbQwAA3kMAAOxDAADDRAAAxEQAAMpEAADj RAAA5EQAAPJEAADMRQAAzUUAANNFAADnRQAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAA AAAAAAAAAAAAaSQEAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAA AAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAAaRAEAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5 AAAAAAAAAAAAAAAAAAAAjwAAFiQBFyQBSWYBAAAAApZsAAXWGAQBAAAEAQAABAEAAAQBAAAEAQAA BAEAAAjWXAAElP8nCboSThziJQAGkwkAAAAAAAAAAAAAAAAAAAAAAAaTCQAAAAAAAAAAAAAAAAAA AAAABpQJAAAAAAAAAAAAAAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAE9YwAAAA/wQBAAAAAAD/ BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAFPYBAAAa1hAAAAD/AAAA/wAAAP8A AAD/G9YQAAAA/wAAAP8AAAD/AAAA/xzWEAAAAP8AAAD/AAAA/wAAAP8d1hAAAAD/AAAA/wAAAP8A AAD/NNYGAAEKA2wAYfYDAAAGAAAWJAFJZgEAAAAADMJEAADKRAAA4kQAAOREAADLRQAA00UAAOZF AADoRQAAz0YAANdGAADqRgAA60YAAG1HAABuRwAAVUgAAF1IAABTSQAAVkkAAJ9JAADaSQAA3EkA AA5KAAAmSgAAJ0oAAClKAABpSgAAakoAAIxKAACNSgAAjkoAAA9LAAAgSwAAIUsAACJLAABuTQAA b00AAHBNAAB+TQAAf00AAIBNAACkTQAApU0AAPZNAAACTgAAEk4AAG1PAAByTwAAfk8AAIZPAACH TwAAik8AAJFPAAAuUAAAM1AAADhQAABnUAAAalAAAAD5APkA+QD5APkA+QD5APkA8uvk8uTy5N3W 3c/Wz9by3QDIwQDIwQDBALqzAKylAKUApQCelwCQAAAAAA0ACIFjSAQAZGiRRFVGDQEIgQRIBAAF aJJEVUYNAAiBY0gEAGRokkRVRg0BCIEESAQABWiJSlVmDQAIgWNIBABkaIlKVWYNAQiBBEgEAAVo dkRVRg0ACIFjSAQAZGh2RFVGDQAIgWNIAwBkaAhEVUYNAQiBBEgDAAVoCERVRg0BCIEESAQABWiY RFVGDQEIgQRIBAAFaJlEVUYNAQiBBEgEAAVol0RVRg0BCIEESAQABWibRFVGDQEIgQRIBAAFaJpE VUYNAQiBBEgEAAVolkRVRgxDShIAT0oDAFFKAwA450UAAOhFAAD2RQAA0EYAANFGAADXRgAA60YA AG5HAAB8RwAAVkgAAFdIAABdSAAAcUgAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAA AAAAAAAAAGkYBgAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAA AAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAGn4AwAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAA AAAAAAAAAAAAAAAAAI8AABYkARckAUlmAQAAAAKWbAAF1hgEAQAABAEAAAQBAAAEAQAABAEAAAQB AAAI1lwABJT/Jwm6Ek4c4iUABpMJAAAAAAAAAAAAAAAAAAAAAAAGkwkAAAAAAAAAAAAAAAAAAAAA AAaUCQAAAAAAAAAAAAAAAAAAAAAABpQJAAAAAAAAAAAAAAAAAAAAABPWMAAAAP8EAQAAAAAA/wQB AAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAABT2AQAAGtYQAAAA/wAAAP8AAAD/AAAA /xvWEAAAAP8AAAD/AAAA/wAAAP8c1hAAAAD/AAAA/wAAAP8AAAD/HdYQAAAA/wAAAP8AAAD/AAAA /zTWBgABCgNsAGH2AwAABgAAFiQBSWYBAAAAAAxxSAAAckgAAIBIAABUSQAAVUkAAFZJAAAoSgAA +QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGcAAAAA AAAAAAAAAABnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAABAAAAjwAAFiQBFyQBSWYBAAAAApZsAAXWGAQBAAAEAQAABAEAAAQBAAAEAQAABAEA AAjWXAAElP8nCboSThziJQAGkwkAAAAAAAAAAAAAAAAAAAAAAAaTCQAAAAAAAAAAAAAAAAAAAAAA BpQJAAAAAAAAAAAAAAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAE9YwAAAA/wQBAAAAAAD/BAEA AAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAFPYBAAAa1hAAAAD/AAAA/wAAAP8AAAD/ G9YQAAAA/wAAAP8AAAD/AAAA/xzWEAAAAP8AAAD/AAAA/wAAAP8d1hAAAAD/AAAA/wAAAP8AAAD/ NNYGAAEKA2wAYfYDAAAGAAAWJAFJZgEAAAAABihKAAApSgAAIUsAACJLAABaSwAAW0sAALoAAAAA AAAAAAAAAAC6AAAAAAAAAAAAAAAAdQAAAAAAAAAAAAAAADAAAAAAAAAAAAAAAAAuAAAAAAAAAAAA AAAAAAAAAAEAAABEAABDJAFFxoAAAAQAlkRVRgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABEAABDJAFFxoAAAAQAl0RVRgAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AABEAABDJAFFxoAAAAQAm0RVRgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFW0sAAA5NAAAPTQAAbE8AAG1PAACTTwAA7U8AADpQ AAC5UAAAgFEAAIFRAACTUQAAqFEAALFRAAC7UQAA/QAAAAAAAAAAAAAAAP0AAAAAAAAAAAAAAAD9 AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAP0AAAAAAAAAAAAAAAD9AAAAAAAAAAAAAAAA/QAAAAAA AAAAAAAAAP0AAAAAAAAAAAAAAAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAPcAAAAAAAAAAAAA AAD3AAAAAAAAAAAAAAAA9wAAAAAAAAAAAAAAAPcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAGAAAWJAFJZgEAAAAAAQAAAA5qUAAAbVAAAJ5QAACgUAAAolAAAKNQAACmUAAAqVAA AK1QAACyUAAAt1AAAPZQAAD8UAAA/1AAAAFRAAACUQAABlEAAAtRAAAQUQAARVEAAEZRAABHUQAA T1EAAFBRAABRUQAAVFEAAFlRAABaUQAAXFEAAF1RAABeUQAAf1EAAI1RAACSUQAAwlEAANNRAADU UQAAS1IAAExSAACPUgAA0FIAABFTAABqUwAAbFMAAHFTAAD4APHqAPHqAOPcANXO3M4A1dwAx8AA 1cDVzgC5qpuqAJQAlACUAJSHepQAcwAAAAAAAA0ACIFjSAQAZGh3RFVGGQEIgQRIBAAFaHZEVUZD ShIAT0oDAFFKAwAZAAiBQ0oSAE9KAwBRSgMAY0gEAGRodkRVRgxDShIAT0oDAFFKAwAAHQAIgQEI gQRIAwAFaAlEVUYMKgdjSAQAZGh2RFVGHQAIgQEIgQRIAwAFaAhEVUYMKgdjSAQAZGh2RFVGDQEI gQRIAwAFaAhEVUYNAAiBY0gEAGRoaURVRg0BCIEESAQABWhpRFVGDQEIgQRIBAAFaJNEVUYNAAiB Y0gEAGRok0RVRg0BCIEESAQABWiJSlVmDQAIgWNIBABkaIlKVWYNAQiBBEgEAAVoiEpVZg0ACIFj SAQAZGiISlVmDQEIgQRIBAAFaJFEVUYALLtRAAC8UQAAwlEAANRRAABMUgAAf1IAACNTAABrUwAA bFMAAHdTAACqUwAAq1MAAONTAABvwAYAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAA AABpAAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAAb7QE AAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAA AAAAAAAAAAYAABYkAUlmAQAAAACPAAAWJAEXJAFJZgEAAAAClmwABdYYBAEAAAQBAAAEAQAABAEA AAQBAAAEAQAACNZcAASU/ycJuhJOHOIlAAaTCQAAAAAAAAAAAAAAAAAAAAAABpMJAAAAAAAAAAAA AAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAT1jAAAAD/BAEA AAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAU9gEAABrWEAAAAP8AAAD/ AAAA/wAAAP8b1hAAAAD/AAAA/wAAAP8AAAD/HNYQAAAA/wAAAP8AAAD/AAAA/x3WEAAAAP8AAAD/ AAAA/wAAAP801gYAAQoDbABh9gMAAAAMcVMAAHZTAAB3UwAAqVMAAKtTAADYUwAA3VMAAOJTAADw UwAANFQAADpUAACXVAAAmVQAAJ5UAACjVAAApFQAANZUAADYVAAABVUAAApVAAAPVQAAHlUAAB9V AAAgVQAAIVUAAGJVAACjVQAAAFYAAAJWAAAIVgAAOlYAADtWAAA8VgAAaVYAAG5WAAB9VgAAflYA AONWAADqVgAA61YAAOxWAADyVgAABVcAAAZXAAASVwAA+ADxAPHk1/Hk1/EA0PgA8QDxw7bxtsPx qZzxAPiPtvi2graCtnW2+ADxAPEAAAAAAAAAAAAAGQEIgQRIBAAFaIlEVUZDShIAT0oDAFFKAwAZ AQiBBEgEAAVoekRVRkNKEgBPSgMAUUoDABkBCIEESAEABWhpU1WGQ0oSAE9KAwBRSgMAGQEIgQRI BAAFaHlEVUZDShIAT0oDAFFKAwAZAAiBQ0oSAE9KAwBRSgMAY0gEAGRoeURVRhkBCIEESAQABWh3 RFVGQ0oSAE9KAwBRSgMAGQAIgUNKEgBPSgMAUUoDAGNIBABkaHdEVUYNAAiBY0gEAGRod0RVRhkB CIEESAQABWh2RFVGQ0oSAE9KAwBRSgMAGQAIgUNKEgBPSgMAUUoDAGNIBABkaHZEVUYMQ0oSAE9K AwBRSgMAAA0BCIEESAQABWh3RFVGACzjUwAAOlQAAExUAACYVAAA+QAAAAAAAAAAAAAAALAAAAAA AAAAAAAAAAD5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASQAAFiQBQyQBRcaAAAAEAHZEVUYAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AABJZgEAAAAGAAAWJAFJZgEAAAAAA5hUAACZVAAApFQAANdUAADYVAAAEFUAALVVAAABVgAAAlYA AAhWAAA7VgAAPFYAAG+kBQAAAAAAAAAAAABpAAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAA AAAAAAAAAABpAAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABvqAMAAAAAAAAA AAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAYAABYkAUlmAQAAAACPAAAWJAEXJAFJZgEAAAAClmwABdYYBAEAAAQBAAAEAQAABAEAAAQB AAAEAQAACNZcAASU/ycJuhJOHOIlAAaTCQAAAAAAAAAAAAAAAAAAAAAABpMJAAAAAAAAAAAAAAAA AAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAT1jAAAAD/BAEAAAAA AP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAU9gEAABrWEAAAAP8AAAD/AAAA /wAAAP8b1hAAAAD/AAAA/wAAAP8AAAD/HNYQAAAA/wAAAP8AAAD/AAAA/x3WEAAAAP8AAAD/AAAA /wAAAP801gYAAQoDbABh9gMAAAALPFYAAG9WAADSVgAA5FYAAOtWAAC2AAAAAAAAAAAAAAAAtgAA AAAAAAAAAAAAALAAAAAAAAAAAAAAAABnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABJ AAAWJAFDJAFFxoAAAAQAiURVRgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAElmAQAAAAYAABYkAUlmAQAAAEkAABYkAUMkAUXGgAAA BAB3RFVGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAASWYBAAAAAATrVgAA7FYAAPJWAAAGVwAAnVcAAKxXAACxWAAAslgAAL1YAADW WAAA11gAAOZYAADIWQAAbxgHAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAAaQAA AAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAAb1wEAAAAAAAAAAAAAGkAAAAAAAAA AAAAAABpAAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAA AAAGAAAWJAFJZgEAAAAAjwAAFiQBFyQBSWYBAAAAApZsAAXWGAQBAAAEAQAABAEAAAQBAAAEAQAA BAEAAAjWXAAElP8nCboSThziJQAGkwkAAAAAAAAAAAAAAAAAAAAAAAaTCQAAAAAAAAAAAAAAAAAA AAAABpQJAAAAAAAAAAAAAAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAE9YwAAAA/wQBAAAAAAD/ BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAFPYBAAAa1hAAAAD/AAAA/wAAAP8A AAD/G9YQAAAA/wAAAP8AAAD/AAAA/xzWEAAAAP8AAAD/AAAA/wAAAP8d1hAAAAD/AAAA/wAAAP8A AAD/NNYGAAEKA2wAYfYDAAAADBJXAAAmVwAAOlcAAJxXAACdVwAAqVcAAKpXAACrVwAAulcAALtX AAC8VwAA+FcAAPpXAAD8VwAA/VcAACpYAABXWAAAsFgAALJYAAC3WAAAvFgAAL1YAADVWAAA11gA AONYAADkWAAA5VgAAPNYAAD4WAAA/VgAADdZAAA6WQAAPVkAAMdZAADJWQAAzlkAANNZAADUWQAA 51kAAOlZAAD1WQAA9lkAAPdZAAAGWgAACVoAAAxaAABGWgAAS1oAAFBaAADZWgAA21oAAOFaAAD1 WgAA9loAAAJbAAADWwAAUlsAAPLl3gDe0cTexNHe0cTe0cTeAL22AN4A3qmc3qmc3pyp3gC9tgDe AN6pnN6cqd6pnN4Ato+2j5yPAAAZAQiBBEgEAAVoeERVRkNKEgBPSgMAUUoDABkBCIEESAQABWiF RFVGQ0oSAE9KAwBRSgMAGQAIgUNKEgBPSgMAUUoDAGNIBABkaIVEVUYNAQiBBEgEAAVoeERVRg0A CIFjSAQAZGh4RFVGGQEIgQRIBAAFaHlEVUZDShIAT0oDAFFKAwAZAAiBQ0oSAE9KAwBRSgMAY0gE AGRoeURVRgxDShIAT0oDAFFKAwAAGQEIgQRIBAAFaHpEVUZDShIAT0oDAFFKAwAZAAiBQ0oSAE9K AwBRSgMAY0gEAGRoekRVRgA4yFkAAMlZAADUWQAA6FkAAOlZAAD4WQAA2loAANtaAADhWgAA9VoA APZaAABvSAQAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAA aQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABvEAQAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAA AAAAAAAAAABpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BgAAFiQBSWYBAAAAAI8AABYkARckAUlmAQAAAAKWbAAF1hgEAQAABAEAAAQBAAAEAQAABAEAAAQB AAAI1lwABJT/Jwm6Ek4c4iUABpMJAAAAAAAAAAAAAAAAAAAAAAAGkwkAAAAAAAAAAAAAAAAAAAAA AAaUCQAAAAAAAAAAAAAAAAAAAAAABpQJAAAAAAAAAAAAAAAAAAAAABPWMAAAAP8EAQAAAAAA/wQB AAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAABT2AQAAGtYQAAAA/wAAAP8AAAD/AAAA /xvWEAAAAP8AAAD/AAAA/wAAAP8c1hAAAAD/AAAA/wAAAP8AAAD/HdYQAAAA/wAAAP8AAAD/AAAA /zTWBgABCgNsAGH2AwAAAAr2WgAABFsAAN5bAADfWwAAtgAAAAAAAAAAAAAAALAAAAAAAAAAAAAA AAAg0AcAAAAAAAAAAAAAAAAAAAAAAAAAAI8AABYkARckAUlmAQAAAAKWbAAF1hgEAQAABAEAAAQB AAAEAQAABAEAAAQBAAAI1lwABJT/Jwm6Ek4c4iUABpMJAAAAAAAAAAAAAAAAAAAAAAAGkwkAAAAA AAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAABpQJAAAAAAAAAAAAAAAAAAAAABPWMAAA AP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAABT2AQAAGtYQAAAA /wAAAP8AAAD/AAAA/xvWEAAAAP8AAAD/AAAA/wAAAP8c1hAAAAD/AAAA/wAAAP8AAAD/HdYQAAAA /wAAAP8AAAD/AAAA/zTWBgABCgNsAGH2AwAABgAAFiQBSWYBAAAASQAAFiQBQyQBRcaAAAAEAHhE VUYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAABJZgEAAAAAA1JbAABUWwAA3lsAAN9bAADlWwAA+FsAAPlbAAAFXAAAGVwAAC1cAACP XAAAkFwAAJxcAACdXAAAnlwAAO1cAAAaXQAAR10AAFddAACDXQAAr10AAMJdAADIXQAA0V0AANNd AADVXQAA110AANhdAADaXQAA3F0AAN1dAAD+XQAA/10AAAFeAAAQXgAAFF4AABheAABRXgAAVl4A AFteAACWXgAAwl4AAO5eAAAKXwAALV8AADJfAADy5d4A1wDXyr3XANfKvdfKvdewo9ew1wCclQCc lQDXyr3XiHvXe4jXsKPXAHQAAAANAAiBY0gEAGRoh0RVRhkACIFDShIAT0oDAFFKAwBjSAQAZGiR RFVGGQEIgQRIBAAFaJFEVUZDShIAT0oDAFFKAwANAQiBBEgEAAVohkRVRg0ACIFjSAQAZGiGRFVG GQEIgQRIBAAFaIlEVUZDShIAT0oDAFFKAwAZAAiBQ0oSAE9KAwBRSgMAY0gEAGRoiURVRhkBCIEE SAQABWiGRFVGQ0oSAE9KAwBRSgMAGQAIgUNKEgBPSgMAUUoDAGNIBABkaIZEVUYMQ0oSAE9KAwBR SgMAAA0BCIEESAQABWh4RFVGGQEIgQRIBAAFaHhEVUZDShIAT0oDAFFKAwAZAQiBBEgEAAVohURV RkNKEgBPSgMAUUoDAAAt31sAAOVbAAD5WwAAkFwAAJ9cAADSXQAA010AAN1dAADxXQAA8l0AAAJe AAALXwAADF8AAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAA AAAAAAD5AAAAAAAAAAAAAAAAaeQEAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA +QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAAAAAI8A ABYkARckAUlmAQAAAAKWbAAF1hgEAQAABAEAAAQBAAAEAQAABAEAAAQBAAAI1lwABJT/Jwm6Ek4c 4iUABpMJAAAAAAAAAAAAAAAAAAAAAAAGkwkAAAAAAAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAA AAAAAAAABpQJAAAAAAAAAAAAAAAAAAAAABPWMAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8E AQAAAAAA/wQBAAAAAAD/BAEAABT2AQAAGtYQAAAA/wAAAP8AAAD/AAAA/xvWEAAAAP8AAAD/AAAA /wAAAP8c1hAAAAD/AAAA/wAAAP8AAAD/HdYQAAAA/wAAAP8AAAD/AAAA/zTWBgABCgNsAGH2AwAA BgAAFiQBSWYBAAAAAAwMXwAADV8AANRfAADVXwAAr2AAALBgAAA/YQAAQGEAAO5hAADvYQAA8GEA AFxjAABdYwAAXmMAAP0AAAAAAAAAAAAAAAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAP0AAAAA AAAAAAAAAAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAA AAAA/QAAAAAAAAAAAAAAAP0AAAAAAAAAAAAAAAC2AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAP0A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAERAABEAABDJAFFxoAAAAQAlERV RgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAABAAAADTJfAAA3XwAAPl8AAEJfAABGXwAAsV8AALZfAAC7XwAA3l8AAONfAADoXwAA 7F8AAPBfAAD3XwAA+V8AAPtfAAB9YAAAgmAAAIdgAADLYAAA0GAAANVgAADgYAAA4mAAAORgAAAe YQAAPmEAAO1hAADwYQAA8WEAAB1iAAAkYgAAM2IAAD5iAABHYgAASmIAAFViAACBYgAAiWIAAJhi AACrYgAA5WIAAO5iAAD4YgAAXmMAAPgA+PEA8fgA6uMA6gDq4wDq4wDq4wDx+ADc1QDOAMe+xwC3 sACpoKkAmZIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAANAQiBBEgBAAVoWUNVRg0ACIFjSAEAZGhZQ1VGEAAIgTYIgWNI AgBkaPlCVUYADQAIgWNIAgBkaPlCVUYNAQiBBEgCAAVo+EJVRg0ACIFjSAIAZGj4QlVGEAEIgQRI AgAFaPlCVUY2CIEADQEIgQRIAgAFaPlCVUYNA2oAAAAAMEoSAFUIAQ0BCIEESAQABWiURFVGDQEI gQRIAQAFaFpDVUYNAQiBBEgEAAVoiERVRg0ACIFjSAQAZGiIRFVGDQAIgWNIBABkaIdEVUYNAQiB BEgEAAVoh0RVRgAsIAAxkGgBH7DQLyCw4D0hsC0FIrAtBSOQ8AMkkPADJbAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAUABMACgABAGkADwADAAAAAAAAAAAAOAAAQPH/AgA4AAwABgBOAG8AcgBtAGEA bAAAAAIAAAAYAENKGABfSAEEYUoYAG1ICQRzSAkEdEgJBDYAAUABAAIANgAMAAkASABlAGEAZABp AG4AZwAgADEAAAAOAAEAAyQBBiQBQCYAYSQBBABDShwAMgACQAEAAgAyAAwACQBIAGUAYQBkAGkA bgBnACAAMgAAAAgAAgAGJAFAJgEGADYIgV0IgTgAA0ABAAIAOAAMAAkASABlAGEAZABpAG4AZwAg ADMAAAAOAAMAAyQBBiQBQCYCYSQBBgA2CIFdCIEAAAAAAAAAAAAAAAA8AEFA8v+hADwADAAWAEQA ZQBmAGEAdQBsAHQAIABQAGEAcgBhAGcAcgBhAHAAaAAgAEYAbwBuAHQAAAAAAAAAAAAAAAAAKAA+ QAEA8gAoAAwABQBUAGkAdABsAGUAAAAIAA8AAyQBYSQBBABDShwAIgBXQKIAAQEiAAwABgBTAHQA cgBvAG4AZwAAAAYANQgBXAgBNgAdQAEAEgE2AAwADQBGAG8AbwB0AG4AbwB0AGUAIABUAGUAeAB0 AAAAAgARAAgAQ0oUAGFKFAA4ACZAogAhATgADAASAEYAbwBvAHQAbgBvAHQAZQAgAFIAZQBmAGUA cgBlAG4AYwBlAAAAAwBIKgEAOQUAAF5fAAABAAAAAABsAQAAbwEAAAAAAABeXwAABgAAygAABQD/ ////AAAAAAwAAAANAAAAHQEAAB4BAACLAQAAjAEAAJIBAACTAQAANQIAADYCAADYAgAA2QIAADsF AAA8BQAAjwUAAJAFAAA/BwAAQAcAAMsJAADMCQAAQQoAAEIKAADzCwAA9AsAAGkMAABqDAAAqQwA AKoMAAC4DAAAuQwAAIUOAACGDgAA8w8AAPQPAAAKEQAACxEAANsSAADcEgAAIxMAACQTAADvFAAA 8RQAAAAWAAABFgAAQxYAAEQWAAAKFwAACxcAAFEXAABSFwAA7xcAAF4YAABfGAAAtRgAALYYAAA5 GQAAOhkAAGEZAABRGgAA0xoAADobAAByGwAAshsAALMbAADyGwAA8xsAAEAcAABBHAAAAh0AAAMd AACdHQAAnh0AABseAAAcHgAAZx4AAMMeAAA5HwAAnx8AAAAgAAB4IAAAVyEAAFghAADcIgAA3SIA AN8jAADgIwAAEiQAABMkAABPJQAAUCUAAFElAACcJQAA3SUAAGcmAABoJgAAYycAAGQnAABlJwAA ZicAAGonAADJJwAAyicAAOgnAAANKAAAMigAAFcoAAB8KAAAoSgAAMYoAADrKAAAESkAABUpAAAW KQAAISkAACIpAABNKwAATisAAF8rAAC5KwAAASwAAHMsAAA7LQAAPC0AAE4tAABjLQAAbC0AAHYt AAB3LQAAfS0AAI8tAAAHLgAAOi4AAJ0uAADlLgAA5i4AAOwuAAAfLwAAIC8AAFMvAAC2LwAAAjAA AAMwAAAJMAAAPDAAAD0wAABwMAAA0zAAAB8xAAAgMQAAJjEAADoxAAC9MQAAyzEAAKIyAACjMgAA qTIAAMIyAADDMgAA0TIAAMkzAADKMwAA0DMAAOQzAADlMwAA8zMAAMc0AADINAAAzjQAAOI0AABl NQAAczUAAEc2AABINgAATjYAAGI2AABjNgAAcTYAAEA3AABBNwAAQjcAAEM3AABZNwAAWjcAAFs3 AABnNwAAaDcAAGg5AABpOQAAezkAANU5AAAdOgAAjzoAAFs7AABcOwAAXTsAAG87AACEOwAAjTsA AJc7AACYOwAAnjsAALA7AAAoPAAAWzwAAL48AAAGPQAABz0AAA09AABAPQAAQT0AAHQ9AADXPQAA Iz4AACQ+AAAqPgAAXT4AAF4+AACRPgAA9D4AAEA/AABBPwAARz8AAFs/AADePwAA7D8AAMNAAADE QAAAykAAAONAAADkQAAA8kAAAMxBAADNQQAA00EAAOdBAADoQQAA9kEAANBCAADRQgAA10IAAOtC AABuQwAAfEMAAFZEAABXRAAAXUQAAHFEAAByRAAAgEQAAFRFAABVRQAAVkUAAChGAAApRgAAIUcA ACJHAABaRwAAW0cAAA5JAAAPSQAAbEsAAG1LAACTSwAA7UsAADpMAAC5TAAAgE0AAIFNAACTTQAA qE0AALFNAAC7TQAAvE0AAMJNAADUTQAATE4AAH9OAAAjTwAAa08AAGxPAAB3TwAAqk8AAKtPAADj TwAAOlAAAExQAACYUAAAmVAAAKRQAADXUAAA2FAAABBRAAC1UQAAAVIAAAJSAAAIUgAAO1IAADxS AABvUgAA0lIAAOtSAADsUgAA8lIAAAZTAACdUwAArFMAALFUAACyVAAAvVQAANZUAADXVAAA5lQA AMhVAADJVQAA1FUAAOhVAADpVQAA+FUAANpWAADbVgAA4VYAAPVWAAD2VgAABFcAAN5XAADfVwAA 5VcAAPlXAACQWAAAn1gAANJZAADTWQAA3VkAAPFZAADyWQAAAloAAAtbAAAMWwAADVsAANRbAADV WwAAr1wAALBcAAA/XQAAQF0AAO5dAADvXQAAX18AAJgAAAAPMAAAAAAAAACAAAAAgJgAAAAAAAAA AAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAA AACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgCgAAAADAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACA jAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEA AJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgA AAAAAAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAMAAAAAAAAACAjAEAAJgAAAAA AAAAAAAAAACAjAEAAJgAAAAAMAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAMAAA AAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAMAAAAAAAAACAjAEAAJgAAAAAAAAAAAAA AACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACA jAEAAJgAAAAAAAAAAAAAAACAjAEAAAgAAAABAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAqgwA AJgAAAAAMAAAAAAAAACAqgwAAJgAAAAAAAAAAAAAAACAqgwAAJgAAAAAMAAAAAAAAACAqgwAAJgA AAAAAAAAAAAAAACAqgwAAJgAAAAAMAAAAAAAAACAqgwAAJgAAAAAAAAAAAAAAACAqgwAAJgAAAAA MAAAAAAAAACAqgwAAJgAAAAAAAAAAAAAAACAqgwAAAgAAAABMAAAAAAAAACAAAAAgJgAAAAAAAAA AAAAAACA3BIAAJgAAAAAMAAAAAAAAACA3BIAAJgAAAAAMAAAAAAAAACA3BIAAJgAAAAAMAAAAAAA AACA3BIAAJgAAAAAMAAAAAAAAACA3BIAABgAAAACMAAAAAAAAACA3BIAAJgAAAAAAAAAAAAAAACA ARYAAJgAAAAAMAAAAAAAAACAARYAAJgAAAAAMAAAAAAAAACAARYAAJgAAAAAMAAAAAAAAACAARYA AJgAAAAAAAAAAAAAAACAARYAAJgAASAAAAAAAAAAAACAARYAAJgAASAAAAEAAAAAAACAARYAAJgA AAAAAAAAAAAAAACAARYAAJgAAAAAMAAAAAAAAACAARYAAJgAAAAAAAAAAAAAAACAARYAAJgAAAAA MAAAAAAAAACAARYAAJgAAAAAAAAAAAAAAACAARYAAJgABCAAAAAAAAAAAACAARYAAJgBBCAAMAAA AAA6GQAAARYAAJgBBCAAMAEAAAA6GQAAARYAAJgABCAAMAEAAAAAAACAARYAAJgBBCAAMAAAAADT GgAAARYAAJgBBCAAMAEAAADTGgAAARYAAJgAAAAAAAAAAAAAAACAARYAAJgAAAAAMAAAAAAAAACA ARYAAJgAAAAAAAAAAAAAAACAARYAAJgAAAAAMAAAAAAAAACAARYAAJgAAAAAAAAAAAAAAACAARYA AJgAAAAAMAAAAAAAAACAARYAAJgAAAAAAAAAAAAAAACAARYAAJgAAAAAAAAAAAAAAACAARYAAJgA AAAAAAAAAAAAAACAARYAAJgAAAAAMAAAAAAAAACAARYAAJgAAAAAAAAAAAAAAACAARYAAJgAAAAA AAAAAAAAAACAARYAAJgAAAAAMAAAAAAAAACAARYAAJgAAiAAAAAAAAAAAACAARYAAJgAAiAAMAEA AAAAAACAARYAAJgAAAAAMAAAAAAAAACAARYAAJgAAyAAMAAAAAAAAACAARYAAJgAAyAAMAEAAAAA AACAARYAAJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACA AAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgCgAAAADAAAAAAAAAACAAAAA gJgAAAAAAAAAAAAAAACAuB4AAJgAAAAAMAAAAAAAAACAAAAAgJoAAAAAAAAAAAAAAACAuB4AAJgA AAAAMAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAuB4AAJgAAAAAAAAAAAAAAACAuB4AAJgAAAAA MAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAA AAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAA AACAAAAAgJoAAAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACA AAAAgJoAAAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACAAAAA gJoAAAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACAAAAAgJoA AAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACAAAAAgJoAAAAA AAAAAAAAAACAuB4AAJgAAAAAAAAAAAAAAACAuB4AAJgAAAAAAAAAAAAAAACAuB4AAJgAAAAAAAAA AAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAA AACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACA AAAAgJgAAAAAAAAAAAAAAACAAAAAgKkAAAAAAAAAAAAAAACAAAAAgKkAAAAAAAAAAAAAAACAAAAA gKkAAAAAAAAAAAAAAACAAAAAgKkAAAAAAAAAAAAAAACAAAAAgJwAAAAAAAAAAAAAAACAAAAAgKkA AAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKtAAAAAMAAAAAAAAACAAAAAgKsAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAA AAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAA AACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACA AAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkA AAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAA AAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAA AACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACA AAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkA AAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAA AAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAA AACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACA AAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAA gJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJhA AAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJhAAAAAAAAAAAAAAACAAAAAgJgAAAAA AAAAAAAAAACAAAAAgJhAAAAAAAAAAAAAAACAAAAAgJhAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAA AAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJpAAAAAAAAAAAAAAACAAAAAgJgAAAAAMAAAAAAA AACAAAAAgKlAAAAAAAAAAAAAAACAAAAAgKkAAAAAAAAAAAAAAACAAAAAgKlAAAAAAAAAAAAAAACA AAAAgKlAAAAAAAAAAAAAAACAAAAAgJ4AAAAAAAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkA AAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAA AAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAA AACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACA AAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkA AAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACAAAAAgJkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAA AAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAA AACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACA AAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAA gKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkA AAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAA AAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAA AACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACA AAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAA gJgAAAAAAAAAAAAAAACAAAAAgJhAAAAAAAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJhA AAAAAAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJhAAAAAAAAAAAAAAACAAAAAgJgAAAAA MAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJhAAAAAAAAA AAAAAACAAAAAgKlAAAAAAAAAAAAAAACAAAAAgKkAAAAAAAAAAAAAAACAAAAAgKlAAAAAAAAAAAAA AACAAAAAgKlAAAAAAAAAAAAAAACAAAAAgJwAAAAAAAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACA AAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gKsAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkA AAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAA AAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAA AACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACA AAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gKsAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKtAAAAAMAAAAAAAAACAAAAAgKtA AAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAA AAAAAACAAAAAgKsAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAA AACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACA AAAAgKsAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACAAAAAgKsA AAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAA AAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKlAAAAAMAAAAAAAAACAAAAAgKlAAAAAMAAAAAAA AACAAAAAgKtAAAAAMAAAAAAAAACAAAAAgKtAAAAAMAAAAAAAAACAAAAAgKtAAAAAMAAAAAAAAACA AAAAgJlAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACAAAAAgJkA AAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAA AAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAMAAA AAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJhAAAAAAAAAAAAA AACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgAAEAABGDwAALhIAAE4UAAATGAAAihsAAAcfAAB+JAAA +CgAAPkwAADiOAAAwkQAAGpQAABxUwAAElcAAFJbAAAyXwAAXmMAADIAAAA2AAAANwAAADgAAAA5 AAAAOwAAAD4AAABCAAAAQwAAAEcAAABNAAAAUgAAAFcAAABZAAAAXgAAAGEAAABkAAAAAAQAAMwN AADvGAAA7xsAAGEdAAA6HwAAGyIAAAAkAABPKQAAZyoAAGorAABzMAAAOjIAADw0AACpNgAAzjgA AEE7AACXPwAAdEEAAFtDAADnRQAAcUgAAChKAABbSwAAu1EAAONTAACYVAAAPFYAAOtWAADIWQAA 9loAAN9bAAAMXwAAXmMAADMAAAA1AAAAOgAAADwAAAA9AAAAPwAAAEAAAABBAAAARAAAAEUAAABG AAAASAAAAEkAAABKAAAASwAAAEwAAABOAAAATwAAAFAAAABRAAAAUwAAAFQAAABVAAAAVgAAAFgA AABaAAAAWwAAAFwAAABdAAAAXwAAAGAAAABiAAAAYwAAAAAEAABdYwAANAAAAAAAAAAHAAAACwAA AGkHAAByBwAAdAoAAH0KAADeDAAA4gwAAMwNAADQDQAA4w0AAOcNAAAfEAAAIxAAAFgQAABcEAAA LBEAADARAAAAGQAACRkAAJMZAACiGQAATh0AAE8dAADsHgAA+R4AAFUfAABiHwAAUiAAAF8gAADh IAAA7iAAAOMiAADsIgAAWCQAAFwkAACeJQAAoCUAANMlAADaJQAA7yUAAPYlAAARJwAAJScAAJcq AACgKgAAjy0AAJgtAACvLQAAuS0AAM8tAADZLQAA7y0AAP4tAAAHLgAAEC4AACcuAAAxLgAAOi4A AEQuAACLLgAAmC4AAJ0uAACsLgAAIC8AACkvAABALwAASi8AAFMvAABdLwAApC8AALEvAAC2LwAA xS8AAD0wAABGMAAAXTAAAGcwAABwMAAAejAAAMEwAADOMAAA0zAAAOIwAAA6MQAAQzEAAFoxAABk MQAAejEAAIQxAACaMQAAqTEAAL0xAADGMQAAyzEAANUxAAAKMgAAFDIAAEgyAABVMgAAhDIAAJMy AADDMgAAzDIAANEyAADbMgAADzMAABkzAABMMwAAWTMAAIgzAACXMwAA5TMAAO4zAADzMwAA/TMA ADE0AAA7NAAAbjQAAHs0AACqNAAAuTQAAOI0AADrNAAAAjUAAAw1AAAiNQAALDUAAEI1AABRNQAA ZTUAAG41AABzNQAAfTUAALE1AAC7NQAA7jUAAPs1AAAqNgAAOTYAAGM2AABsNgAAcTYAAHs2AACv NgAAuTYAAOw2AAD5NgAAKDcAADc3AACJOAAAkjgAALA7AAC5OwAA0DsAANo7AADwOwAA+jsAABA8 AAAfPAAAKDwAADE8AABIPAAAUjwAAFs8AABlPAAArDwAALk8AAC+PAAAzTwAAEE9AABKPQAAYT0A AGs9AAB0PQAAfj0AAMU9AADSPQAA1z0AAOY9AABePgAAZz4AAH4+AACIPgAAkT4AAJs+AADiPgAA 7z4AAPQ+AAADPwAAWz8AAGQ/AAB7PwAAhT8AAJs/AAClPwAAuz8AAMo/AADePwAA5z8AAOw/AAD2 PwAAK0AAADVAAABpQAAAdkAAAKVAAAC0QAAA5EAAAO1AAADyQAAA/EAAADBBAAA6QQAAbUEAAHpB AACpQQAAuEEAAOhBAADxQQAA9kEAAABCAAA0QgAAPkIAAHFCAAB+QgAArUIAALxCAADrQgAA9EIA AAtDAAAVQwAAK0MAADVDAABLQwAAWkMAAG5DAAB3QwAAfEMAAIZDAAC6QwAAxEMAAPdDAAAERAAA M0QAAEJEAAByRAAAe0QAAIBEAACKRAAAvkQAAMhEAAD7RAAACEUAADdFAABGRQAAakUAAG5FAAAL RgAAD0YAAGpJAAB1SQAAekkAAIVJAACNSgAAlkoAANRNAADdTQAA9E0AAP5NAAAUTgAAHk4AADRO AABDTgAATE4AAFVOAABsTgAAdk4AAH9OAACJTgAAEU8AAB5PAAAjTwAAMk8AAKtPAAC0TwAAy08A ANVPAADjTwAA7U8AADpQAABHUAAATFAAAFtQAADYUAAA4VAAAPhQAAACUQAAEFEAABpRAACjUQAA sFEAALVRAADEUQAAPFIAAEVSAABcUgAAZlIAAG9SAAB5UgAAwFIAAM1SAADSUgAA4VIAAAZTAAAP UwAAOlMAAERTAABaUwAAZFMAAHpTAACJUwAAnVMAAKZTAACsUwAAtlMAAOtTAAD1UwAAV1QAAGRU AACTVAAAolQAANdUAADgVAAA5lQAAPBUAAApVQAAM1UAAGlVAAB2VQAApVUAALRVAADpVQAA8lUA APhVAAACVgAAOVYAAENWAAB7VgAAiFYAALdWAADGVgAA9lYAAP9WAAAEVwAADlcAAEJXAABMVwAA f1cAAIxXAAC7VwAAylcAAPlXAAACWAAALVgAADdYAABNWAAAV1gAAG1YAAB8WAAAkFgAAJlYAACf WAAAqVgAAN1YAADnWAAAR1kAAFRZAACvWQAAvlkAAPJZAAD7WQAAAloAAAxaAABEWgAATloAAIZa AACTWgAA7loAAP1aAADDWwAAzVsAAHNdAAB3XQAA8F0AAF9fAAAHABwABwAcAAcAHAAHABwABwAc AAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwA BwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAH ABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcA HAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAc AAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwA BwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAH ABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcA HAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAc AAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwA BwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAH ABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcA HAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAc AAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwA BwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcABwAAAAAAsiwAALIsAACzLAAAtCwAAL4sAAC+ LAAAvywAAMAsAADZMQAA2jEAANsxAADbMQAAGDIAABkyAAAaMgAAGjIAAM46AADOOgAAzzoAANA6 AADaOgAA2joAANs6AADcOgAA+j8AAPs/AAA5QAAAOkAAADtAAAA7QAAAVkUAACJHAABySwAAfksA AIZLAACHSwAAiksAAJFLAAAzTAAAOEwAAGpMAABsTAAAbUwAAG1MAACgTAAAoEwAAKFMAACiTAAA pkwAAKhMAACpTAAAqUwAALJMAAC3TAAA/EwAAAJNAAALTQAAEE0AAFBNAABQTQAAVE0AAFlNAAAI UgAAOlIAABBaAAAUWgAAFVoAABVaAAAWWgAAFloAABdaAAAXWgAAGFoAABhaAABWWgAAW1oAAMJa AADDWgAAPl0AAO1dAADvXQAA8F0AAFxfAABfXwAAAwAEAAMABAADAAQAAwAEAAMABAADAAQAAwAE AAMABAADAAQAAwAEAAMABAADAAQAAwAEAAMABAADAAQAAwAEAAMABAADAAQAAwAEAAMABAADAAQA AwAEAAMABAADAAQAAwAEAAMABAADAAQAAwAEAAMABAADAAQAAwAEAAMABAADAAQAAwAEAAMABAAD AAQAAwAEAAMABAADAAQAAwAEAAMABwAHAAcA//8UAAAADABSAHUAcwBzACAASABvAHUAcwBsAGUA eQBMAEMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAXABxAHUAYQBsAGMAbwBtAG0AXABl AHUAZABvAHIAYQBcAGEAdAB0AGEAYwBoAFwAQQBsAGcAbwByAGkAdABoAG0AIABmAG8AcgAgAEMA bwBuAHMAdAByAHUAYwB0AGkAbgBnACAAQwBSAEwAcwAxAC4AZABvAGMADABSAHUAcwBzACAASABv AHUAcwBsAGUAeQBMAEMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAXABxAHUAYQBsAGMA bwBtAG0AXABlAHUAZABvAHIAYQBcAGEAdAB0AGEAYwBoAFwAQQBsAGcAbwByAGkAdABoAG0AIABm AG8AcgAgAEMAbwBuAHMAdAByAHUAYwB0AGkAbgBnACAAQwBSAEwAcwAxAC4AZABvAGMACABUAGkA bQAgAFAAbwBsAGsALABBADoAXABBAGwAZwBvAHIAaQB0AGgAbQAgAGYAbwByACAAQwBvAG4AcwB0 AHIAdQBjAHQAaQBuAGcAIABDAFIATABzACAAZgBpAG4AYQBsAC4AZABvAGMAFABWAEEATABVAEUA RAAgAFMATwBOAFkAIABDAFUAUwBUAE8ATQBFAFIAaQBDADoAXABXAEkATgBEAE8AVwBTAFwAQQBw AHAAbABpAGMAYQB0AGkAbwBuACAARABhAHQAYQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBvAHIA ZABcAEEAdQB0AG8AUgBlAGMAbwB2AGUAcgB5ACAAcwBhAHYAZQAgAG8AZgAgAEEAbABnAG8AcgBp AHQAaABtACAAZgBvAHIAIABDAG8AbgBzAHQAcgB1AGMAdABpAG4AZwAgAEMAUgBMAHMAIABmAGkA bgBhAGwALgBhAHMAZAAUAFYAQQBMAFUARQBEACAAUwBPAE4AWQAgAEMAVQBTAFQATwBNAEUAUgA8 AEMAOgBcAFcASQBOAEQATwBXAFMAXABEAGUAcwBrAHQAbwBwAFwAQQBsAGcAbwByAGkAdABoAG0A IABmAG8AcgAgAEMAbwBuAHMAdAByAHUAYwB0AGkAbgBnACAAQwBSAEwAcwAgAGYAaQBuAGEAbAAu AGQAbwBjABQAVgBBAEwAVQBFAEQAIABTAE8ATgBZACAAQwBVAFMAVABPAE0ARQBSADwAQwA6AFwA VwBJAE4ARABPAFcAUwBcAEQAZQBzAGsAdABvAHAAXABBAGwAZwBvAHIAaQB0AGgAbQAgAGYAbwBy ACAAQwBvAG4AcwB0AHIAdQBjAHQAaQBuAGcAIABDAFIATABzACAAZgBpAG4AYQBsAC4AZABvAGMA FABWAEEATABVAEUARAAgAFMATwBOAFkAIABDAFUAUwBUAE8ATQBFAFIAPABDADoAXABXAEkATgBE AE8AVwBTAFwARABlAHMAawB0AG8AcABcAEEAbABnAG8AcgBpAHQAaABtACAAZgBvAHIAIABDAG8A bgBzAHQAcgB1AGMAdABpAG4AZwAgAEMAUgBMAHMAIABmAGkAbgBhAGwALgBkAG8AYwAUAFYAQQBM AFUARQBEACAAUwBPAE4AWQAgAEMAVQBTAFQATwBNAEUAUgA8AEMAOgBcAFcASQBOAEQATwBXAFMA XABEAGUAcwBrAHQAbwBwAFwAQQBsAGcAbwByAGkAdABoAG0AIABmAG8AcgAgAEMAbwBuAHMAdABy AHUAYwB0AGkAbgBnACAAQwBSAEwAcwAgAGYAaQBuAGEAbAAuAGQAbwBjAAgAVABpAG0AIABQAG8A bABrAGkAQwA6AFwAVwBJAE4ARABPAFcAUwBcAEEAcABwAGwAaQBjAGEAdABpAG8AbgAgAEQAYQB0 AGEAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAbwByAGQAXABBAHUAdABvAFIAZQBjAG8AdgBlAHIA eQAgAHMAYQB2AGUAIABvAGYAIABBAGwAZwBvAHIAaQB0AGgAbQAgAGYAbwByACAAQwBvAG4AcwB0 AHIAdQBjAHQAaQBuAGcAIABDAFIATABzACAAZgBpAG4AYQBsAC4AYQBzAGQACABUAGkAbQAgAFAA bwBsAGsAIgBDADoAXABXAEkATgBEAE8AVwBTAFwARABlAHMAawB0AG8AcABcAFAASwBJAFgAIABk AGUAbAB0AGEAcwAuAGQAbwBjAAQA1WoHBsaTbN7/D/8P/w//D/8P/w//D/8P/w8AAPgXsy/Gk2ze /w//D/8P/w//D/8P/w//D/8PEADgFKVJ6ALyNf8P/w//D/8P/w//D/8P/w//DxAAugbSZY7tlGH/ D/8P/w//D/8P/w//D/8P/w8QAAEAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAMYAAAPhNACEYSY/hXG BQAB0AIGXoTQAmCEmP5vKAADACgAAAApAAEAAAAEAAEAAAAAAAAAAAAAAAAAAAAAAAAYAAAPhKAF EYSY/hXGBQABoAUGXoSgBWCEmP4CAAEALgABAAAAAoIBAAAAAAAAAAAAAAAAAAAAAAAAGAAAD4Rw CBGETP8VxgUAAXAIBl6EcAhghEz/AgACAC4AAQAAAACAAQAAAAAAAAAAAAAAAAAAAAAAABgAAA+E QAsRhJj+FcYFAAFACwZehEALYISY/gIAAwAuAAEAAAAEgAEAAAAAAAAAAAAAAAAAAAAAAAAYAAAP hBAOEYSY/hXGBQABEA4GXoQQDmCEmP4CAAQALgABAAAAAoIBAAAAAAAAAAAAAAAAAAAAAAAAGAAA D4TgEBGETP8VxgUAAeAQBl6E4BBghEz/AgAFAC4AAQAAAACAAQAAAAAAAAAAAAAAAAAAAAAAABgA AA+EsBMRhJj+FcYFAAGwEwZehLATYISY/gIABgAuAAEAAAAEgAEAAAAAAAAAAAAAAAAAAAAAAAAY AAAPhIAWEYSY/hXGBQABgBYGXoSAFmCEmP4CAAcALgABAAAAAoIBAAAAAAAAAAAAAAAAAAAAAAAA GAAAD4RQGRGETP8VxgUAAVAZBl6EUBlghEz/AgAIAC4AAQAAAAAAAgAAAAAAAAAAAAAAAAAAAAAA AxgAAA+E0AIRhJj+FcYFAAHQAgZehNACYISY/m8oAAMAKAAAACkAAQAAAASAAQAAAAAAAAAAAAAA AAAAAAAAABgAAA+EoAURhJj+FcYFAAGgBQZehKAFYISY/gIAAQAuAAEAAAACggEAAAAAAAAAAAAA AAAAAAAAAAAYAAAPhHAIEYRM/xXGBQABcAgGXoRwCGCETP8CAAIALgABAAAAAIABAAAAAAAAAAAA AAAAAAAAAAAAGAAAD4RACxGEmP4VxgUAAUALBl6EQAtghJj+AgADAC4AAQAAAASAAQAAAAAAAAAA AAAAAAAAAAAAABgAAA+EEA4RhJj+FcYFAAEQDgZehBAOYISY/gIABAAuAAEAAAACggEAAAAAAAAA AAAAAAAAAAAAAAAYAAAPhOAQEYRM/xXGBQAB4BAGXoTgEGCETP8CAAUALgABAAAAAIABAAAAAAAA AAAAAAAAAAAAAAAAGAAAD4SwExGEmP4VxgUAAbATBl6EsBNghJj+AgAGAC4AAQAAAASAAQAAAAAA AAAAAAAAAAAAAAAAABgAAA+EgBYRhJj+FcYFAAGAFgZehIAWYISY/gIABwAuAAEAAAACggEAAAAA AAAAAAAAAAAAAAAAAAAYAAAPhFAZEYRM/xXGBQABUBkGXoRQGWCETP8CAAgALgABAAAABAACAAAA AAAAAAAAAAAAAAAAAAADGAAAD4TQAhGEmP4VxgUAAdACBl6E0AJghJj+bygAAwAoAAAAKQABAAAA BIABAAAAAAAAAAAAAAAAAAAAAAAAGAAAD4SgBRGEmP4VxgUAAaAFBl6EoAVghJj+AgABAC4AAQAA AAKCAQAAAAAAAAAAAAAAAAAAAAAAABgAAA+EcAgRhEz/FcYFAAFwCAZehHAIYIRM/wIAAgAuAAEA AAAAgAEAAAAAAAAAAAAAAAAAAAAAAAAYAAAPhEALEYSY/hXGBQABQAsGXoRAC2CEmP4CAAMALgAB AAAABIABAAAAAAAAAAAAAAAAAAAAAAAAGAAAD4QQDhGEmP4VxgUAARAOBl6EEA5ghJj+AgAEAC4A AQAAAAKCAQAAAAAAAAAAAAAAAAAAAAAAABgAAA+E4BARhEz/FcYFAAHgEAZehOAQYIRM/wIABQAu AAEAAAAAgAEAAAAAAAAAAAAAAAAAAAAAAAAYAAAPhLATEYSY/hXGBQABsBMGXoSwE2CEmP4CAAYA LgABAAAABIABAAAAAAAAAAAAAAAAAAAAAAAAGAAAD4SAFhGEmP4VxgUAAYAWBl6EgBZghJj+AgAH AC4AAQAAAAKCAQAAAAAAAAAAAAAAAAAAAAAAABgAAA+EUBkRhEz/FcYFAAFQGQZehFAZYIRM/wIA CAAuAAEAAAAEEAIAAAAAAAAAAABoAQAAAAAAAAMYAAAPhNACEYSY/hXGBQAB0AIGXoTQAmCEmP5v KAADACgAAAApAAEAAAAEEAEAAAAAAAAAAABoAQAAAAAAAAAYAAAPhKAFEYSY/hXGBQABoAUGXoSg BWCEmP4CAAEALgABAAAAApIBAAAAAAAAAAAAaAEAAAAAAAAAGAAAD4RwCBGETP8VxgUAAXAIBl6E cAhghEz/AgACAC4AAQAAAACQAQAAAAAAAAAAAGgBAAAAAAAAABgAAA+EQAsRhJj+FcYFAAFACwZe hEALYISY/gIAAwAuAAEAAAAEkAEAAAAAAAAAAABoAQAAAAAAAAAYAAAPhBAOEYSY/hXGBQABEA4G XoQQDmCEmP4CAAQALgABAAAAApIBAAAAAAAAAAAAaAEAAAAAAAAAGAAAD4TgEBGETP8VxgUAAeAQ Bl6E4BBghEz/AgAFAC4AAQAAAACQAQAAAAAAAAAAAGgBAAAAAAAAABgAAA+EsBMRhJj+FcYFAAGw EwZehLATYISY/gIABgAuAAEAAAAEkAEAAAAAAAAAAABoAQAAAAAAAAAYAAAPhIAWEYSY/hXGBQAB gBYGXoSAFmCEmP4CAAcALgABAAAAApIBAAAAAAAAAAAAaAEAAAAAAAAAGAAAD4RQGRGETP8VxgUA AVAZBl6EUBlghEz/AgAIAC4ABAAAAPgXsy8AAAAAAAAAAAAAAADgFKVJAAAAAAAAAAAAAAAAugbS ZQAAAAAAAAAAAAAAANVqBwYAAAAAAAAAAAAAAAD///////////////////////8EAAAAAAAAAAAA AAD//wQAAAAAAAAAAAAAAAAAAAA7LQAAPC0AAE4tAABjLQAAbC0AAHYtAAB3LQAAfS0AAI8tAAAH LgAA5S4AAOYuAADsLgAAHy8AACAvAAACMAAAAzAAAAkwAAA8MAAAPTAAAB8xAAAgMQAAJjEAADox AAC9MQAAojIAAKMyAACpMgAAwjIAAMMyAADJMwAAyjMAANAzAADkMwAA5TMAAMc0AADINAAAzjQA AOI0AABlNQAARzYAAEg2AABONgAAYjYAAGM2AABANwAAQTcAAFs7AABdOwAAbzsAAIQ7AACNOwAA lzsAAJg7AACeOwAAsDsAACg8AAAGPQAABz0AAA09AABAPQAAQT0AACM+AAAkPgAAKj4AAF0+AABe PgAAQD8AAEE/AABHPwAAWz8AAN4/AADDQAAAxEAAAMpAAADjQAAA5EAAAMxBAADNQQAA00EAAOdB AADoQQAA0EIAANFCAADXQgAA60IAAG5DAABWRAAAV0QAAF1EAABxRAAAckQAAFRFAABVRQAAgE0A AIFNAACTTQAAqE0AALFNAAC7TQAAvE0AAMJNAADUTQAATE4AAGtPAABsTwAAd08AAKpPAACrTwAA mFAAAJlQAACkUAAA11AAANhQAAABUgAAAlIAAAhSAAA7UgAAPFIAAOtSAADsUgAA8lIAAAZTAACd UwAAsVQAALJUAAC9VAAA1lQAANdUAADIVQAAyVUAANRVAADoVQAA6VUAANpWAADbVgAA4VYAAPVW AAD2VgAA3lcAAN9XAADlVwAA+VcAAJBYAADSWQAA01kAAN1ZAADxWQAA8lkAAAtbAAAMWwAA710A APBdAABcXwAAX18AAAAAAAABAAAACAAAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIBAAACAQAA AgEAAB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIBAAAC AQAAAgEAAB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIB AAACAQAAAgEAAB4BAAACAQAAAgEAAAIBAAACAQAAFgEAAAEAAAAIAAAAAgEAAAIBAAACAQAAAgEA AB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIBAAACAQAA AgEAAB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIBAAAC AQAAAgEAAB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAWAQAAAQAAAAgA AAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIBAAACAQAAAgEA AB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIBAAACAQAA AgEAAB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIBAAAC AQAAAgEAAB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAWAQAAAd0AAAAA AAABAAAA/0APgAEAOlIAADpSAAAUnGQAAQABADpSAAAAAAEAOlIAACcJuhICEAAAAAAAAABeXwAA YAAACABAAAD//wUAAAAHAFUAbgBrAG4AbwB3AG4ACABUAGkAbQAgAFAAbwBsAGsADABEAGEAdgBp AGQAIABDAG8AbwBwAGUAcgAMAFIAdQBzAHMAIABIAG8AdQBzAGwAZQB5ABQAVgBBAEwAVQBFAEQA IABTAE8ATgBZACAAQwBVAFMAVABPAE0ARQBSAP//BQAIAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAA AAAAAAACAAAAAAAAAAAAAwAAAAAAAAAAAAQA//8FAAAAAAAAAAAAAAAAAP//AAACAP//AAAAAP// AAACAP//AAAAAAQAAABHFpABAAACAgYDBQQFAgMEhzoAAAAAAAAAAAAAAAAAAP8AAAAAAAAAVABp AG0AZQBzACAATgBlAHcAIABSAG8AbQBhAG4AAAA1FpABAgAFBQECAQcGAgUHAAAAAAAAABAAAAAA AAAAAAAAAIAAAAAAUwB5AG0AYgBvAGwAAAAzJpABAAACCwYEAgICAgIEhzoAAAAAAAAAAAAAAAAA AP8AAAAAAAAAQQByAGkAYQBsAAAAPzWQAQAAAgcDCQICBQIEBIc6AAAAAAAAAAAAAAAAAAD/AAAA AAAAAEMAbwB1AHIAaQBlAHIAIABOAGUAdwAAACIABABxiIwAAPDQAgAAaAEAAAAAnFNVhpxTVYZG U1WGAgAiAAAAlg0AAHVNAAABACcAAAAEAAMQpQAAAAAAAAAAAAAAAQABAAAAAQAAAAAAAAAhAwDw EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtBfADeAC0AIKCEjAAABAAGQBkAAAAGQAAAB9f AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABXIQAAAAAAAAAAAAAA AAAAAAAAAAAAAgAAAAAAAAAAAAAygxEA8BAA3wMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAD//xIAAAAAAAAAPwBBAGwAZwBvAHIAaQB0AGgAbQAgAGYAbwByACAAQwBvAG4AcwB0AHIAdQBj AHQAaQBuAGcAIABDAFIATABzACAAZgByAG8AbQAgAGEAIABiAGEAcwBlACAAQwBSAEwAIABhAG4A ZAAgAGEAIABkAGUAbAB0AGEAIABDAFIATAAAAAAAAAAIAFQAaQBtACAAUABvAGwAawAIAFQAaQBt ACAAUABvAGwAawAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD+/wAABAoCAAAAAAAAAAAAAAAAAAAAAAAB AAAA4IWf8vlPaBCrkQgAKyez2TAAAADAAQAAEgAAAAEAAACYAAAAAgAAAKAAAAADAAAA6AAAAAQA AAD0AAAABQAAAAgBAAAGAAAAFAEAAAcAAAAgAQAACAAAADQBAAAJAAAASAEAABIAAABUAQAACgAA AHABAAALAAAAfAEAAAwAAACIAQAADQAAAJQBAAAOAAAAoAEAAA8AAACoAQAAEAAAALABAAATAAAA uAEAAAIAAADkBAAAHgAAAEAAAABBbGdvcml0aG0gZm9yIENvbnN0cnVjdGluZyBDUkxzIGZyb20g YSBiYXNlIENSTCBhbmQgYSBkZWx0YSBDUkwAHgAAAAEAAAAAbGdvHgAAAAkAAABUaW0gUG9sawAg Zm8eAAAAAQAAAABpbSAeAAAAAQAAAABpbSAeAAAACwAAAE5vcm1hbC5kb3QAbx4AAAAJAAAAVGlt IFBvbGsAdABvHgAAAAIAAAAyAG0gHgAAABMAAABNaWNyb3NvZnQgV29yZCA5LjAAckAAAAAATO+/ BAAAAEAAAAAADIZ8c9nAAUAAAAAAeBLxftnAAUAAAAAAeBLxftnAAQMAAAABAAAAAwAAAJYNAAAD AAAAdU0AAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/v8AAAQKAgAAAAAAAAAAAAAAAAAAAAAAAQAAAALVzdWc LhsQk5cIACss+a4wAAAANAEAAAwAAAABAAAAaAAAAA8AAABwAAAABQAAAIgAAAAGAAAAkAAAABEA AACYAAAAFwAAAKAAAAALAAAAqAAAABAAAACwAAAAEwAAALgAAAAWAAAAwAAAAA0AAADIAAAADAAA ABQBAAACAAAA5AQAAB4AAAANAAAAQ1NEL0lUTC9OSVNUAABvAAMAAAClAAAAAwAAACcAAAADAAAA H18AAAMAAADtDgkACwAAAAAAAAALAAAAAAAAAAsAAAAAAAAACwAAAAAAAAAeEAAAAQAAAEAAAABB bGdvcml0aG0gZm9yIENvbnN0cnVjdGluZyBDUkxzIGZyb20gYSBiYXNlIENSTCBhbmQgYSBkZWx0 YSBDUkwADBAAAAIAAAAeAAAABgAAAFRpdGxlAAMAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAEAAAACAAAAAwAAAAQAAAAFAAAABgAAAAcAAAAIAAAACQAAAAoAAAAL AAAADAAAAA0AAAAOAAAADwAAABAAAAARAAAAEgAAABMAAAAUAAAAFQAAABYAAAAXAAAAGAAAABkA AAAaAAAAGwAAABwAAAAdAAAAHgAAAB8AAAAgAAAAIQAAACIAAAAjAAAAJAAAACUAAAAmAAAAJwAA ACgAAAApAAAAKgAAACsAAAAsAAAALQAAAC4AAAAvAAAAMAAAADEAAAAyAAAAMwAAADQAAAA1AAAA NgAAADcAAAA4AAAAOQAAADoAAAA7AAAAPAAAAD0AAAA+AAAAPwAAAEAAAABBAAAAQgAAAEMAAABE AAAARQAAAEYAAABHAAAASAAAAEkAAABKAAAASwAAAEwAAABNAAAATgAAAE8AAABQAAAAUQAAAFIA AABTAAAAVAAAAFUAAABWAAAAVwAAAFgAAABZAAAAWgAAAFsAAABcAAAAXQAAAF4AAABfAAAAYAAA AGEAAABiAAAAYwAAAGQAAABlAAAA/v///2cAAABoAAAAaQAAAGoAAABrAAAAbAAAAG0AAABuAAAA bwAAAHAAAABxAAAAcgAAAHMAAAB0AAAAdQAAAHYAAAB3AAAAeAAAAHkAAAB6AAAAewAAAHwAAAB9 AAAAfgAAAH8AAACAAAAAgQAAAIIAAACDAAAAhAAAAIUAAACGAAAAhwAAAIgAAACJAAAA/v///4sA AACMAAAAjQAAAI4AAACPAAAAkAAAAJEAAAD+////kwAAAJQAAACVAAAAlgAAAJcAAACYAAAAmQAA AP7////9/////f///50AAAD+/////v////7///////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////9SAG8AbwB0ACAARQBuAHQAcgB5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAFgAFAf//////////AwAAAAYJAgAAAAAAwAAAAAAAAEYAAAAA AAAAAAAAAACgoSoPf9nAAZ8AAACAAAAAAAAAADEAVABhAGIAbABlAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOAAIA////////////////AAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZgAAAKlGAAAAAAAAVwBvAHIAZABEAG8AYwB1 AG0AZQBuAHQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABoAAgEFAAAA //////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIsoAAAAAAAAF AFMAdQBtAG0AYQByAHkASQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAKAACAQIAAAAEAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AIoAAAAAEAAAAAAAAAUARABvAGMAdQBtAGUAbgB0AFMAdQBtAG0AYQByAHkASQBuAGYAbwByAG0A YQB0AGkAbwBuAAAAAAAAAAAAAAA4AAIB////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAkgAAAAAQAAAAAAAAAQBDAG8AbQBwAE8AYgBqAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIAAgEBAAAABgAAAP////8AAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAagAAAAAAAABPAGIAagBlAGMAdABQAG8A bwBsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFgABAP////// /////////wAAAAAAAAAAAAAAAAAAAAAAAAAAoKEqD3/ZwAGgoSoPf9nAAQAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAQAAAP7///////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////8BAP7/AwoAAP////8GCQIAAAAAAMAAAAAAAABGGAAAAE1pY3Jvc29mdCBXb3Jk IERvY3VtZW50AAoAAABNU1dvcmREb2MAEAAAAFdvcmQuRG9jdW1lbnQuOAD0ObJxAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA== --=====================_32329696==_-- Received: from roadblock.missi.ncsc.mil (roadblock.missi.ncsc.mil [144.51.50.70]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA27082 for <ietf-pkix@imc.org>; Thu, 10 May 2001 13:15:28 -0700 (PDT) Message-Id: <200105102015.NAA27082@above.proper.com> Received: from mfil.terminal (mfil@localhost) by roadblock.missi.ncsc.mil with SMTP id QAA27173 for <ietf-pkix@imc.org>; Thu, 10 May 2001 16:12:39 -0400 (EDT) Received: from reject.missi.ncsc.mil (reject.missi.ncsc.mil [144.51.60.17]) by roadblock.missi.ncsc.mil with SMTP id QAA27168 for <ietf-pkix@imc.org>; Thu, 10 May 2001 16:12:36 -0400 (EDT) Received: from 144.51.60.215 by reject.missi.ncsc.mil (InterScan E-Mail VirusWall NT); Thu, 10 May 2001 16:12:28 -0400 (Eastern Daylight Time) Received: from missi.ncsc.mil (ara.missi.ncsc.mil [144.51.55.128]) by amx.missi.ncsc.mil with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id JSFMBHKM; Thu, 10 May 2001 16:12:28 -0400 Sender: dpkemp@roadblock.missi.ncsc.mil Date: Thu, 10 May 2001 16:06:41 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: delta CRLs References: <3AFA4F09.5AB02392@bull.net> <E5C2786F90B4D4119A200008C716F45D8E5BCC@acrossw01.acrosswireless.com> <5.0.1.4.2.20010510143415.01896eb8@exna07.securitydynamics.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit I agree with Russ, Tim, and David on **every single point** made in this long note. Dave "Housley, Russ" wrote: > > Denis: > > Please excuse the half-done message from this morning. My mailer and I had > a disagreement... > > Anyway, since I was not going to get the full message out before the end of > the business day in France, I took the time to coordinate a response with > Tim Polk and David Cooper. This mail thread is quite long, so hopefully > our coordination on the side will reduce the overall number of messages to > the list and help to reach consensus faster. > > Here goes .... [ remainder snipped ] > Only one editorial glitch: > > An application that is wishing to take advantage of delta CRLs > > for a given scope, MUST first find a base CRL for that scope, > > i.e. a full CRL that that contains a freshestCRL extension > > (a.k.a. a Delta CRL distribution point). > > No. The relying party needs a full CRL (either one that has been downloaded > from a repository or one that has been locally generated) against which the > delta CRL of interest may be applied. There is no requirement that the full > CRL be a base CRL. ... which was later corrected: > > A delta CRL must include a BaseCRLNumber. > The CRL specified by that BaseCRLNumber is by definition a base CRL. > Of course, the referenced base CRL MUST be a full CRL. Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id LAA21891 for <ietf-pkix@imc.org>; Thu, 10 May 2001 11:48:11 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 10 May 2001 18:47:53 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id OAA25362 for <ietf-pkix@imc.org>; Thu, 10 May 2001 14:48:12 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NWWV5>; Thu, 10 May 2001 14:48:11 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.11]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NWWVT; Thu, 10 May 2001 14:47:53 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010510144111.018b5658@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 10 May 2001 14:42:50 -0400 Subject: RE: delta CRLs In-Reply-To: <8D7EC1912E25D411A32100D0B76953978DE9AA@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Santosh: Any CRL that does not include the deltaCRLIndicator extension is a full CRL. I some delta CRL references it, then that full CRL is also a base CRL. Russ At 12:28 PM 5/10/2001 -0400, Santosh Chokhani wrote: >Denis: > >I do not agree with you. Any CRL that is not a delta CRL (i.e., >deltaCRLIndicator extension is absent), is a base CRL for some scope as >defined in CRLScope extension and/or the IDP extension. > >-----Original Message----- >From: Denis Pinkas >[<mailto:Denis.Pinkas@bull.net>mailto:Denis.Pinkas@bull.net] >Sent: Thursday, May 10, 2001 12:30 PM >To: Carlin Covey; Sharon Boeyen >Cc: ietf-pkix@imc.org >Subject: Re: delta CRLs > >Carlin and Sharon (at the same time), > > > Denis, > > > Now I'm confused again (or still). > >:-) > > > I agree that there is a difference > > between a base CRL and a full CRL. However, my understanding was that > a CRL > > is a "base CRL" with respect to some delta CRL only by virtue of having > been > > so identified in that delta CRL. > >I believe that a base CRL must include the Freshest CRL extension (a.k.a. >Delta CRL Distribution Point) defined in section 4.2.1.16. It indicates both >that the service exists and where to fetch the information. It is a >non-critical extension so that a base CRL may also be used as a full CL for >relying parties not supporting delta CRLs. > > > According to the PKIX profile, this base CRL must be a full CRL > > (complete for the intended scope). > > I believe that X.509 does not require that a base CRL be a full CRL. > >You just say above: "According to the PKIX profile, this base CRL must be a >full CRL (complete for the intended scope". So do you mean that X.509 and >PKIX are taking different approaches ? > >Regards, > >Denis > > > Regards, > > > > Carlin > > > > ____________________________ > > > > - Carlin Covey > > Cylink Corporation > > > > -----Original Message----- > > From: Denis Pinkas > [<mailto:Denis.Pinkas@bull.net>mailto:Denis.Pinkas@bull.net] > > Sent: Thursday, May 10, 2001 1:19 AM > > Cc: ietf-pkix@imc.org > > Subject: Re: delta CRLs > > > > Tim, David, Russ, Santosh, Carlin, and many others ... > > > > There is difference between a base CRL and a full CRL : a base CRL MUST > > include a freshestCRL extension (a.k.a. a Delta CRL distribution point), > > whereas a full CRL may not include that extension. In other words, a base > > CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. > > > > At any time a CA may issue a full CRL, whether or not a base CRL has > already > > been issued. This additional CRL SHOULD have nextUpdate equal to the > > nextUpdate of the last issued full CRL. However, there is no guarantee > that > > this additional CRL will ever be seen by the relying party (because there > > will be two CRLs matching the thisUpdate and nextUpdate rule and if one is > > deleted, this is not seen by a relying party). > > > > Due to the fact that CRLs numbers are strictly increasing, two CRLs > whether > > they are a base CRL or delta CRL, CANNOT have the same CRL number. So a > > delta CRL and a full CRL that cover the same scope and are issued at the > > same time CANNOT have the same number. If a full CRL is issued, its CRL > > number bears no relationship with the previous base CRL, if any. The only > > relationship between the numbers is defined by the rule that CRLs numbers > > are strictly increasing. As Santosh said : "the CRL number is unique > > whether it is a base or a delta ". > > > > This is fairly important to be able to unambiguously (and thus uniquely) > > refer to a CRL by only providing its CRL number. > > > > Besides the fact that a CRL issued later MUST have a higher CRL number, > full > > CRLs and delta CRLs have independent numbering rules. As noticed by > Santosh, > > " if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL > > number (for the same or no stream identifier). > > > > As Santosh said : "a check based on thisUpdate is more general and > > preferred [to the use of CRL numbers]. " > > > > Related to the three rules mentioned by Russ : > > > > 1) the first rule is not understandable to me. > > 2) the second rule does not say anything more than the basic rule valid > > for any CRL (i.e. a CRL issued later MUST have a higher CRL number). > > 3) we will debate the hold condition, once we will have sorted the main > > issue. > > > > Russ said : "If separate number sequence is used, then you will have to > > periodically fetch base CRLs ". This is true. > > > > Tim said that he would *not* like to be forced to download new base CRLs. > > This is the core of the "dispute". > > > > >From the definition of what a delta CRL is, it is *not* possible to > > get rid of the fetching of base CRLs. Unless we add a new sentence to > > expand/change that definition, base CRL fetching will remain mandatory. > > > > Remember that the goal of delta CRLs is to provide the freshest > information, > > and to my knowledge the goal was not to get rid of the fetching of base > CRLs > > (which may less frequent due to the support of delta CRLs). > > > > If I understand correctly, Tim/David/Russ would like to *always* > achieve the > > following property : it is possible to reconstruct the current CRL by > using > > a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has > been > > issued at the same time a base CRL was issued and which contains updates > > made to the *previous* base. > > > > By this way the fetching of base CRLs could be avoided. However, note that > > it is perfectly " legal " to stop issuing base and delta CRLs during some > > period of time and to issue full CRLs instead (see the difference between > > "full" and "base" at the top of this e-mail). In other words there is no > > need to issue a new base CRL at the end of the validity period of the > > previous base CRL. Doing this would mandate to prescribe issuing rules > > for CAs that we have not prescripted. > > > > I will now raise a series of questions, for which I believe we have > > different answers. Tim/David/Russ do not hesitate to correct > > if my guess is wrong. ;-) > > > > Common point: > > > > 1) What will be the value of the nextUpdate field from the last issued > delta > > CRL for a given base CRL ? > > > > Denis: the nextUpdate field from the last issued delta CRL MUST be > equal to > > the value of nextUpdate from the base CRL. > > > > Tim/David/Russ: ??? > > > > 2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? > > > > Denis: No. > > Tim/David/Russ : ??? > > > > 3) Does a CA needs to issue a new base CRL at the end of the validity of a > > current base CRL ? > > > > Denis: No. > > Tim/David/Russ : ??? > > > > 4) Does a CA needs to issue a delta CRL at the same time a new base is > > issued ? > > > > Denis: Yes. The delta CRL refers to the *new* base. > > Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note > > that there can be no previous at all, or the "previous" may even be three > > months old]. > > > > The last point highlights the most noticeable difference. Other > differences > > appears when considering the guaranty to get the freshest information : > > using the traditional scheme and the thisUpdate and nextUpdate fields the > > guaranty to get the freshest information is obtained, but cannot be > obtained > > using the other scheme. :-( > > > > Several people are referring to the X.509 document for arguments to > support > > that discussion. However, it is important to remember that we are defining > > PKIX, not X.509, so we DO NOT need to copy and paste everything from > X.509, > > but only what we believe is relevant. > > > > We first need to clearly define the processing rules applicable to the > > relying parties. These rules will certainly contain SHALL/MUST statements, > > but may also include some MAY statements which may even be conditional to > > what the CA is doing. (I let Tim/David or Russ provide the MAY statement). > > > > Here is a proposal for the MUST statement, based on the previous text I > > produced: > > > > An application that is wishing to take advantage of delta CRLs > > for a given scope, MUST first find a base CRL for that scope, > > i.e. a full CRL that that contains a freshestCRL extension > > (a.k.a. a Delta CRL distribution point). It may then construct > > an updated CRL for that base, for a specific time T, by combining > > it with a delta CRL which contains a delta CRL indicator extension > > with the same CRL number as the base CRL. Applications that support > > delta CRLs MUST ensure that time T falls between thisUpdate and > > nextUpdate for both the base CRL and the delta CRL. > > > > Note: An application could also reconstruct an updated CRL, for > > a specific time T, by using a previously locally reconstructed CRL > > based on the current base CRL, and combining it with a delta CRL which > > contains a delta CRL indicator extension with the same CRL number as > > the base CRL. > > > > We also need to clearly separate the issuing rules applicable for the CAs. > > These rules will certainly contain SHALL statements, but could also > include > > some MAY statements. (I let Tim/David or Russ provide the MAY statement). > > > > Here is a proposal for the MUST statement, based on the previous text I > > produced: > > > > A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full > > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > > distribution point). For any time T until the nextUpdate time > > indicated in a base CRL, the CA MUST provide one and only one > > delta CRL that refers to that base CRL and for which time T > > falls between thisUpdate and nextUpdate from the delta CRL. > > > > In his e-mail from Wednesday, May 9, David said that delta-CRL processing > > rules could be base on time instead of CRL numbers. This is a point of > which > > I strongly agree. Let us do it! > > > > (However, there is no need to add to PKIX, as he suggested, the support of > > the baseUpdateTime extension from X.509 which would even more > complicate the > > problem.) > > > > Regards, > > > > Denis Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id LAA21890 for <ietf-pkix@imc.org>; Thu, 10 May 2001 11:48:10 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 10 May 2001 18:47:53 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id OAA25359 for <ietf-pkix@imc.org>; Thu, 10 May 2001 14:48:12 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NWWVX>; Thu, 10 May 2001 14:48:11 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.11]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NWWV4; Thu, 10 May 2001 14:47:59 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Denis Pinkas <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010510144324.0183e898@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 10 May 2001 14:47:43 -0400 Subject: Re: delta CRLs In-Reply-To: <3AFAC206.CE45C32C@bull.net> References: <FLEELNBJKAIIGDJJKPDGOEGGCEAA.ccovey@cylink.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Denis: > > I agree that there is a difference > > between a base CRL and a full CRL. However, my understanding was that > a CRL > > is a "base CRL" with respect to some delta CRL only by virtue of having > been > > so identified in that delta CRL. > >I believe that a base CRL must include the Freshest CRL extension (a.k.a. >Delta CRL Distribution Point) defined in section 4.2.1.16. It indicates both >that the service exists and where to fetch the information. It is a >non-critical extension so that a base CRL may also be used as a full CL for >relying parties not supporting delta CRLs. Neither X.509 nor the draft PKIX profile requires the inclusion of the freshestCRL extension. It might be a nice to advertise the availability (that is why it is there). Remember that the PKIX profile does not require CAs to issue CRLs. We do not want to make it difficult for them to do so. Further, we do not want to make it too difficult to support delta CRLs. > > According to the PKIX profile, this base CRL must be a full CRL > > (complete for the intended scope). > > I believe that X.509 does not require that a base CRL be a full CRL. > >You just say above: "According to the PKIX profile, this base CRL must be a >full CRL (complete for the intended scope". So do you mean that X.509 and >PKIX are taking different approaches ? The PKIX profile is selecting a subset of the X.509 functionality. Always has! Always will! Russ Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA21820 for <ietf-pkix@imc.org>; Thu, 10 May 2001 11:46:24 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id OAA02518 for <ietf-pkix@imc.org>; Thu, 10 May 2001 14:46:23 -0400 (EDT) Message-Id: <4.2.0.58.20010510142208.0172ad50@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 10 May 2001 14:44:11 -0400 To: ietf-pkix@imc.org From: Tim Polk <tim.polk@nist.gov> Subject: Strawman on Delta CRLs In-Reply-To: <5.0.1.4.2.20010510111424.01873878@exna07.securitydynamics. com> References: <8D7EC1912E25D411A32100D0B76953978DE98C@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=====================_104696206==_" --=====================_104696206==_ Content-Type: text/plain; charset="us-ascii"; format=flowed Folks, David Cooper, Russ Housley and I have collaborated on a "strawman" describing the use of delta CRLs in PKIX implementations. We believe the functionality we describe is consistent with ISO X.509 as well. The text describes algorithms for using deltas and base CRLs to (a) check the status of a certificate or (b) create a constructed CRL. This is followed by three scenarios for the use of deltas - "traditional deltas", "sliding window deltas", and a variant on sliding window deltas that factors in the real world delays in populating repositories with base and delta CRLs. I have appended the strawman below in ASCII text. The text includes tables for the examples. Please note, these tables *require* a fixed font to be legible. I have also attached a copy of the document in Word, for those that would prefer that format. The Word version may be easier to read. Hopefully, this strawman will serve to frame further discussions and accelerate consensus. Once we agree on the requirements, Russ and I will draft the necessary changes and we can finish Last Call. (I am nothing if not an optimist.) We would also like to add the examples as an *informative* appendix in son-of-2459. Thanks, Tim Polk --------------------------------strawman--------------------------- Implementing Delta CRLs Using PKIX This paper addresses the use of delta CRLs in PKIX-compliant systems. This paper assumes that delta CRLs include the delta CRL indicator extension (rather than a CRL scope extension) and ignores complications involving combined delta CRLs from indirect CRL issuers. This paper also assumes that CRLs with different scopes are distributed using different distribution points. Terms Revoked: A statement that a particular certificate's status has changed and it should no longer be trusted. Once a certificate is revoked, it is always revoked. Suspension: A statement that a particular certificate may not be trustworthy. Once placed on hold, a certificate may be revoked or the suspension may be lifted. Revocation notice: A statement that a particular certificate has been suspended or revoked. The revocation statement identifies the certificate by the issuer name and serial number. The issuer may be specified explicitly or implicitly. The issuer may be explicitly identified using the certificate issuer extension. If not specified explicitly, the issuer of the certificate is implicitly identified as the issuer of the CRL. A revocation notice includes the date and time the certificate was revoked. A revocation notice may optionally include a revocation reason in the reason code CRL entry extension. [Note: A revocation notice may optionally specify in the invalidity date extension the date from which the certificate should be considered invalid. This date may precede the actual revocation date. The invalidity date extension does not feature in this discussion, so it is not considered further in this paper.] Certificate revocation list (CRL): a list of revocation notices for certificates. CRL scope: the set of certificates that could appear on a given CRL. For example, the scope may be "all certificates issued by CA X", "all CA and end entity certificates issued by CA X", "all certificates issued by CA X that have been revoked for key compromise and CA compromise", or may be a set of certificates based on local information, such as "all certificates issued to the NIST employees located in Boulder". Full CRL: a CRL that lists all unexpired certificates, in its scope, that have been revoked for one of the revocation reasons covered by the scope of the CRL. The scope of a full CRL does not necessarily include all of the certificates issued by a CA or all possible revocation reasons. Base CRL: the particular CRL used as the foundation for a delta CRL. The base must be a full CRL. Delta CRL: a CRL that only lists those unexpired certificates, in its scope, whose revocation status has changed since the issuance of a particular, referenced base CRL. The scope of a delta CRL is must be the same as the base CRL that it references CRL Numbering A CRL issuer may generate full CRLs for more than one scope. The CRL issuer may also generate delta CRLs. Each delta CRLs must have the same scope as the full CRL referenced as its base. For each scope supported by the CRL issuer, a numbering sequence must be maintained. For each scope, the CRLs are numbered in a monotonically increasing sequence. (Wrapping is not permitted in the PKIX profile.) If a CRL issuer generates CRLs for one scope (e.g., full CRLs and deltas CRLs), the issuer must maintain one numbering sequence. If a delta CRL and a full CRL that cover the same scope are issued at the same time, they will have the same CRL number. If a CRL issuer generates CRLs for two scopes (e.g., one covering CA certificates and one covering end entity certificates), then the CRL issuer must maintain two number sequences. The CRLs and deltas for the same scope (e.g., CA certificates) will share one numbering sequence. The CRLs and deltas for the second scope (e.g., end entity certificates) will share one numbering sequence. There is no requirement that these sequences be disjoint. Algorithms for Determining Status from a Full CRL and a Delta CRL Consider a full CRL, F, with CRL number X. A client may obtain BF in either of the following ways: (a) the full CRL F may have been pushed to the client or pulled from a repository; or (b) F may have been constructed from a full CRL and a delta CRL using this algorithm. Consider a delta CRL, D, which specifies base CRL Y and has CRL number Z. This means that all certificates whose statuses have changed since the issuance of CRL Y will be listed on the delta CRL. Note that the PKIX profile requires the CA to issue CRL Y as a full CRL. Determining Whether a Full CRL and Delta CRL May Be Combined F and D may be combined if each of the following conditions are met: (1) X is greater than or equal to Y. That is, the full CRL must (at a minimum) contain all the revocation information held by the referenced base CRL. (2) X is less than Z. That is, the delta CRL must cover some time that was not covered by the full CRL. Determining Status of a Certificate from a Full CRL and a Delta CRL If the PKI client maintains the delta and full CRL, the status of an unexpired certificate C may be determined as follows: (1) If C is listed on the delta CRL, then: a. If C is listed on the delta CRL with reason code "removeFromCRL", then C is not revoked. b. Otherwise, certificate C is revoked. (2) If C was not listed on the delta CRL, then the full CRL is checked, and the status is as follows: a. If C is listed on the full CRL, then C is revoked. b. If C is not listed on the full CRL, then C is not revoked. Combining a Full CRL and Delta CRL into a Constructed CRL If the PKI client maintains the current CRL in a local cache: The revocation information on F is assumed as the initial condition. F is a list of revoked certificates; each certificate is listed with a revocation reason (which may be "unspecified"). The list of revoked certificates L with n entries denoted as L[i] where 1 <= i <= n. (The value n may shrink or grow as the combination process proceeds.) Initialize L to the revocation notices on F. For each certificate C on the delta CRL, update the contents of L as follows. If a certificate C appears on the delta CRL, and C is not currently in the list L, then: (a) if C has a revocation reason other than "removeFromCRL", add C as a new entry in the list of revoked certificates L. (b) If C has revocation reason "removeFromCRL", skip this certificate. No update to the cache is needed. If a certificate C appears on the delta CRL, and C is presently listed in L as entry L[i], then: (a) If C is listed on the delta CRL with a revocation reason of "removeFromCRL", delete entry L[i] (b) If C is listed on the delta CRL without a revocation reason or with a revocation reason other than "removeFromCRL", change the reason code associated with L[i] to the reason code specified in the delta CRL. The combination of F and D forms a new full CRL with CRL number Z. This full CRL has complete information until the time specified in the next update field in the delta CRL is reached. If a relying party is validating a certificate with respect to time T, and T is before the next update field in the delta CRL, they may assume complete information. If an unexpired certificate C within the scope of the constructed CRL is not listed, then certificate C is not revoked for one of the revocation reasons covered by this CRL. If the constructed CRL covers all reasons, then the certificate C is not revoked. Using Deltas to Distribute Revocation Information This section provides three different scenarios for the use of delta CRLs. For the purpose of these examples, assume a goal of providing revocation information to relying parties that is no more than one hour old. The following notation is used to denote a revoked certificate on a CRL: Xr certificate X is listed for reason r, where r in {a,k,h,r} The reason codes {a,k,h,r} correspond to "affiliation changed", "key compromise", "certificate hold", and "remove from CRL" respectively. (Note: The remaining reason codes are omitted for simplicity. The handling of certificates revoked for the reasons "unspecified", "CA compromise", "superseded", and "cessationOfOperation" are identical to "affiliation changed or "key compromise"). Example #1 The example below shows the "traditional" method of issuing delta CRLs. In this example, full CRLs are issued once every 3 hours and deltas are issued once an hour. For consistency, the issuer begins issuing deltas at the same time as the very first full CRL. After that, however, a delta can always use a previously issued full CRL as its base. Notice that starting with cRLNumber 4, the delta CRL issued at the same time as a full CRL uses the previously issued full CRL as its base. However, the delta-CRLs never provide more than 3 hours of history. In this example: Certificate 14 was revoked for key compromise before 12:00 when the first CRL was issued. Certificate 124 was revoked for key compromise between 12:00 and 13:00. Certificate 39 was placed on hold between 14:00 and 15:00, and its suspension was lifted between 16:00 and 17:00. Certificate 67 was revoked for an affiliation change between 16:00 and 17:00. The reason was changed to key compromise between 18:00 and 19:00. current | Revoked | Full CRL | Delta-CRL time | certificates | | ---------|--------------|--------------------------|---------------------- 12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 | | thisUpdate = 12:00 | thisUpdate = 12:00 | | nextUpdate = 15:00 | nextUpdate = 13:00 | | CertificateList = {14k} | BaseCRLNumber = 1 | | | CertificateList = {} ---------|--------------|--------------------------|---------------------- 13:00 | {14k, 124k} | | cRLNumber = 2 | | | thisUpdate = 13:00 | | | nextUpdate = 14:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 14:00 | {14k, 124k} | | cRLNumber = 3 | | | thisUpdate = 14:00 | | | nextUpdate = 15:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 15:00 | {14k, 124k, | cRLNumber = 4 | cRLNumber = 4 | 39h} | thisUpdate = 15:00 | thisUpdate = 15:00 | | nextUpdate = 18:00 | nextUpdate = 16:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 39h} | CertificateList = | | | {124k, 39h} ---------|--------------|--------------------------|---------------------- 16:00 | {14k, 124k, | | cRLNumber = 5 | 39h, 67a} | | thisUpdate = 16:00 | | | nextUpdate = 17:00 | | | BaseCRLNumber = 4 | | | CertificateList = {67a} | | | ---------|--------------|--------------------------|---------------------- 17:00 | {14k, 124k, | | cRLNumber = 6 | 67a} | | thisUpdate = 17:00 | | | nextUpdate = 18:00 | | | BaseCRLNumber = 4 | | | CertificateList = | | | {39r, 67a} ---------|--------------|--------------------------|---------------------- 18:00 | {14k, 124k, | cRLNumber = 7 | cRLNumber = 7 | 67a} | thisUpdate = 18:00 | thisUpdate = 18:00 | | nextUpdate = 21:00 | nextUpdate = 19:00 | | CertificateList = | BaseCRLNumber = 4 | | {14k, 124k, 67a} | CertificateList = | | | {39r, 67a} ---------|--------------|--------------------------|---------------------- 19:00 | {14k, 124k, | | cRLNumber = 8 | 67k} | | thisUpdate = 19:00 | | | nextUpdate = 20:00 | | | BaseCRLNumber = 7 | | | CertificateList = {67k} ---------|--------------|--------------------------|---------------------- Scenario #2 The example below shows the "sliding window" method of issuing delta-CRLs. In this example, full CRLs are issued once every 3 hours and deltas are issued once an hour. For consistency, the issuer begins issuing deltas at the same time as the very first full CRL. Notice that starting with cRLNumber 7, the delta CRL issued at the same time as a full CRL does not use the previously issued full CRL as its base but the preceding CRL instead. However, these delta-CRLs never provide more than 6 hours of history. As in example #1: Certificate 14 was revoked for key compromise before 12:00 when the first CRL was issued. Certificate 124 was revoked for key compromise between 12:00 and 13:00. Certificate 39 was placed on hold between 14:00 and 15:00, and its suspension was lifted between 16:00 and 17:00. Certificate 67 was revoked for an affiliation change between 16:00 and 17:00. The reason was changed to key compromise between 18:00 and 19:00. current | Revoked | Full CRL | Delta-CRL time | certificates | | ---------|--------------|--------------------------|---------------------- 12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 | | thisUpdate = 12:00 | thisUpdate = 12:00 | | nextUpdate = 15:00 | nextUpdate = 13:00 | | CertificateList = {14k} | BaseCRLNumber = 1 | | | CertificateList = {} ---------|--------------|--------------------------|---------------------- 13:00 | {14k, 124k} | | cRLNumber = 2 | | | thisUpdate = 13:00 | | | nextUpdate = 14:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 14:00 | {14k, 124k} | | cRLNumber = 3 | | | thisUpdate = 14:00 | | | nextUpdate = 15:00 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 15:00 | {14k, 124k, | cRLNumber = 4 | cRLNumber = 4 | 39h} | thisUpdate = 15:00 | thisUpdate = 15:00 | | nextUpdate = 18:00 | nextUpdate = 16:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 39h} | CertificateList = | | | {124k, 39h} ---------|--------------|--------------------------|---------------------- 16:00 | {14k, 124k, | | cRLNumber = 5 | 39h, 67a} | | thisUpdate = 16:00 | | | nextUpdate = 17:00 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39h, 67a} ---------|--------------|--------------------------|---------------------- 17:00 | {14k, 124k, | | cRLNumber = 6 | 67a} | | thisUpdate = 17:00 | | | nextUpdate = 18:00 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39h, 67a} ---------|--------------|--------------------------|---------------------- 18:00 | {14k, 124k, | cRLNumber = 7 | cRLNumber = 7 | 67a} | thisUpdate = 18:00 | thisUpdate = 18:00 | | nextUpdate = 21:00 | nextUpdate = 19:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 67a} | CertificateList = | | | {124k, 39r, 67a} ---------|--------------|--------------------------|---------------------- 19:00 | {14k, 124k, | | cRLNumber = 8 | 67k} | | thisUpdate = 19:00 | | | nextUpdate = 20:00 | | | BaseCRLNumber = 7 | | | CertificateList = | | | {39r, 67k ---------|--------------|--------------------------|---------------------- Note that the delta CRLs are marginally larger than in the first scenario since they cover a longer time period. On the other hand, a relying party is less likely to download full CRLs in the second scenario. For example, a relying party that validated one certificate at 12:15, then a second certificate at 16:15 would not require a new full CRL in scenario #2. In scenario #1, the relying party would be forced to obtain both full CRL 4 and delta CRL 5. Scenario #3 Allowing for Replication/Propagation Delays In this scenario, full CRLs and delta CRLs are replicated throughout a repository system. Data is replicated through the system at different rates based on the size of the file. The CA operators estimate that full CRLs will be available throughout the system within three hours. Delta CRLs will be available within 15 minutes. (Assume the initial CRL is small and will propagate as if a delta CRL to resolve the bootstrap issues.) The example below uses the "sliding window" method of issuing delta-CRLs, but overlaps the thisUpdate and nextUpdate times to allow for propagation. In this example, full CRLs are issued once every 3 hours and deltas are issued every 45 minutes. For consistency, the issuer begins issuing deltas at the same time as the very first full CRL. Notice that starting with cRLNumber 7, the delta CRL issued at the same time as a full CRL does not use the previously issued full CRL as its base but the preceding CRL instead. As in example #2, these delta-CRLs never provide more than 6 hours of history. Similary to examples #1 and #2: Certificate 14 was revoked for key compromise before 12:00 when the first CRL was issued. Certificate 124 was revoked for key compromise between 12:00 and 12:45. Certificate 39 was placed on hold between 14:15 and 15:00, and its suspension was lifted between 16:00 and 17:00. Certificate 67 was revoked for an affiliation change between 15:45 and 16:30. The reason was changed to key compromise between 18:00 and 18:45. current | Revoked | Full CRL | Delta-CRL time | certificates | | ---------|--------------|--------------------------|---------------------- 12:00 | {14k} | cRLNumber = 1 | cRLNumber = 1 | | thisUpdate = 12:00 | thisUpdate = 12:00 | | nextUpdate = 18:00 | nextUpdate = 13:00 | | CertificateList = {14k} | BaseCRLNumber = 1 | | | CertificateList = {} ---------|--------------|--------------------------|---------------------- 12:45 | {14k, 124k} | | cRLNumber = 2 | | | thisUpdate = 12:45 | | | nextUpdate = 13:45 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 13:30 | {14k, 124k} | | cRLNumber = 3 | | | thisUpdate = 13:30 | | | nextUpdate = 14:30 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 14:15 | {14k, 124k} | | cRLNumber = 4 | | | thisUpdate = 14:15 | | | nextUpdate = 15:15 | | | BaseCRLNumber = 1 | | | CertificateList = {124k} ---------|--------------|--------------------------|---------------------- 15:00 | {14k, 124k, | cRLNumber = 5 | cRLNumber = 5 | 39h} | thisUpdate = 15:00 | thisUpdate = 15:00 | | nextUpdate = 21:00 | nextUpdate = 16:00 | | CertificateList = | BaseCRLNumber = 1 | | {14k, 124k, 39h} | CertificateList = | | | {124k, 39h} ---------|--------------|--------------------------|---------------------- 15:45 | {14k, 124k, | | cRLNumber = 6 | 39h, 67a} | | thisUpdate = 15:45 | | | nextUpdate = 16:45 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39h, 67a} ---------|--------------|--------------------------|---------------------- 16:30 | {14k, 124k, | | cRLNumber = 7 | 67a} | | thisUpdate = 16:30 | | | nextUpdate = 17:30 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39r, 67a} ---------|--------------|--------------------------|---------------------- 17:15 | {14k, 124k, | | cRLNumber = 8 | 67a} | | thisUpdate = 17:15 | | | nextUpdate = 18:15 | | | BaseCRLNumber = 1 | | | CertificateList = | | | {124k, 39r, 67a} ---------|--------------|--------------------------|---------------------- 18:00 | {14k, 124k, | cRLNumber = 9 | cRLNumber = 9 | 67a} | thisUpdate = 18:00 | thisUpdate = 18:00 | | nextUpdate = 24:00 | nextUpdate = 19:00 | | CertificateList = | BaseCRLNumber = 5 | | {14k, 124k, 67a} | CertificateList = | | | {39r, 67a} ---------|--------------|--------------------------|---------------------- 18:45 | {14k, 124k, | | cRLNumber = 10 | 67k} | | thisUpdate = 18:45 | | | nextUpdate = 19:45 | | | BaseCRLNumber = 5 | | | CertificateList = | | | {39r, 67k} ---------|--------------|--------------------------|---------------------- Delta CRL number 6 is issued at 15:45. By 16:00, delta CRL number 6 should be available throughout the system. As a result, delta CRL number 5 specified 16:00 as its nextUpdate time. However, full CRL number 5 was issued at 15:00 and may not be available throughout the system until 18:00. As a result, full CRL number 1 specified 18:00 as its nextUpdate time. In addition, delta CRL number 6 must be based on full CRL number 1 which was issued at 12:00. If the relying party finds full CRL number 5 in the repository, they may still apply delta CRL number 6 and achieve the correct answer. Finally, note that a CRL issuer must generate more CRLs to achieve the goal of status information that is no more than one hour old when factoring in the propagation delays. --=====================_104696206==_ Content-Type: application/msword; name="PKIX deltas.doc" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="PKIX deltas.doc" 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAnAAAAAAAAAAA EAAAngAAAAEAAAD+////AAAAAJoAAACbAAAA//////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////s pcEATSAJBAAA8BK/AAAAAAAAEAAAAAAABAAAXmMAAA4AYmpiauI94j0AAAAAAAAAAAAAAAAAAAAA AAAJBBYAIsoAAIBXAACAVwAA8F0AAG0BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//w8AAAAA AAAAAAD//w8AAAAAAAAAAAD//w8AAAAAAAAAAAAAAAAAAAAAAGwAAAAAAAgCAAAAAAAACAIAAAgC AAAKAAAAEgIAAAwAAAAeAgAAAAAAAB4CAAAAAAAAHgIAABQAAAAAAAAAAAAAADICAAAAAAAAHiAA AAAAAAAeIAAAAAAAAB4gAAAAAAAAHiAAAIwAAACqIAAADAEAADICAAAAAAAAy0IAAPYAAADCIQAA AAAAAMIhAAAAAAAAwiEAAAAAAADCIQAAAAAAAMIhAAAAAAAAwiEAAAAAAADCIQAAAAAAAMIhAAAA AAAAqkEAAAIAAACsQQAAAAAAAKxBAAAAAAAArEEAAAAAAACsQQAAAAAAAKxBAAAAAAAArEEAACQA AADBQwAAIAIAAOFFAADIAAAA0EEAABUAAAAAAAAAAAAAAAAAAAAAAAAAHgIAAAAAAADCIQAAAAAA AAAAAAAAAAAAAAAAAAAAAADCIQAAAAAAAMIhAAAAAAAAwiEAAAAAAADCIQAAAAAAANBBAAAAAAAA Ci0AAAAAAAAeAgAAAAAAAB4CAAAAAAAAwiEAAAAAAAAAAAAAAAAAAMIhAAAAAAAA5UEAAIYAAAAK LQAAAAAAAAotAAAAAAAACi0AAAAAAADCIQAATAkAAB4CAAAAAAAAwiEAAAAAAAAeAgAAAAAAAMIh AAAAAAAAqkEAAAAAAAAAAAAAAAAAAAotAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAwiEAAAAAAACqQQAAAAAAAAotAACmBgAACi0AAAAAAACwMwAA cgAAAF48AABUAAAAHgIAAAAAAAAeAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAzjwAAAAAAADCIQAAAAAAALYhAAAMAAAAoKEqD3/Z wAEyAgAA7B0AAB4gAAAAAAAADisAAPwBAACyPAAADgAAAAAAAAAAAAAAzjwAANwEAABrQgAAYAAA AMtCAAAAAAAAwDwAAA4AAACpRgAAAAAAAAotAAAAAAAAqUYAAAAAAADOPAAAAAAAAAotAAAAAAAA MgIAAAAAAAAyAgAAAAAAAB4CAAAAAAAAHgIAAAAAAAAeAgAAAAAAAB4CAAAAAAAAAgDZAAAAIERl bHRhIENSTHMNDVRoaXMgcGFwZXIgYWRkcmVzc2VzIHRoZSB1c2Ugb2YgZGVsdGEgQ1JMcyBpbiBQ S0lYLWNvbXBsaWFudCBzeXN0ZW1zLiAgVGhpcyBwYXBlciBhc3N1bWVzIHRoYXQgZGVsdGEgQ1JM cyBpbmNsdWRlIHRoZSBkZWx0YSBDUkwgaW5kaWNhdG9yIGV4dGVuc2lvbiAocmF0aGVyIHRoYW4g YSBDUkwgc2NvcGUgZXh0ZW5zaW9uKSBhbmQgaWdub3JlcyBjb21wbGljYXRpb25zIGludm9sdmlu ZyBjb21iaW5lZCBkZWx0YSBDUmxzIENSTHMgZnJvbSBpbmRpcmVjdCBDUkwgaXNzdWVycy4NDVRo aXMgcGFwZXIgYWxzbyBhc3N1bWVzIHRoYXQgQ1JMcyB3aXRoIGRpZmZlcmVudCBzY29wZXMgYXJl IGRpc3RyaWJ1dGVkIHVzaW5nIGRpZmZlcmVudCBkaXN0cmlidXRpb24gcG9pbnRzLg0NVGVybXMN DVJldm9rZWQ6IEEgc3RhdGVtZW50IHRoYXQgYSBwYXJ0aWN1bGFyIGNlcnRpZmljYXRlknMgc3Rh dHVzIGhhcyBjaGFuZ2VkIGFuZCBpdCBzaG91bGQgbm8gbG9uZ2VyIGJlIHRydXN0ZWQuICBPbmNl IGEgY2VydGlmaWNhdGUgaXMgcmV2b2tlZCwgaXQgaXMgYWx3YXlzIHJldm9rZWQuDQ1TdXNwZW5z aW9uOiBBIHN0YXRlbWVudCB0aGF0IGEgcGFydGljdWxhciBjZXJ0aWZpY2F0ZSBtYXkgbm90IGJl IHRydXN0d29ydGh5LiAgT25jZSBwbGFjZWQgb24gaG9sZCwgYSBjZXJ0aWZpY2F0ZSBtYXkgYmUg cmV2b2tlZCBvciB0aGUgc3VzcGVuc2lvbiBtYXkgYmUgbGlmdGVkLg0NUmV2b2NhdGlvbiBub3Rp Y2U6IEEgc3RhdGVtZW50IHRoYXQgYSBwYXJ0aWN1bGFyIGNlcnRpZmljYXRlIGhhcyBiZWVuIHN1 c3BlbmRlZCBvciByZXZva2VkLiAgVGhlIHJldm9jYXRpb24gc3RhdGVtZW50IGlkZW50aWZpZXMg dGhlIGNlcnRpZmljYXRlIGJ5IHRoZSBpc3N1ZXIgbmFtZSBhbmQgc2VyaWFsIG51bWJlci4gIFRo ZSBpc3N1ZXIgbWF5IGJlIHNwZWNpZmllZCBleHBsaWNpdGx5IG9yIGltcGxpY2l0bHkuICBUaGUg aXNzdWVyIG1heSBiZSBleHBsaWNpdGx5IGlkZW50aWZpZWQgdXNpbmcgdGhlIGNlcnRpZmljYXRl IGlzc3VlciBleHRlbnNpb24uIElmIG5vdCBzcGVjaWZpZWQgZXhwbGljaXRseSwgdGhlIGlzc3Vl ciBvZiB0aGUgY2VydGlmaWNhdGUgaXMgaW1wbGljaXRseSBpZGVudGlmaWVkIGFzIHRoZSBpc3N1 ZXIgb2YgdGhlIENSTC4gQSByZXZvY2F0aW9uIG5vdGljZSBpbmNsdWRlcyB0aGUgZGF0ZSBhbmQg dGltZSB0aGUgY2VydGlmaWNhdGUgd2FzIHJldm9rZWQuICBBIHJldm9jYXRpb24gbm90aWNlIG1h eSBvcHRpb25hbGx5IGluY2x1ZGUgYSByZXZvY2F0aW9uIHJlYXNvbiBpbiB0aGUgcmVhc29uIGNv ZGUgQ1JMIGVudHJ5IGV4dGVuc2lvbi4CDQ1DZXJ0aWZpY2F0ZSByZXZvY2F0aW9uIGxpc3QgKENS TCk6ICBhIGxpc3Qgb2YgcmV2b2NhdGlvbiBub3RpY2VzIGZvciBjZXJ0aWZpY2F0ZXMuDQ1DUkwg c2NvcGU6IHRoZSBzZXQgb2YgY2VydGlmaWNhdGVzIHRoYXQgY291bGQgYXBwZWFyIG9uIGEgZ2l2 ZW4gQ1JMLiAgRm9yIGV4YW1wbGUsIHRUaGUgc2NvcGUgbWF5IGJlIJNhbGwgY2VydGlmaWNhdGVz IGlzc3VlZCBieSBDQSBYlCwgk2FsbCBbQ0EgYW5kfCBlbmQgZW50aXR5XSBjZXJ0aWZpY2F0ZXMg aXNzdWVkIGJ5IENBIFiULCCTYWxsIGNlcnRpZmljYXRlcyBpc3N1ZWQgYnkgQ0EgWCB0aGF0IGhh dmUgYmVlbiByZXZva2VkIGZvciBba2V5IGNvbXByb21pc2UgfCBldGMuXWFuZCBDQSBjb21wcm9t aXNllCwgb3IgbWF5IGJlIGEgc2V0IG9mIGNlcnRpZmljYXRlcyBiYXNlZCBvbiBsb2NhbCBpbmZv cm1hdGlvbiwgc3VjaCBhcyCTYWxsIGNlcnRpZmljYXRlcyBpc3N1ZWQgdG8gdGhlIE5JU1QgZW1w bG95ZWVzIGxvY2F0ZWQgaW4gQm91bGRlcpQuDQ1GdWxsIENSTDogYSBDUkwgdGhhdCBsaXN0cyBh bGwgdW4tZXhwaXJlZHVuZXhwaXJlZCBjZXJ0aWZpY2F0ZXMsIGluIGl0cyBzY29wZSwgdGhhdCBo YXZlIGJlZW4gcmV2b2tlZCBmb3Igb25lIG9mIHRoZSByZXZvY2F0aW9uIHJlYXNvbnMgY292ZXJl ZCBieSB0aGUgc2NvcGUgb2YgdGhlIENSTC4gIFRoZSBzY29wZSBvZiBhIGZ1bGwgQ1JMIGRvZXMg bm90IG5lY2Vzc2FyaWx5IGluY2x1ZGUgYWxsIG9mIHRoZSBjZXJ0aWZpY2F0ZXMgaXNzdWVkIGJ5 IGEgQ0Egb3IgYWxsIHBvc3NpYmxlIHJldm9jYXRpb24gcmVhc29ucy4gIHRoZSBzY29wZSBvZiBh IGZ1bGwgQ1JMIGlzIHNldCBvZiB1bi1leHBpcmVkIGNlcnRpZmljYXRlcyB3aG9zZSBjdXJyZW50 IHN0YXR1cyBpcyBub3QgZnVsbHkgdHJ1c3RlZC4gIFRoZSBmdWxsIENSTCBtYXkgY292ZXIgYWxs IGNlcnRpZmljYXRlcyBpc3N1ZWQgYnkgYSBDQSwgb3IgYSBzdWJzZXQgdGhvc2UgY2VydGlmaWNh dGVzIChlLmcuLCBhIENSTCBzZWdtZW50KSBiYXNlZCBvbiBjZXJ0aWZpY2F0ZSBzdWJqZWN0IHR5 cGUsIHJldm9jYXRpb24gcmVhc29ucywgb3Igb3RoZXIgbG9jYWwgcmVhc29ucyAoZS5nLiwgk2Fs bCBjZXJ0aWZpY2F0ZXMgaXNzdWVkIHRvIE5JU1SScyBCb3VsZGVyIGVtcGxveWVlc5QpLg0NQmFz ZSBDUkw6ICB0aGUgcGFydGljdWxhciBDUkwgdXNlZCBhcyB0aGUgZm91bmRhdGlvbiBmb3IgYSBk ZWx0YSBDUkwuICBUaGUgYmFzZSBtdXN0IGhhdmUgYmVlbiBpc3N1ZWQgYXMgYSBmdWxsIENSTC4N DURlbHRhIENSTDogIGEgQ1JMIHRoYXQgb25seSBsaXN0cyB0aG9zZSB1bi1leHBpcmVkdW5leHBp cmVkIGNlcnRpZmljYXRlcywgaW4gaXRzIHNjb3BlLCB3aG9zZSByZXZvY2F0aW9uIHN0YXR1cyBo YXMgY2hhbmdlZCBzaW5jZSB0aGUgaXNzdWFuY2Ugb2YgYSBwYXJ0aWN1bGFyLCByZWZlcmVuY2Vk IGJhc2UgQ1JMLiBUaGUgc2NvcGUgb2YgYSBkZWx0YSBDUkwgaXMgbXVzdCBiZSB0aGUgc2FtZSBh cyB0aGUgYmFzZSBDUkwgdGhhdCBpdCByZWZlcmVuY2VzIFRoZSBzY29wZSBvZiBhIGRlbHRhIENS TCBpcyB0aGUgc2FtZSBhcyB0aGUgYmFzZSBDUkwsIGJ1dCB0aGUgY29udGVudHMgYXJlIGxpbWl0 ZWQgdG8gdGhlIGxpc3Qgb2YgY2VydGlmaWNhdGVzIHdob3NlIHN0YXR1cyBoYXMgY2hhbmdlZCBz aW5jZSB0aGUgaXNzdWFuY2Ugb2YgdGhlIGJhc2UgQ1JMLg0NQmFzZSBDUkw6ICBUaGUgcGFydGlj dWxhciBDUkwgdXNlZCBhcyB0aGUgZm91bmRhdGlvbiBmb3IgYSBkZWx0YSBDUkwuICBUaGUgYmFz ZSBtdXN0IGhhdmUgYmVlbiBpc3N1ZWQgYXMgYSBmdWxsIENSTC4NDUNvbnN0cnVjdGVkIENSTDog dGhlIGNvbWJpbmF0aW9uIG9mIGEgZGVsdGEgQ1JMIGFuZCBhIGJhc2UgQ1JMDQ1DUkwgTnVtYmVy aW5nDQ1BIENSTCBpc3N1ZXIgbWF5IGlzc3VlIGdlbmVyYXRlIGZ1bGwgQ1JMcyBmb3IgbW9yZSB0 aGFuIG9uZSBzY29wZS5hbnkgY29tYmluYXRpb24gb2YgZnVsbCBzZWdtZW50ZWQgQ1JMcyBhbmQg dW5zZWdtZW50ZWQgQ1JMcyB7e3sgVGhlc2UgdHdvIHRlcm1zIGFyZSBub3QgZGVmaW5lZCBhYm92 ZS4gSSBob3BlIHRoYXQgeW91IGNhbiBzdGljayB0byB0aGUgZGVmaW5lZCB0ZXJtIJNzY29wZS6U IH19fS4gIFRoZSBDUkwgaXNzdWVyIG1heSBhbHNvIGlzc3VlIGdlbmVyYXRlIGRlbHRhIENSTHMu ICBFYWNoOyB0aGUgZGVsdGEgQ1JMcyB3aWxsIG11c3QgaGF2ZSB0aGUgc2FtZSBzY29wZXMgYXMg ZWl0aGVyIGF0aGUgZnVsbCBzZWdtZW50ZWQgQ1JMIG9yIHVuYSBzZWdtZW50ZWRmdWxsIENSTHMg aXNzdWVkIGJ5IHRoZSBDUkwgaXNzdWVydGhhdCB0aGV5IHIgcmVmZXJlbmNlZCBhcyB0aGVpcml0 cyBiYXNlcy4NDUZvciBlYWNoIHNjb3BlIHN1cHBvcnRlZCBieSB0aGUgQ1JMIGlzc3VlciwgYSBz ZXBhcmF0ZSBudW1iZXJpbmcgc2VxdWVuY2UgbXVzdCBiZSBtYWludGFpbmVkLiAgRm9yIGVhY2gg c2NvcGUsIHRoZSBDUkxzIGFyZSBudW1iZXJlZCBpbiBhIG1vbm90b25pY2FsbHkgaW5jcmVhc2lu ZyBzZXF1ZW5jZS4gIChXcmFwcGluZyBpcyBub3QgcGVybWl0dGVkIGluIHRoZSBQS0lYIHByb2Zp bGUuICBJZiB0aGUgYSBkZWx0YSBDUkwgYW5kIGEgY29tcGxldGUgZnVsbCBDUkwgdGhhdCBjb3Zl ciB0aGUgc2FtZSBzY29wZSBhcmUgaXNzdWVkIGF0IHRoZSBzYW1lIHRpbWUsIGVhY2ggdGhleSB3 aWxsIGhhdmUgdGhlIHNhbWUgQ1JMIG51bWJlci4pICANDUlUaGF0IGlzLCBpZiBhIENSTCBpc3N1 ZXIgaXNzdWVzIGdlbmVyYXRlcyBDUkxzIGZvciBvbmUgc2NvcGUgKGUuZy4sIGZ1bGwgQ1JMcyBh bmQgZGVsdGFzIGZvciBmdWxsIENDUkxzKSwgdGhlIGlzc3VlciBtdXN0IG1haW50YWluIG9uZSBu dW1iZXJpbmcgc2VxdWVuY2UuICBJZiBhIGRlbHRhIENSTCBhbmQgYSBmdWxsIENSTCB0aGF0IGNv dmVyIHRoZSBzYW1lIHNjb3BlIGFyZSBpc3N1ZWQgYXQgdGhlIHNhbWUgdGltZSwgdGhleSB3aWxs IGhhdmUgdGhlIHNhbWUgQ1JMIG51bWJlci4NDUlmIGEgQ1JMIGlzc3VlciBpc3N1ZXMgZ2VuZXJh dGVzIENSTHMgZm9yIHR3byBzY29wZXMgKGUuZy4sIGFsbCBvbmUgY292ZXJpbmcgQ0EgY2VydGlm aWNhdGVzIGFuZCBhbGwgb25lIGNvdmVyaW5nIGVuZCBlbnRpdHkgY2VydGlmaWNhdGVzKSwgdGhl biB0aGUgQ1JMIGlzc3VlciBtdXN0IG1haW50YWluIHR3byBudW1iZXIgc2VxdWVuY2VzLiAgVGhl IENSTHMgYW5kIGRlbHRhcyBmb3IgdGhlIHNhbWUgc2NvcGUgKGUuZy4sIENBIGNlcnRpZmljYXRl cykgd2lsbCBzaGFyZSBvbmUgbnVtYmVyaW5nIHNlcXVlbmNlLiAgVGhlIENSTHMgYW5kIGRlbHRh cyBmb3IgdGhlIHNlY29uZCBzY29wZSAoZS5nLiwgZW5kIGVudGl0eSBjZXJ0aWZpY2F0ZXMpIHdp bGwgc2hhcmUgb25lIG51bWJlcmluZyBzZXF1ZW5jZS4gICBUaGVyZSBpcyBubyByZXF1aXJlbWVu dCB0aGF0IHRoZXNlIHNlcXVlbmNlcyBiZSBkaXNqb2ludC4NDUFsZ29yaXRobXMgZm9yIERldGVy bWluaW5nIFN0YXR1cyBmcm9tIGEgQmFzZSBGdWxsIENSTCBhbmQgYSBEZWx0YSBDUkwNDUNvbnNp ZGVyIGEgY29tcGxldGUgZnVsbCBDUkwsIEJGLCB3aXRoIENSTCBudW1iZXIgWC4gIEEgVGhlIFBL SVggcHJvZmlsZSByZXF1aXJlcyB0aGUgQ0EgdG8gaXNzdWUgQiBhcyBhIGZ1bGwgQ1JMLCBidXQg YSBjbGllbnQoQiBtYXkgYmUgb2J0YWluIEJGZWQgaW4gZWl0aGVyIG9mIHRoZSBmb2xsb3dpbmcg d2F5czogKGEpIHRoZSBmdWxsIENSTCBCIEYgbWF5IGhhdmUgYmVlbiBwdXNoZWQgdG8gdGhlIGNs aWVudCBvZnIgcHVsbGVkIGZyb20gYSByZXBvc2l0b3J5O2lzc3VlZCBhcyBhIGNvbXBsZXRlIGZ1 bGwgQ1JMIHdoaWNoIGNvbnRhaW5zIGEgQ1JMIG51bWJlciBleHRlbnNpb24gd2l0aCB2YWx1ZSBY LiBvciAoYikgQWx0ZXJuYXRpdmVseSwgRkIgbWF5IGhhdmUgYmVlbiBjb25zdHJ1Y3RlZCBmcm9t IGEgYmFzZSBmdWxsIENSTCBhbmQgYSBkZWx0YSBDUkwgdXNpbmcgdGhpcyBhbGdvcml0aG0uDS4N Q29uc2lkZXIgYSBkZWx0YSBDUkwsIEQsIHdoaWNoIHNwZWNpZmllcyBiYXNlIENSTCBZIGFuZCBo YXMgQ1JMIG51bWJlciBaLiAgVGhpcyBtZWFucyB0aGF0IGFsbCBjZXJ0aWZpY2F0ZXMgd2hvc2Ug c3RhdHVzZXMgaGF2ZSBjaGFuZ2VkIHNpbmNlIHRoZSBpc3N1YW5jZSBvZiBDUkwgWSB3aWxsIGJl IGxpc3RlZCBvbiB0aGUgZGVsdGEgQ1JMLiAgTm90ZSB0aGF0IHRoZSBQS0lYIHByb2ZpbGUgcmVx dWlyZXMgdGhlIENBIHRvIGlzc3VlIENSTCBZIGFzIGEgZnVsbCBDUkwuDQ1EZXRlcm1pbmluZyBX aGV0aGVyIGEgQmFzZSBGdWxsIENSTCBhbmQgRGVsdGEgQ1JMIE1heSBCZSBDb21iaW5lZA0NQ29u c2lkZXIgYSBkZWx0YSBDUkwsIEQsIHdoaWNoIHNwZWNpZmllcyBiYXNlIENSTCBZIGFuZCBoYXMg Q1JMIG51bWJlciBaLiAgVGhpcyBtZWFucyB0aGF0IGFsbCBjZXJ0aWZpY2F0ZXMgd2hvc2Ugc3Rh dHVzZXMgaGF2ZXMgY2hhbmdlZCBzaW5jZSB0aGUgaXNzdWFuY2Ugb2YgQ1JMIFkgd2lsbCBiZSBs aXN0ZWQgb24gdGhlIGRlbHRhIENSTC4NDUJGIGFuZCBEIG1heSBiZSBjb21iaW5lZCBpZiBlYWNo IG9mIHRoZSBmb2xsb3dpbmcgY29uZGl0aW9ucyBhcmUgbWV0Og0NWCBpcyBncmVhdGVyIHRoYW4g b3IgZXF1YWwgdG8gWS4gIFRoYXQgaXMsIHRoZSBjb21wbGV0ZSBmdWxsIENSTCBtdXN0IChhdCBh IG1pbmltdW0pIGNvbnRhaW4gYWxsIHRoZSByZXZvY2F0aW9uIGluZm9ybWF0aW9uIGhlbGQgYnkg dGhlIHJlZmVyZW5jZWQgYmFzZSBDUkwuDVggaXMgbGVzcyB0aGFuIFouICBUaGF0IGlzLCB0aGUg ZGVsdGEgQ1JMIG11c3QgY292ZXIgc29tZSB0aW1lIHRoYXQgd2FzIG5vdCBjb3ZlcmVkIGJ5IHRo ZSBjb21wbGV0ZSBmdWxsIENSTC4gDQ1EZXRlcm1pbmluZyBTdGF0dXMgb2YgYSBjZXJ0aWZpY2F0 ZSBDZXJ0aWZpY2F0ZSBmcm9tIGEgYmFzZSBGdWxsIENSTCBhbmQgYSBEZGVsdGEgQ1JMDQ1JZiB0 aGUgUEtJIGNsaWVudCBtYWludGFpbnMgdGhlIGRlbHRhIGFuZCBiYXNlIGZ1bGwgQ1JMLCB0aGUg c3RhdHVzIG9mIGFuIHVuZXhwaXJlZCBjZXJ0aWZpY2F0ZSBDIGlzIG1heSBiZSBkZXRlcm1pbmVk IGFzIGZvbGxvd3M6DQ1JZiBDIGlzIGxpc3RlZCBvbiB0aGUgZGVsdGEgQ1JMLCB0aGVuOg1JZiBD IGlzIGxpc3RlZCBvbiB0aGUgZGVsdGEgQ1JMIHdpdGggcmVhc29uIGNvZGUgInJlbW92ZUZvcnJv bUNSTCIsIHRoZW4gQyBpcyBub3QgcmV2b2tlZC5JZiBDIHdhcyBsaXN0ZWQgd2l0aG91dCBhbiBh c3NvY2lhdGVkIHJldm9jYXRpb24gcmVhc29uIG9yIGEgcmV2b2NhdGlvbiByZWFzb24gb3RoZXIg dGhhbiBjZXJ0aWZpY2F0ZSBob2xkLCB0aGVuIGNlcnRpZmljYXRlIEMgaXMgY29uc2lkZXJlZCBy ZXZva2VkLg1PdGhlcndpc2UsIGNlcnRpZmljYXRlIEMgaXMgcmV2b2tlZC5JZiBDIGlzIGxpc3Rl ZCBvbiB0aGUgZGVsdGEgQ1JMIHdpdGggcmVhc29uIGNvZGUgInJlbW92ZSBmb3JtIGNybENSTCIs IHRoZW4gQyBpcyBub3QgcmV2b2tlZC4NSWYgQyB3YXMgbm90IGxpc3RlZCBvbiB0aGUgZGVsdGEg Q1JMLCB0aGVuIHRoZSBiYXNlIGZ1bGwgQ1JMIGlzIGNoZWNrZWQsIGFuZCB0aGUgc3RhdHVzIGlz IGFzIGZvbGxvd3M6DUlmIEMgaXMgbGlzdGVkIG9uIHRoZSBiYXNlIGZ1bGwgQ1JMLCB0aGVuIEMg aXMgcmV2b2tlZC4NSWYgQyBpcyBub3QgbGlzdGVkIG9uIHRoZSBiYXNlIGZ1bGwgQ1JMLCB0aGVu IEMgaXMgbm90IHJldm9rZWQuDQ1Db21iaW5pbmcgYSBCYXNlIEZ1bGwgQ1JMIGFuZCBEZWx0YSBD UkwgaW50byBhIENvbnN0cnVjdGVkIENSTA0NSWYgdGhlIFBLSSBjbGllbnQgbWFpbnRhaW5zIHRo ZSBjdXJyZW50IENSTCBpbiBlbGVjdHJvbmljIGZvcm1hIGxvY2FsIGNhY2hlOg0NVGhlIHJldm9j YXRpb24gaW5mb3JtYXRpb24gb24gQkYgaXMgYXNzdW1lZCBhcyB0aGUgaW5pdGlhbCBjb25kaXRp b24uICBCRiBpcyBhIGxpc3Qgb2YgcmV2b2tlZCBjZXJ0aWZpY2F0ZXM7IGVhY2ggY2VydGlmaWNh dGUgaXMgbGlzdGVkIHdpdGggYSByZXZvY2F0aW9uIHJlYXNvbiAod2hpY2ggbWF5IGJlIJN1bnNw ZWNpZmllZJQpLiAgDQ1UaGUgbGlzdCBvZiByZXZva2VkIGNlcnRpZmljYXRlcyBMIHdpdGggbiBl bnRyaWVzIGRlbm90ZWQgYXMgTGkgd2hlcmUgMSA8PSBpIDw9IG4uICAoVGhlIHZhbHVlIG4gbWF5 IHNocmluayBvciBncm93IGFzIHRoZSBjb21iaW5hdGlvbiBwcm9jZXNzIHByb2NlZWRzLikNDUlu aXRpYWxpemUgTCB0byB0aGUgcmV2b2NhdGlvbiBub3RpY2VzIG9uIEJGLiAgRm9yIGVhY2ggY2Vy dGlmaWNhdGUgQyBvbiB0aGUgZGVsdGEgQ1JMLCB1cGRhdGUgdGhlIGNvbnRlbnRzIG9mIEwgYXMg Zm9sbG93cy4NDUEgY2VydGlmaWNhdGUgQyBpcyBhZGRlZCB0byB0aGUgbGlzdCBvZiByZXZva2Vk IGNlcnRpZmljYXRlcyBMIGFzIGZvbGxvd3M6DUlmICBhIGNlcnRpZmljYXRlIEMgYXBwZWFycyBv biB0aGUgZGVsdGEgQ1JMIEQsIGFuZCBDIGlzIG5vdCBjdXJyZW50bHkgaW4gdGhlIGxpc3QgTCwg dGhlbjoNaWYgQyBoYXMgYSByZXZvY2F0aW9uIHJlYXNvbiBvdGhlciB0aGFuIJNyZW1vdmVGcm9t Q1JMlCwgYWRkIEMgYXMgYSBuZXcgZW50cnkgaW4gIHRoZSBsaXN0IG9mIHJldm9rZWQgY2VydGlm aWNhdGVzIEwuDUlmIEMgaGFzIHJldm9jYXRpb24gcmVhc29uIJNyZW1vdmVGcm9tQ1JMlCwgc2tp cCB0aGlzIGNlcnRpZmljYXRlLiAgTm8gdXBkYXRlIHRvIHRoZSBjYWNoZSBpcyBuZWVkZWQuDUlm IGEgY2VydGlmaWNhdGUgQyBhcHBlYXJzIG9uIHRoZSBkZWx0YSBDUkwgRCwgYW5kIEMgaXMgcHJl c2VudGx5IGxpc3RlZCBpbiBMIGFzIGVudHJ5IExpLCB0aGVuOg1JZiBDIGhhcyByZXZvY2F0aW9u IHJlYXNvbmlzIGxpc3RlZCBvbiB0aGUgZGVsdGEgQ1JMIHdpdGggYSByZXZvY2F0aW9uIHJlYXNv biBvZiCTcmVtb3ZlRnJvbUNSTJQsIHRoZW4gZGVsZXRlIGVudHJ5IExpIA1JZiAgQyBoYXMgaXMg bGlzdGVkIG9uIHRoZSBkZWx0YSBDUkwgd2l0aG91dCBhIHJldm9jYXRpb24gcmVhc29uIG9yIHdp dGggYSByZXZvY2F0aW9uIHJlYXNvbiBvdGhlciB0aGFuIJNyZW1vdmVGcm9tQ1JMLJQsIHRoZW4g dXBkYXRlIGNoYW5nZSB0aGUgcmVhc29uIGNvZGUgYXNzb2NpYXRlZCB3aXRoIExpIHRvIHRoZSBy ZWFzb24gY29kZSBzcGVjaWZpZWQgaW4gdGhlIGRlbHRhIENSTC4NDVRoZSBjb21iaW5hdGlvbiBv ZiBCRiBhbmQgRCBmb3JtcyBhIG5ldyBjb21wbGV0ZSBmdWxsIENSTCB3aXRoIENSTCBudW1iZXIg Wi4gIFRoaXMgY29tcGxldGUgZnVsbCBDUkwgaXMgYXNzdW1lZCB0byBoYXZlcyBjb21wbGV0ZSBp bmZvcm1hdGlvbiB1bnRpbCB0aGUgdGltZSBzcGVjaWZpZWQgaW4gdGhlIG5leHQgdXBkYXRlIGZp ZWxkIGluIHRoZSBkZWx0YSBDUkwgaXMgcmVhY2hlZC4gIElmIGEgcmVseWluZyBwYXJ0eSBpcyB2 YWxpZGF0aW5nIGEgY2VydGlmaWNhdGUgd2l0aCByZXNwZWN0IHRvIHRpbWUgVCwgIGFuZCBUIGlz IGJlZm9yZSB0aGUgbmV4dCB1cGRhdGUgZmllbGQgaW4gdGhlIGRlbHRhIENSTCwgdGhleSBtYXkg YXNzdW1lIGNvbXBsZXRlIGluZm9ybWF0aW9uLg0NSWYgYW4gdW5leHBpcmVkIGNlcnRpZmljYXRl IEMgd2l0aGluIHRoZSBzY29wZSBvZiAgdGhlIGNvbnN0cnVjdGVkIENSTCBpcyBub3QgbGlzdGVk LCB0aGVuIGNlcnRpZmljYXRlIEMgaXMgbm90IHJldm9rZWQgZm9yIG9uZSBvZiB0aGUgcmV2b2Nh dGlvbiByZWFzb25zIGNvdmVyZWQgYnkgdGhpcyBDUkwuICBJZiB0aGUgY29uc3RydWN0ZWQgQ1JM IGNvdmVycyBhbGwgcmVhc29ucywgdGhlbiB0aGUgY2VydGlmaWNhdGUgQyBpcyBub3QgcmV2b2tl ZC4NDVVzaW5nIERlbHRhcyB0byBEaXN0cmlidXRlIFJldm9jYXRpb24gSW5mb3JtYXRpb24NDVRo aXMgc2VjdGlvbiBwcm92aWRlcyB0aHJlZSBkaWZmZXJlbnQgc2NlbmFyaW9zIGZvciB0aGUgdXNl IG9mIGRlbHRhIENSTHMuICBGb3IgdGhlIHB1cnBvc2Ugb2YgdGhlc2UgZXhhbXBsZXMsIGFzc3Vt ZSBhIGdvYWwgb2YgaGUgZ29hbCBpcyB0byBwcm92aWRpbmdlIHJldm9jYXRpb24gaW5mb3JtYXRp b24gdG8gcmVseWluZyBwYXJ0aWVzIHRoYXQgaXMgbm8gbW9yZSB0aGFuIG9uZSBob3VyIG9sZC4g e3t7IFdoZXJlIGRvZXMgdGhpcyBjb21lIGZyb20/ICBFeGFtcGxlPyAgSXQgaXMgY2VydGFpbmx5 IG5vdCBhIFBLSVggcmVxdWlyZW1lbnQhIH19fQ0NDVRoZSBmb2xsb3dpbmcgbm90YXRpb24gaXMg dXNlZCB0byBkZW5vdGUgYSByZXZva2VkIGNlcnRpZmljYXRlIG9uIGEgQ1JMOiAgDQkJWHIJY2Vy dGlmaWNhdGUgWCBpcyBsaXN0ZWQgZm9yIHJlYXNvbiByLCB3aGVyZSByIGluIHthLGssaCxyfSAN VGhlIHJlYXNvbiBjb2RlcyB7YSxrLGgscn0gY29ycmVzcG9uZCB0byCTYWZmaWxpYXRpb24gY2hh bmdlZJQsIJNrZXkgY29tcHJvbWlzZZQsIJNjZXJ0aWZpY2F0ZSBob2xklCwgYW5kIJNyZW1vdmUg ZnJvbSBDUkyUIHJlc3BlY3RpdmVseS4NDShOb3RlOiAgVGhlIHJlbWFpbmluZyByZWFzb24gY29k ZXMgYXJlIG9taXR0ZWQgZm9yIHNpbXBsaWNpdHkuICBUaGUgaGFuZGxpbmcgb2YgY2VydGlmaWNh dGVzIHJldm9rZWQgZm9yICB0aGUgcmVhc29ucyCTdW5zcGVjaWZpZWSULCCTQ0EgY29tcHJvbWlz ZZQsIJNzdXBlcnNlZGVklCwgYW5kIJNjZXNzYXRpb25PZk9wZXJhdGlvbpQgYXJlIGlkZW50aWNh bCB0byCTYWZmaWxpYXRpb24gY2hhbmdlZCBvciCTa2V5IGNvbXByb21pc2WUKS4NDQ0Ne3t7DVdo ZXJlIGFyZSB0aGUgcmVzdD8gIEFnYWluLCBtYXliZSB0aGlzIGlzIGJlY2F1c2Ugd2UgbWFkZSBh IGNsdW1zeSB0cmFuc2l0aW9uIGludG8gYW4gZXhhbXBsZS4NDSAgIENSTFJlYXNvbiA6Oj0gRU5V TUVSQVRFRCB7DSAgICAgICAgdW5zcGVjaWZpZWQgICAgICAgICAgICAgKDApLA0gICAgICAgIGtl eUNvbXByb21pc2UgICAgICAgICAgICgxKSwNICAgICAgICBjQUNvbXByb21pc2UgICAgICAgICAg ICAoMiksDSAgICAgICAgYWZmaWxpYXRpb25DaGFuZ2VkICAgICAgKDMpLA0gICAgICAgIHN1cGVy c2VkZWQgICAgICAgICAgICAgICg0KSwNICAgICAgICBjZXNzYXRpb25PZk9wZXJhdGlvbiAgICAo NSksDSAgICAgICAgY2VydGlmaWNhdGVIb2xkICAgICAgICAgKDYpLA0gICAgICAgIHJlbW92ZUZy b21DUkwgICAgICAgICAgICg4KSB9DX19fQ0NRXhhbXBsZSAjMQ0NVGhlIGV4YW1wbGUgYmVsb3cg c2hvd3MgdGhlICJ0cmFkaXRpb25hbCIgbWV0aG9kIG9mIGlzc3VpbmcgZGVsdGEgLUNSTHMuIElu IHRoaXMgZXhhbXBsZSwgZnVsbCBDUkxzIGFyZSBpc3N1ZWQgb25jZSBldmVyeSAzIGhvdXJzIGFu ZCBkZWx0YXMgYXJlIGlzc3VlZCBvbmNlIGFuIGhvdXIuIEZvciBjb25zaXN0ZW5jeSwgdGhlIGlz c3VlciBiZWdpbnMgaXNzdWluZyBkZWx0YXMgYXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgdmVyeSBm aXJzdCBmdWxsIENSTC4gQWZ0ZXIgdGhhdCwgaG93ZXZlciwgYSBkZWx0YSBjYW4gYWx3YXlzIHVz ZSBhIHByZXZpb3VzbHkgaXNzdWVkIGZ1bGwgQ1JMIGFzIGl0cyBiYXNlLiBOb3RpY2UgdGhhdCBz dGFydGluZyB3aXRoIGNSTE51bWJlciA0LCB0aGUgZGVsdGEgQ1JMIGlzc3VlZCBhdCB0aGUgc2Ft ZSB0aW1lIGFzIGEgZnVsbCBDUkwgdXNlcyB0aGUgcHJldmlvdXNseSBpc3N1ZWQgZnVsbCBDUkwg YXMgaXRzIGJhc2UuIEhvd2V2ZXIsIHRoZSBkZWx0YS1DUkxzIG5ldmVyIHByb3ZpZGUgbW9yZSB0 aGFuIDMgaG91cnMgb2YgaGlzdG9yeS4NDUluIHRoaXMgZXhhbXBsZToNQ2VydGlmaWNhdGUgMTQg d2FzIHJldm9rZWQgZm9yIGtleSBjb21wcm9taXNlIGJlZm9yZSAxMjowMCB3aGVuIHRoZSBmaXJz dCBDUkwgd2FzIGlzc3VlZC4NQ2VydGlmaWNhdGUgMTI0IHdhcyByZXZva2VkIGZvciBrZXkgY29t cHJvbWlzZSBiZXR3ZWVuIDEyOjAwIGFuZCAxMzowMC4NQ2VydGlmaWNhdGUgMzkgd2FzIHBsYWNl ZCBvbiBob2xkIGJldHdlZW4gMTQ6MDAgYW5kIDE1OjAwLCBhbmQgaXRzIHN1c3BlbnNpb24gd2Fz IGxpZnRlZCBiZXR3ZWVuIDE2OjAwIGFuZCAxNzowMC4NQ2VydGlmaWNhdGUgNjcgd2FzIHJldm9r ZWQgZm9yIGFuIGFmZmlsaWF0aW9uIGNoYW5nZSBiZXR3ZWVuIDE2MTU6MDAgYW5kIDE3MTY6MDAu ICBUaGUgcmVhc29uIHdhcyBjaGFuZ2VkIHRvIGtleSBjb21wcm9taXNlIGJldHdlZW4gMTg2OjAw IGFuZCAxOTc6MDAue3t7IFRoZXNlIHR3byB0aW1lIHNwYW5zIGNhbm5vdCBiZSB0aGUgc2FtZSEg fX19Lg0NY3VycmVudCB0aW1lICAgICAHUmV2b2tlZCBjZXJ0aWZpY2F0ZXMHRnVsbCBDUkwHRGVs dGEtQ1JMBwcxMjowMAd7MTRrfSAgICAgICAgICAgIAdjUkxOdW1iZXIgPSAxICAgICAgICAgICAg ICAgICAgIHRoaXNVcGRhdGUgPSAxMjowMCAgICAgICAgICAgICAgbmV4dFVwZGF0ZSA9IDE1OjAw ICAgICAgICAgICAgICBDZXJ0aWZpY2F0ZUxpc3QgPSB7MTRrfQdjUkxOdW1iZXIgPSAxICAgICAg ICAgICAgICAgICAgIHRoaXNVcGRhdGUgPSAxMjowMA1uZXh0VXBkYXRlID0gMTM6MDAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBC YXNlQ1JMTnVtYmVyID0gMQ1DZXJ0aWZpY2F0ZUxpc3QgPSB7fSAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAcHMTM6MDAHezE0aywgMTI0a30gICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAHB2NSTE51bWJlciA9IDIgICAgICAgICAg ICAgICAgICAgdGhpc1VwZGF0ZSA9IDEzOjAwDW5leHRVcGRhdGUgPSAxNDowMCAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VD UkxOdW1iZXIgPSAxDUNlcnRpZmljYXRlTGlzdCA9IHsxMjRrfSAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAcHMTQ6MDAHezE0aywgMTI0a30gICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAHB2NSTE51bWJlciA9IDMgICAgICAgICAg ICAgICAgICAgdGhpc1VwZGF0ZSA9IDE0OjAwDW5leHRVcGRhdGUgPSAxNTowMCAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VD UkxOdW1iZXIgPSAxDUNlcnRpZmljYXRlTGlzdCA9IHsxMjRrfSAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAcHMTU6MDAHezE0aywgMTI0aywgMzlofSAg IAdjUkxOdW1iZXIgPSA0ICAgICAgICAgICAgICAgICAgIHRoaXNVcGRhdGUgPSAxNTowMCAgICAg ICAgICAgICAgbmV4dFVwZGF0ZSA9IDE4OjAwICAgICAgICAgICAgICBDZXJ0aWZpY2F0ZUxpc3Qg PSB7MTRrLCAxMjRrLCAzOWh9B2NSTE51bWJlciA9IDQNdGhpc1VwZGF0ZSA9IDE1NjowMCAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbmV4dFVwZGF0ZSA9IDE2Nzow MCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCYXNlQ1JMTnVtYmVy ID0gMSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDZXJ0aWZpY2F0 ZUxpc3QgPSB7MTI0aywgMzlofQcHMTY6MDAHezE0aywgMTI0aywgMzloLCA2N2F9ICAgBwdjUkxO dW1iZXIgPSA1DXRoaXNVcGRhdGUgPSAxNjowMCAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgbmV4dFVwZGF0ZSA9IDE3OjAwICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIEJhc2VDUkxOdW1iZXIgPSA0ICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9IHszOWgsIDY3YX1XaHkgaXMg MzloIGhlcmU/ICBJdCBpcyBvbiB0aGUgYmFzZSEHBzE3OjAwB3sxNGssIDEyNGssIDY3YX0gICAH B2NSTE51bWJlciA9IDYNdGhpc1VwZGF0ZSA9IDE3OjAwICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBuZXh0VXBkYXRlID0gMTg6MDAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgQmFzZUNSTE51bWJlciA9IDQgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2VydGlmaWNhdGVMaXN0ID0gezM5ciwgNjdhfQcH MTg6MDAHezE0aywgMTI0aywgNjdhfSAgIAdjUkxOdW1iZXIgPSA3ICAgICAgICAgICAgICAgICAg IHRoaXNVcGRhdGUgPSAxODowMCAgICAgICAgICAgICAgbmV4dFVwZGF0ZSA9IDIxOjAwICAgICAg ICAgICAgICBDZXJ0aWZpY2F0ZUxpc3QgPSB7MTRrLCAxMjRrLCA2N2F9B2NSTE51bWJlciA9IDcN dGhpc1VwZGF0ZSA9IDE4OjAwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICBuZXh0VXBkYXRlID0gMTk6MDAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgQmFzZUNSTE51bWJlciA9IDQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgQ2VydGlmaWNhdGVMaXN0ID0gezM5ciwgNjdhfQcHMTk6MDAHezE0aywgMTI0 aywgNjdrfSAgIAcHY1JMTnVtYmVyID0gOA10aGlzVXBkYXRlID0gMTk6MDAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG5leHRVcGRhdGUgPSAyMDowMCAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCYXNlQ1JMTnVtYmVyID0gNyAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDZXJ0aWZpY2F0ZUxpc3QgPSB7 NjdrfQcHDQ1Db25zZXF1ZW5jZXMgb2YgdGhpcyANDQ1TY2VuYXJpbyAjMg0NVGhlIGV4YW1wbGUg YmVsb3cgc2hvd3MgdGhlICJzbGlkaW5nIHdpbmRvdyIgbWV0aG9kIG9mIGlzc3VpbmcgZGVsdGEt Q1JMcy4gSW4gdGhpcyBleGFtcGxlLCBmdWxsIENSTHMgYXJlIGlzc3VlZCBvbmNlIGV2ZXJ5IDMg aG91cnMgYW5kIGRlbHRhcyBhcmUgaXNzdWVkIG9uY2UgYW4gaG91ci4gRm9yIGNvbnNpc3RlbmN5 LCB0aGUgaXNzdWVyIGJlZ2lucyBpc3N1aW5nIGRlbHRhcyBhdCB0aGUgc2FtZSB0aW1lIGFzIHRo ZSB2ZXJ5IGZpcnN0IGZ1bGwgQ1JMLiBOb3RpY2UgdGhhdCBzdGFydGluZyB3aXRoIGNSTE51bWJl ciA3LCB0aGUgZGVsdGEgQ1JMIGlzc3VlZCBhdCB0aGUgc2FtZSB0aW1lIGFzIGEgZnVsbCBDUkwg ZG9lcyBub3QgdXNlIHRoZSBwcmV2aW91c2x5IGlzc3VlZCBmdWxsIENSTCBhcyBpdHMgYmFzZSBi dXQgdGhlIHByZWNlZGluZyBDUkwgaW5zdGVhZC4gIEhvd2V2ZXIsIHRoZXNlIGRlbHRhLUNSTHMg bmV2ZXIgcHJvdmlkZSBtb3JlIHRoYW4gNiBob3VycyBvZiBoaXN0b3J5Lg0NQXMgaW4gZXhhbXBs ZSAjMToNQ2VydGlmaWNhdGUgMTQgd2FzIHJldm9rZWQgZm9yIGtleSBjb21wcm9taXNlIGJlZm9y ZSAxMjowMCB3aGVuIHRoZSBmaXJzdCBDUkwgd2FzIGlzc3VlZC4NQ2VydGlmaWNhdGUgMTI0IHdh cyByZXZva2VkIGZvciBrZXkgY29tcHJvbWlzZSBiZXR3ZWVuIDEyOjAwIGFuZCAxMzowMC4NQ2Vy dGlmaWNhdGUgMzkgd2FzIHBsYWNlZCBvbiBob2xkIGJldHdlZW4gMTQ6MDAgYW5kIDE1OjAwLCBh bmQgaXRzIHN1c3BlbnNpb24gd2FzIGxpZnRlZCBiZXR3ZWVuIDE2OjAwIGFuZCAxNzowMC4NQ2Vy dGlmaWNhdGUgNjcgd2FzIHJldm9rZWQgZm9yIGFuIGFmZmlsaWF0aW9uIGNoYW5nZSBiZXR3ZWVu IDE2MTU6MDAgYW5kIDE3MTY6MDAuICBUaGUgcmVhc29uIHdhcyBjaGFuZ2VkIHRvIGtleSBjb21w cm9taXNlIGJldHdlZW4gMTg2OjAwIGFuZCAxOTc6MDAuIHt7eyBBZ2FpbiwgdGhlc2UgY2Fubm90 IGhhdmUgdGhlIHNhbWUgdGltZSBzcGFuISB9fX0NDQ1jdXJyZW50IHRpbWUgICAgIAdSZXZva2Vk IGNlcnRpZmljYXRlcwdGdWxsIENSTAdEZWx0YS1DUkwHBzEyOjAwB3sxNGt9ICAgICAgICAgICAg B2NSTE51bWJlciA9IDEgICAgICAgICAgICAgICAgICAgdGhpc1VwZGF0ZSA9IDEyOjAwICAgICAg ICAgICAgICBuZXh0VXBkYXRlID0gMTU6MDAgICAgICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9 IHsxNGt9B2NSTE51bWJlciA9IDEgICAgICAgICAgICAgICAgICAgdGhpc1VwZGF0ZSA9IDEyOjAw DW5leHRVcGRhdGUgPSAxMzowMCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VDUkxOdW1iZXIgPSAxDUNlcnRpZmljYXRlTGlz dCA9IHt9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg BwcxMzowMAd7MTRrLCAxMjRrfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg IAcHY1JMTnVtYmVyID0gMiAgICAgICAgICAgICAgICAgICB0aGlzVXBkYXRlID0gMTM6MDANbmV4 dFVwZGF0ZSA9IDE0OjAwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgQmFzZUNSTE51bWJlciA9IDENQ2VydGlmaWNhdGVMaXN0ID0g ezEyNGt9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg BwcxNDowMAd7MTRrLCAxMjRrfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg IAcHY1JMTnVtYmVyID0gMyAgICAgICAgICAgICAgICAgICB0aGlzVXBkYXRlID0gMTQ6MDANbmV4 dFVwZGF0ZSA9IDE1OjAwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgQmFzZUNSTE51bWJlciA9IDENQ2VydGlmaWNhdGVMaXN0ID0g ezEyNGt9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg BwcxNTowMAd7MTRrLCAxMjRrLCAzOWh9ICAgB2NSTE51bWJlciA9IDQgICAgICAgICAgICAgICAg ICAgdGhpc1VwZGF0ZSA9IDE1OjAwICAgICAgICAgICAgICBuZXh0VXBkYXRlID0gMTg6MDAgICAg ICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9IHsxNGssIDEyNGssIDM5aH0HY1JMTnVtYmVyID0g NA10aGlzVXBkYXRlID0gMTU2OjAwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICBuZXh0VXBkYXRlID0gMTY3OjAwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIEJhc2VDUkxOdW1iZXIgPSAxICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9IHsxMjRrLCAzOWh9BwcxNjowMAd7MTRr LCAxMjRrLCAzOWgsIDY3YX0gICAHB2NSTE51bWJlciA9IDUNdGhpc1VwZGF0ZSA9IDE2OjAwICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuZXh0VXBkYXRlID0gMTc6 MDAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmFzZUNSTE51bWJl ciA9IDEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2VydGlmaWNh dGVMaXN0ID0gezEyNGssIDM5aCwgNjdhfQcHMTc6MDAHezE0aywgMTI0aywgNjdhfSAgIAcHY1JM TnVtYmVyID0gNg10aGlzVXBkYXRlID0gMTc6MDAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIG5leHRVcGRhdGUgPSAxODowMCAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBCYXNlQ1JMTnVtYmVyID0gMSAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICBDZXJ0aWZpY2F0ZUxpc3QgPSB7MTI0aywgMzlyLCA2N2F9 BwcxODowMAd7MTRrLCAxMjRrLCA2N2F9ICAgB2NSTE51bWJlciA9IDcgICAgICAgICAgICAgICAg ICAgdGhpc1VwZGF0ZSA9IDE4OjAwICAgICAgICAgICAgICBuZXh0VXBkYXRlID0gMjE6MDAgICAg ICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9IHsxNGssIDEyNGssIDY3YX0HY1JMTnVtYmVyID0g Nw10aGlzVXBkYXRlID0gMTg6MDAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIG5leHRVcGRhdGUgPSAxOTowMCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICBCYXNlQ1JMTnVtYmVyID0gMSAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICBDZXJ0aWZpY2F0ZUxpc3QgPSB7MTI0aywgMzlyLCA2N2F9BwcxOTowMAd7 MTRrLCAxMjRrLCA2N2t9ICAgBwdjUkxOdW1iZXIgPSA4DXRoaXNVcGRhdGUgPSAxOTowMCAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbmV4dFVwZGF0ZSA9IDIwOjAw ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VDUkxOdW1iZXIg PSA0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENlcnRpZmljYXRl TGlzdCA9IHszOXIsIDY3a30HBw1Ob3RlIHRoYXQgdGhlIGRlbHRhIENSTHMgYXJlIG1hcmdpbmFs bHkgbGFyZ2VyIHRoYW4gaW4gdGhlIGZpcnN0IHNjZW5hcmlvIHNpbmNlIHRoZXkgY292ZXIgYSBs b25nZXIgdGltZSBwZXJpb2QuICBPbiB0aGUgb3RoZXIgaGFuZCwgYSByZWx5aW5nIHBhcnR5IGlz IGxlc3MgbGlrZWx5IHRvIGRvd25sb2FkIGZ1bGwgQ1JMcyBpbiB0aGUgc2Vjb25kIHNjZW5hcmlv Lg0NRm9yIGV4YW1wbGUsIGEgcmVseWluZyBwYXJ0eSB0aGF0IHZhbGlkYXRlZCBvbmUgY2VydGlm aWNhdGUgYXQgMTI6MTUsIHRoZW4gYSBzZWNvbmQgY2VydGlmaWNhdGUgYXQgMTY6MTUgd291bGQg bm90IHJlcXVpcmUgYSBuZXcgZnVsbCBDUkwgaW4gc2NlbmFyaW8gIzIuICBJbiBzY2VuYXJpbyAj MSwgdGhlIHJlbHlpbmcgcGFydHkgd291bGQgYmUgZm9yY2VkIHRvIG9idGFpbiBib3RoIGZ1bGwg Q1JMIDQgYW5kIGRlbHRhIENSTCA1Lg0NU2NlbmFyaW8gIzMgQWxsb3dpbmcgZm9yIFJlcGxpY2F0 aW9uL1Byb3BhZ2F0aW9uIERlbGF5cw0NSW4gdGhpcyBzY2VuYXJpbywgZnVsbCBDUkxzIGFuZCBk ZWx0YSBDUkxzIGFyZSByZXBsaWNhdGVkIHRocm91Z2hvdXQgYSByZXBvc2l0b3J5IHN5c3RlbS4g IERhdGEgaXMgcmVwbGljYXRlZCB0aHJvdWdoIHRoZSBzeXN0ZW0gYXQgZGlmZmVyZW50IHJhdGVz IGJhc2VkIG9uIHRoZSBzaXplIG9mIHRoZSBmaWxlLiAgVGhlIENBIG9wZXJhdG9ycyBlc3RpbWF0 ZSB0aGF0IGZ1bGwgQ1JMcyB3aWxsIGJlIGF2YWlsYWJsZSB0aHJvdWdob3V0IHRoZSBzeXN0ZW0g d2l0aGluIHRocmVlIGhvdXJzLiAgRGVsdGEgQ1JMcyB3aWxsIGJlIGF2YWlsYWJsZSB3aXRoaW4g MTUgbWludXRlcy4gIChBc3N1bWUgdGhlIGluaXRpYWwgQ1JMIGlzIHNtYWxsIGFuZCB3aWxsIHBy b3BhZ2F0ZSBhcyBpZiBhIGRlbHRhIENSTCB0byByZXNvbHZlIHRoZSBib290c3RyYXAgaXNzdWVz LikNDVRoZSBleGFtcGxlIGJlbG93IHVzZXMgdGhlICJzbGlkaW5nIHdpbmRvdyIgbWV0aG9kIG9m IGlzc3VpbmcgZGVsdGEtQ1JMcywgYnV0IG92ZXJsYXBzIHRoZSB0aGlzVXVwZGF0ZSBhbmQgbmV4 dFV1cGRhdGUgdGltZXMgdG8gYWxsb3cgZm9yIHByb3BhZ2F0aW9uLi4gSW4gdGhpcyBleGFtcGxl LCBmdWxsIENSTHMgYXJlIGlzc3VlZCBvbmNlIGV2ZXJ5IDMgaG91cnMgYW5kIGRlbHRhcyBhcmUg aXNzdWVkIG9uY2UgYW4gaG91cmV2ZXJ5IDQ1IG1pbnV0ZXMuIEZvciBjb25zaXN0ZW5jeSwgdGhl IGlzc3VlciBiZWdpbnMgaXNzdWluZyBkZWx0YXMgYXQgdGhlIHNhbWUgdGltZSBhcyB0aGUgdmVy eSBmaXJzdCBmdWxsIENSTC4gTm90aWNlIHRoYXQgc3RhcnRpbmcgd2l0aCBjUkxOdW1iZXIgNywg dGhlIGRlbHRhIENSTCBpc3N1ZWQgYXQgdGhlIHNhbWUgdGltZSBhcyBhIGZ1bGwgQ1JMIGRvZXMg bm90IHVzZSB0aGUgcHJldmlvdXNseSBpc3N1ZWQgZnVsbCBDUkwgYXMgaXRzIGJhc2UgYnV0IHRo ZSBwcmVjZWRpbmcgQ1JMIGluc3RlYWQuICBIb3dldmVyLCB0aGVzZSBkZWx0YS1DUkxzIG5ldmVy IHByb3ZpZGUgbW9yZSB0aGFuIDYgaG91cnMgb2YgaGlzdG9yeS4NDUFzIGluU2ltaWxhcmx5IHRv IGV4YW1wbGVzICMxIGFuZCAjMjoNQ2VydGlmaWNhdGUgMTQgd2FzIHJldm9rZWQgZm9yIGtleSBj b21wcm9taXNlIGJlZm9yZSAxMjowMCB3aGVuIHRoZSBmaXJzdCBDUkwgd2FzIGlzc3VlZC4NQ2Vy dGlmaWNhdGUgMTI0IHdhcyByZXZva2VkIGZvciBrZXkgY29tcHJvbWlzZSBiZXR3ZWVuIDEyOjAw IGFuZCAxMzowMDEyOjQ1Lg1DZXJ0aWZpY2F0ZSAzOSB3YXMgcGxhY2VkIG9uIGhvbGQgYmV0d2Vl biAxNDowMCAxNSBhbmQgMTU6MDAsIGFuZCBpdHMgc3VzcGVuc2lvbiB3YXMgbGlmdGVkIGJldHdl ZW4gMTYxNTowMCA0NSBhbmQgMTc6MDAxNjozMC4NQ2VydGlmaWNhdGUgNjcgd2FzIHJldm9rZWQg Zm9yIGFuIGFmZmlsaWF0aW9uIGNoYW5nZSBiZXR3ZWVuIDE2OjAwIDE1OjAwIGFuZCAxNzowMDE1 OjQ1LiAgVGhlIHJlYXNvbiB3YXMgY2hhbmdlZCB0byBrZXkgY29tcHJvbWlzZSBiZXR3ZWVuIDE4 NjowMCBhbmQgMTc6MDAxODo0NS4gIHt7eyBDYW5ub3QgaGF2ZSBzYW1lIHRpbWUgc3BhbiEgfX19 DQ1jdXJyZW50IHRpbWUgICAgIAdSZXZva2VkIGNlcnRpZmljYXRlcwdGdWxsIENSTAdEZWx0YS1D UkwHBzEyOjAwB3sxNGt9ICAgICAgICAgICAgB2NSTE51bWJlciA9IDEgICAgICAgICAgICAgICAg ICAgdGhpc1VwZGF0ZSA9IDEyOjAwICAgICAgICAgICAgICBuZXh0VXBkYXRlID0gMTg6MDAgICAg ICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9IHsxNGt9B2NSTE51bWJlciA9IDEgICAgICAgICAg ICAgICAgICAgdGhpc1VwZGF0ZSA9IDEyOjAwDW5leHRVcGRhdGUgPSAxMzoxNSAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDAwICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgQmFzZUNSTE51bWJlciA9IDENQ2VydGlmaWNhdGVMaXN0ID0ge30gICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAHBzEzOjAwMTI6NDUHezE0aywgMTI0 a30gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAHB2NSTE51bWJlciA9IDIg ICAgICAgICAgICAgICAgICAgdGhpc1VwZGF0ZSA9IDEzOjAwMTI6NDUNbmV4dFVwZGF0ZSA9IDE0 OjE1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgMTM6NDUNQmFzZUNSTE51bWJlciA9IDENQ2VydGlmaWNhdGVMaXN0ID0gezEyNGt9 ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgBwcxNDow MDEzOjMwB3sxNGssIDEyNGt9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg BwdjUkxOdW1iZXIgPSAzICAgICAgICAgICAgICAgICAgIHRoaXNVcGRhdGUgPSAxNDowMDEzOjMw DW5leHRVcGRhdGUgPSAxNDU6MTUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAzMCAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VDUkxOdW1iZXIgPSAxDUNlcnRp ZmljYXRlTGlzdCA9IHsxMjRrfSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIAcHMTQ6MTUHezE0aywgMTI0a30gICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAHB2NSTE51bWJlciA9IDQgICAgICAgICAgICAgICAgICAgdGhpc1VwZGF0 ZSA9IDE0OjE1DW5leHRVcGRhdGUgPSAxNToxNSAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VDUkxOdW1iZXIgPSAxDUNlcnRp ZmljYXRlTGlzdCA9DXsxMjRrfQcHMTU6MDAHezE0aywgMTI0aywgMzlofSAgIAdjUkxOdW1iZXIg PSA0ICAgICAgICAgICAgICAgICAgIDUgICAgICAgICAgICAgICAgICAgdGhpc1VwZGF0ZSA9IDE1 OjAwICAgICAgICAgICAgICBuZXh0VXBkYXRlID0gMjE6MDAgICAgICAgICAgICAgIENlcnRpZmlj YXRlTGlzdCA9IHsxNGssIDEyNGssIDM5aH0HY1JMTnVtYmVyID0gNDUNdGhpc1VwZGF0ZSA9IDE1 NjowMCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbmV4dFVwZGF0 ZSA9IDE3MTY6MTUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgMDAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmFzZUNSTE51bWJlciA9 IDEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2VydGlmaWNhdGVM aXN0ID0gezEyNGssIDM5aH0HBzE2OjAwMTU6NDUHezE0aywgMTI0aywgMzloLCA2N2F9ICAgBwdj UkxOdW1iZXIgPSA1Ng10aGlzVXBkYXRlID0gMTY6MDAxNTo0NSAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgbmV4dFVwZGF0ZSA9IDE2OjQ3OjE1ICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VDUkxOdW1iZXIgPSAxICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9IHsxMjRr LCAzOWgsIDY3YX0HBzE3OjAwMTY6MzAHezE0aywgMTI0aywgNjdhfSAgIAcHY1JMTnVtYmVyID0g NjcNdGhpc1VwZGF0ZSA9IDE2OjM3OjAwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICBuZXh0VXBkYXRlID0gMTg6MTUxNzozMCAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBCYXNlQ1JMTnVtYmVyID0gMSAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICBDZXJ0aWZpY2F0ZUxpc3QgPSB7MTI0aywgMzlyLCA2N2F9 BwcxNzoxNQd7MTRrLCAxMjRrLCA2N2F9ICAgBwdjUkxOdW1iZXIgPSA4DXRoaXNVcGRhdGUgPSAx NzoxNSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbmV4dFVwZGF0 ZSA9IDE4OjE1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VD UkxOdW1iZXIgPSAxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENl cnRpZmljYXRlTGlzdCA9IHsxMjRrLCAzOXIsIDY3YX0HBzE4OjAwB3sxNGssIDEyNGssIDY3YX0g ICAHY1JMTnVtYmVyID0gNyAgICAgICAgICAgICAgICAgICA5ICAgICAgICAgICAgICAgICAgIHRo aXNVcGRhdGUgPSAxODowMCAgICAgICAgICAgICAgbmV4dFVwZGF0ZSA9IDI0OjAwICAgICAgICAg ICAgICBDZXJ0aWZpY2F0ZUxpc3QgPSB7MTRrLCAxMjRrLCA2N2F9B2NSTE51bWJlciA9IDc5DXRo aXNVcGRhdGUgPSAxODowMCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgbmV4dFVwZGF0ZSA9IDE5OjE1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIDAwICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJhc2VD UkxOdW1iZXIgPSAxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDUg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2VydGlmaWNhdGVMaXN0 ID0gezEyNGssIDM5ciwgNjdhfQcHMTkxODowMDQ1B3sxNGssIDEyNGssIDY3a30gICAHB2NSTE51 bWJlciA9IDgxMA10aGlzVXBkYXRlID0gMTg6NDU5OjAwICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBuZXh0VXBkYXRlID0gMjA6MTUxOTo0NSAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCYXNlQ1JMTnVtYmVyID0gNCAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA1ICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIENlcnRpZmljYXRlTGlzdCA9IHszOXIsIDY3a30HBw1EZWx0YSBD UkwgbnVtYmVyIDYgaXMgaXNzdWVkIGF0IDE3OjAwMTU6NDUuICBCeSAxNjowMDc6MTUsIGRlbHRh IENSTCBudW1iZXIgNiBzaG91bGQgYmUgYXZhaWxhYmxlIHRocm91Z2hvdXQgdGhlIHN5c3RlbS4g IEFzIGEgcmVzdWx0LCBkZWx0YSBDUkwgbnVtYmVyIDUgc3BlY2lmaWVkIDE3OjE1MTY6MDAgYXMg aXRzIG5leHRVcGRhdGUgdGltZS4NDUhvd2V2ZXIsIEZ1bGwgZnVsbCBDUkwgQ1JMIG51bWJlciA0 IDUgd2FzIGlzc3VlZCBhdCAxNTowMCBhbmQgbWF5IG5vdCBiZSBhdmFpbGFibGUgdGhyb3VnaG91 dCB0aGUgc3lzdGVtIHVudGlsIDE4OjAwLiAgQXMgYSByZXN1bHQsIGRlbHRhIENSTCBudW1iZXIg NiBtdXN0IGJlIGJhc2VkIG9uIEZ1bGwgZnVsbCBDUkwgbnVtYmVyIDEgd2hpY2ggd2FzIGlzc3Vl ZCBhdCAxMjowMC4NDUlmIHRoZSByZWx5aW5nIHBhcnR5IGZpbmRzIEZ1bGwgZnVsbCBDUkwgbnVt YmVyIDQgNSBpbiB0aGUgcmVwb3NpdG9yeSwgdGhleSBtYXkgc3RpbGwgYXBwbHkgZGVsdGEgQ1JM IG51bWJlciA2IGFuZCBhY2hpZXZlIHRoZSBjb3JyZWN0IGFuc3dlci4NDUZpbmFsbHksIG5vdGUg dGhhdCBhIENSTCBpc3N1ZXIgbXVzdCBnZW5lcmF0ZSBtb3JlIENSTHMgdG8gYWNoaWV2ZSB0aGUg Z29hbCBvZiBzdGF0dXMgaW5mb3JtYXRpb24gdGhhdCBpcyBubyBtb3JlIHRoYW4gb25lIGhvdXIg b2xkIHdoZW4gZmFjdG9yaW5nIGluIHRoZSBwcm9wYWdhdGlvbiBkZWxheXMuDQ0NAiBBIHJldm9j YXRpb24gbm90aWNlIG1heSBvcHRpb25hbGx5IHNwZWNpZnkgaW4gdGhlIGludmFsaWRpdHkgZGF0 ZSBleHRlbnNpb24gdGhlIGRhdGUgYXQgZnJvbSB3aGljaCB0aGUgY2VydGlmaWNhdGUgc2hvdWxk IGJlIGNvbnNpZGVyZWQgaW52YWxpZCBpbiB0aGUgaW52YWxpZGl0eSBkYXRlIGV4dGVuc2lvbiwg YXMgd2VsbC4gIFRoaXMgZGF0ZSBtYXkgcHJlY2VkZSB0aGUgYWN0dWFsIHJldm9jYXRpb24gZGF0 ZS4gIFRoZSBpbnZhbGlkdHlpbnZhbGlkaXR5IGRhdGUgZXh0ZW5zaW9uIGRvZXMgbm90IGZlYXR1 cmUgaW4gdGhpcyBkaXNjdXNzaW9uLCBzbyBpdCBpcyBub3QgY29uc2lkZXJlZCBmdXJ0aGVyIGlu IHRoaXMgcGFwZXIuDQ0NAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAQAAAEEAACXBAAAoQQAAPgEAAD9BAAAAgUAAPoHAAAMCAAAGQkAACQJAAA5CQAAOgkA ANYJAADkCQAA5QkAAB0KAAAeCgAAIQoAACQKAAAlCgAAMAoAADEKAACMCgAAjQoAAJwKAACjCgAA tAoAAEoLAABfCwAAaQsAAHILAABqDAAAyg0AAMsNAAAhDgAAJg4AACgOAAAqDgAAKw4AADUOAABB DgAATQ4AAGoOAAB0DgAAfQ4AAEYPAAD4APEA6vEA6ADoAOEA2tMAzADFzADMAMwA09oAvrCpvqIA m42bjZuNmwCGeKmGAAAAAAAAGgAIgQEIgQRIAgAFaARDVUZjSAQAZGhrRFVGAA0BCIEESAIABWgE Q1VGGgAIgQEIgQRIAgAFaANDVUZjSAMAZGjPQ1VGAA0BCIEESAIABWgDQ1VGDQAIgWNIAgBkaABD VUYNAQiBBEgEAAVoa0RVRhoACIEBCIEESAIABWgAQ1VGY0gEAGRoa0RVRgANAQiBBEgCAAVoAENV Rg0BCIEESAMABWjMQ1VGDQAIgWNIAwBkaMxDVUYNAAiBY0gDAGRozUNVRg0BCIEESAMABWjNQ1VG DQNqAAAAADBKEgBVCAEDNgiBDQAIgWNIAgBkaPVCVUYNAQiBBEgCAAVo9UJVRg0BCIEESAEABWhA RFVGAC4ABAAADAQAAA0EAAAdBQAAHgUAAIsFAACMBQAAkgUAAJMFAAA1BgAANgYAANgGAADZBgAA OwkAADwJAACPCQAAkAkAAD8LAABACwAAyw0AAMwNAAD9AAAAAAAAAAAAAAAA+wAAAAAAAAAAAAAA APsAAAAAAAAAAAAAAAD7AAAAAAAAAAAAAAAA+wAAAAAAAAAAAAAAAPsAAAAAAAAAAAAAAAD5AAAA AAAAAAAAAAAA+wAAAAAAAAAAAAAAAPsAAAAAAAAAAAAAAAD7AAAAAAAAAAAAAAAA+wAAAAAAAAAA AAAAAPsAAAAAAAAAAAAAAAD7AAAAAAAAAAAAAAAA+wAAAAAAAAAAAAAAAPsAAAAAAAAAAAAAAAD7 AAAAAAAAAAAAAAAA+wAAAAAAAAAAAAAAAPsAAAAAAAAAAAAAAAD7AAAAAAAAAAAAAAAAtAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAQyQBRcaAAAACAANDVUYAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQMAAAEAAAAB DwAAFAAEAADwYQAAXWMAAP7+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC AQECzA0AAEEOAABCDgAA8w8AAPQPAABpEAAAahAAAKkQAACqEAAAuBAAALkQAACFEgAAhhIAAPMT AAD0EwAAChUAAAsVAADbFgAA3BYAACMXAAAkFwAA7xgAALoAAAAAAAAAAAAAAAC4AAAAAAAAAAAA AAAAuAAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAuAAAAAAAAAAAAAAAALgA AAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAtgAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAA AAAAAAAAuAAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAuAAAAAAAAAAAAAAA ALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAuAAAAAAAAAAAAAAAALYAAAAAAAAAAAAAAAC4AAAA AAAAAAAAAAAAuAAAAAAAAAAAAAAAAAAAAAABAQAAAQAAAEQAAEMkAUXGgAAAAgADQ1VGAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ABVGDwAA8w8AAGoQAACoEAAAyhAAANAQAAD1EAAA+xAAAA4RAAATEQAAHREAACYRAAAoEQAANhEA ADcRAABhEQAAmBEAAJwRAACdEQAAtxEAAL0RAADGEQAA0BEAANcRAADcEQAA6BEAAO0RAADyEQAA BRIAAAYSAAAKEgAAEhIAABUSAAAWEgAAGxIAACUSAAApEgAALBIAAC4SAAD48fgA6uPc1c7A1cDV sqOUo9UA1dwA3I0AjYYAeADOcQDOeM6NYwAAAAAaAAiBAQiBBEgCAAVoBkNVRmNIBABkaFBEVUYA DQEIgQRIAgAFaAVDVUYaAAiBAQiBBEgCAAVoBUNVRmNIBABkaFBEVUYADQEIgQRIBAAFaFBEVUYN AAiBY0gEAGRoUERVRh0ACIEBCIEESAMABWjRQ1VGDCoHY0gEAGRoT0RVRh0ACIEBCIEESAMABWjQ Q1VGDCoHY0gEAGRoT0RVRhoACIEBCIEESAMABWjQQ1VGY0gEAGRoT0RVRgAaAAiBAQiBBEgCAAVo BUNVRmNIBABkaE9EVUYADQAIgWNIAgBkaAVDVUYNAAiBY0gEAGRoT0RVRg0BCIEESAQABWhPRFVG DQEIgQRIBAAFaE5EVUYNAAiBY0gEAGRoTkRVRg0ACIFjSAIAZGgDQ1VGDQAIgWNIAgBkaARDVUYA Ji4SAAAwEgAAORIAAD0SAABBEgAAQhIAAEMSAABbEgAAZhIAAGgSAABwEgAAcRIAAHUSAAB6EgAA fRIAAIISAACDEgAAtBIAAL0SAAA0EwAANRMAAGITAABlEwAAaBMAAGwTAABuEwAAfBMAAH4TAACH EwAAjBMAAJATAACqEwAAxxMAAMwTAADREwAA7hMAAO8TAADwEwAA8hMAAPQTAAD1EwAA/xMAAA4U AAAVFAAAHxQAAE4UAAD48eoA3PHV3OrO6s7c6s7cAMcAwLmrx9Wdx4+Ij8ePx4iPxwDAgYjAegB6 wAAAAAAAAAAAAAAAAAAAAAANAAiBY0gEAGRoUkRVRg0BCIEESAIABWgHQ1VGDQAIgWNIAgBkaAdD VUYaAAiBAQiBBEgCAAVoB0NVRmNIBABkaFFEVUYAGgAIgQEIgQRIAgAFaAZDVUZjSAQAZGhRRFVG ABoACIEBCIEESAMABWjRQ1VGY0gEAGRoUURVRgANAQiBBEgDAAVo0UNVRg0BCIEESAQABWhSRFVG DQAIgWNIBABkaFFEVUYNAQiBBEgCAAVoBkNVRg0ACIFjSAIAZGgGQ1VGGgAIgQEIgQRIAgAFaAZD VUZjSAQAZGhQRFVGAA0BCIEESAQABWhQRFVGDQAIgWNIBABkaFBEVUYNAAiBY0gCAGRoBUNVRgAt ThQAAFgUAABZFAAAjhQAAAgVAAAbFQAAIhUAACwVAABHFQAASxUAAFgVAABsFQAAcBUAAH0VAACf FgAAoBYAAAUXAAAKFwAADxcAACMXAAAkFwAALxcAADgXAAA9FwAAQhcAAEMXAABEFwAAWhcAAFwX AACdFwAAoxcAAKUXAACqFwAArRcAALMXAAC1FwAAthcAALgXAADeFwAA6xcAAO0XAADvFwAA/RcA ABMYAAD48QDqAOPcANXOANXOAMcAwLkAtwCwqQDAuQCilI2GAH8AeLl/AHjAuQBxAAAAAAAAAA0B CIEESAMABWjWQ1VGDQEIgQRIAwAFaNVDVUYNAAiBY0gDAGRo1UNVRg0ACIFjSAMAZGjUQ1VGDQEI gQRIAwAFaNRDVUYaAAiBAQiBBEgDAAVo1ENVRmNIBABkaFdEVUYADQEIgQRIBAAFaFdEVUYNAQiB BEgCAAVoIUNVRg0ACIFjSAIAZGghQ1VGAzUIgQ0BCIEESAQABWhiRFVGDQAIgWNIBABkaGJEVUYN AAiBY0gDAGRo00NVRg0BCIEESAMABWjSQ1VGDQAIgWNIAwBkaNJDVUYNAQiBBEgEAAVoVERVRg0A CIFjSAQAZGhURFVGDQEIgQRIBAAFaFFEVUYNAQiBBEgEAAVoU0RVRg0ACIFjSAQAZGhTRFVGACsT GAAAFBgAABUYAAAvGAAAOxgAAEQYAABJGAAAgBgAAIEYAACDGAAAiBgAAJcYAACYGAAAmRgAALsY AADAGAAAxRgAAO4YAADvGAAA8BgAAPEYAAAAGgAAFxoAABwaAAAlGgAALxoAADMaAABEGgAAvBoA AL4aAADBGgAAwxoAAMQaAAAJGwAACxsAAAwbAAANGwAAgRsAAIobAADy6+Td1sjdAMEA3bqzAKyl ALqeALoAl5AAkACzgrOCe7OXdG0AZgAAAAAAAAAAAAANAAiBY0gCAGRoIUNVRg0BCIEESAQABWhm RFVGDQAIgWNIBABkaGZEVUYNAAiBY0gCAGRoHUNVRhoACIEBCIEESAIABWgdQ1VGY0gEAGRoYkRV RgANAQiBBEgEAAVoZURVRg0ACIFjSAQAZGhlRFVGDQAIgWNIAgBkaAhDVUYNAQiBBEgEAAVoaURV Rg0ACIFjSAQAZGhpRFVGDQAIgWNIBABkaGJEVUYNAQiBBEgEAAVoYkRVRg0BCIEESAMABWjXQ1VG GgAIgQEIgQRIAgAFaBxDVUZjSAMAZGjXQ1VGAA0ACIFjSAIAZGgcQ1VGDQAIgWNIAwBkaNdDVUYN AQiBBEgDAAVo1kNVRg0BCIEESAQABWhjRFVGGgAIgQEIgQRIAwAFaNZDVUZjSAQAZGhjRFVGJu8Y AADxGAAAABoAAAEaAABDGgAARBoAAAobAAALGwAAURsAAFIbAADvGwAAugAAAAAAAAAAAAAAALgA AAAAAAAAAAAAAAC6AAAAAAAAAAAAAAAAswAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAA AAAAAAAAuAAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAbAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABGAAAKJgALRgEARcaA AQACAPVCVUYCAAAAAAAAAAAABAIABAIABAIAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAMAKAAAACkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAABAIAAyQBYSQBAAEAAABEAABDJAFFxoAAAAQAYkRVRgAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKihsA AI8bAABKHAAAUxwAAFgcAABcHAAAXRwAAF8cAAB3HAAAgxwAAI8cAACWHAAAmxwAAKQcAACoHAAA qxwAAKwcAACwHAAAtBwAALUcAADgHAAA5RwAAOocAADvHAAA8xwAABgdAAAbHQAAIh0AAGEdAACa HQAAnB0AAJ4dAAC7HQAAUB4AAFEeAABaHgAAWx4AAHUeAACzHgAAth4AALkeAADSHgAAAh8AAAcf AAD4APH4APEA7+bd7+bd793m793vANbPAMgAwcgAuqzPuqUAnpeQicF7iQB0AAAAAAAAAAAAAAAA AA0ACIFjSAQAZGhrRFVGGgAIgQEIgQRIAgAFaCJDVUZjSAMAZGjaQ1VGAA0ACIFjSAMAZGjaQ1VG DQEIgQRIAwAFaNtDVUYNAQiBBEgDAAVo3ENVRg0BCIEESAMABWjiQ1VGDQAIgWNIAwBkaNtDVUYa AAiBAQiBBEgDAAVo2kNVRmNIBABkaGpEVUYADQEIgQRIAwAFaNpDVUYNAAiBY0gCAGRoIkNVRg0B CIEESAIABWgiQ1VGDQEIgQRIBAAFaGpEVUYNAAiBY0gEAGRoakRVRhABCIEESAQABWhpRFVGNgiB ABAACIE2CIFjSAQAZGhpRFVGAAM2CIENAAiBY0gCAGRoIUNVRg0BCIEESAIABWghQ1VGACvvGwAA XhwAAF8cAAC1HAAAthwAADkdAAA6HQAAYR0AALgAAAAAAAAAAAAAAAC2AAAAAAAAAAAAAAAAsQAA AAAAAAAAAAAAALYAAAAAAAAAAAAAAAC2AAAAAAAAAAAAAAAAtgAAAAAAAAAAAAAAAGoAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABGAAAKJgALRgQARcaAAQACAPVC VUYCAAAAAAAAAAAABAIABAIABAIAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAMAKAAAACkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAABAAAAyQBYSQBAAEAAABGAAAKJgALRgEARcaAAQACAPVCVUYCAAAAAAAAAAAABAIA BAIABAIAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAKAAAACkAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB2EdAABR HgAA0x4AADofAAC4AAAAAAAAAAAAAAAAcQAAAAAAAAAAAAAAACoAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAABGAAAKJgALRgQARcaAAQACAPVCVUYCAAAAAAAAAAAABAIA BAIABAIAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAKAAAACkAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARgAACiYB C0YEAEXGgAEAAgD1QlVGAQAAAAAAAAAAAAQCAAQCAAQCAAABAAAAAgAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAACAAEALgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAEYAAAomAQtGBABFxoABAAIA9UJVRgEAAAAAAAAAAAAEAgAE AgAEAgAAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgABAC4AAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADBx8AAAwf AABQHwAAVR8AAFofAACMHwAAkR8AAJYfAACzHwAAvx8AAMQfAADNHwAA1h8AANofAADyHwAAIiAA ADEgAAA+IAAAXyAAAGAgAABhIAAAiCAAAIkgAACKIAAAQSEAAEIhAADIIQAAySEAAMohAAAcIgAA ZyIAAGoiAABrIgAAkyIAAJUiAAB7IwAAniMAAMojAADMIwAA9yMAAPgjAAAFJAAAGiQAAFAkAABg JAAAYSQAAGYkAAB1JAAAdiQAAHckAAB7JAAAfCQAAH4kAAD4APH4APH4AO/m3e/U7wDNxgC/uAC/ uAC2AL+4AK8ArwCoAKEAmgC2AJOMAIWaALaTAJMAAAANAQiBBEgEAAVobURVRg0BCIEESAIABWgm Q1VGDQAIgWNIAgBkaCZDVUYNAAiBY0gEAGRobURVRg0BCIEESAMABWjoQ1VGDQAIgWNIBABkaGxE VUYNAAiBY0gCAGRoJENVRgNIKgINAQiBBEgEAAVoZ0RVRg0ACIFjSAQAZGhnRFVGDQEIgQRIAwAF aOZDVUYNAAiBY0gDAGRo5kNVRhABCIEESAQABWhsRFVGNgiBABABCIEESAQABWhrRFVGNgiBABAA CIE2CIFjSAQAZGhrRFVGAAM2CIENAAiBY0gEAGRoa0RVRg0BCIEESAQABWhrRFVGADQ6HwAAch8A ALIfAACzHwAA8h8AAPMfAABAIAAAQSAAAAIhAAADIQAAnSEAAJ4hAAAbIgAAuAAAAAAAAAAAAAAA AHEAAAAAAAAAAAAAAABvAAAAAAAAAAAAAAAAagAAAAAAAAAAAAAAAG8AAAAAAAAAAAAAAABvAAAA AAAAAAAAAAAAbwAAAAAAAAAAAAAAAG8AAAAAAAAAAAAAAABvAAAAAAAAAAAAAAAAbwAAAAAAAAAA AAAAAG8AAAAAAAAAAAAAAABvAAAAAAAAAAAAAAAAAAAAAAAEAAADJAFhJAEAAQAAAEYAAAomAQtG BABFxoABAAIA9UJVRgEAAAAAAAAAAAAEAgAEAgAEAgAAAgAAAAIAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAgABAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAABGAAAKJgELRgQARcaAAQACAPVCVUYBAAAAAAAAAAAABAIABAIA BAIAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAQAuAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADBsiAAAcIgAA ZyIAAMMiAAA5IwAAnyMAAAAkAAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAP0AAAAAAAAAAAAA AAC2AAAAAAAAAAAAAAAAbwAAAAAAAAAAAAAAAP0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABGAAAKJgALRgIARcaA AQACAPVCVUYCAAAAAAAAAAAEBAIABAIABAIAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAMAKAAAACkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAARgAACiYAC0YCAEXGgAEAAgD1QlVGAgAAAAAAAAAABAQCAAQCAAQCAAAB AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADACgAAAApAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAGACQAAHgkAABX JQAAWCUAANwmAADdJgAA3ycAAOAnAAASKAAAEygAAE8pAAC4AAAAAAAAAAAAAAAAcQAAAAAAAAAA AAAAAG8AAAAAAAAAAAAAAABvAAAAAAAAAAAAAAAAbwAAAAAAAAAAAAAAAG8AAAAAAAAAAAAAAABv AAAAAAAAAAAAAAAAbQAAAAAAAAAAAAAAAG8AAAAAAAAAAAAAAABvAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQMAAAEAAABGAAAKJgALRgMA RcaAAQACAPVCVUYCAAAAAAAAAAAEBAIABAIABAIAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAMAKAAAACkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAARgAACiYAC0YDAEXGgAEAAgD1QlVGAgAAAAAAAAAABAQCAAQCAAQC AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADACgAAAApAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAp+JAAAgiQAAKEk AADAJAAAwyQAAO4kAADvJAAA8CQAAPEkAADyJAAA9yQAAP4kAAAFJQAAJiUAACclAABVJQAAayUA AGwlAABtJQAAgCUAAIklAACOJQAAqyUAALQlAAC5JQAAvSUAAMslAADNJQAAzyUAANAlAAB9JgAA fiYAALAmAAC0JgAADycAABAnAABUJwAA3ScAABQoAABfKAAAkygAAKEoAACnKAAAqigAAKsoAAD4 KAAA+PHq8QDj3NUA487HAMDHALmyAM7HAKukAJ0AndwAzgCWAKsAjwCIgXoAgXoAAAAAAAAAAAAA AAAAAAAADQAIgWNIBABkaHBEVUYNAQiBBEgEAAVocERVRg0BCIEESAQABWhvRFVGDQEIgQRIBAAF aG5EVUYNAQiBBEgDAAVo6kNVRg0ACIFjSAMAZGjpQ1VGDQEIgQRIAgAFaChDVUYNAAiBY0gCAGRo KENVRg0BCIEESAQABWhnRFVGDQAIgWNIBABkaGdEVUYNSCoCV8oHAQIAJ0NVRg0BCIEESAIABWgn Q1VGDQAIgWNIAgBkaCdDVUYNAQiBBEgEAAVobURVRg0BCIEESAMABWjpQ1VGDQAIgWNIBABkaG1E VUYNAQiBBEgDAAVo6ENVRg0BCIEESAIABWgmQ1VGDQAIgWNIAgBkaCZDVUYALfgoAAD5KAAATikA AE8pAABQKQAAZioAAGgqAABpKgAAcCoAANAqAADeKgAA3yoAAOoqAADrKgAA7SoAAO4qAADxKgAA /CoAAP4qAAD/KgAACSsAABErAAAlKwAAUCsAAGQrAABmKwAAaisAAMgrAADJKwAAyisAABQtAAAW LQAAYy0AAGQtAABlLQAAsDAAALIwAAC0MAAAvDAAAL4wAADAMAAA+DAAAPkwAAD46eLbANTN1M3G v8a/xr/Gv9S/xr/Gv9S4qZqpmqmTAIyFAH53AH53AHAAAAAAAAAAAAAADQEIgQRIBAAFaGdEVUYN AQiBBEgEAAVoh0pVZg0ACIFjSAQAZGiHSlVmDQAIgWNIAgBkaClDVUYNAQiBBEgCAAVoKUNVRg0A CIFjSAQAZGh0RFVGHQAIgQEIgQRIAwAFaO1DVUYMKgdjSAQAZGh0RFVGHQAIgQEIgQRIAwAFaO5D VUYMKgdjSAQAZGh0RFVGDQEIgQRIAwAFaO1DVUYNAQiBBEgEAAVoc0RVRg0BCIEESAQABWhyRFVG DQEIgQRIBAAFaHFEVUYNAQiBBEgEAAVodERVRg0BCIEESAQABWhwRFVGDQAIgWNIBABkaHBEVUYd AAiBAQiBBEgDAAVo60NVRgwqB2NIBABkaHBEVUYNAQiBBEgDAAVo60NVRgAqTykAAFApAABRKQAA nCkAAN0pAABnKgAAugAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAuAAAAAAA AAAAAAAAAHUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQwAARcaA AAAEAHJEVUYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAAAEQAAEMkAUXGgAAABABwRFVGAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVnKgAAaCoAAGMrAABk KwAAZSsAAGYrAABqKwAAugAAAAAAAAAAAAAAALoAAAAAAAAAAAAAAAC6AAAAAAAAAAAAAAAAugAA AAAAAAAAAAAAAHUAAAAAAAAAAAAAAAB1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAAAQyQB RcaAAAADAO1DVUYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAARAAAQyQBRcaAAAAEAHREVUYAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABmorAADJKwAAyisAAOgr AAANLAAAMiwAAFcsAAB8LAAAoSwAAMYsAADrLAAAES0AABUtAAAWLQAAIS0AACItAABNLwAATi8A AF8vAAC5LwAAATAAAHMwAAC6AAAAAAAAAAAAAAAAugAAAAAAAAAAAAAAALoAAAAAAAAAAAAAAAC6 AAAAAAAAAAAAAAAAugAAAAAAAAAAAAAAALoAAAAAAAAAAAAAAAC6AAAAAAAAAAAAAAAAugAAAAAA AAAAAAAAALoAAAAAAAAAAAAAAAC6AAAAAAAAAAAAAAAAugAAAAAAAAAAAAAAALoAAAAAAAAAAAAA AAC4AAAAAAAAAAAAAAAAuAAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAuAAA AAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAAAAAAuAAAAAAAAAAAAAAAALgAAAAAAAAA AAAAAAAAAAAAAAAAAAEAAABEAABDJAFFxoAAAAMA7kNVRgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV+TAAAPowAAADMQAABDEA AAUxAAAIMQAACTEAADkxAAA6MQAASDEAAE0xAAB9MQAAjjEAAI8xAACoMQAArTEAAAYyAAAHMgAA 5DIAAOwyAAAeMwAAIDMAAAE0AAAJNAAAOzQAAD00AAAeNQAAJjUAADk1AAA6NQAAvDUAAL01AADZ NQAA2jUAANs1AAAYNgAAGTYAABo2AAChNgAAqTYAAME2AADDNgAAmzcAAKA3AACkNwAAyDcAANA3 AADjNwAA5TcAAMY4AADOOAAA4TgAAOI4AAD4APH4AOrb1ADNAM0AzcDNAM0AzQDNAM0AzQDNAM0A zbOmzbOmzQDNAM2ZzYQAzQDNAM0AKQAIgQEIgQRIAwAFaANEVUYMKgdDShIAT0oDAFFKAwBjSAQA ZGh1RFVGGQAIgUNKEgBPSgMAUUoDAGNIBABkaHVEVUYZAAiBQ0oSAE9KAwBRSgMAY0gBAGRoYVNV hhkBCIEESAEABWhhU1WGQ0oSAE9KAwBRSgMAGQAIgUNKEgBPSgMAUUoDAGNIAwBkaPBDVUYMQ0oS AE9KAwBRSgMAAA0BCIEESAQABWhoRFVGHQAIgQEIgQRIAwAFaAREVUYMKgdjSAQAZGhoRFVGDQAI gWNIBABkaGhEVUYNAQiBBEgEAAVoZ0RVRg0ACIFjSAQAZGhnRFVGADRzMAAAOzEAADwxAABOMQAA YzEAAGwxAAB2MQAAdzEAAH0xAACPMQAABzIAADoyAAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAA APcAAAAAAAAAAAAAAAD3AAAAAAAAAAAAAAAA9wAAAAAAAAAAAAAAAPcAAAAAAAAAAAAAAABnvAUA AAAAAAAAAAAA9wAAAAAAAAAAAAAAAPcAAAAAAAAAAAAAAAD3AAAAAAAAAAAAAAAA9wAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAACPAAAWJAEXJAFJZgEAAAAClmwABdYYBAEAAAQBAAAEAQAABAEA AAQBAAAEAQAACNZcAASU/ycJuhJOHOIlAAaTCQAAAAAAAAAAAAAAAAAAAAAABpMJAAAAAAAAAAAA AAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAT1jAAAAD/BAEA AAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAU9gEAABrWEAAAAP8AAAD/ AAAA/wAAAP8b1hAAAAD/AAAA/wAAAP8AAAD/HNYQAAAA/wAAAP8AAAD/AAAA/x3WEAAAAP8AAAD/ AAAA/wAAAP801gYAAQoDbABh9gMAAAYAABYkAUlmAQAAAAABAAAACzoyAACdMgAA5TIAAOYyAADs MgAAHzMAACAzAABTMwAAtjMAAAI0AAADNAAACTQAADw0AAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAA AAAAAGl0BAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5 AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAABpdAQAAAAAAAAAAAAA+QAAAAAA AAAAAAAAAPkAAAAAAAAAAAAAAAAAAACPAAAWJAEXJAFJZgEAAAAClmwABdYYBAEAAAQBAAAEAQAA BAEAAAQBAAAEAQAACNZcAASU/ycJuhJOHOIlAAaTCQAAAAAAAAAAAAAAAAAAAAAABpMJAAAAAAAA AAAAAAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAT1jAAAAD/ BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAU9gEAABrWEAAAAP8A AAD/AAAA/wAAAP8b1hAAAAD/AAAA/wAAAP8AAAD/HNYQAAAA/wAAAP8AAAD/AAAA/x3WEAAAAP8A AAD/AAAA/wAAAP801gYAAQoDbABh9gMAAAYAABYkAUlmAQAAAAAMPDQAAD00AABwNAAA0zQAAB81 AAAgNQAAJjUAADo1AAC9NQAAyzUAAKI2AACjNgAAqTYAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAA AAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAABpDAYAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkA AAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAABpnAQAAAAA AAAAAAAA+QAAAAAAAAAAAAAAAAAAAI8AABYkARckAUlmAQAAAAKWbAAF1hgEAQAABAEAAAQBAAAE AQAABAEAAAQBAAAI1lwABJT/Jwm6Ek4c4iUABpMJAAAAAAAAAAAAAAAAAAAAAAAGkwkAAAAAAAAA AAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAABpQJAAAAAAAAAAAAAAAAAAAAABPWMAAAAP8E AQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAABT2AQAAGtYQAAAA/wAA AP8AAAD/AAAA/xvWEAAAAP8AAAD/AAAA/wAAAP8c1hAAAAD/AAAA/wAAAP8AAAD/HdYQAAAA/wAA AP8AAAD/AAAA/zTWBgABCgNsAGH2AwAABgAAFiQBSWYBAAAAAAypNgAAwjYAAMM2AADRNgAAyTcA AMo3AADQNwAA5DcAAOU3AADzNwAAxzgAAMg4AADOOAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAA AAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAGn4AwAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAA AAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAGkABgAAAAAA AAAAAAD5AAAAAAAAAAAAAAAAAAAAjwAAFiQBFyQBSWYBAAAAApZsAAXWGAQBAAAEAQAABAEAAAQB AAAEAQAABAEAAAjWXAAElP8nCboSThziJQAGkwkAAAAAAAAAAAAAAAAAAAAAAAaTCQAAAAAAAAAA AAAAAAAAAAAABpQJAAAAAAAAAAAAAAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAE9YwAAAA/wQB AAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAFPYBAAAa1hAAAAD/AAAA /wAAAP8AAAD/G9YQAAAA/wAAAP8AAAD/AAAA/xzWEAAAAP8AAAD/AAAA/wAAAP8d1hAAAAD/AAAA /wAAAP8AAAD/NNYGAAEKA2wAYfYDAAAGAAAWJAFJZgEAAAAADM44AADiOAAAZTkAAHM5AABHOgAA SDoAAE46AABiOgAAYzoAAHE6AABAOwAAQTsAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAA AAAAAAAAAAAAAPkAAAAAAAAAAAAAAABp5AMAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAA AAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAACPAAAWJAEXJAFJZgEAAAAClmwABdYYBAEAAAQBAAAEAQAABAEA AAQBAAAEAQAACNZcAASU/ycJuhJOHOIlAAaTCQAAAAAAAAAAAAAAAAAAAAAABpMJAAAAAAAAAAAA AAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAT1jAAAAD/BAEA AAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAU9gEAABrWEAAAAP8AAAD/ AAAA/wAAAP8b1hAAAAD/AAAA/wAAAP8AAAD/HNYQAAAA/wAAAP8AAAD/AAAA/x3WEAAAAP8AAAD/ AAAA/wAAAP801gYAAQoDbABh9gMAAAYAABYkAUlmAQAAAAAL4jgAAGQ5AABlOQAAPToAAEI6AABG OgAATjoAAD87AABDOwAAWDsAAMw+AADOPgAA0D4AANg+AADaPgAA3D4AABQ/AAAVPwAAFj8AAB8/ AAAgPwAAIT8AACU/AAAmPwAAWj8AAFs/AABcPwAAaT8AAG4/AACePwAArz8AALA/AAAnQAAAKEAA AAVBAAANQQAAP0EAAEFBAAAiQgAAKkIAAFxCAABeQgAAP0MAAEdDAABaQwAAW0MAAN1DAADeQwAA +kMAAPtDAAD8QwAAOUQAADpEAAA7RAAAwkQAAPkA+ez5APkA5QDe1wDQyQDCuwDCuwC0pbvCAPkA +QD5APkA+QD5APkA+QD5APkA+ZiL+ZiL+QAAAAAZAAiBQ0oSAE9KAwBRSgMAY0gBAGRoYVNVhhkB CIEESAEABWhhU1WGQ0oSAE9KAwBRSgMAHQAIgQEIgQRIAwAFaAZEVUYMKgdjSAQAZGhoRFVGDQEI gQRIAwAFaAZEVUYNAAiBY0gEAGRoaERVRg0BCIEESAQABWhoRFVGDQEIgQRIBAAFaIhKVWYNAAiB Y0gEAGRoiEpVZg0BCIEESAQABWiHSlVmDQAIgWNIBABkaIdKVWYNAAiBY0gBAGRoWkNVRhkBCIEE SAIABWgrQ1VGQ0oSAE9KAwBRSgMADENKEgBPSgMAUUoDADZBOwAAQjsAAEM7AABZOwAAWjsAAFs7 AABnOwAAaDsAAGg9AABpPQAAez0AANU9AAAdPgAAjz4AAFs/AABcPwAAXT8AAG8/AACEPwAAjT8A AJc/AAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAP0AAAAAAAAAAAAAAAD9AAAAAAAAAAAAAAAA /QAAAAAAAAAAAAAAAP0AAAAAAAAAAAAAAAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAP0AAAAA AAAAAAAAAAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAP0AAAAAAAAAAAAAAAD9AAAAAAAAAAAA AAAA/QAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAD9AAAAAAAAAAAAAAAAsgAAAAAAAAAAAAAAALIA AAAAAAAAAAAAAACyAAAAAAAAAAAAAAAAsgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAABYkAUlm AQAAAABEAABDJAFFxoAAAAQAaERVRgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAFJc/AACYPwAAnj8AALA/AAAoQAAAW0AA AL5AAAAGQQAAB0EAAA1BAABAQQAAQUEAAHRBAABvvAUAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkA AAAAAAAAAAAAAABpAAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAA AAAAAAAAb3QEAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAA AGkAAAAAAAAAAAAAAAAAAAYAABYkAUlmAQAAAACPAAAWJAEXJAFJZgEAAAAClmwABdYYBAEAAAQB AAAEAQAABAEAAAQBAAAEAQAACNZcAASU/ycJuhJOHOIlAAaTCQAAAAAAAAAAAAAAAAAAAAAABpMJ AAAAAAAAAAAAAAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAT 1jAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAU9gEAABrW EAAAAP8AAAD/AAAA/wAAAP8b1hAAAAD/AAAA/wAAAP8AAAD/HNYQAAAA/wAAAP8AAAD/AAAA/x3W EAAAAP8AAAD/AAAA/wAAAP801gYAAQoDbABh9gMAAAAMdEEAANdBAAAjQgAAJEIAACpCAABdQgAA XkIAAJFCAAD0QgAAQEMAAEFDAABHQwAAW0MAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAAaXQE AAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAA AAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAGkMBgAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA +QAAAAAAAAAAAAAAAAAAAI8AABYkARckAUlmAQAAAAKWbAAF1hgEAQAABAEAAAQBAAAEAQAABAEA AAQBAAAI1lwABJT/Jwm6Ek4c4iUABpMJAAAAAAAAAAAAAAAAAAAAAAAGkwkAAAAAAAAAAAAAAAAA AAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAABpQJAAAAAAAAAAAAAAAAAAAAABPWMAAAAP8EAQAAAAAA /wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAABT2AQAAGtYQAAAA/wAAAP8AAAD/ AAAA/xvWEAAAAP8AAAD/AAAA/wAAAP8c1hAAAAD/AAAA/wAAAP8AAAD/HdYQAAAA/wAAAP8AAAD/ AAAA/zTWBgABCgNsAGH2AwAABgAAFiQBSWYBAAAAAAxbQwAA3kMAAOxDAADDRAAAxEQAAMpEAADj RAAA5EQAAPJEAADMRQAAzUUAANNFAADnRQAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAA AAAAAAAAAAAAaSQEAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAA AAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAAaRAEAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5 AAAAAAAAAAAAAAAAAAAAjwAAFiQBFyQBSWYBAAAAApZsAAXWGAQBAAAEAQAABAEAAAQBAAAEAQAA BAEAAAjWXAAElP8nCboSThziJQAGkwkAAAAAAAAAAAAAAAAAAAAAAAaTCQAAAAAAAAAAAAAAAAAA AAAABpQJAAAAAAAAAAAAAAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAE9YwAAAA/wQBAAAAAAD/ BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAFPYBAAAa1hAAAAD/AAAA/wAAAP8A AAD/G9YQAAAA/wAAAP8AAAD/AAAA/xzWEAAAAP8AAAD/AAAA/wAAAP8d1hAAAAD/AAAA/wAAAP8A AAD/NNYGAAEKA2wAYfYDAAAGAAAWJAFJZgEAAAAADMJEAADKRAAA4kQAAOREAADLRQAA00UAAOZF AADoRQAAz0YAANdGAADqRgAA60YAAG1HAABuRwAAVUgAAF1IAABTSQAAVkkAAJ9JAADaSQAA3EkA AA5KAAAmSgAAJ0oAAClKAABpSgAAakoAAIxKAACNSgAAjkoAAA9LAAAgSwAAIUsAACJLAABuTQAA b00AAHBNAAB+TQAAf00AAIBNAACkTQAApU0AAPZNAAACTgAAEk4AAG1PAAByTwAAfk8AAIZPAACH TwAAik8AAJFPAAAuUAAAM1AAADhQAABnUAAAalAAAAD5APkA+QD5APkA+QD5APkA8uvk8uTy5N3W 3c/Wz9by3QDIwQDIwQDBALqzAKylAKUApQCelwCQAAAAAA0ACIFjSAQAZGiRRFVGDQEIgQRIBAAF aJJEVUYNAAiBY0gEAGRokkRVRg0BCIEESAQABWiJSlVmDQAIgWNIBABkaIlKVWYNAQiBBEgEAAVo dkRVRg0ACIFjSAQAZGh2RFVGDQAIgWNIAwBkaAhEVUYNAQiBBEgDAAVoCERVRg0BCIEESAQABWiY RFVGDQEIgQRIBAAFaJlEVUYNAQiBBEgEAAVol0RVRg0BCIEESAQABWibRFVGDQEIgQRIBAAFaJpE VUYNAQiBBEgEAAVolkRVRgxDShIAT0oDAFFKAwA450UAAOhFAAD2RQAA0EYAANFGAADXRgAA60YA AG5HAAB8RwAAVkgAAFdIAABdSAAAcUgAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAA AAAAAAAAAGkYBgAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAA AAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAGn4AwAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAA AAAAAAAAAAAAAAAAAI8AABYkARckAUlmAQAAAAKWbAAF1hgEAQAABAEAAAQBAAAEAQAABAEAAAQB AAAI1lwABJT/Jwm6Ek4c4iUABpMJAAAAAAAAAAAAAAAAAAAAAAAGkwkAAAAAAAAAAAAAAAAAAAAA AAaUCQAAAAAAAAAAAAAAAAAAAAAABpQJAAAAAAAAAAAAAAAAAAAAABPWMAAAAP8EAQAAAAAA/wQB AAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAABT2AQAAGtYQAAAA/wAAAP8AAAD/AAAA /xvWEAAAAP8AAAD/AAAA/wAAAP8c1hAAAAD/AAAA/wAAAP8AAAD/HdYQAAAA/wAAAP8AAAD/AAAA /zTWBgABCgNsAGH2AwAABgAAFiQBSWYBAAAAAAxxSAAAckgAAIBIAABUSQAAVUkAAFZJAAAoSgAA +QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGcAAAAA AAAAAAAAAABnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAABAAAAjwAAFiQBFyQBSWYBAAAAApZsAAXWGAQBAAAEAQAABAEAAAQBAAAEAQAABAEA AAjWXAAElP8nCboSThziJQAGkwkAAAAAAAAAAAAAAAAAAAAAAAaTCQAAAAAAAAAAAAAAAAAAAAAA BpQJAAAAAAAAAAAAAAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAE9YwAAAA/wQBAAAAAAD/BAEA AAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAFPYBAAAa1hAAAAD/AAAA/wAAAP8AAAD/ G9YQAAAA/wAAAP8AAAD/AAAA/xzWEAAAAP8AAAD/AAAA/wAAAP8d1hAAAAD/AAAA/wAAAP8AAAD/ NNYGAAEKA2wAYfYDAAAGAAAWJAFJZgEAAAAABihKAAApSgAAIUsAACJLAABaSwAAW0sAALoAAAAA AAAAAAAAAAC6AAAAAAAAAAAAAAAAdQAAAAAAAAAAAAAAADAAAAAAAAAAAAAAAAAuAAAAAAAAAAAA AAAAAAAAAAEAAABEAABDJAFFxoAAAAQAlkRVRgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABEAABDJAFFxoAAAAQAl0RVRgAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AABEAABDJAFFxoAAAAQAm0RVRgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFW0sAAA5NAAAPTQAAbE8AAG1PAACTTwAA7U8AADpQ AAC5UAAAgFEAAIFRAACTUQAAqFEAALFRAAC7UQAA/QAAAAAAAAAAAAAAAP0AAAAAAAAAAAAAAAD9 AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAP0AAAAAAAAAAAAAAAD9AAAAAAAAAAAAAAAA/QAAAAAA AAAAAAAAAP0AAAAAAAAAAAAAAAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAPcAAAAAAAAAAAAA AAD3AAAAAAAAAAAAAAAA9wAAAAAAAAAAAAAAAPcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAGAAAWJAFJZgEAAAAAAQAAAA5qUAAAbVAAAJ5QAACgUAAAolAAAKNQAACmUAAAqVAA AK1QAACyUAAAt1AAAPZQAAD8UAAA/1AAAAFRAAACUQAABlEAAAtRAAAQUQAARVEAAEZRAABHUQAA T1EAAFBRAABRUQAAVFEAAFlRAABaUQAAXFEAAF1RAABeUQAAf1EAAI1RAACSUQAAwlEAANNRAADU UQAAS1IAAExSAACPUgAA0FIAABFTAABqUwAAbFMAAHFTAAD4APHqAPHqAOPcANXO3M4A1dwAx8AA 1cDVzgC5qpuqAJQAlACUAJSHepQAcwAAAAAAAA0ACIFjSAQAZGh3RFVGGQEIgQRIBAAFaHZEVUZD ShIAT0oDAFFKAwAZAAiBQ0oSAE9KAwBRSgMAY0gEAGRodkRVRgxDShIAT0oDAFFKAwAAHQAIgQEI gQRIAwAFaAlEVUYMKgdjSAQAZGh2RFVGHQAIgQEIgQRIAwAFaAhEVUYMKgdjSAQAZGh2RFVGDQEI gQRIAwAFaAhEVUYNAAiBY0gEAGRoaURVRg0BCIEESAQABWhpRFVGDQEIgQRIBAAFaJNEVUYNAAiB Y0gEAGRok0RVRg0BCIEESAQABWiJSlVmDQAIgWNIBABkaIlKVWYNAQiBBEgEAAVoiEpVZg0ACIFj SAQAZGiISlVmDQEIgQRIBAAFaJFEVUYALLtRAAC8UQAAwlEAANRRAABMUgAAf1IAACNTAABrUwAA bFMAAHdTAACqUwAAq1MAAONTAABvwAYAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAA AABpAAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAAb7QE AAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAA AAAAAAAAAAYAABYkAUlmAQAAAACPAAAWJAEXJAFJZgEAAAAClmwABdYYBAEAAAQBAAAEAQAABAEA AAQBAAAEAQAACNZcAASU/ycJuhJOHOIlAAaTCQAAAAAAAAAAAAAAAAAAAAAABpMJAAAAAAAAAAAA AAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAT1jAAAAD/BAEA AAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAU9gEAABrWEAAAAP8AAAD/ AAAA/wAAAP8b1hAAAAD/AAAA/wAAAP8AAAD/HNYQAAAA/wAAAP8AAAD/AAAA/x3WEAAAAP8AAAD/ AAAA/wAAAP801gYAAQoDbABh9gMAAAAMcVMAAHZTAAB3UwAAqVMAAKtTAADYUwAA3VMAAOJTAADw UwAANFQAADpUAACXVAAAmVQAAJ5UAACjVAAApFQAANZUAADYVAAABVUAAApVAAAPVQAAHlUAAB9V AAAgVQAAIVUAAGJVAACjVQAAAFYAAAJWAAAIVgAAOlYAADtWAAA8VgAAaVYAAG5WAAB9VgAAflYA AONWAADqVgAA61YAAOxWAADyVgAABVcAAAZXAAASVwAA+ADxAPHk1/Hk1/EA0PgA8QDxw7bxtsPx qZzxAPiPtvi2graCtnW2+ADxAPEAAAAAAAAAAAAAGQEIgQRIBAAFaIlEVUZDShIAT0oDAFFKAwAZ AQiBBEgEAAVoekRVRkNKEgBPSgMAUUoDABkBCIEESAEABWhpU1WGQ0oSAE9KAwBRSgMAGQEIgQRI BAAFaHlEVUZDShIAT0oDAFFKAwAZAAiBQ0oSAE9KAwBRSgMAY0gEAGRoeURVRhkBCIEESAQABWh3 RFVGQ0oSAE9KAwBRSgMAGQAIgUNKEgBPSgMAUUoDAGNIBABkaHdEVUYNAAiBY0gEAGRod0RVRhkB CIEESAQABWh2RFVGQ0oSAE9KAwBRSgMAGQAIgUNKEgBPSgMAUUoDAGNIBABkaHZEVUYMQ0oSAE9K AwBRSgMAAA0BCIEESAQABWh3RFVGACzjUwAAOlQAAExUAACYVAAA+QAAAAAAAAAAAAAAALAAAAAA AAAAAAAAAAD5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASQAAFiQBQyQBRcaAAAAEAHZEVUYAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AABJZgEAAAAGAAAWJAFJZgEAAAAAA5hUAACZVAAApFQAANdUAADYVAAAEFUAALVVAAABVgAAAlYA AAhWAAA7VgAAPFYAAG+kBQAAAAAAAAAAAABpAAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAA AAAAAAAAAABpAAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABvqAMAAAAAAAAA AAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAYAABYkAUlmAQAAAACPAAAWJAEXJAFJZgEAAAAClmwABdYYBAEAAAQBAAAEAQAABAEAAAQB AAAEAQAACNZcAASU/ycJuhJOHOIlAAaTCQAAAAAAAAAAAAAAAAAAAAAABpMJAAAAAAAAAAAAAAAA AAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAT1jAAAAD/BAEAAAAA AP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAU9gEAABrWEAAAAP8AAAD/AAAA /wAAAP8b1hAAAAD/AAAA/wAAAP8AAAD/HNYQAAAA/wAAAP8AAAD/AAAA/x3WEAAAAP8AAAD/AAAA /wAAAP801gYAAQoDbABh9gMAAAALPFYAAG9WAADSVgAA5FYAAOtWAAC2AAAAAAAAAAAAAAAAtgAA AAAAAAAAAAAAALAAAAAAAAAAAAAAAABnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABJ AAAWJAFDJAFFxoAAAAQAiURVRgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAElmAQAAAAYAABYkAUlmAQAAAEkAABYkAUMkAUXGgAAA BAB3RFVGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAASWYBAAAAAATrVgAA7FYAAPJWAAAGVwAAnVcAAKxXAACxWAAAslgAAL1YAADW WAAA11gAAOZYAADIWQAAbxgHAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAAaQAA AAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAAb1wEAAAAAAAAAAAAAGkAAAAAAAAA AAAAAABpAAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAA AAAGAAAWJAFJZgEAAAAAjwAAFiQBFyQBSWYBAAAAApZsAAXWGAQBAAAEAQAABAEAAAQBAAAEAQAA BAEAAAjWXAAElP8nCboSThziJQAGkwkAAAAAAAAAAAAAAAAAAAAAAAaTCQAAAAAAAAAAAAAAAAAA AAAABpQJAAAAAAAAAAAAAAAAAAAAAAAGlAkAAAAAAAAAAAAAAAAAAAAAE9YwAAAA/wQBAAAAAAD/ BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAFPYBAAAa1hAAAAD/AAAA/wAAAP8A AAD/G9YQAAAA/wAAAP8AAAD/AAAA/xzWEAAAAP8AAAD/AAAA/wAAAP8d1hAAAAD/AAAA/wAAAP8A AAD/NNYGAAEKA2wAYfYDAAAADBJXAAAmVwAAOlcAAJxXAACdVwAAqVcAAKpXAACrVwAAulcAALtX AAC8VwAA+FcAAPpXAAD8VwAA/VcAACpYAABXWAAAsFgAALJYAAC3WAAAvFgAAL1YAADVWAAA11gA AONYAADkWAAA5VgAAPNYAAD4WAAA/VgAADdZAAA6WQAAPVkAAMdZAADJWQAAzlkAANNZAADUWQAA 51kAAOlZAAD1WQAA9lkAAPdZAAAGWgAACVoAAAxaAABGWgAAS1oAAFBaAADZWgAA21oAAOFaAAD1 WgAA9loAAAJbAAADWwAAUlsAAPLl3gDe0cTexNHe0cTe0cTeAL22AN4A3qmc3qmc3pyp3gC9tgDe AN6pnN6cqd6pnN4Ato+2j5yPAAAZAQiBBEgEAAVoeERVRkNKEgBPSgMAUUoDABkBCIEESAQABWiF RFVGQ0oSAE9KAwBRSgMAGQAIgUNKEgBPSgMAUUoDAGNIBABkaIVEVUYNAQiBBEgEAAVoeERVRg0A CIFjSAQAZGh4RFVGGQEIgQRIBAAFaHlEVUZDShIAT0oDAFFKAwAZAAiBQ0oSAE9KAwBRSgMAY0gE AGRoeURVRgxDShIAT0oDAFFKAwAAGQEIgQRIBAAFaHpEVUZDShIAT0oDAFFKAwAZAAiBQ0oSAE9K AwBRSgMAY0gEAGRoekRVRgA4yFkAAMlZAADUWQAA6FkAAOlZAAD4WQAA2loAANtaAADhWgAA9VoA APZaAABvSAQAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABpAAAAAAAAAAAAAAAA aQAAAAAAAAAAAAAAAGkAAAAAAAAAAAAAAABvEAQAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAGkAAAAA AAAAAAAAAABpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BgAAFiQBSWYBAAAAAI8AABYkARckAUlmAQAAAAKWbAAF1hgEAQAABAEAAAQBAAAEAQAABAEAAAQB AAAI1lwABJT/Jwm6Ek4c4iUABpMJAAAAAAAAAAAAAAAAAAAAAAAGkwkAAAAAAAAAAAAAAAAAAAAA AAaUCQAAAAAAAAAAAAAAAAAAAAAABpQJAAAAAAAAAAAAAAAAAAAAABPWMAAAAP8EAQAAAAAA/wQB AAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAABT2AQAAGtYQAAAA/wAAAP8AAAD/AAAA /xvWEAAAAP8AAAD/AAAA/wAAAP8c1hAAAAD/AAAA/wAAAP8AAAD/HdYQAAAA/wAAAP8AAAD/AAAA /zTWBgABCgNsAGH2AwAAAAr2WgAABFsAAN5bAADfWwAAtgAAAAAAAAAAAAAAALAAAAAAAAAAAAAA AAAg0AcAAAAAAAAAAAAAAAAAAAAAAAAAAI8AABYkARckAUlmAQAAAAKWbAAF1hgEAQAABAEAAAQB AAAEAQAABAEAAAQBAAAI1lwABJT/Jwm6Ek4c4iUABpMJAAAAAAAAAAAAAAAAAAAAAAAGkwkAAAAA AAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAAAAAAAAAABpQJAAAAAAAAAAAAAAAAAAAAABPWMAAA AP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAABT2AQAAGtYQAAAA /wAAAP8AAAD/AAAA/xvWEAAAAP8AAAD/AAAA/wAAAP8c1hAAAAD/AAAA/wAAAP8AAAD/HdYQAAAA /wAAAP8AAAD/AAAA/zTWBgABCgNsAGH2AwAABgAAFiQBSWYBAAAASQAAFiQBQyQBRcaAAAAEAHhE VUYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAABJZgEAAAAAA1JbAABUWwAA3lsAAN9bAADlWwAA+FsAAPlbAAAFXAAAGVwAAC1cAACP XAAAkFwAAJxcAACdXAAAnlwAAO1cAAAaXQAAR10AAFddAACDXQAAr10AAMJdAADIXQAA0V0AANNd AADVXQAA110AANhdAADaXQAA3F0AAN1dAAD+XQAA/10AAAFeAAAQXgAAFF4AABheAABRXgAAVl4A AFteAACWXgAAwl4AAO5eAAAKXwAALV8AADJfAADy5d4A1wDXyr3XANfKvdfKvdewo9ew1wCclQCc lQDXyr3XiHvXe4jXsKPXAHQAAAANAAiBY0gEAGRoh0RVRhkACIFDShIAT0oDAFFKAwBjSAQAZGiR RFVGGQEIgQRIBAAFaJFEVUZDShIAT0oDAFFKAwANAQiBBEgEAAVohkRVRg0ACIFjSAQAZGiGRFVG GQEIgQRIBAAFaIlEVUZDShIAT0oDAFFKAwAZAAiBQ0oSAE9KAwBRSgMAY0gEAGRoiURVRhkBCIEE SAQABWiGRFVGQ0oSAE9KAwBRSgMAGQAIgUNKEgBPSgMAUUoDAGNIBABkaIZEVUYMQ0oSAE9KAwBR SgMAAA0BCIEESAQABWh4RFVGGQEIgQRIBAAFaHhEVUZDShIAT0oDAFFKAwAZAQiBBEgEAAVohURV RkNKEgBPSgMAUUoDAAAt31sAAOVbAAD5WwAAkFwAAJ9cAADSXQAA010AAN1dAADxXQAA8l0AAAJe AAALXwAADF8AAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA+QAAAAAAAAAAAAAAAPkAAAAAAAAA AAAAAAD5AAAAAAAAAAAAAAAAaeQEAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAA +QAAAAAAAAAAAAAAAPkAAAAAAAAAAAAAAAD5AAAAAAAAAAAAAAAAaQAAAAAAAAAAAAAAAAAAAI8A ABYkARckAUlmAQAAAAKWbAAF1hgEAQAABAEAAAQBAAAEAQAABAEAAAQBAAAI1lwABJT/Jwm6Ek4c 4iUABpMJAAAAAAAAAAAAAAAAAAAAAAAGkwkAAAAAAAAAAAAAAAAAAAAAAAaUCQAAAAAAAAAAAAAA AAAAAAAABpQJAAAAAAAAAAAAAAAAAAAAABPWMAAAAP8EAQAAAAAA/wQBAAAAAAD/BAEAAAAAAP8E AQAAAAAA/wQBAAAAAAD/BAEAABT2AQAAGtYQAAAA/wAAAP8AAAD/AAAA/xvWEAAAAP8AAAD/AAAA /wAAAP8c1hAAAAD/AAAA/wAAAP8AAAD/HdYQAAAA/wAAAP8AAAD/AAAA/zTWBgABCgNsAGH2AwAA BgAAFiQBSWYBAAAAAAwMXwAADV8AANRfAADVXwAAr2AAALBgAAA/YQAAQGEAAO5hAADvYQAA8GEA AFxjAABdYwAAXmMAAP0AAAAAAAAAAAAAAAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAP0AAAAA AAAAAAAAAAD9AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAALgAAAAAAAAAAAAAAAC4AAAAAAAAAAAA AAAA/QAAAAAAAAAAAAAAAP0AAAAAAAAAAAAAAAC2AAAAAAAAAAAAAAAA/QAAAAAAAAAAAAAAAP0A AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAERAABEAABDJAFFxoAAAAQAlERV RgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAABAAAADTJfAAA3XwAAPl8AAEJfAABGXwAAsV8AALZfAAC7XwAA3l8AAONfAADoXwAA 7F8AAPBfAAD3XwAA+V8AAPtfAAB9YAAAgmAAAIdgAADLYAAA0GAAANVgAADgYAAA4mAAAORgAAAe YQAAPmEAAO1hAADwYQAA8WEAAB1iAAAkYgAAM2IAAD5iAABHYgAASmIAAFViAACBYgAAiWIAAJhi AACrYgAA5WIAAO5iAAD4YgAAXmMAAPgA+PEA8fgA6uMA6gDq4wDq4wDq4wDx+ADc1QDOAMe+xwC3 sACpoKkAmZIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAANAQiBBEgBAAVoWUNVRg0ACIFjSAEAZGhZQ1VGEAAIgTYIgWNI AgBkaPlCVUYADQAIgWNIAgBkaPlCVUYNAQiBBEgCAAVo+EJVRg0ACIFjSAIAZGj4QlVGEAEIgQRI AgAFaPlCVUY2CIEADQEIgQRIAgAFaPlCVUYNA2oAAAAAMEoSAFUIAQ0BCIEESAQABWiURFVGDQEI gQRIAQAFaFpDVUYNAQiBBEgEAAVoiERVRg0ACIFjSAQAZGiIRFVGDQAIgWNIBABkaIdEVUYNAQiB BEgEAAVoh0RVRgAsIAAxkGgBH7DQLyCw4D0hsC0FIrAtBSOQ8AMkkPADJbAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAUABMACgABAGkADwADAAAAAAAAAAAAOAAAQPH/AgA4AAwABgBOAG8AcgBtAGEA bAAAAAIAAAAYAENKGABfSAEEYUoYAG1ICQRzSAkEdEgJBDYAAUABAAIANgAMAAkASABlAGEAZABp AG4AZwAgADEAAAAOAAEAAyQBBiQBQCYAYSQBBABDShwAMgACQAEAAgAyAAwACQBIAGUAYQBkAGkA bgBnACAAMgAAAAgAAgAGJAFAJgEGADYIgV0IgTgAA0ABAAIAOAAMAAkASABlAGEAZABpAG4AZwAg ADMAAAAOAAMAAyQBBiQBQCYCYSQBBgA2CIFdCIEAAAAAAAAAAAAAAAA8AEFA8v+hADwADAAWAEQA ZQBmAGEAdQBsAHQAIABQAGEAcgBhAGcAcgBhAHAAaAAgAEYAbwBuAHQAAAAAAAAAAAAAAAAAKAA+ QAEA8gAoAAwABQBUAGkAdABsAGUAAAAIAA8AAyQBYSQBBABDShwAIgBXQKIAAQEiAAwABgBTAHQA cgBvAG4AZwAAAAYANQgBXAgBNgAdQAEAEgE2AAwADQBGAG8AbwB0AG4AbwB0AGUAIABUAGUAeAB0 AAAAAgARAAgAQ0oUAGFKFAA4ACZAogAhATgADAASAEYAbwBvAHQAbgBvAHQAZQAgAFIAZQBmAGUA cgBlAG4AYwBlAAAAAwBIKgEAOQUAAF5fAAABAAAAAABsAQAAbwEAAAAAAABeXwAABgAAygAABQD/ ////AAAAAAwAAAANAAAAHQEAAB4BAACLAQAAjAEAAJIBAACTAQAANQIAADYCAADYAgAA2QIAADsF AAA8BQAAjwUAAJAFAAA/BwAAQAcAAMsJAADMCQAAQQoAAEIKAADzCwAA9AsAAGkMAABqDAAAqQwA AKoMAAC4DAAAuQwAAIUOAACGDgAA8w8AAPQPAAAKEQAACxEAANsSAADcEgAAIxMAACQTAADvFAAA 8RQAAAAWAAABFgAAQxYAAEQWAAAKFwAACxcAAFEXAABSFwAA7xcAAF4YAABfGAAAtRgAALYYAAA5 GQAAOhkAAGEZAABRGgAA0xoAADobAAByGwAAshsAALMbAADyGwAA8xsAAEAcAABBHAAAAh0AAAMd AACdHQAAnh0AABseAAAcHgAAZx4AAMMeAAA5HwAAnx8AAAAgAAB4IAAAVyEAAFghAADcIgAA3SIA AN8jAADgIwAAEiQAABMkAABPJQAAUCUAAFElAACcJQAA3SUAAGcmAABoJgAAYycAAGQnAABlJwAA ZicAAGonAADJJwAAyicAAOgnAAANKAAAMigAAFcoAAB8KAAAoSgAAMYoAADrKAAAESkAABUpAAAW KQAAISkAACIpAABNKwAATisAAF8rAAC5KwAAASwAAHMsAAA7LQAAPC0AAE4tAABjLQAAbC0AAHYt AAB3LQAAfS0AAI8tAAAHLgAAOi4AAJ0uAADlLgAA5i4AAOwuAAAfLwAAIC8AAFMvAAC2LwAAAjAA AAMwAAAJMAAAPDAAAD0wAABwMAAA0zAAAB8xAAAgMQAAJjEAADoxAAC9MQAAyzEAAKIyAACjMgAA qTIAAMIyAADDMgAA0TIAAMkzAADKMwAA0DMAAOQzAADlMwAA8zMAAMc0AADINAAAzjQAAOI0AABl NQAAczUAAEc2AABINgAATjYAAGI2AABjNgAAcTYAAEA3AABBNwAAQjcAAEM3AABZNwAAWjcAAFs3 AABnNwAAaDcAAGg5AABpOQAAezkAANU5AAAdOgAAjzoAAFs7AABcOwAAXTsAAG87AACEOwAAjTsA AJc7AACYOwAAnjsAALA7AAAoPAAAWzwAAL48AAAGPQAABz0AAA09AABAPQAAQT0AAHQ9AADXPQAA Iz4AACQ+AAAqPgAAXT4AAF4+AACRPgAA9D4AAEA/AABBPwAARz8AAFs/AADePwAA7D8AAMNAAADE QAAAykAAAONAAADkQAAA8kAAAMxBAADNQQAA00EAAOdBAADoQQAA9kEAANBCAADRQgAA10IAAOtC AABuQwAAfEMAAFZEAABXRAAAXUQAAHFEAAByRAAAgEQAAFRFAABVRQAAVkUAAChGAAApRgAAIUcA ACJHAABaRwAAW0cAAA5JAAAPSQAAbEsAAG1LAACTSwAA7UsAADpMAAC5TAAAgE0AAIFNAACTTQAA qE0AALFNAAC7TQAAvE0AAMJNAADUTQAATE4AAH9OAAAjTwAAa08AAGxPAAB3TwAAqk8AAKtPAADj TwAAOlAAAExQAACYUAAAmVAAAKRQAADXUAAA2FAAABBRAAC1UQAAAVIAAAJSAAAIUgAAO1IAADxS AABvUgAA0lIAAOtSAADsUgAA8lIAAAZTAACdUwAArFMAALFUAACyVAAAvVQAANZUAADXVAAA5lQA AMhVAADJVQAA1FUAAOhVAADpVQAA+FUAANpWAADbVgAA4VYAAPVWAAD2VgAABFcAAN5XAADfVwAA 5VcAAPlXAACQWAAAn1gAANJZAADTWQAA3VkAAPFZAADyWQAAAloAAAtbAAAMWwAADVsAANRbAADV WwAAr1wAALBcAAA/XQAAQF0AAO5dAADvXQAAX18AAJgAAAAPMAAAAAAAAACAAAAAgJgAAAAAAAAA AAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAA AACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgCgAAAADAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACA jAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEA AJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgA AAAAAAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAMAAAAAAAAACAjAEAAJgAAAAA AAAAAAAAAACAjAEAAJgAAAAAMAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAMAAA AAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAMAAAAAAAAACAjAEAAJgAAAAAAAAAAAAA AACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACAjAEAAJgAAAAAAAAAAAAAAACA jAEAAJgAAAAAAAAAAAAAAACAjAEAAAgAAAABAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAqgwA AJgAAAAAMAAAAAAAAACAqgwAAJgAAAAAAAAAAAAAAACAqgwAAJgAAAAAMAAAAAAAAACAqgwAAJgA AAAAAAAAAAAAAACAqgwAAJgAAAAAMAAAAAAAAACAqgwAAJgAAAAAAAAAAAAAAACAqgwAAJgAAAAA MAAAAAAAAACAqgwAAJgAAAAAAAAAAAAAAACAqgwAAAgAAAABMAAAAAAAAACAAAAAgJgAAAAAAAAA AAAAAACA3BIAAJgAAAAAMAAAAAAAAACA3BIAAJgAAAAAMAAAAAAAAACA3BIAAJgAAAAAMAAAAAAA AACA3BIAAJgAAAAAMAAAAAAAAACA3BIAABgAAAACMAAAAAAAAACA3BIAAJgAAAAAAAAAAAAAAACA ARYAAJgAAAAAMAAAAAAAAACAARYAAJgAAAAAMAAAAAAAAACAARYAAJgAAAAAMAAAAAAAAACAARYA AJgAAAAAAAAAAAAAAACAARYAAJgAASAAAAAAAAAAAACAARYAAJgAASAAAAEAAAAAAACAARYAAJgA AAAAAAAAAAAAAACAARYAAJgAAAAAMAAAAAAAAACAARYAAJgAAAAAAAAAAAAAAACAARYAAJgAAAAA MAAAAAAAAACAARYAAJgAAAAAAAAAAAAAAACAARYAAJgABCAAAAAAAAAAAACAARYAAJgBBCAAMAAA AAA6GQAAARYAAJgBBCAAMAEAAAA6GQAAARYAAJgABCAAMAEAAAAAAACAARYAAJgBBCAAMAAAAADT GgAAARYAAJgBBCAAMAEAAADTGgAAARYAAJgAAAAAAAAAAAAAAACAARYAAJgAAAAAMAAAAAAAAACA ARYAAJgAAAAAAAAAAAAAAACAARYAAJgAAAAAMAAAAAAAAACAARYAAJgAAAAAAAAAAAAAAACAARYA AJgAAAAAMAAAAAAAAACAARYAAJgAAAAAAAAAAAAAAACAARYAAJgAAAAAAAAAAAAAAACAARYAAJgA AAAAAAAAAAAAAACAARYAAJgAAAAAMAAAAAAAAACAARYAAJgAAAAAAAAAAAAAAACAARYAAJgAAAAA AAAAAAAAAACAARYAAJgAAAAAMAAAAAAAAACAARYAAJgAAiAAAAAAAAAAAACAARYAAJgAAiAAMAEA AAAAAACAARYAAJgAAAAAMAAAAAAAAACAARYAAJgAAyAAMAAAAAAAAACAARYAAJgAAyAAMAEAAAAA AACAARYAAJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACA AAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgCgAAAADAAAAAAAAAACAAAAA gJgAAAAAAAAAAAAAAACAuB4AAJgAAAAAMAAAAAAAAACAAAAAgJoAAAAAAAAAAAAAAACAuB4AAJgA AAAAMAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAuB4AAJgAAAAAAAAAAAAAAACAuB4AAJgAAAAA MAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAA AAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAA AACAAAAAgJoAAAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACA AAAAgJoAAAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACAAAAA gJoAAAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACAAAAAgJoA AAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACAAAAAgJoAAAAAMAAAAAAAAACAAAAAgJoAAAAA AAAAAAAAAACAuB4AAJgAAAAAAAAAAAAAAACAuB4AAJgAAAAAAAAAAAAAAACAuB4AAJgAAAAAAAAA AAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAA AACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACA AAAAgJgAAAAAAAAAAAAAAACAAAAAgKkAAAAAAAAAAAAAAACAAAAAgKkAAAAAAAAAAAAAAACAAAAA gKkAAAAAAAAAAAAAAACAAAAAgKkAAAAAAAAAAAAAAACAAAAAgJwAAAAAAAAAAAAAAACAAAAAgKkA AAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKtAAAAAMAAAAAAAAACAAAAAgKsAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAA AAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAA AACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACA AAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkA AAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAA AAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAA AACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACA AAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkA AAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAA AAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAA AACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACA AAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAA gJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJhA AAAAAAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJhAAAAAAAAAAAAAAACAAAAAgJgAAAAA AAAAAAAAAACAAAAAgJhAAAAAAAAAAAAAAACAAAAAgJhAAAAAAAAAAAAAAACAAAAAgJgAAAAAAAAA AAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJpAAAAAAAAAAAAAAACAAAAAgJgAAAAAMAAAAAAA AACAAAAAgKlAAAAAAAAAAAAAAACAAAAAgKkAAAAAAAAAAAAAAACAAAAAgKlAAAAAAAAAAAAAAACA AAAAgKlAAAAAAAAAAAAAAACAAAAAgJ4AAAAAAAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkA AAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAA AAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAA AACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACA AAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkA AAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACAAAAAgJkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAA AAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAA AACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACA AAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAA gKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkA AAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAA AAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAA AACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACA AAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAA gJgAAAAAAAAAAAAAAACAAAAAgJhAAAAAAAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJhA AAAAAAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJhAAAAAAAAAAAAAAACAAAAAgJgAAAAA MAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJhAAAAAAAAA AAAAAACAAAAAgKlAAAAAAAAAAAAAAACAAAAAgKkAAAAAAAAAAAAAAACAAAAAgKlAAAAAAAAAAAAA AACAAAAAgKlAAAAAAAAAAAAAAACAAAAAgJwAAAAAAAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACA AAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gKsAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkA AAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAA AAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAA AACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACA AAAAgKkAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gKsAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKtAAAAAMAAAAAAAAACAAAAAgKtA AAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAA AAAAAACAAAAAgKsAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAA AACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACA AAAAgKsAAAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACAAAAAgKsA AAAAMAAAAAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAA MAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAA AAAAAACAAAAAgJkAAAAAMAAAAAAAAACAAAAAgKlAAAAAMAAAAAAAAACAAAAAgKlAAAAAMAAAAAAA AACAAAAAgKtAAAAAMAAAAAAAAACAAAAAgKtAAAAAMAAAAAAAAACAAAAAgKtAAAAAMAAAAAAAAACA AAAAgJlAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAAgKkAAAAAMAAAAAAAAACAAAAA gKkAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACAAAAAgKsAAAAAMAAAAAAAAACAAAAAgJkA AAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAA AAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAAAAAAAAAAACAAAAAgJgAAAAAMAAA AAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgJhAAAAAAAAAAAAA AACAAAAAgJgAAAAAMAAAAAAAAACAAAAAgAAEAABGDwAALhIAAE4UAAATGAAAihsAAAcfAAB+JAAA +CgAAPkwAADiOAAAwkQAAGpQAABxUwAAElcAAFJbAAAyXwAAXmMAADIAAAA2AAAANwAAADgAAAA5 AAAAOwAAAD4AAABCAAAAQwAAAEcAAABNAAAAUgAAAFcAAABZAAAAXgAAAGEAAABkAAAAAAQAAMwN AADvGAAA7xsAAGEdAAA6HwAAGyIAAAAkAABPKQAAZyoAAGorAABzMAAAOjIAADw0AACpNgAAzjgA AEE7AACXPwAAdEEAAFtDAADnRQAAcUgAAChKAABbSwAAu1EAAONTAACYVAAAPFYAAOtWAADIWQAA 9loAAN9bAAAMXwAAXmMAADMAAAA1AAAAOgAAADwAAAA9AAAAPwAAAEAAAABBAAAARAAAAEUAAABG AAAASAAAAEkAAABKAAAASwAAAEwAAABOAAAATwAAAFAAAABRAAAAUwAAAFQAAABVAAAAVgAAAFgA AABaAAAAWwAAAFwAAABdAAAAXwAAAGAAAABiAAAAYwAAAAAEAABdYwAANAAAAAAAAAAHAAAACwAA AGkHAAByBwAAdAoAAH0KAADeDAAA4gwAAMwNAADQDQAA4w0AAOcNAAAfEAAAIxAAAFgQAABcEAAA LBEAADARAAAAGQAACRkAAJMZAACiGQAATh0AAE8dAADsHgAA+R4AAFUfAABiHwAAUiAAAF8gAADh IAAA7iAAAOMiAADsIgAAWCQAAFwkAACeJQAAoCUAANMlAADaJQAA7yUAAPYlAAARJwAAJScAAJcq AACgKgAAjy0AAJgtAACvLQAAuS0AAM8tAADZLQAA7y0AAP4tAAAHLgAAEC4AACcuAAAxLgAAOi4A AEQuAACLLgAAmC4AAJ0uAACsLgAAIC8AACkvAABALwAASi8AAFMvAABdLwAApC8AALEvAAC2LwAA xS8AAD0wAABGMAAAXTAAAGcwAABwMAAAejAAAMEwAADOMAAA0zAAAOIwAAA6MQAAQzEAAFoxAABk MQAAejEAAIQxAACaMQAAqTEAAL0xAADGMQAAyzEAANUxAAAKMgAAFDIAAEgyAABVMgAAhDIAAJMy AADDMgAAzDIAANEyAADbMgAADzMAABkzAABMMwAAWTMAAIgzAACXMwAA5TMAAO4zAADzMwAA/TMA ADE0AAA7NAAAbjQAAHs0AACqNAAAuTQAAOI0AADrNAAAAjUAAAw1AAAiNQAALDUAAEI1AABRNQAA ZTUAAG41AABzNQAAfTUAALE1AAC7NQAA7jUAAPs1AAAqNgAAOTYAAGM2AABsNgAAcTYAAHs2AACv NgAAuTYAAOw2AAD5NgAAKDcAADc3AACJOAAAkjgAALA7AAC5OwAA0DsAANo7AADwOwAA+jsAABA8 AAAfPAAAKDwAADE8AABIPAAAUjwAAFs8AABlPAAArDwAALk8AAC+PAAAzTwAAEE9AABKPQAAYT0A AGs9AAB0PQAAfj0AAMU9AADSPQAA1z0AAOY9AABePgAAZz4AAH4+AACIPgAAkT4AAJs+AADiPgAA 7z4AAPQ+AAADPwAAWz8AAGQ/AAB7PwAAhT8AAJs/AAClPwAAuz8AAMo/AADePwAA5z8AAOw/AAD2 PwAAK0AAADVAAABpQAAAdkAAAKVAAAC0QAAA5EAAAO1AAADyQAAA/EAAADBBAAA6QQAAbUEAAHpB AACpQQAAuEEAAOhBAADxQQAA9kEAAABCAAA0QgAAPkIAAHFCAAB+QgAArUIAALxCAADrQgAA9EIA AAtDAAAVQwAAK0MAADVDAABLQwAAWkMAAG5DAAB3QwAAfEMAAIZDAAC6QwAAxEMAAPdDAAAERAAA M0QAAEJEAAByRAAAe0QAAIBEAACKRAAAvkQAAMhEAAD7RAAACEUAADdFAABGRQAAakUAAG5FAAAL RgAAD0YAAGpJAAB1SQAAekkAAIVJAACNSgAAlkoAANRNAADdTQAA9E0AAP5NAAAUTgAAHk4AADRO AABDTgAATE4AAFVOAABsTgAAdk4AAH9OAACJTgAAEU8AAB5PAAAjTwAAMk8AAKtPAAC0TwAAy08A ANVPAADjTwAA7U8AADpQAABHUAAATFAAAFtQAADYUAAA4VAAAPhQAAACUQAAEFEAABpRAACjUQAA sFEAALVRAADEUQAAPFIAAEVSAABcUgAAZlIAAG9SAAB5UgAAwFIAAM1SAADSUgAA4VIAAAZTAAAP UwAAOlMAAERTAABaUwAAZFMAAHpTAACJUwAAnVMAAKZTAACsUwAAtlMAAOtTAAD1UwAAV1QAAGRU AACTVAAAolQAANdUAADgVAAA5lQAAPBUAAApVQAAM1UAAGlVAAB2VQAApVUAALRVAADpVQAA8lUA APhVAAACVgAAOVYAAENWAAB7VgAAiFYAALdWAADGVgAA9lYAAP9WAAAEVwAADlcAAEJXAABMVwAA f1cAAIxXAAC7VwAAylcAAPlXAAACWAAALVgAADdYAABNWAAAV1gAAG1YAAB8WAAAkFgAAJlYAACf WAAAqVgAAN1YAADnWAAAR1kAAFRZAACvWQAAvlkAAPJZAAD7WQAAAloAAAxaAABEWgAATloAAIZa AACTWgAA7loAAP1aAADDWwAAzVsAAHNdAAB3XQAA8F0AAF9fAAAHABwABwAcAAcAHAAHABwABwAc AAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwA BwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAH ABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcA HAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAc AAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwA BwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAH ABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcA HAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAc AAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwA BwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAH ABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcA HAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAc AAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcAHAAHABwA BwAcAAcAHAAHABwABwAcAAcAHAAHABwABwAcAAcABwAAAAAAsiwAALIsAACzLAAAtCwAAL4sAAC+ LAAAvywAAMAsAADZMQAA2jEAANsxAADbMQAAGDIAABkyAAAaMgAAGjIAAM46AADOOgAAzzoAANA6 AADaOgAA2joAANs6AADcOgAA+j8AAPs/AAA5QAAAOkAAADtAAAA7QAAAVkUAACJHAABySwAAfksA AIZLAACHSwAAiksAAJFLAAAzTAAAOEwAAGpMAABsTAAAbUwAAG1MAACgTAAAoEwAAKFMAACiTAAA pkwAAKhMAACpTAAAqUwAALJMAAC3TAAA/EwAAAJNAAALTQAAEE0AAFBNAABQTQAAVE0AAFlNAAAI UgAAOlIAABBaAAAUWgAAFVoAABVaAAAWWgAAFloAABdaAAAXWgAAGFoAABhaAABWWgAAW1oAAMJa AADDWgAAPl0AAO1dAADvXQAA8F0AAFxfAABfXwAAAwAEAAMABAADAAQAAwAEAAMABAADAAQAAwAE AAMABAADAAQAAwAEAAMABAADAAQAAwAEAAMABAADAAQAAwAEAAMABAADAAQAAwAEAAMABAADAAQA AwAEAAMABAADAAQAAwAEAAMABAADAAQAAwAEAAMABAADAAQAAwAEAAMABAADAAQAAwAEAAMABAAD AAQAAwAEAAMABAADAAQAAwAEAAMABwAHAAcA//8UAAAADABSAHUAcwBzACAASABvAHUAcwBsAGUA eQBMAEMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAXABxAHUAYQBsAGMAbwBtAG0AXABl AHUAZABvAHIAYQBcAGEAdAB0AGEAYwBoAFwAQQBsAGcAbwByAGkAdABoAG0AIABmAG8AcgAgAEMA bwBuAHMAdAByAHUAYwB0AGkAbgBnACAAQwBSAEwAcwAxAC4AZABvAGMADABSAHUAcwBzACAASABv AHUAcwBsAGUAeQBMAEMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAXABxAHUAYQBsAGMA bwBtAG0AXABlAHUAZABvAHIAYQBcAGEAdAB0AGEAYwBoAFwAQQBsAGcAbwByAGkAdABoAG0AIABm AG8AcgAgAEMAbwBuAHMAdAByAHUAYwB0AGkAbgBnACAAQwBSAEwAcwAxAC4AZABvAGMACABUAGkA bQAgAFAAbwBsAGsALABBADoAXABBAGwAZwBvAHIAaQB0AGgAbQAgAGYAbwByACAAQwBvAG4AcwB0 AHIAdQBjAHQAaQBuAGcAIABDAFIATABzACAAZgBpAG4AYQBsAC4AZABvAGMAFABWAEEATABVAEUA RAAgAFMATwBOAFkAIABDAFUAUwBUAE8ATQBFAFIAaQBDADoAXABXAEkATgBEAE8AVwBTAFwAQQBw AHAAbABpAGMAYQB0AGkAbwBuACAARABhAHQAYQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBvAHIA ZABcAEEAdQB0AG8AUgBlAGMAbwB2AGUAcgB5ACAAcwBhAHYAZQAgAG8AZgAgAEEAbABnAG8AcgBp AHQAaABtACAAZgBvAHIAIABDAG8AbgBzAHQAcgB1AGMAdABpAG4AZwAgAEMAUgBMAHMAIABmAGkA bgBhAGwALgBhAHMAZAAUAFYAQQBMAFUARQBEACAAUwBPAE4AWQAgAEMAVQBTAFQATwBNAEUAUgA8 AEMAOgBcAFcASQBOAEQATwBXAFMAXABEAGUAcwBrAHQAbwBwAFwAQQBsAGcAbwByAGkAdABoAG0A IABmAG8AcgAgAEMAbwBuAHMAdAByAHUAYwB0AGkAbgBnACAAQwBSAEwAcwAgAGYAaQBuAGEAbAAu AGQAbwBjABQAVgBBAEwAVQBFAEQAIABTAE8ATgBZACAAQwBVAFMAVABPAE0ARQBSADwAQwA6AFwA VwBJAE4ARABPAFcAUwBcAEQAZQBzAGsAdABvAHAAXABBAGwAZwBvAHIAaQB0AGgAbQAgAGYAbwBy ACAAQwBvAG4AcwB0AHIAdQBjAHQAaQBuAGcAIABDAFIATABzACAAZgBpAG4AYQBsAC4AZABvAGMA FABWAEEATABVAEUARAAgAFMATwBOAFkAIABDAFUAUwBUAE8ATQBFAFIAPABDADoAXABXAEkATgBE AE8AVwBTAFwARABlAHMAawB0AG8AcABcAEEAbABnAG8AcgBpAHQAaABtACAAZgBvAHIAIABDAG8A bgBzAHQAcgB1AGMAdABpAG4AZwAgAEMAUgBMAHMAIABmAGkAbgBhAGwALgBkAG8AYwAUAFYAQQBM AFUARQBEACAAUwBPAE4AWQAgAEMAVQBTAFQATwBNAEUAUgA8AEMAOgBcAFcASQBOAEQATwBXAFMA XABEAGUAcwBrAHQAbwBwAFwAQQBsAGcAbwByAGkAdABoAG0AIABmAG8AcgAgAEMAbwBuAHMAdABy AHUAYwB0AGkAbgBnACAAQwBSAEwAcwAgAGYAaQBuAGEAbAAuAGQAbwBjAAgAVABpAG0AIABQAG8A bABrAGkAQwA6AFwAVwBJAE4ARABPAFcAUwBcAEEAcABwAGwAaQBjAGEAdABpAG8AbgAgAEQAYQB0 AGEAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAbwByAGQAXABBAHUAdABvAFIAZQBjAG8AdgBlAHIA eQAgAHMAYQB2AGUAIABvAGYAIABBAGwAZwBvAHIAaQB0AGgAbQAgAGYAbwByACAAQwBvAG4AcwB0 AHIAdQBjAHQAaQBuAGcAIABDAFIATABzACAAZgBpAG4AYQBsAC4AYQBzAGQACABUAGkAbQAgAFAA bwBsAGsAIgBDADoAXABXAEkATgBEAE8AVwBTAFwARABlAHMAawB0AG8AcABcAFAASwBJAFgAIABk AGUAbAB0AGEAcwAuAGQAbwBjAAQA1WoHBsaTbN7/D/8P/w//D/8P/w//D/8P/w8AAPgXsy/Gk2ze /w//D/8P/w//D/8P/w//D/8PEADgFKVJ6ALyNf8P/w//D/8P/w//D/8P/w//DxAAugbSZY7tlGH/ D/8P/w//D/8P/w//D/8P/w8QAAEAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAMYAAAPhNACEYSY/hXG BQAB0AIGXoTQAmCEmP5vKAADACgAAAApAAEAAAAEAAEAAAAAAAAAAAAAAAAAAAAAAAAYAAAPhKAF EYSY/hXGBQABoAUGXoSgBWCEmP4CAAEALgABAAAAAoIBAAAAAAAAAAAAAAAAAAAAAAAAGAAAD4Rw CBGETP8VxgUAAXAIBl6EcAhghEz/AgACAC4AAQAAAACAAQAAAAAAAAAAAAAAAAAAAAAAABgAAA+E QAsRhJj+FcYFAAFACwZehEALYISY/gIAAwAuAAEAAAAEgAEAAAAAAAAAAAAAAAAAAAAAAAAYAAAP hBAOEYSY/hXGBQABEA4GXoQQDmCEmP4CAAQALgABAAAAAoIBAAAAAAAAAAAAAAAAAAAAAAAAGAAA D4TgEBGETP8VxgUAAeAQBl6E4BBghEz/AgAFAC4AAQAAAACAAQAAAAAAAAAAAAAAAAAAAAAAABgA AA+EsBMRhJj+FcYFAAGwEwZehLATYISY/gIABgAuAAEAAAAEgAEAAAAAAAAAAAAAAAAAAAAAAAAY AAAPhIAWEYSY/hXGBQABgBYGXoSAFmCEmP4CAAcALgABAAAAAoIBAAAAAAAAAAAAAAAAAAAAAAAA GAAAD4RQGRGETP8VxgUAAVAZBl6EUBlghEz/AgAIAC4AAQAAAAAAAgAAAAAAAAAAAAAAAAAAAAAA AxgAAA+E0AIRhJj+FcYFAAHQAgZehNACYISY/m8oAAMAKAAAACkAAQAAAASAAQAAAAAAAAAAAAAA AAAAAAAAABgAAA+EoAURhJj+FcYFAAGgBQZehKAFYISY/gIAAQAuAAEAAAACggEAAAAAAAAAAAAA AAAAAAAAAAAYAAAPhHAIEYRM/xXGBQABcAgGXoRwCGCETP8CAAIALgABAAAAAIABAAAAAAAAAAAA AAAAAAAAAAAAGAAAD4RACxGEmP4VxgUAAUALBl6EQAtghJj+AgADAC4AAQAAAASAAQAAAAAAAAAA AAAAAAAAAAAAABgAAA+EEA4RhJj+FcYFAAEQDgZehBAOYISY/gIABAAuAAEAAAACggEAAAAAAAAA AAAAAAAAAAAAAAAYAAAPhOAQEYRM/xXGBQAB4BAGXoTgEGCETP8CAAUALgABAAAAAIABAAAAAAAA AAAAAAAAAAAAAAAAGAAAD4SwExGEmP4VxgUAAbATBl6EsBNghJj+AgAGAC4AAQAAAASAAQAAAAAA AAAAAAAAAAAAAAAAABgAAA+EgBYRhJj+FcYFAAGAFgZehIAWYISY/gIABwAuAAEAAAACggEAAAAA AAAAAAAAAAAAAAAAAAAYAAAPhFAZEYRM/xXGBQABUBkGXoRQGWCETP8CAAgALgABAAAABAACAAAA AAAAAAAAAAAAAAAAAAADGAAAD4TQAhGEmP4VxgUAAdACBl6E0AJghJj+bygAAwAoAAAAKQABAAAA BIABAAAAAAAAAAAAAAAAAAAAAAAAGAAAD4SgBRGEmP4VxgUAAaAFBl6EoAVghJj+AgABAC4AAQAA AAKCAQAAAAAAAAAAAAAAAAAAAAAAABgAAA+EcAgRhEz/FcYFAAFwCAZehHAIYIRM/wIAAgAuAAEA AAAAgAEAAAAAAAAAAAAAAAAAAAAAAAAYAAAPhEALEYSY/hXGBQABQAsGXoRAC2CEmP4CAAMALgAB AAAABIABAAAAAAAAAAAAAAAAAAAAAAAAGAAAD4QQDhGEmP4VxgUAARAOBl6EEA5ghJj+AgAEAC4A AQAAAAKCAQAAAAAAAAAAAAAAAAAAAAAAABgAAA+E4BARhEz/FcYFAAHgEAZehOAQYIRM/wIABQAu AAEAAAAAgAEAAAAAAAAAAAAAAAAAAAAAAAAYAAAPhLATEYSY/hXGBQABsBMGXoSwE2CEmP4CAAYA LgABAAAABIABAAAAAAAAAAAAAAAAAAAAAAAAGAAAD4SAFhGEmP4VxgUAAYAWBl6EgBZghJj+AgAH AC4AAQAAAAKCAQAAAAAAAAAAAAAAAAAAAAAAABgAAA+EUBkRhEz/FcYFAAFQGQZehFAZYIRM/wIA CAAuAAEAAAAEEAIAAAAAAAAAAABoAQAAAAAAAAMYAAAPhNACEYSY/hXGBQAB0AIGXoTQAmCEmP5v KAADACgAAAApAAEAAAAEEAEAAAAAAAAAAABoAQAAAAAAAAAYAAAPhKAFEYSY/hXGBQABoAUGXoSg BWCEmP4CAAEALgABAAAAApIBAAAAAAAAAAAAaAEAAAAAAAAAGAAAD4RwCBGETP8VxgUAAXAIBl6E cAhghEz/AgACAC4AAQAAAACQAQAAAAAAAAAAAGgBAAAAAAAAABgAAA+EQAsRhJj+FcYFAAFACwZe hEALYISY/gIAAwAuAAEAAAAEkAEAAAAAAAAAAABoAQAAAAAAAAAYAAAPhBAOEYSY/hXGBQABEA4G XoQQDmCEmP4CAAQALgABAAAAApIBAAAAAAAAAAAAaAEAAAAAAAAAGAAAD4TgEBGETP8VxgUAAeAQ Bl6E4BBghEz/AgAFAC4AAQAAAACQAQAAAAAAAAAAAGgBAAAAAAAAABgAAA+EsBMRhJj+FcYFAAGw EwZehLATYISY/gIABgAuAAEAAAAEkAEAAAAAAAAAAABoAQAAAAAAAAAYAAAPhIAWEYSY/hXGBQAB gBYGXoSAFmCEmP4CAAcALgABAAAAApIBAAAAAAAAAAAAaAEAAAAAAAAAGAAAD4RQGRGETP8VxgUA AVAZBl6EUBlghEz/AgAIAC4ABAAAAPgXsy8AAAAAAAAAAAAAAADgFKVJAAAAAAAAAAAAAAAAugbS ZQAAAAAAAAAAAAAAANVqBwYAAAAAAAAAAAAAAAD///////////////////////8EAAAAAAAAAAAA AAD//wQAAAAAAAAAAAAAAAAAAAA7LQAAPC0AAE4tAABjLQAAbC0AAHYtAAB3LQAAfS0AAI8tAAAH LgAA5S4AAOYuAADsLgAAHy8AACAvAAACMAAAAzAAAAkwAAA8MAAAPTAAAB8xAAAgMQAAJjEAADox AAC9MQAAojIAAKMyAACpMgAAwjIAAMMyAADJMwAAyjMAANAzAADkMwAA5TMAAMc0AADINAAAzjQA AOI0AABlNQAARzYAAEg2AABONgAAYjYAAGM2AABANwAAQTcAAFs7AABdOwAAbzsAAIQ7AACNOwAA lzsAAJg7AACeOwAAsDsAACg8AAAGPQAABz0AAA09AABAPQAAQT0AACM+AAAkPgAAKj4AAF0+AABe PgAAQD8AAEE/AABHPwAAWz8AAN4/AADDQAAAxEAAAMpAAADjQAAA5EAAAMxBAADNQQAA00EAAOdB AADoQQAA0EIAANFCAADXQgAA60IAAG5DAABWRAAAV0QAAF1EAABxRAAAckQAAFRFAABVRQAAgE0A AIFNAACTTQAAqE0AALFNAAC7TQAAvE0AAMJNAADUTQAATE4AAGtPAABsTwAAd08AAKpPAACrTwAA mFAAAJlQAACkUAAA11AAANhQAAABUgAAAlIAAAhSAAA7UgAAPFIAAOtSAADsUgAA8lIAAAZTAACd UwAAsVQAALJUAAC9VAAA1lQAANdUAADIVQAAyVUAANRVAADoVQAA6VUAANpWAADbVgAA4VYAAPVW AAD2VgAA3lcAAN9XAADlVwAA+VcAAJBYAADSWQAA01kAAN1ZAADxWQAA8lkAAAtbAAAMWwAA710A APBdAABcXwAAX18AAAAAAAABAAAACAAAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIBAAACAQAA AgEAAB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIBAAAC AQAAAgEAAB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIB AAACAQAAAgEAAB4BAAACAQAAAgEAAAIBAAACAQAAFgEAAAEAAAAIAAAAAgEAAAIBAAACAQAAAgEA AB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIBAAACAQAA AgEAAB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIBAAAC AQAAAgEAAB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAWAQAAAQAAAAgA AAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIBAAACAQAAAgEA AB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIBAAACAQAA AgEAAB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAeAQAAAgEAAAIBAAAC AQAAAgEAAB4BAAACAQAAAgEAAAIBAAACAQAAHgEAAAIBAAACAQAAAgEAAAIBAAAWAQAAAd0AAAAA AAABAAAA/0APgAEAOlIAADpSAAAUnGQAAQABADpSAAAAAAEAOlIAACcJuhICEAAAAAAAAABeXwAA YAAACABAAAD//wUAAAAHAFUAbgBrAG4AbwB3AG4ACABUAGkAbQAgAFAAbwBsAGsADABEAGEAdgBp AGQAIABDAG8AbwBwAGUAcgAMAFIAdQBzAHMAIABIAG8AdQBzAGwAZQB5ABQAVgBBAEwAVQBFAEQA IABTAE8ATgBZACAAQwBVAFMAVABPAE0ARQBSAP//BQAIAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAA AAAAAAACAAAAAAAAAAAAAwAAAAAAAAAAAAQA//8FAAAAAAAAAAAAAAAAAP//AAACAP//AAAAAP// AAACAP//AAAAAAQAAABHFpABAAACAgYDBQQFAgMEhzoAAAAAAAAAAAAAAAAAAP8AAAAAAAAAVABp AG0AZQBzACAATgBlAHcAIABSAG8AbQBhAG4AAAA1FpABAgAFBQECAQcGAgUHAAAAAAAAABAAAAAA AAAAAAAAAIAAAAAAUwB5AG0AYgBvAGwAAAAzJpABAAACCwYEAgICAgIEhzoAAAAAAAAAAAAAAAAA AP8AAAAAAAAAQQByAGkAYQBsAAAAPzWQAQAAAgcDCQICBQIEBIc6AAAAAAAAAAAAAAAAAAD/AAAA AAAAAEMAbwB1AHIAaQBlAHIAIABOAGUAdwAAACIABABxiIwAAPDQAgAAaAEAAAAAnFNVhpxTVYZG U1WGAgAiAAAAlg0AAHVNAAABACcAAAAEAAMQpQAAAAAAAAAAAAAAAQABAAAAAQAAAAAAAAAhAwDw EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtBfADeAC0AIKCEjAAABAAGQBkAAAAGQAAAB9f AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABXIQAAAAAAAAAAAAAA AAAAAAAAAAAAAgAAAAAAAAAAAAAygxEA8BAA3wMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAD//xIAAAAAAAAAPwBBAGwAZwBvAHIAaQB0AGgAbQAgAGYAbwByACAAQwBvAG4AcwB0AHIAdQBj AHQAaQBuAGcAIABDAFIATABzACAAZgByAG8AbQAgAGEAIABiAGEAcwBlACAAQwBSAEwAIABhAG4A ZAAgAGEAIABkAGUAbAB0AGEAIABDAFIATAAAAAAAAAAIAFQAaQBtACAAUABvAGwAawAIAFQAaQBt ACAAUABvAGwAawAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD+/wAABAoCAAAAAAAAAAAAAAAAAAAAAAAB AAAA4IWf8vlPaBCrkQgAKyez2TAAAADAAQAAEgAAAAEAAACYAAAAAgAAAKAAAAADAAAA6AAAAAQA AAD0AAAABQAAAAgBAAAGAAAAFAEAAAcAAAAgAQAACAAAADQBAAAJAAAASAEAABIAAABUAQAACgAA AHABAAALAAAAfAEAAAwAAACIAQAADQAAAJQBAAAOAAAAoAEAAA8AAACoAQAAEAAAALABAAATAAAA uAEAAAIAAADkBAAAHgAAAEAAAABBbGdvcml0aG0gZm9yIENvbnN0cnVjdGluZyBDUkxzIGZyb20g YSBiYXNlIENSTCBhbmQgYSBkZWx0YSBDUkwAHgAAAAEAAAAAbGdvHgAAAAkAAABUaW0gUG9sawAg Zm8eAAAAAQAAAABpbSAeAAAAAQAAAABpbSAeAAAACwAAAE5vcm1hbC5kb3QAbx4AAAAJAAAAVGlt IFBvbGsAdABvHgAAAAIAAAAyAG0gHgAAABMAAABNaWNyb3NvZnQgV29yZCA5LjAAckAAAAAATO+/ BAAAAEAAAAAADIZ8c9nAAUAAAAAAeBLxftnAAUAAAAAAeBLxftnAAQMAAAABAAAAAwAAAJYNAAAD AAAAdU0AAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/v8AAAQKAgAAAAAAAAAAAAAAAAAAAAAAAQAAAALVzdWc LhsQk5cIACss+a4wAAAANAEAAAwAAAABAAAAaAAAAA8AAABwAAAABQAAAIgAAAAGAAAAkAAAABEA AACYAAAAFwAAAKAAAAALAAAAqAAAABAAAACwAAAAEwAAALgAAAAWAAAAwAAAAA0AAADIAAAADAAA ABQBAAACAAAA5AQAAB4AAAANAAAAQ1NEL0lUTC9OSVNUAABvAAMAAAClAAAAAwAAACcAAAADAAAA H18AAAMAAADtDgkACwAAAAAAAAALAAAAAAAAAAsAAAAAAAAACwAAAAAAAAAeEAAAAQAAAEAAAABB bGdvcml0aG0gZm9yIENvbnN0cnVjdGluZyBDUkxzIGZyb20gYSBiYXNlIENSTCBhbmQgYSBkZWx0 YSBDUkwADBAAAAIAAAAeAAAABgAAAFRpdGxlAAMAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAEAAAACAAAAAwAAAAQAAAAFAAAABgAAAAcAAAAIAAAACQAAAAoAAAAL AAAADAAAAA0AAAAOAAAADwAAABAAAAARAAAAEgAAABMAAAAUAAAAFQAAABYAAAAXAAAAGAAAABkA AAAaAAAAGwAAABwAAAAdAAAAHgAAAB8AAAAgAAAAIQAAACIAAAAjAAAAJAAAACUAAAAmAAAAJwAA ACgAAAApAAAAKgAAACsAAAAsAAAALQAAAC4AAAAvAAAAMAAAADEAAAAyAAAAMwAAADQAAAA1AAAA NgAAADcAAAA4AAAAOQAAADoAAAA7AAAAPAAAAD0AAAA+AAAAPwAAAEAAAABBAAAAQgAAAEMAAABE AAAARQAAAEYAAABHAAAASAAAAEkAAABKAAAASwAAAEwAAABNAAAATgAAAE8AAABQAAAAUQAAAFIA AABTAAAAVAAAAFUAAABWAAAAVwAAAFgAAABZAAAAWgAAAFsAAABcAAAAXQAAAF4AAABfAAAAYAAA AGEAAABiAAAAYwAAAGQAAABlAAAA/v///2cAAABoAAAAaQAAAGoAAABrAAAAbAAAAG0AAABuAAAA bwAAAHAAAABxAAAAcgAAAHMAAAB0AAAAdQAAAHYAAAB3AAAAeAAAAHkAAAB6AAAAewAAAHwAAAB9 AAAAfgAAAH8AAACAAAAAgQAAAIIAAACDAAAAhAAAAIUAAACGAAAAhwAAAIgAAACJAAAA/v///4sA AACMAAAAjQAAAI4AAACPAAAAkAAAAJEAAAD+////kwAAAJQAAACVAAAAlgAAAJcAAACYAAAAmQAA AP7////9/////f///50AAAD+/////v////7///////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////9SAG8AbwB0ACAARQBuAHQAcgB5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAFgAFAf//////////AwAAAAYJAgAAAAAAwAAAAAAAAEYAAAAA AAAAAAAAAACgoSoPf9nAAZ8AAACAAAAAAAAAADEAVABhAGIAbABlAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOAAIA////////////////AAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZgAAAKlGAAAAAAAAVwBvAHIAZABEAG8AYwB1 AG0AZQBuAHQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABoAAgEFAAAA //////////8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIsoAAAAAAAAF AFMAdQBtAG0AYQByAHkASQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAKAACAQIAAAAEAAAA/////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AIoAAAAAEAAAAAAAAAUARABvAGMAdQBtAGUAbgB0AFMAdQBtAG0AYQByAHkASQBuAGYAbwByAG0A YQB0AGkAbwBuAAAAAAAAAAAAAAA4AAIB////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAkgAAAAAQAAAAAAAAAQBDAG8AbQBwAE8AYgBqAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIAAgEBAAAABgAAAP////8AAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAagAAAAAAAABPAGIAagBlAGMAdABQAG8A bwBsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFgABAP////// /////////wAAAAAAAAAAAAAAAAAAAAAAAAAAoKEqD3/ZwAGgoSoPf9nAAQAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA////////////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAQAAAP7///////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////// //////////////8BAP7/AwoAAP////8GCQIAAAAAAMAAAAAAAABGGAAAAE1pY3Jvc29mdCBXb3Jk IERvY3VtZW50AAoAAABNU1dvcmREb2MAEAAAAFdvcmQuRG9jdW1lbnQuOAD0ObJxAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAA== --=====================_104696206==_-- Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id LAA21196 for <ietf-pkix@imc.org>; Thu, 10 May 2001 11:37:12 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 10 May 2001 18:36:55 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id OAA24424 for <ietf-pkix@imc.org>; Thu, 10 May 2001 14:37:14 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NWWPM>; Thu, 10 May 2001 14:37:13 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.11]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NWWP2; Thu, 10 May 2001 14:37:00 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Denis.Pinkas@bull.net Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010510143415.01896eb8@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 10 May 2001 14:35:58 -0400 Subject: Re: delta CRLs In-Reply-To: <5.0.1.4.2.20010510090030.018a6e58@exna07.securitydynamics. com> References: <3AFA4F09.5AB02392@bull.net> <E5C2786F90B4D4119A200008C716F45D8E5BCC@acrossw01.acrosswireless.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Denis: Please excuse the half-done message from this morning. My mailer and I had a disagreement... Anyway, since I was not going to get the full message out before the end of the business day in France, I took the time to coordinate a response with Tim Polk and David Cooper. This mail thread is quite long, so hopefully our coordination on the side will reduce the overall number of messages to the list and help to reach consensus faster. Here goes .... >There is difference between a base CRL and a full CRL : a base CRL MUST >include a freshestCRL extension (a.k.a. a Delta CRL distribution point), >whereas a full CRL may not include that extension. In other words, a base >CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. There is no requirement in X.509 to include any extension in a certificate or CRL advertising the availability of delta CRLs. PKIX makes the freshestCRL extension available for advertising the existence of delta CRLs, but again does not mandate its use. Furthermore, even if the freshestCRL extension is used, it may be placed in either the certificate or the full CRL. If the extension is placed in certificates, there is no need for it to be in the full CRL (but, it could be). Finally, if delta CRLs are being issued, and are being advertised through the freshestCRL CRL extension, then the extension should be included in all full CRLs for that scope, not just the base CRLs. If a relying party obtains the most recently issued full CRL for a scope from a repository, and that full CRL is not a base CRL, how will the relying party know that delta CRLs are available? >At any time a CA may issue a full CRL, whether or not a base CRL has already >been issued. This additional CRL SHOULD have nextUpdate equal to the >nextUpdate of the last issued full CRL. However, there is no guarantee that >this additional CRL will ever be seen by the relying party (because there >will be two CRLs matching the thisUpdate and nextUpdate rule and if one is >deleted, this is not seen by a relying party). The nextUpdate field in a full CRL (base or otherwise) should specify the time by which new revocation information will be available. So, if a new base CRL is issued once a day, but full CRLs are issued every hour, the nextUpdate field of each full CRL should one hour after that CRL's thisUpdate time. >Due to the fact that CRLs numbers are strictly increasing, two CRLs whether >they are a base CRL or delta CRL, CANNOT have the same CRL number. So a >delta CRL and a full CRL that cover the same scope and are issued at the >same time CANNOT have the same number. We disagree. If a full CRL and a delta CRL are issued at the same time for the same scope, then they ARE the same CRL and MUST have the same CRL number. >If a full CRL is issued, its CRL >number bears no relationship with the previous base CRL, if any. Again, we disagree. A sequence of CRLs for a given scope must contain a monotonically increasing sequence of CRL numbers. Relying parties that do not process delta CRLs, and thus do not recognize the non-critical freshestCRL extension, will not be able to distinguish between those full CRLs that are base CRLs and those full CRLs that are not base CRLs. The CRL numbers for these full CRLs must be from one monotonically increasing sequence. >The only >relationship between the numbers is defined by the rule that CRLs numbers >are strictly increasing. As Santosh said : "the CRL number is unique >whether it is a base or a delta ". > >This is fairly important to be able to unambiguously (and thus uniquely) >refer to a CRL by only providing its CRL number. Exactly. If a full CRL and the delta CRL are issued for the same scope at the same time, they are the same CRL. The CRL number unambiguously and uniquely refers to this ONE CRL. >Besides the fact that a CRL issued later MUST have a higher CRL number, full >CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, >" if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL >number (for the same or no stream identifier). If you agree that delta thisUpdate > base thisUpdate implies delta CRL number > base CRL, then you are acknowledging that the CRL numbers of the full CRLs and delta CRLs are not independent. >As Santosh said : "a check based on thisUpdate is more general and >preferred [to the use of CRL numbers]. " > >Related to the three rules mentioned by Russ : > >1) the first rule is not understandable to me. >2) the second rule does not say anything more than the basic rule valid > for any CRL (i.e. a CRL issued later MUST have a higher CRL number). >3) we will debate the hold condition, once we will have sorted the main > issue. > >Russ said : "If separate number sequence is used, then you will have to >periodically fetch base CRLs ". This is true. > >Tim said that he would *not* like to be forced to download new base CRLs. >This is the core of the "dispute". Our goal should be to allow delta CRL enabled clients to obtain accurate information in the most efficient manner possible. Forcing clients to periodically download full CRLs, when this is not necessary, is inefficient. > From the definition of what a delta CRL is, it is *not* possible to >get rid of the fetching of base CRLs. Unless we add a new sentence to >expand/change that definition, base CRL fetching will remain mandatory. True. However, if one performs validations frequently enough, it is possible to obtain a single full CRL and then subsequently download only delta CRLs. We need to require that full CRL be issued periodically so that clients whose locally stored information is not sufficiently up-to-date to apply the delta CRLs being issued can obtain the full CRLs that they need, but we should not require clients to download full CRLs when it is not necessary for them to do so. >Remember that the goal of delta CRLs is to provide the freshest information, >and to my knowledge the goal was not to get rid of the fetching of base CRLs >(which may less frequent due to the support of delta CRLs). Yes, but the goal should be to minimize the fetching of full CRLs. >If I understand correctly, Tim/David/Russ would like to *always* achieve the >following property : it is possible to reconstruct the current CRL by using >a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been >issued at the same time a base CRL was issued and which contains updates >made to the *previous* base. > >By this way the fetching of base CRLs could be avoided. However, note that >it is perfectly " legal " to stop issuing base and delta CRLs during some >period of time and to issue full CRLs instead (see the difference between >"full" and "base" at the top of this e-mail). In other words there is no >need to issue a new base CRL at the end of the validity period of the >previous base CRL. Doing this would mandate to prescribe issuing rules >for CAs that we have not prescripted. You are mixing apples and oranges. Obviously the scheme of keeping up-to-date by obtaining a base from 1990 and then only downloading deltas will only work so long as deltas continue to be issued. If the CRL issuer ceases to issue deltas, then the relying parties will have to revert to downloading full CRLs. >I will now raise a series of questions, for which I believe we have >different answers. Tim/David/Russ do not hesitate to correct >if my guess is wrong. ;-) > >Common point: > >1) What will be the value of the nextUpdate field from the last issued delta >CRL for a given base CRL ? > >Denis: the nextUpdate field from the last issued delta CRL MUST be equal to >the value of nextUpdate from the base CRL. > >Tim/David/Russ: ??? The nextUpdate field in a base CRL states when the next full CRL will be available. This is important for supporting clients that do not handle delta CRLs. The nextUpdate field in a delta CRL states when the next CRL (either a delta CRL or a full CRL) will be available. As a general rule, if the CA is continuing to issue deltas, the nextUpdate in the delta will be the time by which the next delta will be available. If this is the last delta that the CA is going to issue, then the nextUpdate in the delta will be the time by which the next full CRL will be available. ("Available" SHOULD reflect distribution delays associated with the repository architecture.) >2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? > >Denis: No. >Tim/David/Russ : ??? No. A CA never is required to issue deltas. However, it would be helpful to delta CRL enabled clients to allow them to construct the full CRL. If the full CRL contains a freshestCRL extension, then it is a very good idea to generate a delta CRL at the same time. In this way, any client will be able to find a current delta CRL. >3) Does a CA needs to issue a new base CRL at the end of the validity of a >current base CRL ? > >Denis: No. >Tim/David/Russ : ??? No. HOWEVER, the CA must issue a new full CRL by the nextUpdate in the previously issued full CRL (whether that full CRL is a base CRL or not). There is no requirement that the next full CRL be a base CRL. (The CA could quit issuing deltas, etc. etc.) Every base CRL MUST be a full CRL, but not every full CRL is a base CRL. But, a CA could make every full CRL a base CRL if they wanted to. >4) Does a CA needs to issue a delta CRL at the same time a new base is >issued ? > >Denis: Yes. The delta CRL refers to the *new* base. >Tim/David/Russ : ??? No. HOWEVER, in practice we belive that CAs will do so. The delta CRL needs to exist so that clients can follow the freshest CRL extension (either in a certificate or a base CRL). The delta CRL that is issued at the same time SHOULD point to a previously issued full CRL (which will then, by definition be a base CRL) whenever possible. There is no information to add to the new base CRL! By providing the delta as an update to a previous base CRL, clients can download the delta CRL to construct the new base CRL. >The last point highlights the most noticeable difference. Other differences >appears when considering the guaranty to get the freshest information : >using the traditional scheme and the thisUpdate and nextUpdate fields the >guaranty to get the freshest information is obtained, but cannot be obtained >using the other scheme. :-( > >Several people are referring to the X.509 document for arguments to support >that discussion. However, it is important to remember that we are defining >PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, >but only what we believe is relevant. PKIX is a profile of X.509. PKIX may impose additional requirements beyond those in X.509 or may exclude features that are optional in X.509, but otherwise PKIX must be consistent with X.509. In that context, references to X.509 are appropriate. >We first need to clearly define the processing rules applicable to the >relying parties. These rules will certainly contain SHALL/MUST statements, >but may also include some MAY statements which may even be conditional to >what the CA is doing. (I let Tim/David or Russ provide the MAY statement). > >Here is a proposal for the MUST statement, based on the previous text I >produced: > > An application that is wishing to take advantage of delta CRLs > for a given scope, MUST first find a base CRL for that scope, > i.e. a full CRL that that contains a freshestCRL extension > (a.k.a. a Delta CRL distribution point). No. The relying party needs a full CRL (either one that has been downloaded from a repository or one that has been locally generated) against which the delta CRL of interest may be applied. There is no requirement that the full CRL be a base CRL. > It may then construct > an updated CRL for that base, for a specific time T, by combining > it with a delta CRL which contains a delta CRL indicator extension > with the same CRL number as the base CRL. It may construct an updated CRL by combining the delta CRL with any full CRL whose CRL number is greater than or equal to the CRL number of the referenced base. By saying "equal" instead of "greater than or equal" we would be hiding useful information from implementors. We should not be hiding useful information. > Applications that support > delta CRLs MUST ensure that time T falls between thisUpdate and > nextUpdate for both the base CRL and the delta CRL. As stated above, the nextUpdate field in a base CRL specifies the time by which new revocation information will be available through full CRLs. A delta CRL may be applied to a base CRL as long as the CRL number in the base CRL is greater than or equal to the CRL number of the base CRL referenced by the delta CRL. The nextUpdate time of the base CRL is irrelevant. > Note: An application could also reconstruct an updated CRL, for > a specific time T, by using a previously locally reconstructed CRL > based on the current base CRL, and combining it with a delta CRL which > contains a delta CRL indicator extension with the same CRL number as > the base CRL. Same problem as above. Need to say "greater than or equal to". >We also need to clearly separate the issuing rules applicable for the CAs. >These rules will certainly contain SHALL statements, but could also include >some MAY statements. (I let Tim/David or Russ provide the MAY statement). > >Here is a proposal for the MUST statement, based on the previous text I >produced: > > A CA that supports delta-CRLs, MUST issue a base CRL, This is an unnecessary statement. A delta CRL must include a BaseCRLNumber. The CRL specified by that BaseCRLNumber is by definition a base CRL. Of course, the referenced base CRL MUST be a full CRL. > i.e. a full > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > distribution point). While it might be a good idea to mandate the inclusion of the frestestCRL extension in full CRLs that are issued for scopes in which delta CRLs are also being issued, there is currently no such requirement in the draft PKIX profile. > For any time T until the nextUpdate time > indicated in a base CRL, the CA MUST provide one and only one > delta CRL that refers to that base CRL and for which time T > falls between thisUpdate and nextUpdate from the delta CRL. This sentence has several problems: 1) The nextUpdate time of a base CRL is the time when the next full CRL will be available, which may precede the time that the next base CRL will be issued. 2) There is no requirement that a delta CRL use the most recently issued base CRL as its base. I suppose that we could add this requirement for the PKIX profile, but why? Does it really simplify the client? Or, does it just make it a wee bit harder to make a conforming CA that supports delta CRLs? 3) If the thisUpdate time of one delta CRL must equal the nextUpdate time of the previously issued delta CRL, then no time can be allotted to account for propagation delays between when a delta-CRL is issued and when it is available in repositories for relying parties to obtain. Thus, there would be gaps between when the nextUpdate time of one delta-CRL was reached and when the next delta-CRL was available. 4) There is nothing in either X.509 or the PKIX profile that prevents a CA from issuing an unscheduled (or "emergency") delta CRL. And, there should not be! Many CAs intend to issue a new CRL (delta or otherwise) immediately upon the revocation of a certificate due to key compromise. When such an "emergency" delta CRL is issued, there will be two delta CRLs for which T falls between thisUpdate and nextUpdate. While it is true that there is no guarantee that relying parties will obtain the fresher of these two delta CRLs, that is no reason to prevent the CA from issuing the "emergency" delta. Some clients will obtain the emergency CRL. >In his e-mail from Wednesday, May 9, David said that delta-CRL processing >rules could be base on time instead of CRL numbers. This is a point of which >I strongly agree. Let us do it! > >(However, there is no need to add to PKIX, as he suggested, the support of >the baseUpdateTime extension from X.509 which would even more complicate the >problem.) No. In order to base delta CRL processing on time, the baseUpdateTime extension must be present in the delta CRL. Furthermore, the presence of this extension would not complicate the problem. baseUpdateTime is a non-critical extension that merely provides useful information. If you don't think that the information provided by baseUpdateTime is useful, ignore it. Since the extension is non-critical and can be ignored, its presence can not complicate the problem. At 09:05 AM 5/10/2001 -0400, Housley, Russ wrote: >Denis: > >>There is difference between a base CRL and a full CRL > >You are quite right. I, for one, will try to be more careful about the >use of them. > >>Due to the fact that CRLs numbers are strictly increasing, two CRLs whether >>they are a base CRL or delta CRL, CANNOT have the same CRL number. > >I disagree. A full CRL (that may be a base CRL for subsequent delta CRLs) >and a delta CRL issued at the same time as that full CRL may actually >represent the same revocation information. In this case, they are the >same CRL, and they should have the same number. There have been several >tables posted that illustrate this numbering scheme, and I do not see any >text in X.509-200 that indicates this scheme is [snip - truncate - the message is too long anyway] Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id KAA19648 for <ietf-pkix@imc.org>; Thu, 10 May 2001 10:55:48 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 10 May 2001 17:55:30 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id NAA21233; Thu, 10 May 2001 13:55:48 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NWVZ4>; Thu, 10 May 2001 13:55:47 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.11]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NWVZQ; Thu, 10 May 2001 13:55:37 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Santosh Chokhani <chokhani@cygnacom.com> Cc: Denis Pinkas <Denis.Pinkas@bull.net>, ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010510111424.01873878@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 10 May 2001 11:15:25 -0400 Subject: RE: delta CRLs In-Reply-To: <8D7EC1912E25D411A32100D0B76953978DE98C@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Santosh: >In general, my reading of the standard is that a base CRL need not have >freshest CRL extension in it. That is correct. The freshest CRL extension is OPTIONAL. And, it can appear in either the certificate or the base CRL or both. Russ Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA17738 for <ietf-pkix@imc.org>; Thu, 10 May 2001 10:14:38 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K4X9NKRQ>; Thu, 10 May 2001 13:14:09 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE9B4@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Sharon Boeyen <sharon.boeyen@entrust.com>, "'Denis Pinkas'" <Denis.Pinkas@bull.net>, Carlin Covey <ccovey@cylink.com> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Thu, 10 May 2001 13:03:58 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D973.34078B70" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D973.34078B70 Content-Type: text/plain; charset="iso-8859-1" I agree with Sharon. -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Thursday, May 10, 2001 1:04 PM To: 'Denis Pinkas'; Carlin Covey; Sharon Boeyen Cc: ietf-pkix@imc.org Subject: RE: delta CRLs A full CRL is a CRL that is complete for a given scope. A base CRL is a CRL that is the foundation for a delta CRL. I think the reason the wording in the definitions doesn't tie them together any more than that is because of a nuance where a delta CRL may reference a base CRL that was never actually issued as a full CRL. This is the case where the delta provides updates from a certain point in time, but it may be the case, in some environments, that full CRLs are never issued and the relying parties always build their local full CRLs from deltas. I realize that is not the case PKIX describes, but that's at least one reason the 509 definitions are the way they are (and yes there are definitions in clause 3 for both base CRL and full CRL). So, the term base is only relevant when used in the context of a delta that points to it. As for freshestRevocationInfo, that is not mandated by 509, in the same way that other extensions are not. It is one way to indicate where to go to find deltas but there can be others (e.g. perhaps the relying parties know that there is one indirect CRL that provides delta info for all CAs inside an organization - perhaps this info is listed on their web site). If PKIX wanted to mandate it they could, but 509 certainly does not. Cheers, Sharon > -----Original Message----- > From: Denis Pinkas [ mailto:Denis.Pinkas@bull.net <mailto:Denis.Pinkas@bull.net> ] > Sent: Thursday, May 10, 2001 12:30 PM > To: Carlin Covey; Sharon Boeyen > Cc: ietf-pkix@imc.org > Subject: Re: delta CRLs > > > Carlin and Sharon (at the same time), > > > Denis, > > > Now I'm confused again (or still). > > :-) > > > I agree that there is a difference > > between a base CRL and a full CRL. However, my > understanding was that a CRL > > is a "base CRL" with respect to some delta CRL only by > virtue of having been > > so identified in that delta CRL. > > I believe that a base CRL must include the Freshest CRL > extension (a.k.a. > Delta CRL Distribution Point) defined in section 4.2.1.16. It > indicates both > that the service exists and where to fetch the information. It is a > non-critical extension so that a base CRL may also be used as > a full CL for > relying parties not supporting delta CRLs. > > > According to the PKIX profile, this base CRL must be a full CRL > > (complete for the intended scope). > > I believe that X.509 does not require that a base CRL be a full CRL. > > You just say above: "According to the PKIX profile, this base > CRL must be a > full CRL (complete for the intended scope". So do you mean > that X.509 and > PKIX are taking different approaches ? > > Regards, > > Denis > > > Regards, > > > > Carlin > > > > ____________________________ > > > > - Carlin Covey > > Cylink Corporation > > > > -----Original Message----- > > From: Denis Pinkas [ mailto:Denis.Pinkas@bull.net <mailto:Denis.Pinkas@bull.net> ] > > Sent: Thursday, May 10, 2001 1:19 AM > > Cc: ietf-pkix@imc.org > > Subject: Re: delta CRLs > > > > Tim, David, Russ, Santosh, Carlin, and many others ... > > > > There is difference between a base CRL and a full CRL : a > base CRL MUST > > include a freshestCRL extension (a.k.a. a Delta CRL > distribution point), > > whereas a full CRL may not include that extension. In other > words, a base > > CRL is a also a full CRL, but a full CRL is not necessarily > a base CRL. > > > > At any time a CA may issue a full CRL, whether or not a > base CRL has already > > been issued. This additional CRL SHOULD have nextUpdate equal to the > > nextUpdate of the last issued full CRL. However, there is > no guarantee that > > this additional CRL will ever be seen by the relying party > (because there > > will be two CRLs matching the thisUpdate and nextUpdate > rule and if one is > > deleted, this is not seen by a relying party). > > > > Due to the fact that CRLs numbers are strictly increasing, > two CRLs whether > > they are a base CRL or delta CRL, CANNOT have the same CRL > number. So a > > delta CRL and a full CRL that cover the same scope and are > issued at the > > same time CANNOT have the same number. If a full CRL is > issued, its CRL > > number bears no relationship with the previous base CRL, if > any. The only > > relationship between the numbers is defined by the rule > that CRLs numbers > > are strictly increasing. As Santosh said : "the CRL number is unique > > whether it is a base or a delta ". > > > > This is fairly important to be able to unambiguously (and > thus uniquely) > > refer to a CRL by only providing its CRL number. > > > > Besides the fact that a CRL issued later MUST have a higher > CRL number, full > > CRLs and delta CRLs have independent numbering rules. As > noticed by Santosh, > > " if the delta thisUpdate > base thisUpdate, delta CRL > number > base CRL > > number (for the same or no stream identifier). > > > > As Santosh said : "a check based on thisUpdate is more general and > > preferred [to the use of CRL numbers]. " > > > > Related to the three rules mentioned by Russ : > > > > 1) the first rule is not understandable to me. > > 2) the second rule does not say anything more than the > basic rule valid > > for any CRL (i.e. a CRL issued later MUST have a higher > CRL number). > > 3) we will debate the hold condition, once we will have > sorted the main > > issue. > > > > Russ said : "If separate number sequence is used, then you > will have to > > periodically fetch base CRLs ". This is true. > > > > Tim said that he would *not* like to be forced to download > new base CRLs. > > This is the core of the "dispute". > > > > >From the definition of what a delta CRL is, it is *not* possible to > > get rid of the fetching of base CRLs. Unless we add a new > sentence to > > expand/change that definition, base CRL fetching will > remain mandatory. > > > > Remember that the goal of delta CRLs is to provide the > freshest information, > > and to my knowledge the goal was not to get rid of the > fetching of base CRLs > > (which may less frequent due to the support of delta CRLs). > > > > If I understand correctly, Tim/David/Russ would like to > *always* achieve the > > following property : it is possible to reconstruct the > current CRL by using > > a base CRL from, e.g. 1990, i.e. by capturing every delta > CRL that has been > > issued at the same time a base CRL was issued and which > contains updates > > made to the *previous* base. > > > > By this way the fetching of base CRLs could be avoided. > However, note that > > it is perfectly " legal " to stop issuing base and delta > CRLs during some > > period of time and to issue full CRLs instead (see the > difference between > > "full" and "base" at the top of this e-mail). In other > words there is no > > need to issue a new base CRL at the end of the validity > period of the > > previous base CRL. Doing this would mandate to prescribe > issuing rules > > for CAs that we have not prescripted. > > > > I will now raise a series of questions, for which I believe we have > > different answers. Tim/David/Russ do not hesitate to correct > > if my guess is wrong. ;-) > > > > Common point: > > > > 1) What will be the value of the nextUpdate field from the > last issued delta > > CRL for a given base CRL ? > > > > Denis: the nextUpdate field from the last issued delta CRL > MUST be equal to > > the value of nextUpdate from the base CRL. > > > > Tim/David/Russ: ??? > > > > 2) Does a CA needs to issue a delta CRL at the time a full > CRL is issued ? > > > > Denis: No. > > Tim/David/Russ : ??? > > > > 3) Does a CA needs to issue a new base CRL at the end of > the validity of a > > current base CRL ? > > > > Denis: No. > > Tim/David/Russ : ??? > > > > 4) Does a CA needs to issue a delta CRL at the same time a > new base is > > issued ? > > > > Denis: Yes. The delta CRL refers to the *new* base. > > Tim/David/Russ : Yes. The delta CRL refers to the > *previous* base. [Note > > that there can be no previous at all, or the "previous" may > even be three > > months old]. > > > > The last point highlights the most noticeable difference. > Other differences > > appears when considering the guaranty to get the freshest > information : > > using the traditional scheme and the thisUpdate and > nextUpdate fields the > > guaranty to get the freshest information is obtained, but > cannot be obtained > > using the other scheme. :-( > > > > Several people are referring to the X.509 document for > arguments to support > > that discussion. However, it is important to remember that > we are defining > > PKIX, not X.509, so we DO NOT need to copy and paste > everything from X.509, > > but only what we believe is relevant. > > > > We first need to clearly define the processing rules > applicable to the > > relying parties. These rules will certainly contain > SHALL/MUST statements, > > but may also include some MAY statements which may even be > conditional to > > what the CA is doing. (I let Tim/David or Russ provide the > MAY statement). > > > > Here is a proposal for the MUST statement, based on the > previous text I > > produced: > > > > An application that is wishing to take advantage of delta CRLs > > for a given scope, MUST first find a base CRL for that scope, > > i.e. a full CRL that that contains a freshestCRL extension > > (a.k.a. a Delta CRL distribution point). It may then construct > > an updated CRL for that base, for a specific time T, by combining > > it with a delta CRL which contains a delta CRL indicator > extension > > with the same CRL number as the base CRL. Applications > that support > > delta CRLs MUST ensure that time T falls between thisUpdate and > > nextUpdate for both the base CRL and the delta CRL. > > > > Note: An application could also reconstruct an updated CRL, for > > a specific time T, by using a previously locally > reconstructed CRL > > based on the current base CRL, and combining it with a > delta CRL which > > contains a delta CRL indicator extension with the same > CRL number as > > the base CRL. > > > > We also need to clearly separate the issuing rules > applicable for the CAs. > > These rules will certainly contain SHALL statements, but > could also include > > some MAY statements. (I let Tim/David or Russ provide the > MAY statement). > > > > Here is a proposal for the MUST statement, based on the > previous text I > > produced: > > > > A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full > > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > > distribution point). For any time T until the nextUpdate time > > indicated in a base CRL, the CA MUST provide one and only one > > delta CRL that refers to that base CRL and for which time T > > falls between thisUpdate and nextUpdate from the delta CRL. > > > > In his e-mail from Wednesday, May 9, David said that > delta-CRL processing > > rules could be base on time instead of CRL numbers. This is > a point of which > > I strongly agree. Let us do it! > > > > (However, there is no need to add to PKIX, as he suggested, > the support of > > the baseUpdateTime extension from X.509 which would even > more complicate the > > problem.) > > > > Regards, > > > > Denis > ------_=_NextPart_001_01C0D973.34078B70 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>RE: delta CRLs</TITLE> <META content="MSHTML 5.00.2014.210" name=GENERATOR></HEAD> <BODY> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=981451217-10052001>I agree with Sharon.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=981451217-10052001></SPAN></FONT> </DIV> <DIV class=OutlookMessageHeader><FONT face="Times New Roman" size=2>-----Original Message-----<BR><B>From:</B> Sharon Boeyen [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Thursday, May 10, 2001 1:04 PM<BR><B>To:</B> 'Denis Pinkas'; Carlin Covey; Sharon Boeyen<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta CRLs<BR><BR></FONT></DIV> <P><FONT size=2>A full CRL is a CRL that is complete for a given scope. A base CRL is a CRL</FONT> <BR><FONT size=2>that is the foundation for a delta CRL. I think the reason the wording in </FONT><BR><FONT size=2>the definitions doesn't tie them together any more than that is because of </FONT><BR><FONT size=2>a nuance where a delta CRL may reference a base CRL that was never actually </FONT><BR><FONT size=2>issued as a full CRL. This is the case where the delta provides updates </FONT><BR><FONT size=2>from a certain point in time, but it may be the case, in some environments, </FONT><BR><FONT size=2>that full CRLs are never issued and the relying parties always build their </FONT><BR><FONT size=2>local full CRLs from deltas. I realize that is not the case PKIX describes, </FONT><BR><FONT size=2>but that's at least one reason the 509 definitions are the way they are (and</FONT> <BR><FONT size=2>yes there are definitions in clause 3 for both base CRL and full CRL).</FONT> <BR><FONT size=2>So, the term base is only relevant when used in the context of a delta that</FONT> <BR><FONT size=2>points to it. </FONT></P> <P><FONT size=2>As for freshestRevocationInfo, that is not mandated by 509, in the same </FONT><BR><FONT size=2>way that other extensions are not. It is one way to indicate where to </FONT><BR><FONT size=2>go to find deltas but there can be others (e.g. perhaps the relying </FONT><BR><FONT size=2>parties know that there is one indirect CRL that provides delta info</FONT> <BR><FONT size=2>for all CAs inside an organization - perhaps this info is listed on </FONT><BR><FONT size=2>their web site). If PKIX wanted to mandate it they could, but 509 </FONT><BR><FONT size=2>certainly does not.</FONT> </P> <P><FONT size=2>Cheers,</FONT> <BR><FONT size=2>Sharon</FONT> </P> <P><FONT size=2>> -----Original Message-----</FONT> <BR><FONT size=2>> From: Denis Pinkas [<A href="mailto:Denis.Pinkas@bull.net">mailto:Denis.Pinkas@bull.net</A>]</FONT> <BR><FONT size=2>> Sent: Thursday, May 10, 2001 12:30 PM</FONT> <BR><FONT size=2>> To: Carlin Covey; Sharon Boeyen</FONT> <BR><FONT size=2>> Cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>> Subject: Re: delta CRLs</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> Carlin and Sharon (at the same time),</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> > Denis,</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> > Now I'm confused again (or still). </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> :-)</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> > I agree that there is a difference</FONT> <BR><FONT size=2>> > between a base CRL and a full CRL. However, my </FONT><BR><FONT size=2>> understanding was that a CRL</FONT> <BR><FONT size=2>> > is a "base CRL" with respect to some delta CRL only by </FONT><BR><FONT size=2>> virtue of having been</FONT> <BR><FONT size=2>> > so identified in that delta CRL. </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> I believe that a base CRL must include the Freshest CRL </FONT><BR><FONT size=2>> extension (a.k.a.</FONT> <BR><FONT size=2>> Delta CRL Distribution Point) defined in section 4.2.1.16. It </FONT><BR><FONT size=2>> indicates both</FONT> <BR><FONT size=2>> that the service exists and where to fetch the information. It is a</FONT> <BR><FONT size=2>> non-critical extension so that a base CRL may also be used as </FONT><BR><FONT size=2>> a full CL for</FONT> <BR><FONT size=2>> relying parties not supporting delta CRLs.</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> > According to the PKIX profile, this base CRL must be a full CRL </FONT><BR><FONT size=2>> > (complete for the intended scope). </FONT><BR><FONT size=2>> > I believe that X.509 does not require that a base CRL be a full CRL.</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> You just say above: "According to the PKIX profile, this base </FONT><BR><FONT size=2>> CRL must be a</FONT> <BR><FONT size=2>> full CRL (complete for the intended scope". So do you mean </FONT><BR><FONT size=2>> that X.509 and</FONT> <BR><FONT size=2>> PKIX are taking different approaches ?</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> Regards,</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> Denis</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> > Regards,</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Carlin</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > ____________________________</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > - Carlin Covey</FONT> <BR><FONT size=2>> > Cylink Corporation</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > -----Original Message-----</FONT> <BR><FONT size=2>> > From: Denis Pinkas [<A href="mailto:Denis.Pinkas@bull.net">mailto:Denis.Pinkas@bull.net</A>]</FONT> <BR><FONT size=2>> > Sent: Thursday, May 10, 2001 1:19 AM</FONT> <BR><FONT size=2>> > Cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>> > Subject: Re: delta CRLs</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Tim, David, Russ, Santosh, Carlin, and many others ...</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > There is difference between a base CRL and a full CRL : a </FONT><BR><FONT size=2>> base CRL MUST</FONT> <BR><FONT size=2>> > include a freshestCRL extension (a.k.a. a Delta CRL </FONT><BR><FONT size=2>> distribution point),</FONT> <BR><FONT size=2>> > whereas a full CRL may not include that extension. In other </FONT><BR><FONT size=2>> words, a base</FONT> <BR><FONT size=2>> > CRL is a also a full CRL, but a full CRL is not necessarily </FONT><BR><FONT size=2>> a base CRL.</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > At any time a CA may issue a full CRL, whether or not a </FONT><BR><FONT size=2>> base CRL has already</FONT> <BR><FONT size=2>> > been issued. This additional CRL SHOULD have nextUpdate equal to the</FONT> <BR><FONT size=2>> > nextUpdate of the last issued full CRL. However, there is </FONT><BR><FONT size=2>> no guarantee that</FONT> <BR><FONT size=2>> > this additional CRL will ever be seen by the relying party </FONT><BR><FONT size=2>> (because there</FONT> <BR><FONT size=2>> > will be two CRLs matching the thisUpdate and nextUpdate </FONT><BR><FONT size=2>> rule and if one is</FONT> <BR><FONT size=2>> > deleted, this is not seen by a relying party).</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Due to the fact that CRLs numbers are strictly increasing, </FONT><BR><FONT size=2>> two CRLs whether</FONT> <BR><FONT size=2>> > they are a base CRL or delta CRL, CANNOT have the same CRL </FONT><BR><FONT size=2>> number. So a</FONT> <BR><FONT size=2>> > delta CRL and a full CRL that cover the same scope and are </FONT><BR><FONT size=2>> issued at the</FONT> <BR><FONT size=2>> > same time CANNOT have the same number. If a full CRL is </FONT><BR><FONT size=2>> issued, its CRL</FONT> <BR><FONT size=2>> > number bears no relationship with the previous base CRL, if </FONT><BR><FONT size=2>> any. The only</FONT> <BR><FONT size=2>> > relationship between the numbers is defined by the rule </FONT><BR><FONT size=2>> that CRLs numbers</FONT> <BR><FONT size=2>> > are strictly increasing. As Santosh said : "the CRL number is unique</FONT> <BR><FONT size=2>> > whether it is a base or a delta ".</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > This is fairly important to be able to unambiguously (and </FONT><BR><FONT size=2>> thus uniquely)</FONT> <BR><FONT size=2>> > refer to a CRL by only providing its CRL number.</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Besides the fact that a CRL issued later MUST have a higher </FONT><BR><FONT size=2>> CRL number, full</FONT> <BR><FONT size=2>> > CRLs and delta CRLs have independent numbering rules. As </FONT><BR><FONT size=2>> noticed by Santosh,</FONT> <BR><FONT size=2>> > " if the delta thisUpdate > base thisUpdate, delta CRL </FONT><BR><FONT size=2>> number > base CRL</FONT> <BR><FONT size=2>> > number (for the same or no stream identifier).</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > As Santosh said : "a check based on thisUpdate is more general and</FONT> <BR><FONT size=2>> > preferred [to the use of CRL numbers]. "</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Related to the three rules mentioned by Russ :</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > 1) the first rule is not understandable to me.</FONT> <BR><FONT size=2>> > 2) the second rule does not say anything more than the </FONT><BR><FONT size=2>> basic rule valid</FONT> <BR><FONT size=2>> > for any CRL (i.e. a CRL issued later MUST have a higher </FONT><BR><FONT size=2>> CRL number).</FONT> <BR><FONT size=2>> > 3) we will debate the hold condition, once we will have </FONT><BR><FONT size=2>> sorted the main</FONT> <BR><FONT size=2>> > issue.</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Russ said : "If separate number sequence is used, then you </FONT><BR><FONT size=2>> will have to</FONT> <BR><FONT size=2>> > periodically fetch base CRLs ". This is true.</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Tim said that he would *not* like to be forced to download </FONT><BR><FONT size=2>> new base CRLs.</FONT> <BR><FONT size=2>> > This is the core of the "dispute".</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > >From the definition of what a delta CRL is, it is *not* possible to</FONT> <BR><FONT size=2>> > get rid of the fetching of base CRLs. Unless we add a new </FONT><BR><FONT size=2>> sentence to</FONT> <BR><FONT size=2>> > expand/change that definition, base CRL fetching will </FONT><BR><FONT size=2>> remain mandatory.</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Remember that the goal of delta CRLs is to provide the </FONT><BR><FONT size=2>> freshest information,</FONT> <BR><FONT size=2>> > and to my knowledge the goal was not to get rid of the </FONT><BR><FONT size=2>> fetching of base CRLs</FONT> <BR><FONT size=2>> > (which may less frequent due to the support of delta CRLs).</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > If I understand correctly, Tim/David/Russ would like to </FONT><BR><FONT size=2>> *always* achieve the</FONT> <BR><FONT size=2>> > following property : it is possible to reconstruct the </FONT><BR><FONT size=2>> current CRL by using</FONT> <BR><FONT size=2>> > a base CRL from, e.g. 1990, i.e. by capturing every delta </FONT><BR><FONT size=2>> CRL that has been</FONT> <BR><FONT size=2>> > issued at the same time a base CRL was issued and which </FONT><BR><FONT size=2>> contains updates</FONT> <BR><FONT size=2>> > made to the *previous* base.</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > By this way the fetching of base CRLs could be avoided. </FONT><BR><FONT size=2>> However, note that</FONT> <BR><FONT size=2>> > it is perfectly " legal " to stop issuing base and delta </FONT><BR><FONT size=2>> CRLs during some</FONT> <BR><FONT size=2>> > period of time and to issue full CRLs instead (see the </FONT><BR><FONT size=2>> difference between</FONT> <BR><FONT size=2>> > "full" and "base" at the top of this e-mail). In other </FONT><BR><FONT size=2>> words there is no</FONT> <BR><FONT size=2>> > need to issue a new base CRL at the end of the validity </FONT><BR><FONT size=2>> period of the</FONT> <BR><FONT size=2>> > previous base CRL. Doing this would mandate to prescribe </FONT><BR><FONT size=2>> issuing rules</FONT> <BR><FONT size=2>> > for CAs that we have not prescripted.</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > I will now raise a series of questions, for which I believe we have</FONT> <BR><FONT size=2>> > different answers. Tim/David/Russ do not hesitate to correct</FONT> <BR><FONT size=2>> > if my guess is wrong. ;-)</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Common point:</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > 1) What will be the value of the nextUpdate field from the </FONT><BR><FONT size=2>> last issued delta</FONT> <BR><FONT size=2>> > CRL for a given base CRL ?</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Denis: the nextUpdate field from the last issued delta CRL </FONT><BR><FONT size=2>> MUST be equal to</FONT> <BR><FONT size=2>> > the value of nextUpdate from the base CRL.</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Tim/David/Russ: ???</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > 2) Does a CA needs to issue a delta CRL at the time a full </FONT><BR><FONT size=2>> CRL is issued ?</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Denis: No.</FONT> <BR><FONT size=2>> > Tim/David/Russ : ???</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > 3) Does a CA needs to issue a new base CRL at the end of </FONT><BR><FONT size=2>> the validity of a</FONT> <BR><FONT size=2>> > current base CRL ?</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Denis: No.</FONT> <BR><FONT size=2>> > Tim/David/Russ : ???</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > 4) Does a CA needs to issue a delta CRL at the same time a </FONT><BR><FONT size=2>> new base is</FONT> <BR><FONT size=2>> > issued ?</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Denis: Yes. The delta CRL refers to the *new* base.</FONT> <BR><FONT size=2>> > Tim/David/Russ : Yes. The delta CRL refers to the </FONT><BR><FONT size=2>> *previous* base. [Note</FONT> <BR><FONT size=2>> > that there can be no previous at all, or the "previous" may </FONT><BR><FONT size=2>> even be three</FONT> <BR><FONT size=2>> > months old].</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > The last point highlights the most noticeable difference. </FONT><BR><FONT size=2>> Other differences</FONT> <BR><FONT size=2>> > appears when considering the guaranty to get the freshest </FONT><BR><FONT size=2>> information :</FONT> <BR><FONT size=2>> > using the traditional scheme and the thisUpdate and </FONT><BR><FONT size=2>> nextUpdate fields the</FONT> <BR><FONT size=2>> > guaranty to get the freshest information is obtained, but </FONT><BR><FONT size=2>> cannot be obtained</FONT> <BR><FONT size=2>> > using the other scheme. :-(</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Several people are referring to the X.509 document for </FONT><BR><FONT size=2>> arguments to support</FONT> <BR><FONT size=2>> > that discussion. However, it is important to remember that </FONT><BR><FONT size=2>> we are defining</FONT> <BR><FONT size=2>> > PKIX, not X.509, so we DO NOT need to copy and paste </FONT><BR><FONT size=2>> everything from X.509,</FONT> <BR><FONT size=2>> > but only what we believe is relevant.</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > We first need to clearly define the processing rules </FONT><BR><FONT size=2>> applicable to the</FONT> <BR><FONT size=2>> > relying parties. These rules will certainly contain </FONT><BR><FONT size=2>> SHALL/MUST statements,</FONT> <BR><FONT size=2>> > but may also include some MAY statements which may even be </FONT><BR><FONT size=2>> conditional to</FONT> <BR><FONT size=2>> > what the CA is doing. (I let Tim/David or Russ provide the </FONT><BR><FONT size=2>> MAY statement).</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Here is a proposal for the MUST statement, based on the </FONT><BR><FONT size=2>> previous text I</FONT> <BR><FONT size=2>> > produced:</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > An application that is wishing to take advantage of delta CRLs</FONT> <BR><FONT size=2>> > for a given scope, MUST first find a base CRL for that scope,</FONT> <BR><FONT size=2>> > i.e. a full CRL that that contains a freshestCRL extension</FONT> <BR><FONT size=2>> > (a.k.a. a Delta CRL distribution point). It may then construct</FONT> <BR><FONT size=2>> > an updated CRL for that base, for a specific time T, by combining</FONT> <BR><FONT size=2>> > it with a delta CRL which contains a delta CRL indicator </FONT><BR><FONT size=2>> extension</FONT> <BR><FONT size=2>> > with the same CRL number as the base CRL. Applications </FONT><BR><FONT size=2>> that support</FONT> <BR><FONT size=2>> > delta CRLs MUST ensure that time T falls between thisUpdate and</FONT> <BR><FONT size=2>> > nextUpdate for both the base CRL and the delta CRL.</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Note: An application could also reconstruct an updated CRL, for</FONT> <BR><FONT size=2>> > a specific time T, by using a previously locally </FONT><BR><FONT size=2>> reconstructed CRL</FONT> <BR><FONT size=2>> > based on the current base CRL, and combining it with a </FONT><BR><FONT size=2>> delta CRL which</FONT> <BR><FONT size=2>> > contains a delta CRL indicator extension with the same </FONT><BR><FONT size=2>> CRL number as</FONT> <BR><FONT size=2>> > the base CRL.</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > We also need to clearly separate the issuing rules </FONT><BR><FONT size=2>> applicable for the CAs.</FONT> <BR><FONT size=2>> > These rules will certainly contain SHALL statements, but </FONT><BR><FONT size=2>> could also include</FONT> <BR><FONT size=2>> > some MAY statements. (I let Tim/David or Russ provide the </FONT><BR><FONT size=2>> MAY statement).</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Here is a proposal for the MUST statement, based on the </FONT><BR><FONT size=2>> previous text I</FONT> <BR><FONT size=2>> > produced:</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full</FONT> <BR><FONT size=2>> > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL</FONT> <BR><FONT size=2>> > distribution point). For any time T until the nextUpdate time</FONT> <BR><FONT size=2>> > indicated in a base CRL, the CA MUST provide one and only one</FONT> <BR><FONT size=2>> > delta CRL that refers to that base CRL and for which time T</FONT> <BR><FONT size=2>> > falls between thisUpdate and nextUpdate from the delta CRL.</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > In his e-mail from Wednesday, May 9, David said that </FONT><BR><FONT size=2>> delta-CRL processing</FONT> <BR><FONT size=2>> > rules could be base on time instead of CRL numbers. This is </FONT><BR><FONT size=2>> a point of which</FONT> <BR><FONT size=2>> > I strongly agree. Let us do it!</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > (However, there is no need to add to PKIX, as he suggested, </FONT><BR><FONT size=2>> the support of</FONT> <BR><FONT size=2>> > the baseUpdateTime extension from X.509 which would even </FONT><BR><FONT size=2>> more complicate the</FONT> <BR><FONT size=2>> > problem.)</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Regards,</FONT> <BR><FONT size=2>> > </FONT><BR><FONT size=2>> > Denis</FONT> <BR><FONT size=2>> </FONT></P></BODY></HTML> ------_=_NextPart_001_01C0D973.34078B70-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA17518 for <ietf-pkix@imc.org>; Thu, 10 May 2001 10:13:00 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K4X9NKQN>; Thu, 10 May 2001 13:12:32 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE9B3@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Denis Pinkas <Denis.Pinkas@bull.net>, Santosh Chokhani <chokhani@cygnacom.com> Cc: Carlin Covey <ccovey@cylink.com>, Sharon Boeyen <sharon.boeyen@entrust.com>, ietf-pkix@imc.org Subject: RE: delta CRLs Date: Thu, 10 May 2001 13:03:17 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D973.1BA812C0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D973.1BA812C0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Denis: See comments in-line. -----Original Message----- From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] Sent: Thursday, May 10, 2001 12:53 PM To: Santosh Chokhani Cc: Carlin Covey; Sharon Boeyen; ietf-pkix@imc.org Subject: Re: delta CRLs Santosh, Let me send you a reply just before leaving my office tonight. > Denis: >=20 > I do not agree with you. Any CRL that is not a delta CRL (i.e., > deltaCRLIndicator extension is absent), is a base CRL for some scope = as > defined in CRLScope extension and/or the IDP extension. I do not agree with you either. For a CRL to be a base CRL, there needs first to be a delta CRL for it. In a closed environment, you could say = that this is sufficient because there is fixed point of contact to fetch = delta CRLs from and that this point is known using "out-of-bansds" means. We = all know what this means in terms of scalability. :-( [Santosh Says: The above is not relevant. If I wanted to be rude I = would say that it is hogwash and mumbo jumbo. The idea is very simple. A = CRL that is not a delta, is a base. You can take a delta and apply it to a = base and get the current information. That base must be issued at the time = or later than the referenced base (meaning simply a CRL that is not a = delta CRL and has the referenced CRL number, nothing more, nothing less, assuming = no cRLStreamIdentifier per PKIX profile). Further more this base must be issued earlier than the delta. Because, if the base was issued later = than the delta, you might as well use the base w/o delta.] Until the CRL distribution point is used, noone knew where to fecth = CRLs from. The same will apply for delta CRLs. If we want to use delta CRLs = in an open environment, then we need the freshest CRL extension to be = present. [Santosh Says: Thanks this paragraph at least makes sense, albeit it is wrong. But it is not Kafkaism. You can alternatively query the = deltaCRL attribute for the CA entry] There are other side advantages: 1=B0 it allows to know when delta CRLs are supported, otherwise fetches = in the repository would be done for nothing. So it saves time and/or = increases performances. [Santosh Says: I agree with you. But, this a sound engineering = decision and can not be made a requirement] 2=B0 it allows to make sure that a delta scheme is supported and by = using additional rules, it allows to make sure to get the freshest delta = CRL.=20 [Santosh Says: You can simply query the deltaCRL attribute for = freshest] I hope this clarifies the point. [Santosh Say: I hope you see that while freshestCRL being a desirable extension, is not a requirement to implement delta CRL.] Regards, Denis =20 =20 > -----Original Message----- > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] > Sent: Thursday, May 10, 2001 12:30 PM > To: Carlin Covey; Sharon Boeyen > Cc: ietf-pkix@imc.org > Subject: Re: delta CRLs >=20 > Carlin and Sharon (at the same time), >=20 > > Denis, >=20 > > Now I'm confused again (or still). >=20 > :-) >=20 > > I agree that there is a difference > > between a base CRL and a full CRL. However, my understanding was = that a > CRL > > is a "base CRL" with respect to some delta CRL only by virtue of = having > been > > so identified in that delta CRL. >=20 > I believe that a base CRL must include the Freshest CRL extension = (a.k.a. > Delta CRL Distribution Point) defined in section 4.2.1.16. It = indicates > both > that the service exists and where to fetch the information. It is a > non-critical extension so that a base CRL may also be used as a full = CL > for > relying parties not supporting delta CRLs. >=20 > > According to the PKIX profile, this base CRL must be a full CRL > > (complete for the intended scope). > > I believe that X.509 does not require that a base CRL be a full = CRL. >=20 > You just say above: "According to the PKIX profile, this base CRL = must be > a > full CRL (complete for the intended scope". So do you mean that X.509 = and > PKIX are taking different approaches ? >=20 > Regards, >=20 > Denis >=20 > > Regards, > > > > Carlin > > > > ____________________________ > > > > - Carlin Covey > > Cylink Corporation > > > > -----Original Message----- > > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] > > Sent: Thursday, May 10, 2001 1:19 AM > > Cc: ietf-pkix@imc.org > > Subject: Re: delta CRLs > > > > Tim, David, Russ, Santosh, Carlin, and many others ... > > > > There is difference between a base CRL and a full CRL : a base CRL = MUST > > include a freshestCRL extension (a.k.a. a Delta CRL distribution = point), >=20 > > whereas a full CRL may not include that extension. In other words, = a > base > > CRL is a also a full CRL, but a full CRL is not necessarily a base = CRL. > > > > At any time a CA may issue a full CRL, whether or not a base CRL = has > already > > been issued. This additional CRL SHOULD have nextUpdate equal to = the > > nextUpdate of the last issued full CRL. However, there is no = guarantee > that > > this additional CRL will ever be seen by the relying party (because > there > > will be two CRLs matching the thisUpdate and nextUpdate rule and if = one > is > > deleted, this is not seen by a relying party). > > > > Due to the fact that CRLs numbers are strictly increasing, two CRLs > whether > > they are a base CRL or delta CRL, CANNOT have the same CRL number. = So a > > delta CRL and a full CRL that cover the same scope and are issued = at the >=20 > > same time CANNOT have the same number. If a full CRL is issued, its = CRL > > number bears no relationship with the previous base CRL, if any. = The > only > > relationship between the numbers is defined by the rule that CRLs > numbers > > are strictly increasing. As Santosh said : "the CRL number is = unique > > whether it is a base or a delta ". > > > > This is fairly important to be able to unambiguously (and thus = uniquely) >=20 > > refer to a CRL by only providing its CRL number. > > > > Besides the fact that a CRL issued later MUST have a higher CRL = number, > full > > CRLs and delta CRLs have independent numbering rules. As noticed by > Santosh, > > " if the delta thisUpdate > base thisUpdate, delta CRL number > = base CRL >=20 > > number (for the same or no stream identifier). > > > > As Santosh said : "a check based on thisUpdate is more general and > > preferred [to the use of CRL numbers]. " > > > > Related to the three rules mentioned by Russ : > > > > 1) the first rule is not understandable to me. > > 2) the second rule does not say anything more than the basic rule = valid > > for any CRL (i.e. a CRL issued later MUST have a higher CRL = number). > > 3) we will debate the hold condition, once we will have sorted the = main > > issue. > > > > Russ said : "If separate number sequence is used, then you will = have to > > periodically fetch base CRLs ". This is true. > > > > Tim said that he would *not* like to be forced to download new base > CRLs. > > This is the core of the "dispute". > > > > >From the definition of what a delta CRL is, it is *not* possible = to > > get rid of the fetching of base CRLs. Unless we add a new sentence = to > > expand/change that definition, base CRL fetching will remain = mandatory. > > > > Remember that the goal of delta CRLs is to provide the freshest > information, > > and to my knowledge the goal was not to get rid of the fetching of = base > CRLs > > (which may less frequent due to the support of delta CRLs). > > > > If I understand correctly, Tim/David/Russ would like to *always* = achieve > the > > following property : it is possible to reconstruct the current CRL = by > using > > a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that = has > been > > issued at the same time a base CRL was issued and which contains = updates >=20 > > made to the *previous* base. > > > > By this way the fetching of base CRLs could be avoided. However, = note > that > > it is perfectly " legal " to stop issuing base and delta CRLs = during > some > > period of time and to issue full CRLs instead (see the difference > between > > "full" and "base" at the top of this e-mail). In other words there = is no >=20 > > need to issue a new base CRL at the end of the validity period of = the > > previous base CRL. Doing this would mandate to prescribe issuing = rules > > for CAs that we have not prescripted. > > > > I will now raise a series of questions, for which I believe we have > > different answers. Tim/David/Russ do not hesitate to correct > > if my guess is wrong. ;-) > > > > Common point: > > > > 1) What will be the value of the nextUpdate field from the last = issued > delta > > CRL for a given base CRL ? > > > > Denis: the nextUpdate field from the last issued delta CRL MUST be = equal > to > > the value of nextUpdate from the base CRL. > > > > Tim/David/Russ: ??? > > > > 2) Does a CA needs to issue a delta CRL at the time a full CRL is = issued > ? > > > > Denis: No. > > Tim/David/Russ : ??? > > > > 3) Does a CA needs to issue a new base CRL at the end of the = validity of > a > > current base CRL ? > > > > Denis: No. > > Tim/David/Russ : ??? > > > > 4) Does a CA needs to issue a delta CRL at the same time a new base = is > > issued ? > > > > Denis: Yes. The delta CRL refers to the *new* base. > > Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. = [Note >=20 > > that there can be no previous at all, or the "previous" may even be > three > > months old]. > > > > The last point highlights the most noticeable difference. Other > differences > > appears when considering the guaranty to get the freshest = information : > > using the traditional scheme and the thisUpdate and nextUpdate = fields > the > > guaranty to get the freshest information is obtained, but cannot be > obtained > > using the other scheme. :-( > > > > Several people are referring to the X.509 document for arguments to > support > > that discussion. However, it is important to remember that we are > defining > > PKIX, not X.509, so we DO NOT need to copy and paste everything = from > X.509, > > but only what we believe is relevant. > > > > We first need to clearly define the processing rules applicable to = the > > relying parties. These rules will certainly contain SHALL/MUST > statements, > > but may also include some MAY statements which may even be = conditional > to > > what the CA is doing. (I let Tim/David or Russ provide the MAY > statement). > > > > Here is a proposal for the MUST statement, based on the previous = text I > > produced: > > > > An application that is wishing to take advantage of delta CRLs > > for a given scope, MUST first find a base CRL for that scope, > > i.e. a full CRL that that contains a freshestCRL extension > > (a.k.a. a Delta CRL distribution point). It may then construct > > an updated CRL for that base, for a specific time T, by = combining > > it with a delta CRL which contains a delta CRL indicator = extension > > with the same CRL number as the base CRL. Applications that = support > > delta CRLs MUST ensure that time T falls between thisUpdate and > > nextUpdate for both the base CRL and the delta CRL. > > > > Note: An application could also reconstruct an updated CRL, for > > a specific time T, by using a previously locally reconstructed = CRL > > based on the current base CRL, and combining it with a delta CRL > which > > contains a delta CRL indicator extension with the same CRL = number as > > the base CRL. > > > > We also need to clearly separate the issuing rules applicable for = the > CAs. > > These rules will certainly contain SHALL statements, but could also > include > > some MAY statements. (I let Tim/David or Russ provide the MAY > statement). > > > > Here is a proposal for the MUST statement, based on the previous = text I > > produced: > > > > A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a = full > > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > > distribution point). For any time T until the nextUpdate time > > indicated in a base CRL, the CA MUST provide one and only one > > delta CRL that refers to that base CRL and for which time T > > falls between thisUpdate and nextUpdate from the delta CRL. > > > > In his e-mail from Wednesday, May 9, David said that delta-CRL > processing > > rules could be base on time instead of CRL numbers. This is a point = of > which > > I strongly agree. Let us do it! > > > > (However, there is no need to add to PKIX, as he suggested, the = support > of > > the baseUpdateTime extension from X.509 which would even more = complicate > the > > problem.) > > > > Regards, > > > > Denis ------_=_NextPart_001_01C0D973.1BA812C0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Denis:</FONT> </P> <P><FONT SIZE=3D2>See comments in-line.</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Denis Pinkas [<A = HREF=3D"mailto:Denis.Pinkas@bull.net">mailto:Denis.Pinkas@bull.net</A>]<= /FONT> <BR><FONT SIZE=3D2>Sent: Thursday, May 10, 2001 12:53 PM</FONT> <BR><FONT SIZE=3D2>To: Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>Cc: Carlin Covey; Sharon Boeyen; = ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Re: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>Santosh,</FONT> </P> <P><FONT SIZE=3D2>Let me send you a reply just before leaving my office = tonight.</FONT> </P> <P><FONT SIZE=3D2>> Denis:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> I do not agree with you. Any CRL that is = not a delta CRL (i.e.,</FONT> <BR><FONT SIZE=3D2>> deltaCRLIndicator extension is absent), is a = base CRL for some scope as</FONT> <BR><FONT SIZE=3D2>> defined in CRLScope extension and/or the IDP = extension.</FONT> </P> <P><FONT SIZE=3D2>I do not agree with you either. For a CRL to be a = base CRL, there needs</FONT> <BR><FONT SIZE=3D2>first to be a delta CRL for it. In a closed = environment, you could say that</FONT> <BR><FONT SIZE=3D2>this is sufficient because there is fixed point of = contact to fetch delta</FONT> <BR><FONT SIZE=3D2>CRLs from and that this point is known using = "out-of-bansds" means. We all</FONT> <BR><FONT SIZE=3D2>know what this means in terms of scalability. = :-(</FONT> </P> <P><FONT SIZE=3D2>[Santosh Says: The above is not relevant. = If I wanted to be rude I would say that it is hogwash and mumbo = jumbo. The idea is very simple. A CRL that is not a delta, = is a base. You can take a delta and apply it to a base and get = the current information. That base must be issued at the time or = later than the referenced base (meaning simply a CRL that is not a = delta CRL and has the referenced CRL number, nothing more, nothing = less, assuming no cRLStreamIdentifier per PKIX profile). Further = more this base must be issued earlier than the delta. Because, if = the base was issued later than the delta, you might as well use the = base w/o delta.]</FONT></P> <P><FONT SIZE=3D2>Until the CRL distribution point is used, noone knew = where to fecth CRLs</FONT> <BR><FONT SIZE=3D2>from. The same will apply for delta CRLs. If we want = to use delta CRLs in an</FONT> <BR><FONT SIZE=3D2>open environment, then we need the freshest CRL = extension to be present.</FONT> </P> <P><FONT SIZE=3D2>[Santosh Says: Thanks this paragraph at least makes = sense, albeit it is wrong. But it is not Kafkaism. You can = alternatively query the deltaCRL attribute for the CA entry]</FONT></P> <P><FONT SIZE=3D2>There are other side advantages:</FONT> </P> <P><FONT SIZE=3D2>1=B0 it allows to know when delta CRLs are supported, = otherwise fetches in the</FONT> <BR><FONT SIZE=3D2> repository would be done for nothing. = So it saves time and/or increases</FONT> <BR><FONT SIZE=3D2> performances.</FONT> </P> <P><FONT SIZE=3D2>[Santosh Says: I agree with you. But, this a = sound engineering decision and can not be made a requirement]</FONT> </P> <P><FONT SIZE=3D2>2=B0 it allows to make sure that a delta scheme is = supported and by using</FONT> <BR><FONT SIZE=3D2> additional rules, it allows to make = sure to get the freshest delta CRL. </FONT> </P> <P><FONT SIZE=3D2>[Santosh Says: You can simply query the deltaCRL = attribute for freshest]</FONT> </P> <P><FONT SIZE=3D2>I hope this clarifies the point.</FONT> </P> <P><FONT SIZE=3D2>[Santosh Say: I hope you see that while freshestCRL = being a desirable extension, is not a requirement to implement delta = CRL.]</FONT></P> <P><FONT SIZE=3D2>Regards,</FONT> </P> <P><FONT SIZE=3D2>Denis</FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>> -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> From: Denis Pinkas [<A = HREF=3D"mailto:Denis.Pinkas@bull.net">mailto:Denis.Pinkas@bull.net</A>]<= /FONT> <BR><FONT SIZE=3D2>> Sent: Thursday, May 10, 2001 12:30 PM</FONT> <BR><FONT SIZE=3D2>> To: Carlin Covey; Sharon Boeyen</FONT> <BR><FONT SIZE=3D2>> Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Subject: Re: delta CRLs</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Carlin and Sharon (at the same time),</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > Denis,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > Now I'm confused again (or still).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> :-)</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > I agree that there is a difference</FONT> <BR><FONT SIZE=3D2>> > between a base CRL and a full CRL. = However, my understanding was that a</FONT> <BR><FONT SIZE=3D2>> CRL</FONT> <BR><FONT SIZE=3D2>> > is a "base CRL" with respect to = some delta CRL only by virtue of having</FONT> <BR><FONT SIZE=3D2>> been</FONT> <BR><FONT SIZE=3D2>> > so identified in that delta CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> I believe that a base CRL must include the = Freshest CRL extension (a.k.a.</FONT> <BR><FONT SIZE=3D2>> Delta CRL Distribution Point) defined in = section 4.2.1.16. It indicates</FONT> <BR><FONT SIZE=3D2>> both</FONT> <BR><FONT SIZE=3D2>> that the service exists and where to fetch the = information. It is a</FONT> <BR><FONT SIZE=3D2>> non-critical extension so that a base CRL may = also be used as a full CL</FONT> <BR><FONT SIZE=3D2>> for</FONT> <BR><FONT SIZE=3D2>> relying parties not supporting delta = CRLs.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > According to the PKIX profile, this base = CRL must be a full CRL</FONT> <BR><FONT SIZE=3D2>> > (complete for the intended scope).</FONT> <BR><FONT SIZE=3D2>> > I believe that X.509 does not require that = a base CRL be a full CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> You just say above: "According to the PKIX = profile, this base CRL must be</FONT> <BR><FONT SIZE=3D2>> a</FONT> <BR><FONT SIZE=3D2>> full CRL (complete for the intended = scope". So do you mean that X.509 and</FONT> <BR><FONT SIZE=3D2>> PKIX are taking different approaches ?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Regards,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Denis</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > Regards,</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Carlin</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > ____________________________</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > - Carlin Covey</FONT> <BR><FONT SIZE=3D2>> > Cylink = Corporation</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> > From: Denis Pinkas [<A = HREF=3D"mailto:Denis.Pinkas@bull.net">mailto:Denis.Pinkas@bull.net</A>]<= /FONT> <BR><FONT SIZE=3D2>> > Sent: Thursday, May 10, 2001 1:19 = AM</FONT> <BR><FONT SIZE=3D2>> > Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> > Subject: Re: delta CRLs</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Tim, David, Russ, Santosh, Carlin, and = many others ...</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > There is difference between a base CRL and = a full CRL : a base CRL MUST</FONT> <BR><FONT SIZE=3D2>> > include a freshestCRL extension (a.k.a. a = Delta CRL distribution point),</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > whereas a full CRL may not include that = extension. In other words, a</FONT> <BR><FONT SIZE=3D2>> base</FONT> <BR><FONT SIZE=3D2>> > CRL is a also a full CRL, but a full CRL = is not necessarily a base CRL.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > At any time a CA may issue a full CRL, = whether or not a base CRL has</FONT> <BR><FONT SIZE=3D2>> already</FONT> <BR><FONT SIZE=3D2>> > been issued. This additional CRL SHOULD = have nextUpdate equal to the</FONT> <BR><FONT SIZE=3D2>> > nextUpdate of the last issued full CRL. = However, there is no guarantee</FONT> <BR><FONT SIZE=3D2>> that</FONT> <BR><FONT SIZE=3D2>> > this additional CRL will ever be seen by = the relying party (because</FONT> <BR><FONT SIZE=3D2>> there</FONT> <BR><FONT SIZE=3D2>> > will be two CRLs matching the thisUpdate = and nextUpdate rule and if one</FONT> <BR><FONT SIZE=3D2>> is</FONT> <BR><FONT SIZE=3D2>> > deleted, this is not seen by a relying = party).</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Due to the fact that CRLs numbers are = strictly increasing, two CRLs</FONT> <BR><FONT SIZE=3D2>> whether</FONT> <BR><FONT SIZE=3D2>> > they are a base CRL or delta CRL, CANNOT = have the same CRL number. So a</FONT> <BR><FONT SIZE=3D2>> > delta CRL and a full CRL that cover the = same scope and are issued at the</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > same time CANNOT have the same number. If = a full CRL is issued, its CRL</FONT> <BR><FONT SIZE=3D2>> > number bears no relationship with the = previous base CRL, if any. The</FONT> <BR><FONT SIZE=3D2>> only</FONT> <BR><FONT SIZE=3D2>> > relationship between the numbers is = defined by the rule that CRLs</FONT> <BR><FONT SIZE=3D2>> numbers</FONT> <BR><FONT SIZE=3D2>> > are strictly increasing. As Santosh said : = "the CRL number is unique</FONT> <BR><FONT SIZE=3D2>> > whether it is a base or a delta = ".</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > This is fairly important to be able to = unambiguously (and thus uniquely)</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > refer to a CRL by only providing its CRL = number.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Besides the fact that a CRL issued later = MUST have a higher CRL number,</FONT> <BR><FONT SIZE=3D2>> full</FONT> <BR><FONT SIZE=3D2>> > CRLs and delta CRLs have independent = numbering rules. As noticed by</FONT> <BR><FONT SIZE=3D2>> Santosh,</FONT> <BR><FONT SIZE=3D2>> > " if the delta thisUpdate > base = thisUpdate, delta CRL number > base CRL</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > number (for the same or no stream = identifier).</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > As Santosh said : "a check based on = thisUpdate is more general and</FONT> <BR><FONT SIZE=3D2>> > preferred [to the use of CRL numbers]. = "</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Related to the three rules mentioned by = Russ :</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > 1) the first rule is not understandable to = me.</FONT> <BR><FONT SIZE=3D2>> > 2) the second rule does not say anything = more than the basic rule valid</FONT> <BR><FONT SIZE=3D2>> > for any CRL (i.e. a CRL = issued later MUST have a higher CRL number).</FONT> <BR><FONT SIZE=3D2>> > 3) we will debate the hold condition, once = we will have sorted the main</FONT> <BR><FONT SIZE=3D2>> > issue.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Russ said : "If separate number = sequence is used, then you will have to</FONT> <BR><FONT SIZE=3D2>> > periodically fetch base CRLs ". This = is true.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Tim said that he would *not* like to be = forced to download new base</FONT> <BR><FONT SIZE=3D2>> CRLs.</FONT> <BR><FONT SIZE=3D2>> > This is the core of the = "dispute".</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > >From the definition of what a delta = CRL is, it is *not* possible to</FONT> <BR><FONT SIZE=3D2>> > get rid of the fetching of base CRLs. = Unless we add a new sentence to</FONT> <BR><FONT SIZE=3D2>> > expand/change that definition, base CRL = fetching will remain mandatory.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Remember that the goal of delta CRLs is to = provide the freshest</FONT> <BR><FONT SIZE=3D2>> information,</FONT> <BR><FONT SIZE=3D2>> > and to my knowledge the goal was not to = get rid of the fetching of base</FONT> <BR><FONT SIZE=3D2>> CRLs</FONT> <BR><FONT SIZE=3D2>> > (which may less frequent due to the = support of delta CRLs).</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > If I understand correctly, Tim/David/Russ = would like to *always* achieve</FONT> <BR><FONT SIZE=3D2>> the</FONT> <BR><FONT SIZE=3D2>> > following property : it is possible to = reconstruct the current CRL by</FONT> <BR><FONT SIZE=3D2>> using</FONT> <BR><FONT SIZE=3D2>> > a base CRL from, e.g. 1990, i.e. by = capturing every delta CRL that has</FONT> <BR><FONT SIZE=3D2>> been</FONT> <BR><FONT SIZE=3D2>> > issued at the same time a base CRL was = issued and which contains updates</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > made to the *previous* base.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > By this way the fetching of base CRLs = could be avoided. However, note</FONT> <BR><FONT SIZE=3D2>> that</FONT> <BR><FONT SIZE=3D2>> > it is perfectly " legal " to = stop issuing base and delta CRLs during</FONT> <BR><FONT SIZE=3D2>> some</FONT> <BR><FONT SIZE=3D2>> > period of time and to issue full CRLs = instead (see the difference</FONT> <BR><FONT SIZE=3D2>> between</FONT> <BR><FONT SIZE=3D2>> > "full" and "base" at = the top of this e-mail). In other words there is no</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > need to issue a new base CRL at the end of = the validity period of the</FONT> <BR><FONT SIZE=3D2>> > previous base CRL. Doing this would = mandate to prescribe issuing rules</FONT> <BR><FONT SIZE=3D2>> > for CAs that we have not = prescripted.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > I will now raise a series of questions, = for which I believe we have</FONT> <BR><FONT SIZE=3D2>> > different answers. Tim/David/Russ do not = hesitate to correct</FONT> <BR><FONT SIZE=3D2>> > if my guess is wrong. ;-)</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Common point:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > 1) What will be the value of the = nextUpdate field from the last issued</FONT> <BR><FONT SIZE=3D2>> delta</FONT> <BR><FONT SIZE=3D2>> > CRL for a given base CRL ?</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Denis: the nextUpdate field from the last = issued delta CRL MUST be equal</FONT> <BR><FONT SIZE=3D2>> to</FONT> <BR><FONT SIZE=3D2>> > the value of nextUpdate from the base = CRL.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Tim/David/Russ: ???</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > 2) Does a CA needs to issue a delta CRL at = the time a full CRL is issued</FONT> <BR><FONT SIZE=3D2>> ?</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Denis: No.</FONT> <BR><FONT SIZE=3D2>> > Tim/David/Russ : ???</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > 3) Does a CA needs to issue a new base CRL = at the end of the validity of</FONT> <BR><FONT SIZE=3D2>> a</FONT> <BR><FONT SIZE=3D2>> > current base CRL ?</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Denis: No.</FONT> <BR><FONT SIZE=3D2>> > Tim/David/Russ : ???</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > 4) Does a CA needs to issue a delta CRL at = the same time a new base is</FONT> <BR><FONT SIZE=3D2>> > issued ?</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Denis: Yes. The delta CRL refers to the = *new* base.</FONT> <BR><FONT SIZE=3D2>> > Tim/David/Russ : Yes. The delta CRL refers = to the *previous* base. [Note</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> > that there can be no previous at all, or = the "previous" may even be</FONT> <BR><FONT SIZE=3D2>> three</FONT> <BR><FONT SIZE=3D2>> > months old].</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > The last point highlights the most = noticeable difference. Other</FONT> <BR><FONT SIZE=3D2>> differences</FONT> <BR><FONT SIZE=3D2>> > appears when considering the guaranty to = get the freshest information :</FONT> <BR><FONT SIZE=3D2>> > using the traditional scheme and the = thisUpdate and nextUpdate fields</FONT> <BR><FONT SIZE=3D2>> the</FONT> <BR><FONT SIZE=3D2>> > guaranty to get the freshest information = is obtained, but cannot be</FONT> <BR><FONT SIZE=3D2>> obtained</FONT> <BR><FONT SIZE=3D2>> > using the other scheme. :-(</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Several people are referring to the X.509 = document for arguments to</FONT> <BR><FONT SIZE=3D2>> support</FONT> <BR><FONT SIZE=3D2>> > that discussion. However, it is important = to remember that we are</FONT> <BR><FONT SIZE=3D2>> defining</FONT> <BR><FONT SIZE=3D2>> > PKIX, not X.509, so we DO NOT need to copy = and paste everything from</FONT> <BR><FONT SIZE=3D2>> X.509,</FONT> <BR><FONT SIZE=3D2>> > but only what we believe is = relevant.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > We first need to clearly define the = processing rules applicable to the</FONT> <BR><FONT SIZE=3D2>> > relying parties. These rules will = certainly contain SHALL/MUST</FONT> <BR><FONT SIZE=3D2>> statements,</FONT> <BR><FONT SIZE=3D2>> > but may also include some MAY statements = which may even be conditional</FONT> <BR><FONT SIZE=3D2>> to</FONT> <BR><FONT SIZE=3D2>> > what the CA is doing. (I let Tim/David or = Russ provide the MAY</FONT> <BR><FONT SIZE=3D2>> statement).</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Here is a proposal for the MUST statement, = based on the previous text I</FONT> <BR><FONT SIZE=3D2>> > produced:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > An application that is = wishing to take advantage of delta CRLs</FONT> <BR><FONT SIZE=3D2>> > for a given scope, MUST = first find a base CRL for that scope,</FONT> <BR><FONT SIZE=3D2>> > i.e. a full CRL that = that contains a freshestCRL extension</FONT> <BR><FONT SIZE=3D2>> > (a.k.a. a Delta CRL = distribution point). It may then construct</FONT> <BR><FONT SIZE=3D2>> > an updated CRL for that = base, for a specific time T, by combining</FONT> <BR><FONT SIZE=3D2>> > it with a delta CRL = which contains a delta CRL indicator extension</FONT> <BR><FONT SIZE=3D2>> > with the same CRL number = as the base CRL. Applications that support</FONT> <BR><FONT SIZE=3D2>> > delta CRLs MUST ensure = that time T falls between thisUpdate and</FONT> <BR><FONT SIZE=3D2>> > nextUpdate for both the = base CRL and the delta CRL.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Note: An application = could also reconstruct an updated CRL, for</FONT> <BR><FONT SIZE=3D2>> > a specific time T, by = using a previously locally reconstructed CRL</FONT> <BR><FONT SIZE=3D2>> > based on the current = base CRL, and combining it with a delta CRL</FONT> <BR><FONT SIZE=3D2>> which</FONT> <BR><FONT SIZE=3D2>> > contains a delta CRL = indicator extension with the same CRL number as</FONT> <BR><FONT SIZE=3D2>> > the base CRL.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > We also need to clearly separate the = issuing rules applicable for the</FONT> <BR><FONT SIZE=3D2>> CAs.</FONT> <BR><FONT SIZE=3D2>> > These rules will certainly contain SHALL = statements, but could also</FONT> <BR><FONT SIZE=3D2>> include</FONT> <BR><FONT SIZE=3D2>> > some MAY statements. (I let Tim/David or = Russ provide the MAY</FONT> <BR><FONT SIZE=3D2>> statement).</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Here is a proposal for the MUST statement, = based on the previous text I</FONT> <BR><FONT SIZE=3D2>> > produced:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > A CA that supports = delta-CRLs, MUST issue a base CRL, i.e. a full</FONT> <BR><FONT SIZE=3D2>> > CRL that contains a = freshestCRL extension (a.k.a. a Delta CRL</FONT> <BR><FONT SIZE=3D2>> > distribution point). For = any time T until the nextUpdate time</FONT> <BR><FONT SIZE=3D2>> > indicated in a base CRL, = the CA MUST provide one and only one</FONT> <BR><FONT SIZE=3D2>> > delta CRL that refers to = that base CRL and for which time T</FONT> <BR><FONT SIZE=3D2>> > falls between thisUpdate = and nextUpdate from the delta CRL.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > In his e-mail from Wednesday, May 9, David = said that delta-CRL</FONT> <BR><FONT SIZE=3D2>> processing</FONT> <BR><FONT SIZE=3D2>> > rules could be base on time instead of CRL = numbers. This is a point of</FONT> <BR><FONT SIZE=3D2>> which</FONT> <BR><FONT SIZE=3D2>> > I strongly agree. Let us do it!</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > (However, there is no need to add to PKIX, = as he suggested, the support</FONT> <BR><FONT SIZE=3D2>> of</FONT> <BR><FONT SIZE=3D2>> > the baseUpdateTime extension from X.509 = which would even more complicate</FONT> <BR><FONT SIZE=3D2>> the</FONT> <BR><FONT SIZE=3D2>> > problem.)</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Regards,</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > Denis</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D973.1BA812C0-- Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA16963 for <ietf-pkix@imc.org>; Thu, 10 May 2001 10:09:22 -0700 (PDT) Received: from laptop (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f4AH8sJ15297; Thu, 10 May 2001 10:08:54 -0700 (PDT) From: "Michael Myers" <mike@traceroutesecurity.com> To: "Denis Pinkas" <Denis.Pinkas@bull.net>, "Dr S N Henson" <drh@celocom.com> Cc: <ietf-pkix@imc.org> Subject: RE: Certificate Hold (was RE: delta CRLs) Date: Thu, 10 May 2001 10:08:29 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDAENNCAAA.mike@traceroutesecurity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-Reply-To: <3AFAB9C3.5DDE31E2@bull.net> Steve, Denis, all: A few points on this thread as it relates to OCSP, and especially to the current OCSPv2 work. First, among Steve Kent's DPV/DPD requirements assertions coming out of San Diego was the following: "1.3 A client request to a DPV server can specify the time relative to which the validation is to be performed. If omitted, the current time is assumed." In response the OCSPv2 editorial team added a validAt Generalized time field to DPVOptions in the OCSPv2 I-D: "DPVOptions :: = SEQUENCE{ initialPolicySet [0] EXPLICIT PolicyList OPTIONAL, trustPoints [1] SEQUENCE OF ReqCert OPTIONAL, validAt [2] GeneralizedTime OPTIONAL, revInfo [3] SEQUENCE OF RevocationInfo OPTIONAL }" Thus in the presence of the practice of certificate suspension, a certificate's status may be "valid" at {validAt = N}, "invalid" at {validAt = N+t}, at again "valid" at {validAt = N+t+x}. I assume signature validation would track correspondingly but leave that issue for those working on signature validation to deal with. Also, originally established in RFC2560 and maintained in the OCSPv2 I-D is the Archive Cutoff extension (this reference is from the OCSPv2 I-D but the essential text is the same in RFC2560): "8.4 Archive Cutoff An OCSP responder MAY retain information relevant to a certificate's validity beyond a certificate's expiration. The date obtained by subtracting this retention interval value from the producedAt time in an ORS or DPV response is defined as the certificate's "archive cutoff" date. Applications would use an archive cutoff date to contribute to a proof that a digital signature was (or was not) reliable on the date it was produced even if the certificate needed to validate the signature has long since expired. OCSP servers SHOULD include an archive cutoff date extension in responses where applicable. If included, this value SHALL be provided as an OCSP singleExtensions extension identified by id- pkix-ocsp-archive-cutoff and of syntax GeneralizedTime. id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } ArchiveCutoff ::= GeneralizedTime To illustrate, if a server is operated with a 7-year retention interval policy and status was produced at time t1 then the value for ArchiveCutoff in the response would be (t1 - 7 years)." Thus a relying party is informed by its chosen responding party that beyond the identified archive cutoff date, no further information is available. Among other effects, this sets a window on the effective use of the validAt DPVOptions field. Mike Michael Myers t: +415.819.1362 e: mailto:mike@traceroutesecurity.com w: http://www.traceroutesecurity.com Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA16766 for <ietf-pkix@imc.org>; Thu, 10 May 2001 10:08:38 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id KVA79Z72; Thu, 10 May 2001 10:02:56 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Denis Pinkas" <Denis.Pinkas@bull.net> Cc: <ietf-pkix@imc.org> Subject: RE: delta CRLs Date: Thu, 10 May 2001 10:07:56 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGMEGICEAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-Reply-To: <3AFAC206.CE45C32C@bull.net> Denis said: So do you mean that X.509 and PKIX are taking different approaches ? Carlin says: Well, yes, they are taking different approaches in that PKIX has defined a subset of certain X.509 features. As of a few weeks ago, we added wording to the PKIX profile to mandate the deltaCRLIndicator extension in delta CRLs. Prior to that its usage was discussed in the profile, but there was no text saying that this extension was the required way to identify delta CRLs. When the deltaCRLIndicator extension is used to identify a CRL as a delta CRL, the base CRL must be a full CRL. But X.509 also permits a delta CRL to be identified by a cRLScope extension, in which case the base CRL could another delta CRL. (Thanks, David Cooper, for confirming my understanding.) Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] Sent: Thursday, May 10, 2001 9:30 AM To: Carlin Covey; Sharon Boeyen Cc: ietf-pkix@imc.org Subject: Re: delta CRLs Carlin and Sharon (at the same time), > Denis, > Now I'm confused again (or still). :-) > I agree that there is a difference > between a base CRL and a full CRL. However, my understanding was that a CRL > is a "base CRL" with respect to some delta CRL only by virtue of having been > so identified in that delta CRL. I believe that a base CRL must include the Freshest CRL extension (a.k.a. Delta CRL Distribution Point) defined in section 4.2.1.16. It indicates both that the service exists and where to fetch the information. It is a non-critical extension so that a base CRL may also be used as a full CL for relying parties not supporting delta CRLs. > According to the PKIX profile, this base CRL must be a full CRL > (complete for the intended scope). > I believe that X.509 does not require that a base CRL be a full CRL. You just say above: "According to the PKIX profile, this base CRL must be a full CRL (complete for the intended scope". So do you mean that X.509 and PKIX are taking different approaches ? Regards, Denis > Regards, > > Carlin > > ____________________________ > > - Carlin Covey > Cylink Corporation > > -----Original Message----- > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] > Sent: Thursday, May 10, 2001 1:19 AM > Cc: ietf-pkix@imc.org > Subject: Re: delta CRLs > > Tim, David, Russ, Santosh, Carlin, and many others ... > > There is difference between a base CRL and a full CRL : a base CRL MUST > include a freshestCRL extension (a.k.a. a Delta CRL distribution point), > whereas a full CRL may not include that extension. In other words, a base > CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. > > At any time a CA may issue a full CRL, whether or not a base CRL has already > been issued. This additional CRL SHOULD have nextUpdate equal to the > nextUpdate of the last issued full CRL. However, there is no guarantee that > this additional CRL will ever be seen by the relying party (because there > will be two CRLs matching the thisUpdate and nextUpdate rule and if one is > deleted, this is not seen by a relying party). > > Due to the fact that CRLs numbers are strictly increasing, two CRLs whether > they are a base CRL or delta CRL, CANNOT have the same CRL number. So a > delta CRL and a full CRL that cover the same scope and are issued at the > same time CANNOT have the same number. If a full CRL is issued, its CRL > number bears no relationship with the previous base CRL, if any. The only > relationship between the numbers is defined by the rule that CRLs numbers > are strictly increasing. As Santosh said : "the CRL number is unique > whether it is a base or a delta ". > > This is fairly important to be able to unambiguously (and thus uniquely) > refer to a CRL by only providing its CRL number. > > Besides the fact that a CRL issued later MUST have a higher CRL number, full > CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, > " if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL > number (for the same or no stream identifier). > > As Santosh said : "a check based on thisUpdate is more general and > preferred [to the use of CRL numbers]. " > > Related to the three rules mentioned by Russ : > > 1) the first rule is not understandable to me. > 2) the second rule does not say anything more than the basic rule valid > for any CRL (i.e. a CRL issued later MUST have a higher CRL number). > 3) we will debate the hold condition, once we will have sorted the main > issue. > > Russ said : "If separate number sequence is used, then you will have to > periodically fetch base CRLs ". This is true. > > Tim said that he would *not* like to be forced to download new base CRLs. > This is the core of the "dispute". > > >From the definition of what a delta CRL is, it is *not* possible to > get rid of the fetching of base CRLs. Unless we add a new sentence to > expand/change that definition, base CRL fetching will remain mandatory. > > Remember that the goal of delta CRLs is to provide the freshest information, > and to my knowledge the goal was not to get rid of the fetching of base CRLs > (which may less frequent due to the support of delta CRLs). > > If I understand correctly, Tim/David/Russ would like to *always* achieve the > following property : it is possible to reconstruct the current CRL by using > a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been > issued at the same time a base CRL was issued and which contains updates > made to the *previous* base. > > By this way the fetching of base CRLs could be avoided. However, note that > it is perfectly " legal " to stop issuing base and delta CRLs during some > period of time and to issue full CRLs instead (see the difference between > "full" and "base" at the top of this e-mail). In other words there is no > need to issue a new base CRL at the end of the validity period of the > previous base CRL. Doing this would mandate to prescribe issuing rules > for CAs that we have not prescripted. > > I will now raise a series of questions, for which I believe we have > different answers. Tim/David/Russ do not hesitate to correct > if my guess is wrong. ;-) > > Common point: > > 1) What will be the value of the nextUpdate field from the last issued delta > CRL for a given base CRL ? > > Denis: the nextUpdate field from the last issued delta CRL MUST be equal to > the value of nextUpdate from the base CRL. > > Tim/David/Russ: ??? > > 2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? > > Denis: No. > Tim/David/Russ : ??? > > 3) Does a CA needs to issue a new base CRL at the end of the validity of a > current base CRL ? > > Denis: No. > Tim/David/Russ : ??? > > 4) Does a CA needs to issue a delta CRL at the same time a new base is > issued ? > > Denis: Yes. The delta CRL refers to the *new* base. > Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note > that there can be no previous at all, or the "previous" may even be three > months old]. > > The last point highlights the most noticeable difference. Other differences > appears when considering the guaranty to get the freshest information : > using the traditional scheme and the thisUpdate and nextUpdate fields the > guaranty to get the freshest information is obtained, but cannot be obtained > using the other scheme. :-( > > Several people are referring to the X.509 document for arguments to support > that discussion. However, it is important to remember that we are defining > PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, > but only what we believe is relevant. > > We first need to clearly define the processing rules applicable to the > relying parties. These rules will certainly contain SHALL/MUST statements, > but may also include some MAY statements which may even be conditional to > what the CA is doing. (I let Tim/David or Russ provide the MAY statement). > > Here is a proposal for the MUST statement, based on the previous text I > produced: > > An application that is wishing to take advantage of delta CRLs > for a given scope, MUST first find a base CRL for that scope, > i.e. a full CRL that that contains a freshestCRL extension > (a.k.a. a Delta CRL distribution point). It may then construct > an updated CRL for that base, for a specific time T, by combining > it with a delta CRL which contains a delta CRL indicator extension > with the same CRL number as the base CRL. Applications that support > delta CRLs MUST ensure that time T falls between thisUpdate and > nextUpdate for both the base CRL and the delta CRL. > > Note: An application could also reconstruct an updated CRL, for > a specific time T, by using a previously locally reconstructed CRL > based on the current base CRL, and combining it with a delta CRL which > contains a delta CRL indicator extension with the same CRL number as > the base CRL. > > We also need to clearly separate the issuing rules applicable for the CAs. > These rules will certainly contain SHALL statements, but could also include > some MAY statements. (I let Tim/David or Russ provide the MAY statement). > > Here is a proposal for the MUST statement, based on the previous text I > produced: > > A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > distribution point). For any time T until the nextUpdate time > indicated in a base CRL, the CA MUST provide one and only one > delta CRL that refers to that base CRL and for which time T > falls between thisUpdate and nextUpdate from the delta CRL. > > In his e-mail from Wednesday, May 9, David said that delta-CRL processing > rules could be base on time instead of CRL numbers. This is a point of which > I strongly agree. Let us do it! > > (However, there is no need to add to PKIX, as he suggested, the support of > the baseUpdateTime extension from X.509 which would even more complicate the > problem.) > > Regards, > > Denis Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA16326 for <ietf-pkix@imc.org>; Thu, 10 May 2001 10:04:50 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <J432YV3G>; Thu, 10 May 2001 13:04:21 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA4062@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Denis Pinkas'" <Denis.Pinkas@bull.net>, Carlin Covey <ccovey@cylink.com>, Sharon Boeyen <sharon.boeyen@entrust.com> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Thu, 10 May 2001 13:04:19 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D973.40CFCAC0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D973.40CFCAC0 Content-Type: text/plain A full CRL is a CRL that is complete for a given scope. A base CRL is a CRL that is the foundation for a delta CRL. I think the reason the wording in the definitions doesn't tie them together any more than that is because of a nuance where a delta CRL may reference a base CRL that was never actually issued as a full CRL. This is the case where the delta provides updates from a certain point in time, but it may be the case, in some environments, that full CRLs are never issued and the relying parties always build their local full CRLs from deltas. I realize that is not the case PKIX describes, but that's at least one reason the 509 definitions are the way they are (and yes there are definitions in clause 3 for both base CRL and full CRL). So, the term base is only relevant when used in the context of a delta that points to it. As for freshestRevocationInfo, that is not mandated by 509, in the same way that other extensions are not. It is one way to indicate where to go to find deltas but there can be others (e.g. perhaps the relying parties know that there is one indirect CRL that provides delta info for all CAs inside an organization - perhaps this info is listed on their web site). If PKIX wanted to mandate it they could, but 509 certainly does not. Cheers, Sharon > -----Original Message----- > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] > Sent: Thursday, May 10, 2001 12:30 PM > To: Carlin Covey; Sharon Boeyen > Cc: ietf-pkix@imc.org > Subject: Re: delta CRLs > > > Carlin and Sharon (at the same time), > > > Denis, > > > Now I'm confused again (or still). > > :-) > > > I agree that there is a difference > > between a base CRL and a full CRL. However, my > understanding was that a CRL > > is a "base CRL" with respect to some delta CRL only by > virtue of having been > > so identified in that delta CRL. > > I believe that a base CRL must include the Freshest CRL > extension (a.k.a. > Delta CRL Distribution Point) defined in section 4.2.1.16. It > indicates both > that the service exists and where to fetch the information. It is a > non-critical extension so that a base CRL may also be used as > a full CL for > relying parties not supporting delta CRLs. > > > According to the PKIX profile, this base CRL must be a full CRL > > (complete for the intended scope). > > I believe that X.509 does not require that a base CRL be a full CRL. > > You just say above: "According to the PKIX profile, this base > CRL must be a > full CRL (complete for the intended scope". So do you mean > that X.509 and > PKIX are taking different approaches ? > > Regards, > > Denis > > > Regards, > > > > Carlin > > > > ____________________________ > > > > - Carlin Covey > > Cylink Corporation > > > > -----Original Message----- > > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] > > Sent: Thursday, May 10, 2001 1:19 AM > > Cc: ietf-pkix@imc.org > > Subject: Re: delta CRLs > > > > Tim, David, Russ, Santosh, Carlin, and many others ... > > > > There is difference between a base CRL and a full CRL : a > base CRL MUST > > include a freshestCRL extension (a.k.a. a Delta CRL > distribution point), > > whereas a full CRL may not include that extension. In other > words, a base > > CRL is a also a full CRL, but a full CRL is not necessarily > a base CRL. > > > > At any time a CA may issue a full CRL, whether or not a > base CRL has already > > been issued. This additional CRL SHOULD have nextUpdate equal to the > > nextUpdate of the last issued full CRL. However, there is > no guarantee that > > this additional CRL will ever be seen by the relying party > (because there > > will be two CRLs matching the thisUpdate and nextUpdate > rule and if one is > > deleted, this is not seen by a relying party). > > > > Due to the fact that CRLs numbers are strictly increasing, > two CRLs whether > > they are a base CRL or delta CRL, CANNOT have the same CRL > number. So a > > delta CRL and a full CRL that cover the same scope and are > issued at the > > same time CANNOT have the same number. If a full CRL is > issued, its CRL > > number bears no relationship with the previous base CRL, if > any. The only > > relationship between the numbers is defined by the rule > that CRLs numbers > > are strictly increasing. As Santosh said : "the CRL number is unique > > whether it is a base or a delta ". > > > > This is fairly important to be able to unambiguously (and > thus uniquely) > > refer to a CRL by only providing its CRL number. > > > > Besides the fact that a CRL issued later MUST have a higher > CRL number, full > > CRLs and delta CRLs have independent numbering rules. As > noticed by Santosh, > > " if the delta thisUpdate > base thisUpdate, delta CRL > number > base CRL > > number (for the same or no stream identifier). > > > > As Santosh said : "a check based on thisUpdate is more general and > > preferred [to the use of CRL numbers]. " > > > > Related to the three rules mentioned by Russ : > > > > 1) the first rule is not understandable to me. > > 2) the second rule does not say anything more than the > basic rule valid > > for any CRL (i.e. a CRL issued later MUST have a higher > CRL number). > > 3) we will debate the hold condition, once we will have > sorted the main > > issue. > > > > Russ said : "If separate number sequence is used, then you > will have to > > periodically fetch base CRLs ". This is true. > > > > Tim said that he would *not* like to be forced to download > new base CRLs. > > This is the core of the "dispute". > > > > >From the definition of what a delta CRL is, it is *not* possible to > > get rid of the fetching of base CRLs. Unless we add a new > sentence to > > expand/change that definition, base CRL fetching will > remain mandatory. > > > > Remember that the goal of delta CRLs is to provide the > freshest information, > > and to my knowledge the goal was not to get rid of the > fetching of base CRLs > > (which may less frequent due to the support of delta CRLs). > > > > If I understand correctly, Tim/David/Russ would like to > *always* achieve the > > following property : it is possible to reconstruct the > current CRL by using > > a base CRL from, e.g. 1990, i.e. by capturing every delta > CRL that has been > > issued at the same time a base CRL was issued and which > contains updates > > made to the *previous* base. > > > > By this way the fetching of base CRLs could be avoided. > However, note that > > it is perfectly " legal " to stop issuing base and delta > CRLs during some > > period of time and to issue full CRLs instead (see the > difference between > > "full" and "base" at the top of this e-mail). In other > words there is no > > need to issue a new base CRL at the end of the validity > period of the > > previous base CRL. Doing this would mandate to prescribe > issuing rules > > for CAs that we have not prescripted. > > > > I will now raise a series of questions, for which I believe we have > > different answers. Tim/David/Russ do not hesitate to correct > > if my guess is wrong. ;-) > > > > Common point: > > > > 1) What will be the value of the nextUpdate field from the > last issued delta > > CRL for a given base CRL ? > > > > Denis: the nextUpdate field from the last issued delta CRL > MUST be equal to > > the value of nextUpdate from the base CRL. > > > > Tim/David/Russ: ??? > > > > 2) Does a CA needs to issue a delta CRL at the time a full > CRL is issued ? > > > > Denis: No. > > Tim/David/Russ : ??? > > > > 3) Does a CA needs to issue a new base CRL at the end of > the validity of a > > current base CRL ? > > > > Denis: No. > > Tim/David/Russ : ??? > > > > 4) Does a CA needs to issue a delta CRL at the same time a > new base is > > issued ? > > > > Denis: Yes. The delta CRL refers to the *new* base. > > Tim/David/Russ : Yes. The delta CRL refers to the > *previous* base. [Note > > that there can be no previous at all, or the "previous" may > even be three > > months old]. > > > > The last point highlights the most noticeable difference. > Other differences > > appears when considering the guaranty to get the freshest > information : > > using the traditional scheme and the thisUpdate and > nextUpdate fields the > > guaranty to get the freshest information is obtained, but > cannot be obtained > > using the other scheme. :-( > > > > Several people are referring to the X.509 document for > arguments to support > > that discussion. However, it is important to remember that > we are defining > > PKIX, not X.509, so we DO NOT need to copy and paste > everything from X.509, > > but only what we believe is relevant. > > > > We first need to clearly define the processing rules > applicable to the > > relying parties. These rules will certainly contain > SHALL/MUST statements, > > but may also include some MAY statements which may even be > conditional to > > what the CA is doing. (I let Tim/David or Russ provide the > MAY statement). > > > > Here is a proposal for the MUST statement, based on the > previous text I > > produced: > > > > An application that is wishing to take advantage of delta CRLs > > for a given scope, MUST first find a base CRL for that scope, > > i.e. a full CRL that that contains a freshestCRL extension > > (a.k.a. a Delta CRL distribution point). It may then construct > > an updated CRL for that base, for a specific time T, by combining > > it with a delta CRL which contains a delta CRL indicator > extension > > with the same CRL number as the base CRL. Applications > that support > > delta CRLs MUST ensure that time T falls between thisUpdate and > > nextUpdate for both the base CRL and the delta CRL. > > > > Note: An application could also reconstruct an updated CRL, for > > a specific time T, by using a previously locally > reconstructed CRL > > based on the current base CRL, and combining it with a > delta CRL which > > contains a delta CRL indicator extension with the same > CRL number as > > the base CRL. > > > > We also need to clearly separate the issuing rules > applicable for the CAs. > > These rules will certainly contain SHALL statements, but > could also include > > some MAY statements. (I let Tim/David or Russ provide the > MAY statement). > > > > Here is a proposal for the MUST statement, based on the > previous text I > > produced: > > > > A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full > > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > > distribution point). For any time T until the nextUpdate time > > indicated in a base CRL, the CA MUST provide one and only one > > delta CRL that refers to that base CRL and for which time T > > falls between thisUpdate and nextUpdate from the delta CRL. > > > > In his e-mail from Wednesday, May 9, David said that > delta-CRL processing > > rules could be base on time instead of CRL numbers. This is > a point of which > > I strongly agree. Let us do it! > > > > (However, there is no need to add to PKIX, as he suggested, > the support of > > the baseUpdateTime extension from X.509 which would even > more complicate the > > problem.) > > > > Regards, > > > > Denis > ------_=_NextPart_001_01C0D973.40CFCAC0 Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>A full CRL is a CRL that is complete for a given scope. A base CRL is a CRL</FONT> <BR><FONT SIZE=2>that is the foundation for a delta CRL. I think the reason the wording in </FONT> <BR><FONT SIZE=2>the definitions doesn't tie them together any more than that is because of </FONT> <BR><FONT SIZE=2>a nuance where a delta CRL may reference a base CRL that was never actually </FONT> <BR><FONT SIZE=2>issued as a full CRL. This is the case where the delta provides updates </FONT> <BR><FONT SIZE=2>from a certain point in time, but it may be the case, in some environments, </FONT> <BR><FONT SIZE=2>that full CRLs are never issued and the relying parties always build their </FONT> <BR><FONT SIZE=2>local full CRLs from deltas. I realize that is not the case PKIX describes, </FONT> <BR><FONT SIZE=2>but that's at least one reason the 509 definitions are the way they are (and</FONT> <BR><FONT SIZE=2>yes there are definitions in clause 3 for both base CRL and full CRL).</FONT> <BR><FONT SIZE=2>So, the term base is only relevant when used in the context of a delta that</FONT> <BR><FONT SIZE=2>points to it. </FONT> </P> <P><FONT SIZE=2>As for freshestRevocationInfo, that is not mandated by 509, in the same </FONT> <BR><FONT SIZE=2>way that other extensions are not. It is one way to indicate where to </FONT> <BR><FONT SIZE=2>go to find deltas but there can be others (e.g. perhaps the relying </FONT> <BR><FONT SIZE=2>parties know that there is one indirect CRL that provides delta info</FONT> <BR><FONT SIZE=2>for all CAs inside an organization - perhaps this info is listed on </FONT> <BR><FONT SIZE=2>their web site). If PKIX wanted to mandate it they could, but 509 </FONT> <BR><FONT SIZE=2>certainly does not.</FONT> </P> <P><FONT SIZE=2>Cheers,</FONT> <BR><FONT SIZE=2>Sharon</FONT> </P> <P><FONT SIZE=2>> -----Original Message-----</FONT> <BR><FONT SIZE=2>> From: Denis Pinkas [<A HREF="mailto:Denis.Pinkas@bull.net">mailto:Denis.Pinkas@bull.net</A>]</FONT> <BR><FONT SIZE=2>> Sent: Thursday, May 10, 2001 12:30 PM</FONT> <BR><FONT SIZE=2>> To: Carlin Covey; Sharon Boeyen</FONT> <BR><FONT SIZE=2>> Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>> Subject: Re: delta CRLs</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Carlin and Sharon (at the same time),</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> > Denis,</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> > Now I'm confused again (or still). </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> :-)</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> > I agree that there is a difference</FONT> <BR><FONT SIZE=2>> > between a base CRL and a full CRL. However, my </FONT> <BR><FONT SIZE=2>> understanding was that a CRL</FONT> <BR><FONT SIZE=2>> > is a "base CRL" with respect to some delta CRL only by </FONT> <BR><FONT SIZE=2>> virtue of having been</FONT> <BR><FONT SIZE=2>> > so identified in that delta CRL. </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> I believe that a base CRL must include the Freshest CRL </FONT> <BR><FONT SIZE=2>> extension (a.k.a.</FONT> <BR><FONT SIZE=2>> Delta CRL Distribution Point) defined in section 4.2.1.16. It </FONT> <BR><FONT SIZE=2>> indicates both</FONT> <BR><FONT SIZE=2>> that the service exists and where to fetch the information. It is a</FONT> <BR><FONT SIZE=2>> non-critical extension so that a base CRL may also be used as </FONT> <BR><FONT SIZE=2>> a full CL for</FONT> <BR><FONT SIZE=2>> relying parties not supporting delta CRLs.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> > According to the PKIX profile, this base CRL must be a full CRL </FONT> <BR><FONT SIZE=2>> > (complete for the intended scope). </FONT> <BR><FONT SIZE=2>> > I believe that X.509 does not require that a base CRL be a full CRL.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> You just say above: "According to the PKIX profile, this base </FONT> <BR><FONT SIZE=2>> CRL must be a</FONT> <BR><FONT SIZE=2>> full CRL (complete for the intended scope". So do you mean </FONT> <BR><FONT SIZE=2>> that X.509 and</FONT> <BR><FONT SIZE=2>> PKIX are taking different approaches ?</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Regards,</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Denis</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> > Regards,</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Carlin</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > ____________________________</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > - Carlin Covey</FONT> <BR><FONT SIZE=2>> > Cylink Corporation</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > -----Original Message-----</FONT> <BR><FONT SIZE=2>> > From: Denis Pinkas [<A HREF="mailto:Denis.Pinkas@bull.net">mailto:Denis.Pinkas@bull.net</A>]</FONT> <BR><FONT SIZE=2>> > Sent: Thursday, May 10, 2001 1:19 AM</FONT> <BR><FONT SIZE=2>> > Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>> > Subject: Re: delta CRLs</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Tim, David, Russ, Santosh, Carlin, and many others ...</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > There is difference between a base CRL and a full CRL : a </FONT> <BR><FONT SIZE=2>> base CRL MUST</FONT> <BR><FONT SIZE=2>> > include a freshestCRL extension (a.k.a. a Delta CRL </FONT> <BR><FONT SIZE=2>> distribution point),</FONT> <BR><FONT SIZE=2>> > whereas a full CRL may not include that extension. In other </FONT> <BR><FONT SIZE=2>> words, a base</FONT> <BR><FONT SIZE=2>> > CRL is a also a full CRL, but a full CRL is not necessarily </FONT> <BR><FONT SIZE=2>> a base CRL.</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > At any time a CA may issue a full CRL, whether or not a </FONT> <BR><FONT SIZE=2>> base CRL has already</FONT> <BR><FONT SIZE=2>> > been issued. This additional CRL SHOULD have nextUpdate equal to the</FONT> <BR><FONT SIZE=2>> > nextUpdate of the last issued full CRL. However, there is </FONT> <BR><FONT SIZE=2>> no guarantee that</FONT> <BR><FONT SIZE=2>> > this additional CRL will ever be seen by the relying party </FONT> <BR><FONT SIZE=2>> (because there</FONT> <BR><FONT SIZE=2>> > will be two CRLs matching the thisUpdate and nextUpdate </FONT> <BR><FONT SIZE=2>> rule and if one is</FONT> <BR><FONT SIZE=2>> > deleted, this is not seen by a relying party).</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Due to the fact that CRLs numbers are strictly increasing, </FONT> <BR><FONT SIZE=2>> two CRLs whether</FONT> <BR><FONT SIZE=2>> > they are a base CRL or delta CRL, CANNOT have the same CRL </FONT> <BR><FONT SIZE=2>> number. So a</FONT> <BR><FONT SIZE=2>> > delta CRL and a full CRL that cover the same scope and are </FONT> <BR><FONT SIZE=2>> issued at the</FONT> <BR><FONT SIZE=2>> > same time CANNOT have the same number. If a full CRL is </FONT> <BR><FONT SIZE=2>> issued, its CRL</FONT> <BR><FONT SIZE=2>> > number bears no relationship with the previous base CRL, if </FONT> <BR><FONT SIZE=2>> any. The only</FONT> <BR><FONT SIZE=2>> > relationship between the numbers is defined by the rule </FONT> <BR><FONT SIZE=2>> that CRLs numbers</FONT> <BR><FONT SIZE=2>> > are strictly increasing. As Santosh said : "the CRL number is unique</FONT> <BR><FONT SIZE=2>> > whether it is a base or a delta ".</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > This is fairly important to be able to unambiguously (and </FONT> <BR><FONT SIZE=2>> thus uniquely)</FONT> <BR><FONT SIZE=2>> > refer to a CRL by only providing its CRL number.</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Besides the fact that a CRL issued later MUST have a higher </FONT> <BR><FONT SIZE=2>> CRL number, full</FONT> <BR><FONT SIZE=2>> > CRLs and delta CRLs have independent numbering rules. As </FONT> <BR><FONT SIZE=2>> noticed by Santosh,</FONT> <BR><FONT SIZE=2>> > " if the delta thisUpdate > base thisUpdate, delta CRL </FONT> <BR><FONT SIZE=2>> number > base CRL</FONT> <BR><FONT SIZE=2>> > number (for the same or no stream identifier).</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > As Santosh said : "a check based on thisUpdate is more general and</FONT> <BR><FONT SIZE=2>> > preferred [to the use of CRL numbers]. "</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Related to the three rules mentioned by Russ :</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > 1) the first rule is not understandable to me.</FONT> <BR><FONT SIZE=2>> > 2) the second rule does not say anything more than the </FONT> <BR><FONT SIZE=2>> basic rule valid</FONT> <BR><FONT SIZE=2>> > for any CRL (i.e. a CRL issued later MUST have a higher </FONT> <BR><FONT SIZE=2>> CRL number).</FONT> <BR><FONT SIZE=2>> > 3) we will debate the hold condition, once we will have </FONT> <BR><FONT SIZE=2>> sorted the main</FONT> <BR><FONT SIZE=2>> > issue.</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Russ said : "If separate number sequence is used, then you </FONT> <BR><FONT SIZE=2>> will have to</FONT> <BR><FONT SIZE=2>> > periodically fetch base CRLs ". This is true.</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Tim said that he would *not* like to be forced to download </FONT> <BR><FONT SIZE=2>> new base CRLs.</FONT> <BR><FONT SIZE=2>> > This is the core of the "dispute".</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > >From the definition of what a delta CRL is, it is *not* possible to</FONT> <BR><FONT SIZE=2>> > get rid of the fetching of base CRLs. Unless we add a new </FONT> <BR><FONT SIZE=2>> sentence to</FONT> <BR><FONT SIZE=2>> > expand/change that definition, base CRL fetching will </FONT> <BR><FONT SIZE=2>> remain mandatory.</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Remember that the goal of delta CRLs is to provide the </FONT> <BR><FONT SIZE=2>> freshest information,</FONT> <BR><FONT SIZE=2>> > and to my knowledge the goal was not to get rid of the </FONT> <BR><FONT SIZE=2>> fetching of base CRLs</FONT> <BR><FONT SIZE=2>> > (which may less frequent due to the support of delta CRLs).</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > If I understand correctly, Tim/David/Russ would like to </FONT> <BR><FONT SIZE=2>> *always* achieve the</FONT> <BR><FONT SIZE=2>> > following property : it is possible to reconstruct the </FONT> <BR><FONT SIZE=2>> current CRL by using</FONT> <BR><FONT SIZE=2>> > a base CRL from, e.g. 1990, i.e. by capturing every delta </FONT> <BR><FONT SIZE=2>> CRL that has been</FONT> <BR><FONT SIZE=2>> > issued at the same time a base CRL was issued and which </FONT> <BR><FONT SIZE=2>> contains updates</FONT> <BR><FONT SIZE=2>> > made to the *previous* base.</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > By this way the fetching of base CRLs could be avoided. </FONT> <BR><FONT SIZE=2>> However, note that</FONT> <BR><FONT SIZE=2>> > it is perfectly " legal " to stop issuing base and delta </FONT> <BR><FONT SIZE=2>> CRLs during some</FONT> <BR><FONT SIZE=2>> > period of time and to issue full CRLs instead (see the </FONT> <BR><FONT SIZE=2>> difference between</FONT> <BR><FONT SIZE=2>> > "full" and "base" at the top of this e-mail). In other </FONT> <BR><FONT SIZE=2>> words there is no</FONT> <BR><FONT SIZE=2>> > need to issue a new base CRL at the end of the validity </FONT> <BR><FONT SIZE=2>> period of the</FONT> <BR><FONT SIZE=2>> > previous base CRL. Doing this would mandate to prescribe </FONT> <BR><FONT SIZE=2>> issuing rules</FONT> <BR><FONT SIZE=2>> > for CAs that we have not prescripted.</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > I will now raise a series of questions, for which I believe we have</FONT> <BR><FONT SIZE=2>> > different answers. Tim/David/Russ do not hesitate to correct</FONT> <BR><FONT SIZE=2>> > if my guess is wrong. ;-)</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Common point:</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > 1) What will be the value of the nextUpdate field from the </FONT> <BR><FONT SIZE=2>> last issued delta</FONT> <BR><FONT SIZE=2>> > CRL for a given base CRL ?</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Denis: the nextUpdate field from the last issued delta CRL </FONT> <BR><FONT SIZE=2>> MUST be equal to</FONT> <BR><FONT SIZE=2>> > the value of nextUpdate from the base CRL.</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Tim/David/Russ: ???</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > 2) Does a CA needs to issue a delta CRL at the time a full </FONT> <BR><FONT SIZE=2>> CRL is issued ?</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Denis: No.</FONT> <BR><FONT SIZE=2>> > Tim/David/Russ : ???</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > 3) Does a CA needs to issue a new base CRL at the end of </FONT> <BR><FONT SIZE=2>> the validity of a</FONT> <BR><FONT SIZE=2>> > current base CRL ?</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Denis: No.</FONT> <BR><FONT SIZE=2>> > Tim/David/Russ : ???</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > 4) Does a CA needs to issue a delta CRL at the same time a </FONT> <BR><FONT SIZE=2>> new base is</FONT> <BR><FONT SIZE=2>> > issued ?</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Denis: Yes. The delta CRL refers to the *new* base.</FONT> <BR><FONT SIZE=2>> > Tim/David/Russ : Yes. The delta CRL refers to the </FONT> <BR><FONT SIZE=2>> *previous* base. [Note</FONT> <BR><FONT SIZE=2>> > that there can be no previous at all, or the "previous" may </FONT> <BR><FONT SIZE=2>> even be three</FONT> <BR><FONT SIZE=2>> > months old].</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > The last point highlights the most noticeable difference. </FONT> <BR><FONT SIZE=2>> Other differences</FONT> <BR><FONT SIZE=2>> > appears when considering the guaranty to get the freshest </FONT> <BR><FONT SIZE=2>> information :</FONT> <BR><FONT SIZE=2>> > using the traditional scheme and the thisUpdate and </FONT> <BR><FONT SIZE=2>> nextUpdate fields the</FONT> <BR><FONT SIZE=2>> > guaranty to get the freshest information is obtained, but </FONT> <BR><FONT SIZE=2>> cannot be obtained</FONT> <BR><FONT SIZE=2>> > using the other scheme. :-(</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Several people are referring to the X.509 document for </FONT> <BR><FONT SIZE=2>> arguments to support</FONT> <BR><FONT SIZE=2>> > that discussion. However, it is important to remember that </FONT> <BR><FONT SIZE=2>> we are defining</FONT> <BR><FONT SIZE=2>> > PKIX, not X.509, so we DO NOT need to copy and paste </FONT> <BR><FONT SIZE=2>> everything from X.509,</FONT> <BR><FONT SIZE=2>> > but only what we believe is relevant.</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > We first need to clearly define the processing rules </FONT> <BR><FONT SIZE=2>> applicable to the</FONT> <BR><FONT SIZE=2>> > relying parties. These rules will certainly contain </FONT> <BR><FONT SIZE=2>> SHALL/MUST statements,</FONT> <BR><FONT SIZE=2>> > but may also include some MAY statements which may even be </FONT> <BR><FONT SIZE=2>> conditional to</FONT> <BR><FONT SIZE=2>> > what the CA is doing. (I let Tim/David or Russ provide the </FONT> <BR><FONT SIZE=2>> MAY statement).</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Here is a proposal for the MUST statement, based on the </FONT> <BR><FONT SIZE=2>> previous text I</FONT> <BR><FONT SIZE=2>> > produced:</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > An application that is wishing to take advantage of delta CRLs</FONT> <BR><FONT SIZE=2>> > for a given scope, MUST first find a base CRL for that scope,</FONT> <BR><FONT SIZE=2>> > i.e. a full CRL that that contains a freshestCRL extension</FONT> <BR><FONT SIZE=2>> > (a.k.a. a Delta CRL distribution point). It may then construct</FONT> <BR><FONT SIZE=2>> > an updated CRL for that base, for a specific time T, by combining</FONT> <BR><FONT SIZE=2>> > it with a delta CRL which contains a delta CRL indicator </FONT> <BR><FONT SIZE=2>> extension</FONT> <BR><FONT SIZE=2>> > with the same CRL number as the base CRL. Applications </FONT> <BR><FONT SIZE=2>> that support</FONT> <BR><FONT SIZE=2>> > delta CRLs MUST ensure that time T falls between thisUpdate and</FONT> <BR><FONT SIZE=2>> > nextUpdate for both the base CRL and the delta CRL.</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Note: An application could also reconstruct an updated CRL, for</FONT> <BR><FONT SIZE=2>> > a specific time T, by using a previously locally </FONT> <BR><FONT SIZE=2>> reconstructed CRL</FONT> <BR><FONT SIZE=2>> > based on the current base CRL, and combining it with a </FONT> <BR><FONT SIZE=2>> delta CRL which</FONT> <BR><FONT SIZE=2>> > contains a delta CRL indicator extension with the same </FONT> <BR><FONT SIZE=2>> CRL number as</FONT> <BR><FONT SIZE=2>> > the base CRL.</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > We also need to clearly separate the issuing rules </FONT> <BR><FONT SIZE=2>> applicable for the CAs.</FONT> <BR><FONT SIZE=2>> > These rules will certainly contain SHALL statements, but </FONT> <BR><FONT SIZE=2>> could also include</FONT> <BR><FONT SIZE=2>> > some MAY statements. (I let Tim/David or Russ provide the </FONT> <BR><FONT SIZE=2>> MAY statement).</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Here is a proposal for the MUST statement, based on the </FONT> <BR><FONT SIZE=2>> previous text I</FONT> <BR><FONT SIZE=2>> > produced:</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full</FONT> <BR><FONT SIZE=2>> > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL</FONT> <BR><FONT SIZE=2>> > distribution point). For any time T until the nextUpdate time</FONT> <BR><FONT SIZE=2>> > indicated in a base CRL, the CA MUST provide one and only one</FONT> <BR><FONT SIZE=2>> > delta CRL that refers to that base CRL and for which time T</FONT> <BR><FONT SIZE=2>> > falls between thisUpdate and nextUpdate from the delta CRL.</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > In his e-mail from Wednesday, May 9, David said that </FONT> <BR><FONT SIZE=2>> delta-CRL processing</FONT> <BR><FONT SIZE=2>> > rules could be base on time instead of CRL numbers. This is </FONT> <BR><FONT SIZE=2>> a point of which</FONT> <BR><FONT SIZE=2>> > I strongly agree. Let us do it!</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > (However, there is no need to add to PKIX, as he suggested, </FONT> <BR><FONT SIZE=2>> the support of</FONT> <BR><FONT SIZE=2>> > the baseUpdateTime extension from X.509 which would even </FONT> <BR><FONT SIZE=2>> more complicate the</FONT> <BR><FONT SIZE=2>> > problem.)</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Regards,</FONT> <BR><FONT SIZE=2>> > </FONT> <BR><FONT SIZE=2>> > Denis</FONT> <BR><FONT SIZE=2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D973.40CFCAC0-- Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA15430 for <ietf-pkix@imc.org>; Thu, 10 May 2001 09:54:45 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id SAA53128; Thu, 10 May 2001 18:54:46 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id SAA04174; Thu, 10 May 2001 18:54:11 +0200 Message-ID: <3AFAC761.571FEFDF@bull.net> Date: Thu, 10 May 2001 18:52:49 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Integris. A Bull Company X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Santosh Chokhani <chokhani@cygnacom.com> CC: Carlin Covey <ccovey@cylink.com>, Sharon Boeyen <sharon.boeyen@entrust.com>, ietf-pkix@imc.org Subject: Re: delta CRLs References: <8D7EC1912E25D411A32100D0B76953978DE9AA@scygmxs01.cygnacom.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id JAA15432 Santosh, Let me send you a reply just before leaving my office tonight. > Denis: > > I do not agree with you. Any CRL that is not a delta CRL (i.e., > deltaCRLIndicator extension is absent), is a base CRL for some scope as > defined in CRLScope extension and/or the IDP extension. I do not agree with you either. For a CRL to be a base CRL, there needs first to be a delta CRL for it. In a closed environment, you could say that this is sufficient because there is fixed point of contact to fetch delta CRLs from and that this point is known using "out-of-bansds" means. We all know what this means in terms of scalability. :-( Until the CRL distribution point is used, noone knew where to fecth CRLs from. The same will apply for delta CRLs. If we want to use delta CRLs in an open environment, then we need the freshest CRL extension to be present. There are other side advantages: 1° it allows to know when delta CRLs are supported, otherwise fetches in the repository would be done for nothing. So it saves time and/or increases performances. 2° it allows to make sure that a delta scheme is supported and by using additional rules, it allows to make sure to get the freshest delta CRL. I hope this clarifies the point. Regards, Denis > -----Original Message----- > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] > Sent: Thursday, May 10, 2001 12:30 PM > To: Carlin Covey; Sharon Boeyen > Cc: ietf-pkix@imc.org > Subject: Re: delta CRLs > > Carlin and Sharon (at the same time), > > > Denis, > > > Now I'm confused again (or still). > > :-) > > > I agree that there is a difference > > between a base CRL and a full CRL. However, my understanding was that a > CRL > > is a "base CRL" with respect to some delta CRL only by virtue of having > been > > so identified in that delta CRL. > > I believe that a base CRL must include the Freshest CRL extension (a.k.a. > Delta CRL Distribution Point) defined in section 4.2.1.16. It indicates > both > that the service exists and where to fetch the information. It is a > non-critical extension so that a base CRL may also be used as a full CL > for > relying parties not supporting delta CRLs. > > > According to the PKIX profile, this base CRL must be a full CRL > > (complete for the intended scope). > > I believe that X.509 does not require that a base CRL be a full CRL. > > You just say above: "According to the PKIX profile, this base CRL must be > a > full CRL (complete for the intended scope". So do you mean that X.509 and > PKIX are taking different approaches ? > > Regards, > > Denis > > > Regards, > > > > Carlin > > > > ____________________________ > > > > - Carlin Covey > > Cylink Corporation > > > > -----Original Message----- > > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] > > Sent: Thursday, May 10, 2001 1:19 AM > > Cc: ietf-pkix@imc.org > > Subject: Re: delta CRLs > > > > Tim, David, Russ, Santosh, Carlin, and many others ... > > > > There is difference between a base CRL and a full CRL : a base CRL MUST > > include a freshestCRL extension (a.k.a. a Delta CRL distribution point), > > > whereas a full CRL may not include that extension. In other words, a > base > > CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. > > > > At any time a CA may issue a full CRL, whether or not a base CRL has > already > > been issued. This additional CRL SHOULD have nextUpdate equal to the > > nextUpdate of the last issued full CRL. However, there is no guarantee > that > > this additional CRL will ever be seen by the relying party (because > there > > will be two CRLs matching the thisUpdate and nextUpdate rule and if one > is > > deleted, this is not seen by a relying party). > > > > Due to the fact that CRLs numbers are strictly increasing, two CRLs > whether > > they are a base CRL or delta CRL, CANNOT have the same CRL number. So a > > delta CRL and a full CRL that cover the same scope and are issued at the > > > same time CANNOT have the same number. If a full CRL is issued, its CRL > > number bears no relationship with the previous base CRL, if any. The > only > > relationship between the numbers is defined by the rule that CRLs > numbers > > are strictly increasing. As Santosh said : "the CRL number is unique > > whether it is a base or a delta ". > > > > This is fairly important to be able to unambiguously (and thus uniquely) > > > refer to a CRL by only providing its CRL number. > > > > Besides the fact that a CRL issued later MUST have a higher CRL number, > full > > CRLs and delta CRLs have independent numbering rules. As noticed by > Santosh, > > " if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL > > > number (for the same or no stream identifier). > > > > As Santosh said : "a check based on thisUpdate is more general and > > preferred [to the use of CRL numbers]. " > > > > Related to the three rules mentioned by Russ : > > > > 1) the first rule is not understandable to me. > > 2) the second rule does not say anything more than the basic rule valid > > for any CRL (i.e. a CRL issued later MUST have a higher CRL number). > > 3) we will debate the hold condition, once we will have sorted the main > > issue. > > > > Russ said : "If separate number sequence is used, then you will have to > > periodically fetch base CRLs ". This is true. > > > > Tim said that he would *not* like to be forced to download new base > CRLs. > > This is the core of the "dispute". > > > > >From the definition of what a delta CRL is, it is *not* possible to > > get rid of the fetching of base CRLs. Unless we add a new sentence to > > expand/change that definition, base CRL fetching will remain mandatory. > > > > Remember that the goal of delta CRLs is to provide the freshest > information, > > and to my knowledge the goal was not to get rid of the fetching of base > CRLs > > (which may less frequent due to the support of delta CRLs). > > > > If I understand correctly, Tim/David/Russ would like to *always* achieve > the > > following property : it is possible to reconstruct the current CRL by > using > > a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has > been > > issued at the same time a base CRL was issued and which contains updates > > > made to the *previous* base. > > > > By this way the fetching of base CRLs could be avoided. However, note > that > > it is perfectly " legal " to stop issuing base and delta CRLs during > some > > period of time and to issue full CRLs instead (see the difference > between > > "full" and "base" at the top of this e-mail). In other words there is no > > > need to issue a new base CRL at the end of the validity period of the > > previous base CRL. Doing this would mandate to prescribe issuing rules > > for CAs that we have not prescripted. > > > > I will now raise a series of questions, for which I believe we have > > different answers. Tim/David/Russ do not hesitate to correct > > if my guess is wrong. ;-) > > > > Common point: > > > > 1) What will be the value of the nextUpdate field from the last issued > delta > > CRL for a given base CRL ? > > > > Denis: the nextUpdate field from the last issued delta CRL MUST be equal > to > > the value of nextUpdate from the base CRL. > > > > Tim/David/Russ: ??? > > > > 2) Does a CA needs to issue a delta CRL at the time a full CRL is issued > ? > > > > Denis: No. > > Tim/David/Russ : ??? > > > > 3) Does a CA needs to issue a new base CRL at the end of the validity of > a > > current base CRL ? > > > > Denis: No. > > Tim/David/Russ : ??? > > > > 4) Does a CA needs to issue a delta CRL at the same time a new base is > > issued ? > > > > Denis: Yes. The delta CRL refers to the *new* base. > > Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note > > > that there can be no previous at all, or the "previous" may even be > three > > months old]. > > > > The last point highlights the most noticeable difference. Other > differences > > appears when considering the guaranty to get the freshest information : > > using the traditional scheme and the thisUpdate and nextUpdate fields > the > > guaranty to get the freshest information is obtained, but cannot be > obtained > > using the other scheme. :-( > > > > Several people are referring to the X.509 document for arguments to > support > > that discussion. However, it is important to remember that we are > defining > > PKIX, not X.509, so we DO NOT need to copy and paste everything from > X.509, > > but only what we believe is relevant. > > > > We first need to clearly define the processing rules applicable to the > > relying parties. These rules will certainly contain SHALL/MUST > statements, > > but may also include some MAY statements which may even be conditional > to > > what the CA is doing. (I let Tim/David or Russ provide the MAY > statement). > > > > Here is a proposal for the MUST statement, based on the previous text I > > produced: > > > > An application that is wishing to take advantage of delta CRLs > > for a given scope, MUST first find a base CRL for that scope, > > i.e. a full CRL that that contains a freshestCRL extension > > (a.k.a. a Delta CRL distribution point). It may then construct > > an updated CRL for that base, for a specific time T, by combining > > it with a delta CRL which contains a delta CRL indicator extension > > with the same CRL number as the base CRL. Applications that support > > delta CRLs MUST ensure that time T falls between thisUpdate and > > nextUpdate for both the base CRL and the delta CRL. > > > > Note: An application could also reconstruct an updated CRL, for > > a specific time T, by using a previously locally reconstructed CRL > > based on the current base CRL, and combining it with a delta CRL > which > > contains a delta CRL indicator extension with the same CRL number as > > the base CRL. > > > > We also need to clearly separate the issuing rules applicable for the > CAs. > > These rules will certainly contain SHALL statements, but could also > include > > some MAY statements. (I let Tim/David or Russ provide the MAY > statement). > > > > Here is a proposal for the MUST statement, based on the previous text I > > produced: > > > > A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full > > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > > distribution point). For any time T until the nextUpdate time > > indicated in a base CRL, the CA MUST provide one and only one > > delta CRL that refers to that base CRL and for which time T > > falls between thisUpdate and nextUpdate from the delta CRL. > > > > In his e-mail from Wednesday, May 9, David said that delta-CRL > processing > > rules could be base on time instead of CRL numbers. This is a point of > which > > I strongly agree. Let us do it! > > > > (However, there is no need to add to PKIX, as he suggested, the support > of > > the baseUpdateTime extension from X.509 which would even more complicate > the > > problem.) > > > > Regards, > > > > Denis Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA14931 for <ietf-pkix@imc.org>; Thu, 10 May 2001 09:51:44 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id KVA79ZY7; Thu, 10 May 2001 09:45:58 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Denis Pinkas" <Denis.Pinkas@bull.net> Cc: <ietf-pkix@imc.org> Subject: RE: delta CRLs Date: Thu, 10 May 2001 09:50:58 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGOEGHCEAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal In-Reply-To: <3AFA4F09.5AB02392@bull.net> Denis, Now I'm confused again (or still). I agree that there is a difference between a base CRL and a full CRL. However, my understanding was that a CRL is a "base CRL" with respect to some delta CRL only by virtue of having been so identified in that delta CRL. According to the PKIX profile, this base CRL must be a full CRL (complete for the intended scope). I believe that X.509 does not require that a base CRL be a full CRL. Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] Sent: Thursday, May 10, 2001 1:19 AM Cc: ietf-pkix@imc.org Subject: Re: delta CRLs Tim, David, Russ, Santosh, Carlin, and many others ... There is difference between a base CRL and a full CRL : a base CRL MUST include a freshestCRL extension (a.k.a. a Delta CRL distribution point), whereas a full CRL may not include that extension. In other words, a base CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. At any time a CA may issue a full CRL, whether or not a base CRL has already been issued. This additional CRL SHOULD have nextUpdate equal to the nextUpdate of the last issued full CRL. However, there is no guarantee that this additional CRL will ever be seen by the relying party (because there will be two CRLs matching the thisUpdate and nextUpdate rule and if one is deleted, this is not seen by a relying party). Due to the fact that CRLs numbers are strictly increasing, two CRLs whether they are a base CRL or delta CRL, CANNOT have the same CRL number. So a delta CRL and a full CRL that cover the same scope and are issued at the same time CANNOT have the same number. If a full CRL is issued, its CRL number bears no relationship with the previous base CRL, if any. The only relationship between the numbers is defined by the rule that CRLs numbers are strictly increasing. As Santosh said : "the CRL number is unique whether it is a base or a delta ". This is fairly important to be able to unambiguously (and thus uniquely) refer to a CRL by only providing its CRL number. Besides the fact that a CRL issued later MUST have a higher CRL number, full CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, " if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL number (for the same or no stream identifier). As Santosh said : "a check based on thisUpdate is more general and preferred [to the use of CRL numbers]. " Related to the three rules mentioned by Russ : 1) the first rule is not understandable to me. 2) the second rule does not say anything more than the basic rule valid for any CRL (i.e. a CRL issued later MUST have a higher CRL number). 3) we will debate the hold condition, once we will have sorted the main issue. Russ said : "If separate number sequence is used, then you will have to periodically fetch base CRLs ". This is true. Tim said that he would *not* like to be forced to download new base CRLs. This is the core of the "dispute". >From the definition of what a delta CRL is, it is *not* possible to get rid of the fetching of base CRLs. Unless we add a new sentence to expand/change that definition, base CRL fetching will remain mandatory. Remember that the goal of delta CRLs is to provide the freshest information, and to my knowledge the goal was not to get rid of the fetching of base CRLs (which may less frequent due to the support of delta CRLs). If I understand correctly, Tim/David/Russ would like to *always* achieve the following property : it is possible to reconstruct the current CRL by using a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been issued at the same time a base CRL was issued and which contains updates made to the *previous* base. By this way the fetching of base CRLs could be avoided. However, note that it is perfectly " legal " to stop issuing base and delta CRLs during some period of time and to issue full CRLs instead (see the difference between "full" and "base" at the top of this e-mail). In other words there is no need to issue a new base CRL at the end of the validity period of the previous base CRL. Doing this would mandate to prescribe issuing rules for CAs that we have not prescripted. I will now raise a series of questions, for which I believe we have different answers. Tim/David/Russ do not hesitate to correct if my guess is wrong. ;-) Common point: 1) What will be the value of the nextUpdate field from the last issued delta CRL for a given base CRL ? Denis: the nextUpdate field from the last issued delta CRL MUST be equal to the value of nextUpdate from the base CRL. Tim/David/Russ: ??? 2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? Denis: No. Tim/David/Russ : ??? 3) Does a CA needs to issue a new base CRL at the end of the validity of a current base CRL ? Denis: No. Tim/David/Russ : ??? 4) Does a CA needs to issue a delta CRL at the same time a new base is issued ? Denis: Yes. The delta CRL refers to the *new* base. Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note that there can be no previous at all, or the "previous" may even be three months old]. The last point highlights the most noticeable difference. Other differences appears when considering the guaranty to get the freshest information : using the traditional scheme and the thisUpdate and nextUpdate fields the guaranty to get the freshest information is obtained, but cannot be obtained using the other scheme. :-( Several people are referring to the X.509 document for arguments to support that discussion. However, it is important to remember that we are defining PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, but only what we believe is relevant. We first need to clearly define the processing rules applicable to the relying parties. These rules will certainly contain SHALL/MUST statements, but may also include some MAY statements which may even be conditional to what the CA is doing. (I let Tim/David or Russ provide the MAY statement). Here is a proposal for the MUST statement, based on the previous text I produced: An application that is wishing to take advantage of delta CRLs for a given scope, MUST first find a base CRL for that scope, i.e. a full CRL that that contains a freshestCRL extension (a.k.a. a Delta CRL distribution point). It may then construct an updated CRL for that base, for a specific time T, by combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. Applications that support delta CRLs MUST ensure that time T falls between thisUpdate and nextUpdate for both the base CRL and the delta CRL. Note: An application could also reconstruct an updated CRL, for a specific time T, by using a previously locally reconstructed CRL based on the current base CRL, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. We also need to clearly separate the issuing rules applicable for the CAs. These rules will certainly contain SHALL statements, but could also include some MAY statements. (I let Tim/David or Russ provide the MAY statement). Here is a proposal for the MUST statement, based on the previous text I produced: A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full CRL that contains a freshestCRL extension (a.k.a. a Delta CRL distribution point). For any time T until the nextUpdate time indicated in a base CRL, the CA MUST provide one and only one delta CRL that refers to that base CRL and for which time T falls between thisUpdate and nextUpdate from the delta CRL. In his e-mail from Wednesday, May 9, David said that delta-CRL processing rules could be base on time instead of CRL numbers. This is a point of which I strongly agree. Let us do it! (However, there is no need to add to PKIX, as he suggested, the support of the baseUpdateTime extension from X.509 which would even more complicate the problem.) Regards, Denis Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA14009 for <ietf-pkix@imc.org>; Thu, 10 May 2001 09:38:45 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K4X9NJ6W>; Thu, 10 May 2001 12:38:14 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE9AA@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Denis Pinkas <Denis.Pinkas@bull.net>, Carlin Covey <ccovey@cylink.com>, Sharon Boeyen <sharon.boeyen@entrust.com> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Thu, 10 May 2001 12:28:57 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D96E.500FB310" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D96E.500FB310 Content-Type: text/plain; charset="iso-8859-1" Denis: I do not agree with you. Any CRL that is not a delta CRL (i.e., deltaCRLIndicator extension is absent), is a base CRL for some scope as defined in CRLScope extension and/or the IDP extension. -----Original Message----- From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] Sent: Thursday, May 10, 2001 12:30 PM To: Carlin Covey; Sharon Boeyen Cc: ietf-pkix@imc.org Subject: Re: delta CRLs Carlin and Sharon (at the same time), > Denis, > Now I'm confused again (or still). :-) > I agree that there is a difference > between a base CRL and a full CRL. However, my understanding was that a CRL > is a "base CRL" with respect to some delta CRL only by virtue of having been > so identified in that delta CRL. I believe that a base CRL must include the Freshest CRL extension (a.k.a. Delta CRL Distribution Point) defined in section 4.2.1.16. It indicates both that the service exists and where to fetch the information. It is a non-critical extension so that a base CRL may also be used as a full CL for relying parties not supporting delta CRLs. > According to the PKIX profile, this base CRL must be a full CRL > (complete for the intended scope). > I believe that X.509 does not require that a base CRL be a full CRL. You just say above: "According to the PKIX profile, this base CRL must be a full CRL (complete for the intended scope". So do you mean that X.509 and PKIX are taking different approaches ? Regards, Denis > Regards, > > Carlin > > ____________________________ > > - Carlin Covey > Cylink Corporation > > -----Original Message----- > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] > Sent: Thursday, May 10, 2001 1:19 AM > Cc: ietf-pkix@imc.org > Subject: Re: delta CRLs > > Tim, David, Russ, Santosh, Carlin, and many others ... > > There is difference between a base CRL and a full CRL : a base CRL MUST > include a freshestCRL extension (a.k.a. a Delta CRL distribution point), > whereas a full CRL may not include that extension. In other words, a base > CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. > > At any time a CA may issue a full CRL, whether or not a base CRL has already > been issued. This additional CRL SHOULD have nextUpdate equal to the > nextUpdate of the last issued full CRL. However, there is no guarantee that > this additional CRL will ever be seen by the relying party (because there > will be two CRLs matching the thisUpdate and nextUpdate rule and if one is > deleted, this is not seen by a relying party). > > Due to the fact that CRLs numbers are strictly increasing, two CRLs whether > they are a base CRL or delta CRL, CANNOT have the same CRL number. So a > delta CRL and a full CRL that cover the same scope and are issued at the > same time CANNOT have the same number. If a full CRL is issued, its CRL > number bears no relationship with the previous base CRL, if any. The only > relationship between the numbers is defined by the rule that CRLs numbers > are strictly increasing. As Santosh said : "the CRL number is unique > whether it is a base or a delta ". > > This is fairly important to be able to unambiguously (and thus uniquely) > refer to a CRL by only providing its CRL number. > > Besides the fact that a CRL issued later MUST have a higher CRL number, full > CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, > " if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL > number (for the same or no stream identifier). > > As Santosh said : "a check based on thisUpdate is more general and > preferred [to the use of CRL numbers]. " > > Related to the three rules mentioned by Russ : > > 1) the first rule is not understandable to me. > 2) the second rule does not say anything more than the basic rule valid > for any CRL (i.e. a CRL issued later MUST have a higher CRL number). > 3) we will debate the hold condition, once we will have sorted the main > issue. > > Russ said : "If separate number sequence is used, then you will have to > periodically fetch base CRLs ". This is true. > > Tim said that he would *not* like to be forced to download new base CRLs. > This is the core of the "dispute". > > >From the definition of what a delta CRL is, it is *not* possible to > get rid of the fetching of base CRLs. Unless we add a new sentence to > expand/change that definition, base CRL fetching will remain mandatory. > > Remember that the goal of delta CRLs is to provide the freshest information, > and to my knowledge the goal was not to get rid of the fetching of base CRLs > (which may less frequent due to the support of delta CRLs). > > If I understand correctly, Tim/David/Russ would like to *always* achieve the > following property : it is possible to reconstruct the current CRL by using > a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been > issued at the same time a base CRL was issued and which contains updates > made to the *previous* base. > > By this way the fetching of base CRLs could be avoided. However, note that > it is perfectly " legal " to stop issuing base and delta CRLs during some > period of time and to issue full CRLs instead (see the difference between > "full" and "base" at the top of this e-mail). In other words there is no > need to issue a new base CRL at the end of the validity period of the > previous base CRL. Doing this would mandate to prescribe issuing rules > for CAs that we have not prescripted. > > I will now raise a series of questions, for which I believe we have > different answers. Tim/David/Russ do not hesitate to correct > if my guess is wrong. ;-) > > Common point: > > 1) What will be the value of the nextUpdate field from the last issued delta > CRL for a given base CRL ? > > Denis: the nextUpdate field from the last issued delta CRL MUST be equal to > the value of nextUpdate from the base CRL. > > Tim/David/Russ: ??? > > 2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? > > Denis: No. > Tim/David/Russ : ??? > > 3) Does a CA needs to issue a new base CRL at the end of the validity of a > current base CRL ? > > Denis: No. > Tim/David/Russ : ??? > > 4) Does a CA needs to issue a delta CRL at the same time a new base is > issued ? > > Denis: Yes. The delta CRL refers to the *new* base. > Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note > that there can be no previous at all, or the "previous" may even be three > months old]. > > The last point highlights the most noticeable difference. Other differences > appears when considering the guaranty to get the freshest information : > using the traditional scheme and the thisUpdate and nextUpdate fields the > guaranty to get the freshest information is obtained, but cannot be obtained > using the other scheme. :-( > > Several people are referring to the X.509 document for arguments to support > that discussion. However, it is important to remember that we are defining > PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, > but only what we believe is relevant. > > We first need to clearly define the processing rules applicable to the > relying parties. These rules will certainly contain SHALL/MUST statements, > but may also include some MAY statements which may even be conditional to > what the CA is doing. (I let Tim/David or Russ provide the MAY statement). > > Here is a proposal for the MUST statement, based on the previous text I > produced: > > An application that is wishing to take advantage of delta CRLs > for a given scope, MUST first find a base CRL for that scope, > i.e. a full CRL that that contains a freshestCRL extension > (a.k.a. a Delta CRL distribution point). It may then construct > an updated CRL for that base, for a specific time T, by combining > it with a delta CRL which contains a delta CRL indicator extension > with the same CRL number as the base CRL. Applications that support > delta CRLs MUST ensure that time T falls between thisUpdate and > nextUpdate for both the base CRL and the delta CRL. > > Note: An application could also reconstruct an updated CRL, for > a specific time T, by using a previously locally reconstructed CRL > based on the current base CRL, and combining it with a delta CRL which > contains a delta CRL indicator extension with the same CRL number as > the base CRL. > > We also need to clearly separate the issuing rules applicable for the CAs. > These rules will certainly contain SHALL statements, but could also include > some MAY statements. (I let Tim/David or Russ provide the MAY statement). > > Here is a proposal for the MUST statement, based on the previous text I > produced: > > A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > distribution point). For any time T until the nextUpdate time > indicated in a base CRL, the CA MUST provide one and only one > delta CRL that refers to that base CRL and for which time T > falls between thisUpdate and nextUpdate from the delta CRL. > > In his e-mail from Wednesday, May 9, David said that delta-CRL processing > rules could be base on time instead of CRL numbers. This is a point of which > I strongly agree. Let us do it! > > (However, there is no need to add to PKIX, as he suggested, the support of > the baseUpdateTime extension from X.509 which would even more complicate the > problem.) > > Regards, > > Denis ------_=_NextPart_001_01C0D96E.500FB310 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Denis:</FONT> </P> <P><FONT SIZE=3D2>I do not agree with you. Any CRL that is not a = delta CRL (i.e., deltaCRLIndicator extension is absent), is a base CRL = for some scope as defined in CRLScope extension and/or the IDP = extension.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Denis Pinkas [<A = HREF=3D"mailto:Denis.Pinkas@bull.net">mailto:Denis.Pinkas@bull.net</A>]<= /FONT> <BR><FONT SIZE=3D2>Sent: Thursday, May 10, 2001 12:30 PM</FONT> <BR><FONT SIZE=3D2>To: Carlin Covey; Sharon Boeyen</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Re: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>Carlin and Sharon (at the same time),</FONT> </P> <P><FONT SIZE=3D2>> Denis,</FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>> Now I'm confused again (or still). = </FONT> </P> <P><FONT SIZE=3D2>:-)</FONT> </P> <P><FONT SIZE=3D2>> I agree that there is a difference</FONT> <BR><FONT SIZE=3D2>> between a base CRL and a full CRL. = However, my understanding was that a CRL</FONT> <BR><FONT SIZE=3D2>> is a "base CRL" with respect to some = delta CRL only by virtue of having been</FONT> <BR><FONT SIZE=3D2>> so identified in that delta CRL. </FONT> </P> <P><FONT SIZE=3D2>I believe that a base CRL must include the Freshest = CRL extension (a.k.a.</FONT> <BR><FONT SIZE=3D2>Delta CRL Distribution Point) defined in section = 4.2.1.16. It indicates both</FONT> <BR><FONT SIZE=3D2>that the service exists and where to fetch the = information. It is a</FONT> <BR><FONT SIZE=3D2>non-critical extension so that a base CRL may also = be used as a full CL for</FONT> <BR><FONT SIZE=3D2>relying parties not supporting delta CRLs.</FONT> </P> <P><FONT SIZE=3D2>> According to the PKIX profile, this base CRL = must be a full CRL </FONT> <BR><FONT SIZE=3D2>> (complete for the intended scope). = </FONT> <BR><FONT SIZE=3D2>> I believe that X.509 does not require that a = base CRL be a full CRL.</FONT> </P> <P><FONT SIZE=3D2>You just say above: "According to the PKIX = profile, this base CRL must be a</FONT> <BR><FONT SIZE=3D2>full CRL (complete for the intended scope". So = do you mean that X.509 and</FONT> <BR><FONT SIZE=3D2>PKIX are taking different approaches ?</FONT> </P> <P><FONT SIZE=3D2>Regards,</FONT> </P> <P><FONT SIZE=3D2>Denis</FONT> </P> <P><FONT SIZE=3D2>> Regards,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Carlin</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> ____________________________</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> - Carlin Covey</FONT> <BR><FONT SIZE=3D2>> Cylink Corporation</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> From: Denis Pinkas [<A = HREF=3D"mailto:Denis.Pinkas@bull.net">mailto:Denis.Pinkas@bull.net</A>]<= /FONT> <BR><FONT SIZE=3D2>> Sent: Thursday, May 10, 2001 1:19 AM</FONT> <BR><FONT SIZE=3D2>> Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Subject: Re: delta CRLs</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Tim, David, Russ, Santosh, Carlin, and many = others ...</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> There is difference between a base CRL and a = full CRL : a base CRL MUST</FONT> <BR><FONT SIZE=3D2>> include a freshestCRL extension (a.k.a. a Delta = CRL distribution point),</FONT> <BR><FONT SIZE=3D2>> whereas a full CRL may not include that = extension. In other words, a base</FONT> <BR><FONT SIZE=3D2>> CRL is a also a full CRL, but a full CRL is not = necessarily a base CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> At any time a CA may issue a full CRL, whether = or not a base CRL has already</FONT> <BR><FONT SIZE=3D2>> been issued. This additional CRL SHOULD have = nextUpdate equal to the</FONT> <BR><FONT SIZE=3D2>> nextUpdate of the last issued full CRL. = However, there is no guarantee that</FONT> <BR><FONT SIZE=3D2>> this additional CRL will ever be seen by the = relying party (because there</FONT> <BR><FONT SIZE=3D2>> will be two CRLs matching the thisUpdate and = nextUpdate rule and if one is</FONT> <BR><FONT SIZE=3D2>> deleted, this is not seen by a relying = party).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Due to the fact that CRLs numbers are strictly = increasing, two CRLs whether</FONT> <BR><FONT SIZE=3D2>> they are a base CRL or delta CRL, CANNOT have = the same CRL number. So a</FONT> <BR><FONT SIZE=3D2>> delta CRL and a full CRL that cover the same = scope and are issued at the</FONT> <BR><FONT SIZE=3D2>> same time CANNOT have the same number. If a = full CRL is issued, its CRL</FONT> <BR><FONT SIZE=3D2>> number bears no relationship with the previous = base CRL, if any. The only</FONT> <BR><FONT SIZE=3D2>> relationship between the numbers is defined by = the rule that CRLs numbers</FONT> <BR><FONT SIZE=3D2>> are strictly increasing. As Santosh said : = "the CRL number is unique</FONT> <BR><FONT SIZE=3D2>> whether it is a base or a delta ".</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> This is fairly important to be able to = unambiguously (and thus uniquely)</FONT> <BR><FONT SIZE=3D2>> refer to a CRL by only providing its CRL = number.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Besides the fact that a CRL issued later MUST = have a higher CRL number, full</FONT> <BR><FONT SIZE=3D2>> CRLs and delta CRLs have independent numbering = rules. As noticed by Santosh,</FONT> <BR><FONT SIZE=3D2>> " if the delta thisUpdate > base = thisUpdate, delta CRL number > base CRL</FONT> <BR><FONT SIZE=3D2>> number (for the same or no stream = identifier).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> As Santosh said : "a check based on = thisUpdate is more general and</FONT> <BR><FONT SIZE=3D2>> preferred [to the use of CRL numbers]. = "</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Related to the three rules mentioned by Russ = :</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 1) the first rule is not understandable to = me.</FONT> <BR><FONT SIZE=3D2>> 2) the second rule does not say anything more = than the basic rule valid</FONT> <BR><FONT SIZE=3D2>> for any CRL (i.e. a CRL = issued later MUST have a higher CRL number).</FONT> <BR><FONT SIZE=3D2>> 3) we will debate the hold condition, once we = will have sorted the main</FONT> <BR><FONT SIZE=3D2>> issue.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Russ said : "If separate number sequence = is used, then you will have to</FONT> <BR><FONT SIZE=3D2>> periodically fetch base CRLs ". This is = true.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Tim said that he would *not* like to be forced = to download new base CRLs.</FONT> <BR><FONT SIZE=3D2>> This is the core of the = "dispute".</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> >From the definition of what a delta CRL is, = it is *not* possible to</FONT> <BR><FONT SIZE=3D2>> get rid of the fetching of base CRLs. Unless we = add a new sentence to</FONT> <BR><FONT SIZE=3D2>> expand/change that definition, base CRL = fetching will remain mandatory.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Remember that the goal of delta CRLs is to = provide the freshest information,</FONT> <BR><FONT SIZE=3D2>> and to my knowledge the goal was not to get rid = of the fetching of base CRLs</FONT> <BR><FONT SIZE=3D2>> (which may less frequent due to the support of = delta CRLs).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> If I understand correctly, Tim/David/Russ would = like to *always* achieve the</FONT> <BR><FONT SIZE=3D2>> following property : it is possible to = reconstruct the current CRL by using</FONT> <BR><FONT SIZE=3D2>> a base CRL from, e.g. 1990, i.e. by capturing = every delta CRL that has been</FONT> <BR><FONT SIZE=3D2>> issued at the same time a base CRL was issued = and which contains updates</FONT> <BR><FONT SIZE=3D2>> made to the *previous* base.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> By this way the fetching of base CRLs could be = avoided. However, note that</FONT> <BR><FONT SIZE=3D2>> it is perfectly " legal " to stop = issuing base and delta CRLs during some</FONT> <BR><FONT SIZE=3D2>> period of time and to issue full CRLs instead = (see the difference between</FONT> <BR><FONT SIZE=3D2>> "full" and "base" at the = top of this e-mail). In other words there is no</FONT> <BR><FONT SIZE=3D2>> need to issue a new base CRL at the end of the = validity period of the</FONT> <BR><FONT SIZE=3D2>> previous base CRL. Doing this would mandate to = prescribe issuing rules</FONT> <BR><FONT SIZE=3D2>> for CAs that we have not prescripted.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> I will now raise a series of questions, for = which I believe we have</FONT> <BR><FONT SIZE=3D2>> different answers. Tim/David/Russ do not = hesitate to correct</FONT> <BR><FONT SIZE=3D2>> if my guess is wrong. ;-)</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Common point:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 1) What will be the value of the nextUpdate = field from the last issued delta</FONT> <BR><FONT SIZE=3D2>> CRL for a given base CRL ?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Denis: the nextUpdate field from the last = issued delta CRL MUST be equal to</FONT> <BR><FONT SIZE=3D2>> the value of nextUpdate from the base = CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Tim/David/Russ: ???</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 2) Does a CA needs to issue a delta CRL at the = time a full CRL is issued ?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Denis: No.</FONT> <BR><FONT SIZE=3D2>> Tim/David/Russ : ???</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 3) Does a CA needs to issue a new base CRL at = the end of the validity of a</FONT> <BR><FONT SIZE=3D2>> current base CRL ?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Denis: No.</FONT> <BR><FONT SIZE=3D2>> Tim/David/Russ : ???</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> 4) Does a CA needs to issue a delta CRL at the = same time a new base is</FONT> <BR><FONT SIZE=3D2>> issued ?</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Denis: Yes. The delta CRL refers to the *new* = base.</FONT> <BR><FONT SIZE=3D2>> Tim/David/Russ : Yes. The delta CRL refers to = the *previous* base. [Note</FONT> <BR><FONT SIZE=3D2>> that there can be no previous at all, or the = "previous" may even be three</FONT> <BR><FONT SIZE=3D2>> months old].</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> The last point highlights the most noticeable = difference. Other differences</FONT> <BR><FONT SIZE=3D2>> appears when considering the guaranty to get = the freshest information :</FONT> <BR><FONT SIZE=3D2>> using the traditional scheme and the thisUpdate = and nextUpdate fields the</FONT> <BR><FONT SIZE=3D2>> guaranty to get the freshest information is = obtained, but cannot be obtained</FONT> <BR><FONT SIZE=3D2>> using the other scheme. :-(</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Several people are referring to the X.509 = document for arguments to support</FONT> <BR><FONT SIZE=3D2>> that discussion. However, it is important to = remember that we are defining</FONT> <BR><FONT SIZE=3D2>> PKIX, not X.509, so we DO NOT need to copy and = paste everything from X.509,</FONT> <BR><FONT SIZE=3D2>> but only what we believe is relevant.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> We first need to clearly define the processing = rules applicable to the</FONT> <BR><FONT SIZE=3D2>> relying parties. These rules will certainly = contain SHALL/MUST statements,</FONT> <BR><FONT SIZE=3D2>> but may also include some MAY statements which = may even be conditional to</FONT> <BR><FONT SIZE=3D2>> what the CA is doing. (I let Tim/David or Russ = provide the MAY statement).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Here is a proposal for the MUST statement, = based on the previous text I</FONT> <BR><FONT SIZE=3D2>> produced:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> An application that is = wishing to take advantage of delta CRLs</FONT> <BR><FONT SIZE=3D2>> for a given scope, MUST first = find a base CRL for that scope,</FONT> <BR><FONT SIZE=3D2>> i.e. a full CRL that that = contains a freshestCRL extension</FONT> <BR><FONT SIZE=3D2>> (a.k.a. a Delta CRL = distribution point). It may then construct</FONT> <BR><FONT SIZE=3D2>> an updated CRL for that base, = for a specific time T, by combining</FONT> <BR><FONT SIZE=3D2>> it with a delta CRL which = contains a delta CRL indicator extension</FONT> <BR><FONT SIZE=3D2>> with the same CRL number as = the base CRL. Applications that support</FONT> <BR><FONT SIZE=3D2>> delta CRLs MUST ensure that = time T falls between thisUpdate and</FONT> <BR><FONT SIZE=3D2>> nextUpdate for both the base = CRL and the delta CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Note: An application could = also reconstruct an updated CRL, for</FONT> <BR><FONT SIZE=3D2>> a specific time T, by using a = previously locally reconstructed CRL</FONT> <BR><FONT SIZE=3D2>> based on the current base = CRL, and combining it with a delta CRL which</FONT> <BR><FONT SIZE=3D2>> contains a delta CRL = indicator extension with the same CRL number as</FONT> <BR><FONT SIZE=3D2>> the base CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> We also need to clearly separate the issuing = rules applicable for the CAs.</FONT> <BR><FONT SIZE=3D2>> These rules will certainly contain SHALL = statements, but could also include</FONT> <BR><FONT SIZE=3D2>> some MAY statements. (I let Tim/David or Russ = provide the MAY statement).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Here is a proposal for the MUST statement, = based on the previous text I</FONT> <BR><FONT SIZE=3D2>> produced:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> A CA that supports = delta-CRLs, MUST issue a base CRL, i.e. a full</FONT> <BR><FONT SIZE=3D2>> CRL that contains a = freshestCRL extension (a.k.a. a Delta CRL</FONT> <BR><FONT SIZE=3D2>> distribution point). For any = time T until the nextUpdate time</FONT> <BR><FONT SIZE=3D2>> indicated in a base CRL, the = CA MUST provide one and only one</FONT> <BR><FONT SIZE=3D2>> delta CRL that refers to that = base CRL and for which time T</FONT> <BR><FONT SIZE=3D2>> falls between thisUpdate and = nextUpdate from the delta CRL.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> In his e-mail from Wednesday, May 9, David said = that delta-CRL processing</FONT> <BR><FONT SIZE=3D2>> rules could be base on time instead of CRL = numbers. This is a point of which</FONT> <BR><FONT SIZE=3D2>> I strongly agree. Let us do it!</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> (However, there is no need to add to PKIX, as = he suggested, the support of</FONT> <BR><FONT SIZE=3D2>> the baseUpdateTime extension from X.509 which = would even more complicate the</FONT> <BR><FONT SIZE=3D2>> problem.)</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Regards,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Denis</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D96E.500FB310-- Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA13168 for <ietf-pkix@imc.org>; Thu, 10 May 2001 09:31:51 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id SAA18774; Thu, 10 May 2001 18:31:51 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id SAA17312; Thu, 10 May 2001 18:31:17 +0200 Message-ID: <3AFAC206.CE45C32C@bull.net> Date: Thu, 10 May 2001 18:29:58 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Integris. A Bull Company X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Carlin Covey <ccovey@cylink.com>, Sharon Boeyen <boeyen@entrust.com> CC: ietf-pkix@imc.org Subject: Re: delta CRLs References: <FLEELNBJKAIIGDJJKPDGOEGGCEAA.ccovey@cylink.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Carlin and Sharon (at the same time), > Denis, > Now I'm confused again (or still). :-) > I agree that there is a difference > between a base CRL and a full CRL. However, my understanding was that a CRL > is a "base CRL" with respect to some delta CRL only by virtue of having been > so identified in that delta CRL. I believe that a base CRL must include the Freshest CRL extension (a.k.a. Delta CRL Distribution Point) defined in section 4.2.1.16. It indicates both that the service exists and where to fetch the information. It is a non-critical extension so that a base CRL may also be used as a full CL for relying parties not supporting delta CRLs. > According to the PKIX profile, this base CRL must be a full CRL > (complete for the intended scope). > I believe that X.509 does not require that a base CRL be a full CRL. You just say above: "According to the PKIX profile, this base CRL must be a full CRL (complete for the intended scope". So do you mean that X.509 and PKIX are taking different approaches ? Regards, Denis > Regards, > > Carlin > > ____________________________ > > - Carlin Covey > Cylink Corporation > > -----Original Message----- > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] > Sent: Thursday, May 10, 2001 1:19 AM > Cc: ietf-pkix@imc.org > Subject: Re: delta CRLs > > Tim, David, Russ, Santosh, Carlin, and many others ... > > There is difference between a base CRL and a full CRL : a base CRL MUST > include a freshestCRL extension (a.k.a. a Delta CRL distribution point), > whereas a full CRL may not include that extension. In other words, a base > CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. > > At any time a CA may issue a full CRL, whether or not a base CRL has already > been issued. This additional CRL SHOULD have nextUpdate equal to the > nextUpdate of the last issued full CRL. However, there is no guarantee that > this additional CRL will ever be seen by the relying party (because there > will be two CRLs matching the thisUpdate and nextUpdate rule and if one is > deleted, this is not seen by a relying party). > > Due to the fact that CRLs numbers are strictly increasing, two CRLs whether > they are a base CRL or delta CRL, CANNOT have the same CRL number. So a > delta CRL and a full CRL that cover the same scope and are issued at the > same time CANNOT have the same number. If a full CRL is issued, its CRL > number bears no relationship with the previous base CRL, if any. The only > relationship between the numbers is defined by the rule that CRLs numbers > are strictly increasing. As Santosh said : "the CRL number is unique > whether it is a base or a delta ". > > This is fairly important to be able to unambiguously (and thus uniquely) > refer to a CRL by only providing its CRL number. > > Besides the fact that a CRL issued later MUST have a higher CRL number, full > CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, > " if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL > number (for the same or no stream identifier). > > As Santosh said : "a check based on thisUpdate is more general and > preferred [to the use of CRL numbers]. " > > Related to the three rules mentioned by Russ : > > 1) the first rule is not understandable to me. > 2) the second rule does not say anything more than the basic rule valid > for any CRL (i.e. a CRL issued later MUST have a higher CRL number). > 3) we will debate the hold condition, once we will have sorted the main > issue. > > Russ said : "If separate number sequence is used, then you will have to > periodically fetch base CRLs ". This is true. > > Tim said that he would *not* like to be forced to download new base CRLs. > This is the core of the "dispute". > > >From the definition of what a delta CRL is, it is *not* possible to > get rid of the fetching of base CRLs. Unless we add a new sentence to > expand/change that definition, base CRL fetching will remain mandatory. > > Remember that the goal of delta CRLs is to provide the freshest information, > and to my knowledge the goal was not to get rid of the fetching of base CRLs > (which may less frequent due to the support of delta CRLs). > > If I understand correctly, Tim/David/Russ would like to *always* achieve the > following property : it is possible to reconstruct the current CRL by using > a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been > issued at the same time a base CRL was issued and which contains updates > made to the *previous* base. > > By this way the fetching of base CRLs could be avoided. However, note that > it is perfectly " legal " to stop issuing base and delta CRLs during some > period of time and to issue full CRLs instead (see the difference between > "full" and "base" at the top of this e-mail). In other words there is no > need to issue a new base CRL at the end of the validity period of the > previous base CRL. Doing this would mandate to prescribe issuing rules > for CAs that we have not prescripted. > > I will now raise a series of questions, for which I believe we have > different answers. Tim/David/Russ do not hesitate to correct > if my guess is wrong. ;-) > > Common point: > > 1) What will be the value of the nextUpdate field from the last issued delta > CRL for a given base CRL ? > > Denis: the nextUpdate field from the last issued delta CRL MUST be equal to > the value of nextUpdate from the base CRL. > > Tim/David/Russ: ??? > > 2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? > > Denis: No. > Tim/David/Russ : ??? > > 3) Does a CA needs to issue a new base CRL at the end of the validity of a > current base CRL ? > > Denis: No. > Tim/David/Russ : ??? > > 4) Does a CA needs to issue a delta CRL at the same time a new base is > issued ? > > Denis: Yes. The delta CRL refers to the *new* base. > Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note > that there can be no previous at all, or the "previous" may even be three > months old]. > > The last point highlights the most noticeable difference. Other differences > appears when considering the guaranty to get the freshest information : > using the traditional scheme and the thisUpdate and nextUpdate fields the > guaranty to get the freshest information is obtained, but cannot be obtained > using the other scheme. :-( > > Several people are referring to the X.509 document for arguments to support > that discussion. However, it is important to remember that we are defining > PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, > but only what we believe is relevant. > > We first need to clearly define the processing rules applicable to the > relying parties. These rules will certainly contain SHALL/MUST statements, > but may also include some MAY statements which may even be conditional to > what the CA is doing. (I let Tim/David or Russ provide the MAY statement). > > Here is a proposal for the MUST statement, based on the previous text I > produced: > > An application that is wishing to take advantage of delta CRLs > for a given scope, MUST first find a base CRL for that scope, > i.e. a full CRL that that contains a freshestCRL extension > (a.k.a. a Delta CRL distribution point). It may then construct > an updated CRL for that base, for a specific time T, by combining > it with a delta CRL which contains a delta CRL indicator extension > with the same CRL number as the base CRL. Applications that support > delta CRLs MUST ensure that time T falls between thisUpdate and > nextUpdate for both the base CRL and the delta CRL. > > Note: An application could also reconstruct an updated CRL, for > a specific time T, by using a previously locally reconstructed CRL > based on the current base CRL, and combining it with a delta CRL which > contains a delta CRL indicator extension with the same CRL number as > the base CRL. > > We also need to clearly separate the issuing rules applicable for the CAs. > These rules will certainly contain SHALL statements, but could also include > some MAY statements. (I let Tim/David or Russ provide the MAY statement). > > Here is a proposal for the MUST statement, based on the previous text I > produced: > > A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > distribution point). For any time T until the nextUpdate time > indicated in a base CRL, the CA MUST provide one and only one > delta CRL that refers to that base CRL and for which time T > falls between thisUpdate and nextUpdate from the delta CRL. > > In his e-mail from Wednesday, May 9, David said that delta-CRL processing > rules could be base on time instead of CRL numbers. This is a point of which > I strongly agree. Let us do it! > > (However, there is no need to add to PKIX, as he suggested, the support of > the baseUpdateTime extension from X.509 which would even more complicate the > problem.) > > Regards, > > Denis Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA12720 for <ietf-pkix@imc.org>; Thu, 10 May 2001 09:28:53 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K4X9NJX3>; Thu, 10 May 2001 12:28:23 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE9A6@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Carlin Covey <ccovey@cylink.com>, Denis Pinkas <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Thu, 10 May 2001 12:19:09 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D96C.F12AC020" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D96C.F12AC020 Content-Type: text/plain; charset="iso-8859-1" I agree with Carlin on difference between base and full. -----Original Message----- From: Carlin Covey [mailto:ccovey@cylink.com] Sent: Thursday, May 10, 2001 12:08 PM To: Denis Pinkas Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Denis, Now I'm confused again (or still). I agree that there is a difference between a base CRL and a full CRL. However, my understanding was that a CRL is a "base CRL" with respect to some delta CRL only by virtue of having been so identified in that delta CRL. According to the PKIX profile, this base CRL must be a full CRL (complete for the intended scope). I believe that X.509 does not require that a base CRL be a full CRL. Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] Sent: Thursday, May 10, 2001 1:19 AM Cc: ietf-pkix@imc.org Subject: Re: delta CRLs Tim, David, Russ, Santosh, Carlin, and many others ... There is difference between a base CRL and a full CRL : a base CRL MUST include a freshestCRL extension (a.k.a. a Delta CRL distribution point), whereas a full CRL may not include that extension. In other words, a base CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. At any time a CA may issue a full CRL, whether or not a base CRL has already been issued. This additional CRL SHOULD have nextUpdate equal to the nextUpdate of the last issued full CRL. However, there is no guarantee that this additional CRL will ever be seen by the relying party (because there will be two CRLs matching the thisUpdate and nextUpdate rule and if one is deleted, this is not seen by a relying party). Due to the fact that CRLs numbers are strictly increasing, two CRLs whether they are a base CRL or delta CRL, CANNOT have the same CRL number. So a delta CRL and a full CRL that cover the same scope and are issued at the same time CANNOT have the same number. If a full CRL is issued, its CRL number bears no relationship with the previous base CRL, if any. The only relationship between the numbers is defined by the rule that CRLs numbers are strictly increasing. As Santosh said : "the CRL number is unique whether it is a base or a delta ". This is fairly important to be able to unambiguously (and thus uniquely) refer to a CRL by only providing its CRL number. Besides the fact that a CRL issued later MUST have a higher CRL number, full CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, " if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL number (for the same or no stream identifier). As Santosh said : "a check based on thisUpdate is more general and preferred [to the use of CRL numbers]. " Related to the three rules mentioned by Russ : 1) the first rule is not understandable to me. 2) the second rule does not say anything more than the basic rule valid for any CRL (i.e. a CRL issued later MUST have a higher CRL number). 3) we will debate the hold condition, once we will have sorted the main issue. Russ said : "If separate number sequence is used, then you will have to periodically fetch base CRLs ". This is true. Tim said that he would *not* like to be forced to download new base CRLs. This is the core of the "dispute". >From the definition of what a delta CRL is, it is *not* possible to get rid of the fetching of base CRLs. Unless we add a new sentence to expand/change that definition, base CRL fetching will remain mandatory. Remember that the goal of delta CRLs is to provide the freshest information, and to my knowledge the goal was not to get rid of the fetching of base CRLs (which may less frequent due to the support of delta CRLs). If I understand correctly, Tim/David/Russ would like to *always* achieve the following property : it is possible to reconstruct the current CRL by using a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been issued at the same time a base CRL was issued and which contains updates made to the *previous* base. By this way the fetching of base CRLs could be avoided. However, note that it is perfectly " legal " to stop issuing base and delta CRLs during some period of time and to issue full CRLs instead (see the difference between "full" and "base" at the top of this e-mail). In other words there is no need to issue a new base CRL at the end of the validity period of the previous base CRL. Doing this would mandate to prescribe issuing rules for CAs that we have not prescripted. I will now raise a series of questions, for which I believe we have different answers. Tim/David/Russ do not hesitate to correct if my guess is wrong. ;-) Common point: 1) What will be the value of the nextUpdate field from the last issued delta CRL for a given base CRL ? Denis: the nextUpdate field from the last issued delta CRL MUST be equal to the value of nextUpdate from the base CRL. Tim/David/Russ: ??? 2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? Denis: No. Tim/David/Russ : ??? 3) Does a CA needs to issue a new base CRL at the end of the validity of a current base CRL ? Denis: No. Tim/David/Russ : ??? 4) Does a CA needs to issue a delta CRL at the same time a new base is issued ? Denis: Yes. The delta CRL refers to the *new* base. Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note that there can be no previous at all, or the "previous" may even be three months old]. The last point highlights the most noticeable difference. Other differences appears when considering the guaranty to get the freshest information : using the traditional scheme and the thisUpdate and nextUpdate fields the guaranty to get the freshest information is obtained, but cannot be obtained using the other scheme. :-( Several people are referring to the X.509 document for arguments to support that discussion. However, it is important to remember that we are defining PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, but only what we believe is relevant. We first need to clearly define the processing rules applicable to the relying parties. These rules will certainly contain SHALL/MUST statements, but may also include some MAY statements which may even be conditional to what the CA is doing. (I let Tim/David or Russ provide the MAY statement). Here is a proposal for the MUST statement, based on the previous text I produced: An application that is wishing to take advantage of delta CRLs for a given scope, MUST first find a base CRL for that scope, i.e. a full CRL that that contains a freshestCRL extension (a.k.a. a Delta CRL distribution point). It may then construct an updated CRL for that base, for a specific time T, by combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. Applications that support delta CRLs MUST ensure that time T falls between thisUpdate and nextUpdate for both the base CRL and the delta CRL. Note: An application could also reconstruct an updated CRL, for a specific time T, by using a previously locally reconstructed CRL based on the current base CRL, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. We also need to clearly separate the issuing rules applicable for the CAs. These rules will certainly contain SHALL statements, but could also include some MAY statements. (I let Tim/David or Russ provide the MAY statement). Here is a proposal for the MUST statement, based on the previous text I produced: A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full CRL that contains a freshestCRL extension (a.k.a. a Delta CRL distribution point). For any time T until the nextUpdate time indicated in a base CRL, the CA MUST provide one and only one delta CRL that refers to that base CRL and for which time T falls between thisUpdate and nextUpdate from the delta CRL. In his e-mail from Wednesday, May 9, David said that delta-CRL processing rules could be base on time instead of CRL numbers. This is a point of which I strongly agree. Let us do it! (However, there is no need to add to PKIX, as he suggested, the support of the baseUpdateTime extension from X.509 which would even more complicate the problem.) Regards, Denis ------_=_NextPart_001_01C0D96C.F12AC020 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>I agree with Carlin on difference between base and full.</FONT> </P> <P><FONT SIZE=2>-----Original Message-----</FONT> <BR><FONT SIZE=2>From: Carlin Covey [<A HREF="mailto:ccovey@cylink.com">mailto:ccovey@cylink.com</A>]</FONT> <BR><FONT SIZE=2>Sent: Thursday, May 10, 2001 12:08 PM</FONT> <BR><FONT SIZE=2>To: Denis Pinkas</FONT> <BR><FONT SIZE=2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>Subject: RE: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=2>Denis,</FONT> </P> <P><FONT SIZE=2>Now I'm confused again (or still). I agree that there is a difference</FONT> <BR><FONT SIZE=2>between a base CRL and a full CRL. However, my understanding was that a CRL</FONT> <BR><FONT SIZE=2>is a "base CRL" with respect to some delta CRL only by virtue of having been</FONT> <BR><FONT SIZE=2>so identified in that delta CRL. According to the PKIX profile, this base</FONT> <BR><FONT SIZE=2>CRL must be a full CRL (complete for the intended scope). I believe that</FONT> <BR><FONT SIZE=2>X.509 does not require that a base CRL be a full CRL.</FONT> </P> <P><FONT SIZE=2>Regards,</FONT> </P> <P><FONT SIZE=2>Carlin</FONT> </P> <P><FONT SIZE=2>____________________________</FONT> </P> <P><FONT SIZE=2>- Carlin Covey</FONT> <BR><FONT SIZE=2> Cylink Corporation</FONT> </P> <P><FONT SIZE=2>-----Original Message-----</FONT> <BR><FONT SIZE=2>From: Denis Pinkas [<A HREF="mailto:Denis.Pinkas@bull.net">mailto:Denis.Pinkas@bull.net</A>]</FONT> <BR><FONT SIZE=2>Sent: Thursday, May 10, 2001 1:19 AM</FONT> <BR><FONT SIZE=2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>Subject: Re: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=2>Tim, David, Russ, Santosh, Carlin, and many others ...</FONT> </P> <P><FONT SIZE=2>There is difference between a base CRL and a full CRL : a base CRL MUST</FONT> <BR><FONT SIZE=2>include a freshestCRL extension (a.k.a. a Delta CRL distribution point),</FONT> <BR><FONT SIZE=2>whereas a full CRL may not include that extension. In other words, a base</FONT> <BR><FONT SIZE=2>CRL is a also a full CRL, but a full CRL is not necessarily a base CRL.</FONT> </P> <P><FONT SIZE=2>At any time a CA may issue a full CRL, whether or not a base CRL has already</FONT> <BR><FONT SIZE=2>been issued. This additional CRL SHOULD have nextUpdate equal to the</FONT> <BR><FONT SIZE=2>nextUpdate of the last issued full CRL. However, there is no guarantee that</FONT> <BR><FONT SIZE=2>this additional CRL will ever be seen by the relying party (because there</FONT> <BR><FONT SIZE=2>will be two CRLs matching the thisUpdate and nextUpdate rule and if one is</FONT> <BR><FONT SIZE=2>deleted, this is not seen by a relying party).</FONT> </P> <P><FONT SIZE=2>Due to the fact that CRLs numbers are strictly increasing, two CRLs whether</FONT> <BR><FONT SIZE=2>they are a base CRL or delta CRL, CANNOT have the same CRL number. So a</FONT> <BR><FONT SIZE=2>delta CRL and a full CRL that cover the same scope and are issued at the</FONT> <BR><FONT SIZE=2>same time CANNOT have the same number. If a full CRL is issued, its CRL</FONT> <BR><FONT SIZE=2>number bears no relationship with the previous base CRL, if any. The only</FONT> <BR><FONT SIZE=2>relationship between the numbers is defined by the rule that CRLs numbers</FONT> <BR><FONT SIZE=2>are strictly increasing. As Santosh said : "the CRL number is unique</FONT> <BR><FONT SIZE=2>whether it is a base or a delta ".</FONT> </P> <P><FONT SIZE=2>This is fairly important to be able to unambiguously (and thus uniquely)</FONT> <BR><FONT SIZE=2>refer to a CRL by only providing its CRL number.</FONT> </P> <P><FONT SIZE=2>Besides the fact that a CRL issued later MUST have a higher CRL number, full</FONT> <BR><FONT SIZE=2>CRLs and delta CRLs have independent numbering rules. As noticed by Santosh,</FONT> <BR><FONT SIZE=2>" if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL</FONT> <BR><FONT SIZE=2>number (for the same or no stream identifier).</FONT> </P> <P><FONT SIZE=2>As Santosh said : "a check based on thisUpdate is more general and</FONT> <BR><FONT SIZE=2>preferred [to the use of CRL numbers]. "</FONT> </P> <P><FONT SIZE=2>Related to the three rules mentioned by Russ :</FONT> </P> <P><FONT SIZE=2>1) the first rule is not understandable to me.</FONT> <BR><FONT SIZE=2>2) the second rule does not say anything more than the basic rule valid</FONT> <BR><FONT SIZE=2> for any CRL (i.e. a CRL issued later MUST have a higher CRL number).</FONT> <BR><FONT SIZE=2>3) we will debate the hold condition, once we will have sorted the main</FONT> <BR><FONT SIZE=2> issue.</FONT> </P> <P><FONT SIZE=2>Russ said : "If separate number sequence is used, then you will have to</FONT> <BR><FONT SIZE=2>periodically fetch base CRLs ". This is true.</FONT> </P> <P><FONT SIZE=2>Tim said that he would *not* like to be forced to download new base CRLs.</FONT> <BR><FONT SIZE=2>This is the core of the "dispute".</FONT> </P> <P><FONT SIZE=2>From the definition of what a delta CRL is, it is *not* possible to</FONT> <BR><FONT SIZE=2>get rid of the fetching of base CRLs. Unless we add a new sentence to</FONT> <BR><FONT SIZE=2>expand/change that definition, base CRL fetching will remain mandatory.</FONT> </P> <P><FONT SIZE=2>Remember that the goal of delta CRLs is to provide the freshest information,</FONT> <BR><FONT SIZE=2>and to my knowledge the goal was not to get rid of the fetching of base CRLs</FONT> <BR><FONT SIZE=2>(which may less frequent due to the support of delta CRLs).</FONT> </P> <P><FONT SIZE=2>If I understand correctly, Tim/David/Russ would like to *always* achieve the</FONT> <BR><FONT SIZE=2>following property : it is possible to reconstruct the current CRL by using</FONT> <BR><FONT SIZE=2>a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been</FONT> <BR><FONT SIZE=2>issued at the same time a base CRL was issued and which contains updates</FONT> <BR><FONT SIZE=2>made to the *previous* base.</FONT> </P> <P><FONT SIZE=2>By this way the fetching of base CRLs could be avoided. However, note that</FONT> <BR><FONT SIZE=2>it is perfectly " legal " to stop issuing base and delta CRLs during some</FONT> <BR><FONT SIZE=2>period of time and to issue full CRLs instead (see the difference between</FONT> <BR><FONT SIZE=2>"full" and "base" at the top of this e-mail). In other words there is no</FONT> <BR><FONT SIZE=2>need to issue a new base CRL at the end of the validity period of the</FONT> <BR><FONT SIZE=2>previous base CRL. Doing this would mandate to prescribe issuing rules</FONT> <BR><FONT SIZE=2>for CAs that we have not prescripted.</FONT> </P> <P><FONT SIZE=2>I will now raise a series of questions, for which I believe we have</FONT> <BR><FONT SIZE=2>different answers. Tim/David/Russ do not hesitate to correct</FONT> <BR><FONT SIZE=2>if my guess is wrong. ;-)</FONT> </P> <P><FONT SIZE=2>Common point:</FONT> </P> <P><FONT SIZE=2>1) What will be the value of the nextUpdate field from the last issued delta</FONT> <BR><FONT SIZE=2>CRL for a given base CRL ?</FONT> </P> <P><FONT SIZE=2>Denis: the nextUpdate field from the last issued delta CRL MUST be equal to</FONT> <BR><FONT SIZE=2>the value of nextUpdate from the base CRL.</FONT> </P> <P><FONT SIZE=2>Tim/David/Russ: ???</FONT> </P> <P><FONT SIZE=2>2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ?</FONT> </P> <P><FONT SIZE=2>Denis: No.</FONT> <BR><FONT SIZE=2>Tim/David/Russ : ???</FONT> </P> <P><FONT SIZE=2>3) Does a CA needs to issue a new base CRL at the end of the validity of a</FONT> <BR><FONT SIZE=2>current base CRL ?</FONT> </P> <P><FONT SIZE=2>Denis: No.</FONT> <BR><FONT SIZE=2>Tim/David/Russ : ???</FONT> </P> <P><FONT SIZE=2>4) Does a CA needs to issue a delta CRL at the same time a new base is</FONT> <BR><FONT SIZE=2>issued ?</FONT> </P> <P><FONT SIZE=2>Denis: Yes. The delta CRL refers to the *new* base.</FONT> <BR><FONT SIZE=2>Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note</FONT> <BR><FONT SIZE=2>that there can be no previous at all, or the "previous" may even be three</FONT> <BR><FONT SIZE=2>months old].</FONT> </P> <P><FONT SIZE=2>The last point highlights the most noticeable difference. Other differences</FONT> <BR><FONT SIZE=2>appears when considering the guaranty to get the freshest information :</FONT> <BR><FONT SIZE=2>using the traditional scheme and the thisUpdate and nextUpdate fields the</FONT> <BR><FONT SIZE=2>guaranty to get the freshest information is obtained, but cannot be obtained</FONT> <BR><FONT SIZE=2>using the other scheme. :-(</FONT> </P> <P><FONT SIZE=2>Several people are referring to the X.509 document for arguments to support</FONT> <BR><FONT SIZE=2>that discussion. However, it is important to remember that we are defining</FONT> <BR><FONT SIZE=2>PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509,</FONT> <BR><FONT SIZE=2>but only what we believe is relevant.</FONT> </P> <P><FONT SIZE=2>We first need to clearly define the processing rules applicable to the</FONT> <BR><FONT SIZE=2>relying parties. These rules will certainly contain SHALL/MUST statements,</FONT> <BR><FONT SIZE=2>but may also include some MAY statements which may even be conditional to</FONT> <BR><FONT SIZE=2>what the CA is doing. (I let Tim/David or Russ provide the MAY statement).</FONT> </P> <P><FONT SIZE=2>Here is a proposal for the MUST statement, based on the previous text I</FONT> <BR><FONT SIZE=2>produced:</FONT> </P> <P><FONT SIZE=2> An application that is wishing to take advantage of delta CRLs</FONT> <BR><FONT SIZE=2> for a given scope, MUST first find a base CRL for that scope,</FONT> <BR><FONT SIZE=2> i.e. a full CRL that that contains a freshestCRL extension</FONT> <BR><FONT SIZE=2> (a.k.a. a Delta CRL distribution point). It may then construct</FONT> <BR><FONT SIZE=2> an updated CRL for that base, for a specific time T, by combining</FONT> <BR><FONT SIZE=2> it with a delta CRL which contains a delta CRL indicator extension</FONT> <BR><FONT SIZE=2> with the same CRL number as the base CRL. Applications that support</FONT> <BR><FONT SIZE=2> delta CRLs MUST ensure that time T falls between thisUpdate and</FONT> <BR><FONT SIZE=2> nextUpdate for both the base CRL and the delta CRL.</FONT> </P> <P><FONT SIZE=2> Note: An application could also reconstruct an updated CRL, for</FONT> <BR><FONT SIZE=2> a specific time T, by using a previously locally reconstructed CRL</FONT> <BR><FONT SIZE=2> based on the current base CRL, and combining it with a delta CRL which</FONT> <BR><FONT SIZE=2> contains a delta CRL indicator extension with the same CRL number as</FONT> <BR><FONT SIZE=2> the base CRL.</FONT> </P> <P><FONT SIZE=2>We also need to clearly separate the issuing rules applicable for the CAs.</FONT> <BR><FONT SIZE=2>These rules will certainly contain SHALL statements, but could also include</FONT> <BR><FONT SIZE=2>some MAY statements. (I let Tim/David or Russ provide the MAY statement).</FONT> </P> <P><FONT SIZE=2>Here is a proposal for the MUST statement, based on the previous text I</FONT> <BR><FONT SIZE=2>produced:</FONT> </P> <P><FONT SIZE=2> A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full</FONT> <BR><FONT SIZE=2> CRL that contains a freshestCRL extension (a.k.a. a Delta CRL</FONT> <BR><FONT SIZE=2> distribution point). For any time T until the nextUpdate time</FONT> <BR><FONT SIZE=2> indicated in a base CRL, the CA MUST provide one and only one</FONT> <BR><FONT SIZE=2> delta CRL that refers to that base CRL and for which time T</FONT> <BR><FONT SIZE=2> falls between thisUpdate and nextUpdate from the delta CRL.</FONT> </P> <P><FONT SIZE=2>In his e-mail from Wednesday, May 9, David said that delta-CRL processing</FONT> <BR><FONT SIZE=2>rules could be base on time instead of CRL numbers. This is a point of which</FONT> <BR><FONT SIZE=2>I strongly agree. Let us do it!</FONT> </P> <P><FONT SIZE=2>(However, there is no need to add to PKIX, as he suggested, the support of</FONT> <BR><FONT SIZE=2>the baseUpdateTime extension from X.509 which would even more complicate the</FONT> <BR><FONT SIZE=2>problem.)</FONT> </P> <P><FONT SIZE=2>Regards,</FONT> </P> <P><FONT SIZE=2>Denis</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D96C.F12AC020-- Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA11179 for <ietf-pkix@imc.org>; Thu, 10 May 2001 09:08:46 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id KVA79RPM; Thu, 10 May 2001 09:02:41 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Denis Pinkas" <Denis.Pinkas@bull.net> Cc: <ietf-pkix@imc.org> Subject: RE: delta CRLs Date: Thu, 10 May 2001 09:07:43 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGOEGGCEAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <3AFA4F09.5AB02392@bull.net> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Denis, Now I'm confused again (or still). I agree that there is a difference between a base CRL and a full CRL. However, my understanding was that a CRL is a "base CRL" with respect to some delta CRL only by virtue of having been so identified in that delta CRL. According to the PKIX profile, this base CRL must be a full CRL (complete for the intended scope). I believe that X.509 does not require that a base CRL be a full CRL. Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] Sent: Thursday, May 10, 2001 1:19 AM Cc: ietf-pkix@imc.org Subject: Re: delta CRLs Tim, David, Russ, Santosh, Carlin, and many others ... There is difference between a base CRL and a full CRL : a base CRL MUST include a freshestCRL extension (a.k.a. a Delta CRL distribution point), whereas a full CRL may not include that extension. In other words, a base CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. At any time a CA may issue a full CRL, whether or not a base CRL has already been issued. This additional CRL SHOULD have nextUpdate equal to the nextUpdate of the last issued full CRL. However, there is no guarantee that this additional CRL will ever be seen by the relying party (because there will be two CRLs matching the thisUpdate and nextUpdate rule and if one is deleted, this is not seen by a relying party). Due to the fact that CRLs numbers are strictly increasing, two CRLs whether they are a base CRL or delta CRL, CANNOT have the same CRL number. So a delta CRL and a full CRL that cover the same scope and are issued at the same time CANNOT have the same number. If a full CRL is issued, its CRL number bears no relationship with the previous base CRL, if any. The only relationship between the numbers is defined by the rule that CRLs numbers are strictly increasing. As Santosh said : "the CRL number is unique whether it is a base or a delta ". This is fairly important to be able to unambiguously (and thus uniquely) refer to a CRL by only providing its CRL number. Besides the fact that a CRL issued later MUST have a higher CRL number, full CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, " if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL number (for the same or no stream identifier). As Santosh said : "a check based on thisUpdate is more general and preferred [to the use of CRL numbers]. " Related to the three rules mentioned by Russ : 1) the first rule is not understandable to me. 2) the second rule does not say anything more than the basic rule valid for any CRL (i.e. a CRL issued later MUST have a higher CRL number). 3) we will debate the hold condition, once we will have sorted the main issue. Russ said : "If separate number sequence is used, then you will have to periodically fetch base CRLs ". This is true. Tim said that he would *not* like to be forced to download new base CRLs. This is the core of the "dispute". >From the definition of what a delta CRL is, it is *not* possible to get rid of the fetching of base CRLs. Unless we add a new sentence to expand/change that definition, base CRL fetching will remain mandatory. Remember that the goal of delta CRLs is to provide the freshest information, and to my knowledge the goal was not to get rid of the fetching of base CRLs (which may less frequent due to the support of delta CRLs). If I understand correctly, Tim/David/Russ would like to *always* achieve the following property : it is possible to reconstruct the current CRL by using a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been issued at the same time a base CRL was issued and which contains updates made to the *previous* base. By this way the fetching of base CRLs could be avoided. However, note that it is perfectly " legal " to stop issuing base and delta CRLs during some period of time and to issue full CRLs instead (see the difference between "full" and "base" at the top of this e-mail). In other words there is no need to issue a new base CRL at the end of the validity period of the previous base CRL. Doing this would mandate to prescribe issuing rules for CAs that we have not prescripted. I will now raise a series of questions, for which I believe we have different answers. Tim/David/Russ do not hesitate to correct if my guess is wrong. ;-) Common point: 1) What will be the value of the nextUpdate field from the last issued delta CRL for a given base CRL ? Denis: the nextUpdate field from the last issued delta CRL MUST be equal to the value of nextUpdate from the base CRL. Tim/David/Russ: ??? 2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? Denis: No. Tim/David/Russ : ??? 3) Does a CA needs to issue a new base CRL at the end of the validity of a current base CRL ? Denis: No. Tim/David/Russ : ??? 4) Does a CA needs to issue a delta CRL at the same time a new base is issued ? Denis: Yes. The delta CRL refers to the *new* base. Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note that there can be no previous at all, or the "previous" may even be three months old]. The last point highlights the most noticeable difference. Other differences appears when considering the guaranty to get the freshest information : using the traditional scheme and the thisUpdate and nextUpdate fields the guaranty to get the freshest information is obtained, but cannot be obtained using the other scheme. :-( Several people are referring to the X.509 document for arguments to support that discussion. However, it is important to remember that we are defining PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, but only what we believe is relevant. We first need to clearly define the processing rules applicable to the relying parties. These rules will certainly contain SHALL/MUST statements, but may also include some MAY statements which may even be conditional to what the CA is doing. (I let Tim/David or Russ provide the MAY statement). Here is a proposal for the MUST statement, based on the previous text I produced: An application that is wishing to take advantage of delta CRLs for a given scope, MUST first find a base CRL for that scope, i.e. a full CRL that that contains a freshestCRL extension (a.k.a. a Delta CRL distribution point). It may then construct an updated CRL for that base, for a specific time T, by combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. Applications that support delta CRLs MUST ensure that time T falls between thisUpdate and nextUpdate for both the base CRL and the delta CRL. Note: An application could also reconstruct an updated CRL, for a specific time T, by using a previously locally reconstructed CRL based on the current base CRL, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. We also need to clearly separate the issuing rules applicable for the CAs. These rules will certainly contain SHALL statements, but could also include some MAY statements. (I let Tim/David or Russ provide the MAY statement). Here is a proposal for the MUST statement, based on the previous text I produced: A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full CRL that contains a freshestCRL extension (a.k.a. a Delta CRL distribution point). For any time T until the nextUpdate time indicated in a base CRL, the CA MUST provide one and only one delta CRL that refers to that base CRL and for which time T falls between thisUpdate and nextUpdate from the delta CRL. In his e-mail from Wednesday, May 9, David said that delta-CRL processing rules could be base on time instead of CRL numbers. This is a point of which I strongly agree. Let us do it! (However, there is no need to add to PKIX, as he suggested, the support of the baseUpdateTime extension from X.509 which would even more complicate the problem.) Regards, Denis Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA10128 for <ietf-pkix@imc.org>; Thu, 10 May 2001 08:59:20 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <J432YV27>; Thu, 10 May 2001 11:58:51 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA4060@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: Santosh Chokhani <chokhani@cygnacom.com>, Denis Pinkas <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Thu, 10 May 2001 11:58:48 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D96A.1992B660" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D96A.1992B660 Content-Type: text/plain; charset="iso-8859-1" As for 509, Santosh is correct. Freshest CRL is not required. -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Thursday, May 10, 2001 10:29 AM To: Denis Pinkas Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Denis: Since you did not ask me the questions, I will NOT answer them. In general, my reading of the standard is that a base CRL need not have freshest CRL extension in it. -----Original Message----- From: Denis Pinkas [ mailto:Denis.Pinkas@bull.net <mailto:Denis.Pinkas@bull.net> ] Sent: Thursday, May 10, 2001 4:19 AM Cc: ietf-pkix@imc.org Subject: Re: delta CRLs Tim, David, Russ, Santosh, Carlin, and many others ... There is difference between a base CRL and a full CRL : a base CRL MUST include a freshestCRL extension (a.k.a. a Delta CRL distribution point), whereas a full CRL may not include that extension. In other words, a base CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. At any time a CA may issue a full CRL, whether or not a base CRL has already been issued. This additional CRL SHOULD have nextUpdate equal to the nextUpdate of the last issued full CRL. However, there is no guarantee that this additional CRL will ever be seen by the relying party (because there will be two CRLs matching the thisUpdate and nextUpdate rule and if one is deleted, this is not seen by a relying party). Due to the fact that CRLs numbers are strictly increasing, two CRLs whether they are a base CRL or delta CRL, CANNOT have the same CRL number. So a delta CRL and a full CRL that cover the same scope and are issued at the same time CANNOT have the same number. If a full CRL is issued, its CRL number bears no relationship with the previous base CRL, if any. The only relationship between the numbers is defined by the rule that CRLs numbers are strictly increasing. As Santosh said : "the CRL number is unique whether it is a base or a delta ". This is fairly important to be able to unambiguously (and thus uniquely) refer to a CRL by only providing its CRL number. Besides the fact that a CRL issued later MUST have a higher CRL number, full CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, " if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL number (for the same or no stream identifier). As Santosh said : "a check based on thisUpdate is more general and preferred [to the use of CRL numbers]. " Related to the three rules mentioned by Russ : 1) the first rule is not understandable to me. 2) the second rule does not say anything more than the basic rule valid for any CRL (i.e. a CRL issued later MUST have a higher CRL number). 3) we will debate the hold condition, once we will have sorted the main issue. Russ said : "If separate number sequence is used, then you will have to periodically fetch base CRLs ". This is true. Tim said that he would *not* like to be forced to download new base CRLs. This is the core of the "dispute". >From the definition of what a delta CRL is, it is *not* possible to get rid of the fetching of base CRLs. Unless we add a new sentence to expand/change that definition, base CRL fetching will remain mandatory. Remember that the goal of delta CRLs is to provide the freshest information, and to my knowledge the goal was not to get rid of the fetching of base CRLs (which may less frequent due to the support of delta CRLs). If I understand correctly, Tim/David/Russ would like to *always* achieve the following property : it is possible to reconstruct the current CRL by using a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been issued at the same time a base CRL was issued and which contains updates made to the *previous* base. By this way the fetching of base CRLs could be avoided. However, note that it is perfectly " legal " to stop issuing base and delta CRLs during some period of time and to issue full CRLs instead (see the difference between "full" and "base" at the top of this e-mail). In other words there is no need to issue a new base CRL at the end of the validity period of the previous base CRL. Doing this would mandate to prescribe issuing rules for CAs that we have not prescripted. I will now raise a series of questions, for which I believe we have different answers. Tim/David/Russ do not hesitate to correct if my guess is wrong. ;-) Common point: 1) What will be the value of the nextUpdate field from the last issued delta CRL for a given base CRL ? Denis: the nextUpdate field from the last issued delta CRL MUST be equal to the value of nextUpdate from the base CRL. Tim/David/Russ: ??? 2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? Denis: No. Tim/David/Russ : ??? 3) Does a CA needs to issue a new base CRL at the end of the validity of a current base CRL ? Denis: No. Tim/David/Russ : ??? 4) Does a CA needs to issue a delta CRL at the same time a new base is issued ? Denis: Yes. The delta CRL refers to the *new* base. Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note that there can be no previous at all, or the "previous" may even be three months old]. The last point highlights the most noticeable difference. Other differences appears when considering the guaranty to get the freshest information : using the traditional scheme and the thisUpdate and nextUpdate fields the guaranty to get the freshest information is obtained, but cannot be obtained using the other scheme. :-( Several people are referring to the X.509 document for arguments to support that discussion. However, it is important to remember that we are defining PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, but only what we believe is relevant. We first need to clearly define the processing rules applicable to the relying parties. These rules will certainly contain SHALL/MUST statements, but may also include some MAY statements which may even be conditional to what the CA is doing. (I let Tim/David or Russ provide the MAY statement). Here is a proposal for the MUST statement, based on the previous text I produced: An application that is wishing to take advantage of delta CRLs for a given scope, MUST first find a base CRL for that scope, i.e. a full CRL that that contains a freshestCRL extension (a.k.a. a Delta CRL distribution point). It may then construct an updated CRL for that base, for a specific time T, by combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. Applications that support delta CRLs MUST ensure that time T falls between thisUpdate and nextUpdate for both the base CRL and the delta CRL. Note: An application could also reconstruct an updated CRL, for a specific time T, by using a previously locally reconstructed CRL based on the current base CRL, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. We also need to clearly separate the issuing rules applicable for the CAs. These rules will certainly contain SHALL statements, but could also include some MAY statements. (I let Tim/David or Russ provide the MAY statement). Here is a proposal for the MUST statement, based on the previous text I produced: A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full CRL that contains a freshestCRL extension (a.k.a. a Delta CRL distribution point). For any time T until the nextUpdate time indicated in a base CRL, the CA MUST provide one and only one delta CRL that refers to that base CRL and for which time T falls between thisUpdate and nextUpdate from the delta CRL. In his e-mail from Wednesday, May 9, David said that delta-CRL processing rules could be base on time instead of CRL numbers. This is a point of which I strongly agree. Let us do it! (However, there is no need to add to PKIX, as he suggested, the support of the baseUpdateTime extension from X.509 which would even more complicate the problem.) Regards, Denis ------_=_NextPart_001_01C0D96A.1992B660 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>RE: delta CRLs</TITLE> <META content="MSHTML 5.50.4522.1800" name=GENERATOR></HEAD> <BODY> <DIV><SPAN class=289175815-10052001><FONT face=Arial color=#0000ff size=2>As for 509, Santosh is correct. Freshest CRL is not required.</FONT></SPAN></DIV> <BLOCKQUOTE dir=ltr style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"> <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Santosh Chokhani [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Thursday, May 10, 2001 10:29 AM<BR><B>To:</B> Denis Pinkas<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta CRLs<BR><BR></FONT></DIV> <P><FONT size=2>Denis:</FONT> </P> <P><FONT size=2>Since you did not ask me the questions, I will NOT answer them.</FONT> </P> <P><FONT size=2>In general, my reading of the standard is that a base CRL need not have freshest CRL extension in it.</FONT> </P> <P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From: Denis Pinkas [<A href="mailto:Denis.Pinkas@bull.net">mailto:Denis.Pinkas@bull.net</A>]</FONT> <BR><FONT size=2>Sent: Thursday, May 10, 2001 4:19 AM</FONT> <BR><FONT size=2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>Subject: Re: delta CRLs</FONT> </P><BR> <P><FONT size=2>Tim, David, Russ, Santosh, Carlin, and many others ...</FONT> </P> <P><FONT size=2>There is difference between a base CRL and a full CRL : a base CRL MUST</FONT> <BR><FONT size=2>include a freshestCRL extension (a.k.a. a Delta CRL distribution point),</FONT> <BR><FONT size=2>whereas a full CRL may not include that extension. In other words, a base</FONT> <BR><FONT size=2>CRL is a also a full CRL, but a full CRL is not necessarily a base CRL.</FONT> </P> <P><FONT size=2>At any time a CA may issue a full CRL, whether or not a base CRL has already</FONT> <BR><FONT size=2>been issued. This additional CRL SHOULD have nextUpdate equal to the</FONT> <BR><FONT size=2>nextUpdate of the last issued full CRL. However, there is no guarantee that</FONT> <BR><FONT size=2>this additional CRL will ever be seen by the relying party (because there</FONT> <BR><FONT size=2>will be two CRLs matching the thisUpdate and nextUpdate rule and if one is</FONT> <BR><FONT size=2>deleted, this is not seen by a relying party).</FONT> </P> <P><FONT size=2>Due to the fact that CRLs numbers are strictly increasing, two CRLs whether</FONT> <BR><FONT size=2>they are a base CRL or delta CRL, CANNOT have the same CRL number. So a</FONT> <BR><FONT size=2>delta CRL and a full CRL that cover the same scope and are issued at the</FONT> <BR><FONT size=2>same time CANNOT have the same number. If a full CRL is issued, its CRL</FONT> <BR><FONT size=2>number bears no relationship with the previous base CRL, if any. The only</FONT> <BR><FONT size=2>relationship between the numbers is defined by the rule that CRLs numbers</FONT> <BR><FONT size=2>are strictly increasing. As Santosh said : "the CRL number is unique</FONT> <BR><FONT size=2>whether it is a base or a delta ". </FONT></P> <P><FONT size=2>This is fairly important to be able to unambiguously (and thus uniquely)</FONT> <BR><FONT size=2>refer to a CRL by only providing its CRL number.</FONT> </P> <P><FONT size=2>Besides the fact that a CRL issued later MUST have a higher CRL number, full</FONT> <BR><FONT size=2>CRLs and delta CRLs have independent numbering rules. As noticed by Santosh,</FONT> <BR><FONT size=2>" if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL</FONT> <BR><FONT size=2>number (for the same or no stream identifier).</FONT> </P> <P><FONT size=2>As Santosh said : "a check based on thisUpdate is more general and</FONT> <BR><FONT size=2>preferred [to the use of CRL numbers]. "</FONT> </P> <P><FONT size=2>Related to the three rules mentioned by Russ :</FONT> </P> <P><FONT size=2>1) the first rule is not understandable to me.</FONT> <BR><FONT size=2>2) the second rule does not say anything more than the basic rule valid </FONT><BR><FONT size=2> for any CRL (i.e. a CRL issued later MUST have a higher CRL number).</FONT> <BR><FONT size=2>3) we will debate the hold condition, once we will have sorted the main</FONT> <BR><FONT size=2> issue.</FONT> </P> <P><FONT size=2>Russ said : "If separate number sequence is used, then you will have to</FONT> <BR><FONT size=2>periodically fetch base CRLs ". This is true. </FONT></P> <P><FONT size=2>Tim said that he would *not* like to be forced to download new base CRLs.</FONT> <BR><FONT size=2>This is the core of the "dispute".</FONT> </P> <P><FONT size=2>From the definition of what a delta CRL is, it is *not* possible to</FONT> <BR><FONT size=2>get rid of the fetching of base CRLs. Unless we add a new sentence to</FONT> <BR><FONT size=2>expand/change that definition, base CRL fetching will remain mandatory.</FONT> </P> <P><FONT size=2>Remember that the goal of delta CRLs is to provide the freshest information,</FONT> <BR><FONT size=2>and to my knowledge the goal was not to get rid of the fetching of base CRLs</FONT> <BR><FONT size=2>(which may less frequent due to the support of delta CRLs).</FONT> </P> <P><FONT size=2>If I understand correctly, Tim/David/Russ would like to *always* achieve the</FONT> <BR><FONT size=2>following property : it is possible to reconstruct the current CRL by using</FONT> <BR><FONT size=2>a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been</FONT> <BR><FONT size=2>issued at the same time a base CRL was issued and which contains updates</FONT> <BR><FONT size=2>made to the *previous* base. </FONT></P> <P><FONT size=2>By this way the fetching of base CRLs could be avoided. However, note that</FONT> <BR><FONT size=2>it is perfectly " legal " to stop issuing base and delta CRLs during some</FONT> <BR><FONT size=2>period of time and to issue full CRLs instead (see the difference between</FONT> <BR><FONT size=2>"full" and "base" at the top of this e-mail). In other words there is no</FONT> <BR><FONT size=2>need to issue a new base CRL at the end of the validity period of the</FONT> <BR><FONT size=2>previous base CRL. Doing this would mandate to prescribe issuing rules </FONT><BR><FONT size=2>for CAs that we have not prescripted.</FONT> </P> <P><FONT size=2>I will now raise a series of questions, for which I believe we have</FONT> <BR><FONT size=2>different answers. Tim/David/Russ do not hesitate to correct </FONT><BR><FONT size=2>if my guess is wrong. ;-)</FONT> </P> <P><FONT size=2>Common point:</FONT> </P> <P><FONT size=2>1) What will be the value of the nextUpdate field from the last issued delta</FONT> <BR><FONT size=2>CRL for a given base CRL ? </FONT></P> <P><FONT size=2>Denis: the nextUpdate field from the last issued delta CRL MUST be equal to</FONT> <BR><FONT size=2>the value of nextUpdate from the base CRL.</FONT> </P> <P><FONT size=2>Tim/David/Russ: ???</FONT> </P> <P><FONT size=2>2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ?</FONT> </P> <P><FONT size=2>Denis: No.</FONT> <BR><FONT size=2>Tim/David/Russ : ???</FONT> </P> <P><FONT size=2>3) Does a CA needs to issue a new base CRL at the end of the validity of a</FONT> <BR><FONT size=2>current base CRL ?</FONT> </P> <P><FONT size=2>Denis: No.</FONT> <BR><FONT size=2>Tim/David/Russ : ???</FONT> </P> <P><FONT size=2>4) Does a CA needs to issue a delta CRL at the same time a new base is</FONT> <BR><FONT size=2>issued ?</FONT> </P> <P><FONT size=2>Denis: Yes. The delta CRL refers to the *new* base.</FONT> <BR><FONT size=2>Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note</FONT> <BR><FONT size=2>that there can be no previous at all, or the "previous" may even be three</FONT> <BR><FONT size=2>months old]. </FONT></P> <P><FONT size=2>The last point highlights the most noticeable difference. Other differences</FONT> <BR><FONT size=2>appears when considering the guaranty to get the freshest information :</FONT> <BR><FONT size=2>using the traditional scheme and the thisUpdate and nextUpdate fields the</FONT> <BR><FONT size=2>guaranty to get the freshest information is obtained, but cannot be obtained</FONT> <BR><FONT size=2>using the other scheme. :-(</FONT> </P> <P><FONT size=2>Several people are referring to the X.509 document for arguments to support</FONT> <BR><FONT size=2>that discussion. However, it is important to remember that we are defining</FONT> <BR><FONT size=2>PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509,</FONT> <BR><FONT size=2>but only what we believe is relevant.</FONT> </P> <P><FONT size=2>We first need to clearly define the processing rules applicable to the</FONT> <BR><FONT size=2>relying parties. These rules will certainly contain SHALL/MUST statements,</FONT> <BR><FONT size=2>but may also include some MAY statements which may even be conditional to</FONT> <BR><FONT size=2>what the CA is doing. (I let Tim/David or Russ provide the MAY statement).</FONT> </P> <P><FONT size=2>Here is a proposal for the MUST statement, based on the previous text I</FONT> <BR><FONT size=2>produced:</FONT> </P> <P><FONT size=2> An application that is wishing to take advantage of delta CRLs </FONT><BR><FONT size=2> for a given scope, MUST first find a base CRL for that scope, </FONT><BR><FONT size=2> i.e. a full CRL that that contains a freshestCRL extension </FONT><BR><FONT size=2> (a.k.a. a Delta CRL distribution point). It may then construct </FONT><BR><FONT size=2> an updated CRL for that base, for a specific time T, by combining </FONT><BR><FONT size=2> it with a delta CRL which contains a delta CRL indicator extension </FONT><BR><FONT size=2> with the same CRL number as the base CRL. Applications that support </FONT><BR><FONT size=2> delta CRLs MUST ensure that time T falls between thisUpdate and </FONT><BR><FONT size=2> nextUpdate for both the base CRL and the delta CRL.</FONT> </P> <P><FONT size=2> Note: An application could also reconstruct an updated CRL, for </FONT><BR><FONT size=2> a specific time T, by using a previously locally reconstructed CRL </FONT><BR><FONT size=2> based on the current base CRL, and combining it with a delta CRL which </FONT><BR><FONT size=2> contains a delta CRL indicator extension with the same CRL number as </FONT><BR><FONT size=2> the base CRL.</FONT> </P> <P><FONT size=2>We also need to clearly separate the issuing rules applicable for the CAs.</FONT> <BR><FONT size=2>These rules will certainly contain SHALL statements, but could also include</FONT> <BR><FONT size=2>some MAY statements. (I let Tim/David or Russ provide the MAY statement).</FONT> </P> <P><FONT size=2>Here is a proposal for the MUST statement, based on the previous text I</FONT> <BR><FONT size=2>produced:</FONT> </P> <P><FONT size=2> A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full </FONT><BR><FONT size=2> CRL that contains a freshestCRL extension (a.k.a. a Delta CRL </FONT><BR><FONT size=2> distribution point). For any time T until the nextUpdate time </FONT><BR><FONT size=2> indicated in a base CRL, the CA MUST provide one and only one </FONT><BR><FONT size=2> delta CRL that refers to that base CRL and for which time T </FONT><BR><FONT size=2> falls between thisUpdate and nextUpdate from the delta CRL.</FONT> </P> <P><FONT size=2>In his e-mail from Wednesday, May 9, David said that delta-CRL processing</FONT> <BR><FONT size=2>rules could be base on time instead of CRL numbers. This is a point of which</FONT> <BR><FONT size=2>I strongly agree. Let us do it!</FONT> </P> <P><FONT size=2>(However, there is no need to add to PKIX, as he suggested, the support of</FONT> <BR><FONT size=2>the baseUpdateTime extension from X.509 which would even more complicate the</FONT> <BR><FONT size=2>problem.)</FONT> </P> <P><FONT size=2>Regards,</FONT> </P> <P><FONT size=2>Denis</FONT> </P></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0D96A.1992B660-- Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA09383 for <ietf-pkix@imc.org>; Thu, 10 May 2001 08:56:27 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id RAA28340; Thu, 10 May 2001 17:56:27 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id RAA16822; Thu, 10 May 2001 17:55:52 +0200 Message-ID: <3AFAB9C3.5DDE31E2@bull.net> Date: Thu, 10 May 2001 17:54:43 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Integris. A Bull Company X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Dr S N Henson <drh@celocom.com> CC: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Subject: Re: Certificate Hold (was RE: delta CRLs) References: <8D7EC1912E25D411A32100D0B76953978DE8CF@scygmxs01.cygnacom.com> <3AFA5738.3A3B8B55@bull.net> <3AFA9AEE.6EC02E85@celocom.com> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id IAA09387 > Wrt certficate hold I'm not against its use being deprecated in CRLs. > > AFAICS ambiguity arises in the following scenario: > > 1. A certificate is placed on hold but later removed and the certificate > is declared valid again. > 2. Some transactions were made using the certificate while it was on > hold. > 3. A verifier needs to determine the validity of the transactions after > the hold period. > > There are two separate interpretations depending on the individual > situation. > > 1. Since the certificate is now valid the transactions are now valid. > 2. Because the transactions were made during the hold period they should > be declared invalid. > > Its case 2 that causes problems. The verifier really needs to know > whether the certificate was on hold at the time the transaction took > place. This information may not always be available, if all it has is a > current CRL. > > Because of this problem I'd say that some clarification is needed as to > the use of certificate hold. Remember that OCSP has three states: ° Yes ° No, ° Don't know. The same applies here: there is also a "don't know" condition. Take a look at my response sent today on that thread. Regards, Denis > IMHO we should say that hold MUST NOT be used in this way. > > Steve. > -- > Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ > Personal Email: shenson@drh-consultancy.demon.co.uk > Senior crypto engineer, Celo Communications: http://www.celocom.com/ > Core developer of the OpenSSL project: http://www.openssl.org/ > Business Email: drh@celocom.com PGP key: via homepage. Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA01614 for <ietf-pkix@imc.org>; Thu, 10 May 2001 07:38:28 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K4X9NHPM>; Thu, 10 May 2001 10:37:58 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE98C@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Denis Pinkas <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Thu, 10 May 2001 10:28:44 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D95D.8497A310" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D95D.8497A310 Content-Type: text/plain; charset="iso-8859-1" Denis: Since you did not ask me the questions, I will NOT answer them. In general, my reading of the standard is that a base CRL need not have freshest CRL extension in it. -----Original Message----- From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] Sent: Thursday, May 10, 2001 4:19 AM Cc: ietf-pkix@imc.org Subject: Re: delta CRLs Tim, David, Russ, Santosh, Carlin, and many others ... There is difference between a base CRL and a full CRL : a base CRL MUST include a freshestCRL extension (a.k.a. a Delta CRL distribution point), whereas a full CRL may not include that extension. In other words, a base CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. At any time a CA may issue a full CRL, whether or not a base CRL has already been issued. This additional CRL SHOULD have nextUpdate equal to the nextUpdate of the last issued full CRL. However, there is no guarantee that this additional CRL will ever be seen by the relying party (because there will be two CRLs matching the thisUpdate and nextUpdate rule and if one is deleted, this is not seen by a relying party). Due to the fact that CRLs numbers are strictly increasing, two CRLs whether they are a base CRL or delta CRL, CANNOT have the same CRL number. So a delta CRL and a full CRL that cover the same scope and are issued at the same time CANNOT have the same number. If a full CRL is issued, its CRL number bears no relationship with the previous base CRL, if any. The only relationship between the numbers is defined by the rule that CRLs numbers are strictly increasing. As Santosh said : "the CRL number is unique whether it is a base or a delta ". This is fairly important to be able to unambiguously (and thus uniquely) refer to a CRL by only providing its CRL number. Besides the fact that a CRL issued later MUST have a higher CRL number, full CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, " if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL number (for the same or no stream identifier). As Santosh said : "a check based on thisUpdate is more general and preferred [to the use of CRL numbers]. " Related to the three rules mentioned by Russ : 1) the first rule is not understandable to me. 2) the second rule does not say anything more than the basic rule valid for any CRL (i.e. a CRL issued later MUST have a higher CRL number). 3) we will debate the hold condition, once we will have sorted the main issue. Russ said : "If separate number sequence is used, then you will have to periodically fetch base CRLs ". This is true. Tim said that he would *not* like to be forced to download new base CRLs. This is the core of the "dispute". >From the definition of what a delta CRL is, it is *not* possible to get rid of the fetching of base CRLs. Unless we add a new sentence to expand/change that definition, base CRL fetching will remain mandatory. Remember that the goal of delta CRLs is to provide the freshest information, and to my knowledge the goal was not to get rid of the fetching of base CRLs (which may less frequent due to the support of delta CRLs). If I understand correctly, Tim/David/Russ would like to *always* achieve the following property : it is possible to reconstruct the current CRL by using a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been issued at the same time a base CRL was issued and which contains updates made to the *previous* base. By this way the fetching of base CRLs could be avoided. However, note that it is perfectly " legal " to stop issuing base and delta CRLs during some period of time and to issue full CRLs instead (see the difference between "full" and "base" at the top of this e-mail). In other words there is no need to issue a new base CRL at the end of the validity period of the previous base CRL. Doing this would mandate to prescribe issuing rules for CAs that we have not prescripted. I will now raise a series of questions, for which I believe we have different answers. Tim/David/Russ do not hesitate to correct if my guess is wrong. ;-) Common point: 1) What will be the value of the nextUpdate field from the last issued delta CRL for a given base CRL ? Denis: the nextUpdate field from the last issued delta CRL MUST be equal to the value of nextUpdate from the base CRL. Tim/David/Russ: ??? 2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? Denis: No. Tim/David/Russ : ??? 3) Does a CA needs to issue a new base CRL at the end of the validity of a current base CRL ? Denis: No. Tim/David/Russ : ??? 4) Does a CA needs to issue a delta CRL at the same time a new base is issued ? Denis: Yes. The delta CRL refers to the *new* base. Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note that there can be no previous at all, or the "previous" may even be three months old]. The last point highlights the most noticeable difference. Other differences appears when considering the guaranty to get the freshest information : using the traditional scheme and the thisUpdate and nextUpdate fields the guaranty to get the freshest information is obtained, but cannot be obtained using the other scheme. :-( Several people are referring to the X.509 document for arguments to support that discussion. However, it is important to remember that we are defining PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, but only what we believe is relevant. We first need to clearly define the processing rules applicable to the relying parties. These rules will certainly contain SHALL/MUST statements, but may also include some MAY statements which may even be conditional to what the CA is doing. (I let Tim/David or Russ provide the MAY statement). Here is a proposal for the MUST statement, based on the previous text I produced: An application that is wishing to take advantage of delta CRLs for a given scope, MUST first find a base CRL for that scope, i.e. a full CRL that that contains a freshestCRL extension (a.k.a. a Delta CRL distribution point). It may then construct an updated CRL for that base, for a specific time T, by combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. Applications that support delta CRLs MUST ensure that time T falls between thisUpdate and nextUpdate for both the base CRL and the delta CRL. Note: An application could also reconstruct an updated CRL, for a specific time T, by using a previously locally reconstructed CRL based on the current base CRL, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. We also need to clearly separate the issuing rules applicable for the CAs. These rules will certainly contain SHALL statements, but could also include some MAY statements. (I let Tim/David or Russ provide the MAY statement). Here is a proposal for the MUST statement, based on the previous text I produced: A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full CRL that contains a freshestCRL extension (a.k.a. a Delta CRL distribution point). For any time T until the nextUpdate time indicated in a base CRL, the CA MUST provide one and only one delta CRL that refers to that base CRL and for which time T falls between thisUpdate and nextUpdate from the delta CRL. In his e-mail from Wednesday, May 9, David said that delta-CRL processing rules could be base on time instead of CRL numbers. This is a point of which I strongly agree. Let us do it! (However, there is no need to add to PKIX, as he suggested, the support of the baseUpdateTime extension from X.509 which would even more complicate the problem.) Regards, Denis ------_=_NextPart_001_01C0D95D.8497A310 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>Denis:</FONT> </P> <P><FONT SIZE=2>Since you did not ask me the questions, I will NOT answer them.</FONT> </P> <P><FONT SIZE=2>In general, my reading of the standard is that a base CRL need not have freshest CRL extension in it.</FONT> </P> <P><FONT SIZE=2>-----Original Message-----</FONT> <BR><FONT SIZE=2>From: Denis Pinkas [<A HREF="mailto:Denis.Pinkas@bull.net">mailto:Denis.Pinkas@bull.net</A>]</FONT> <BR><FONT SIZE=2>Sent: Thursday, May 10, 2001 4:19 AM</FONT> <BR><FONT SIZE=2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>Subject: Re: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=2>Tim, David, Russ, Santosh, Carlin, and many others ...</FONT> </P> <P><FONT SIZE=2>There is difference between a base CRL and a full CRL : a base CRL MUST</FONT> <BR><FONT SIZE=2>include a freshestCRL extension (a.k.a. a Delta CRL distribution point),</FONT> <BR><FONT SIZE=2>whereas a full CRL may not include that extension. In other words, a base</FONT> <BR><FONT SIZE=2>CRL is a also a full CRL, but a full CRL is not necessarily a base CRL.</FONT> </P> <P><FONT SIZE=2>At any time a CA may issue a full CRL, whether or not a base CRL has already</FONT> <BR><FONT SIZE=2>been issued. This additional CRL SHOULD have nextUpdate equal to the</FONT> <BR><FONT SIZE=2>nextUpdate of the last issued full CRL. However, there is no guarantee that</FONT> <BR><FONT SIZE=2>this additional CRL will ever be seen by the relying party (because there</FONT> <BR><FONT SIZE=2>will be two CRLs matching the thisUpdate and nextUpdate rule and if one is</FONT> <BR><FONT SIZE=2>deleted, this is not seen by a relying party).</FONT> </P> <P><FONT SIZE=2>Due to the fact that CRLs numbers are strictly increasing, two CRLs whether</FONT> <BR><FONT SIZE=2>they are a base CRL or delta CRL, CANNOT have the same CRL number. So a</FONT> <BR><FONT SIZE=2>delta CRL and a full CRL that cover the same scope and are issued at the</FONT> <BR><FONT SIZE=2>same time CANNOT have the same number. If a full CRL is issued, its CRL</FONT> <BR><FONT SIZE=2>number bears no relationship with the previous base CRL, if any. The only</FONT> <BR><FONT SIZE=2>relationship between the numbers is defined by the rule that CRLs numbers</FONT> <BR><FONT SIZE=2>are strictly increasing. As Santosh said : "the CRL number is unique</FONT> <BR><FONT SIZE=2>whether it is a base or a delta ". </FONT> </P> <P><FONT SIZE=2>This is fairly important to be able to unambiguously (and thus uniquely)</FONT> <BR><FONT SIZE=2>refer to a CRL by only providing its CRL number.</FONT> </P> <P><FONT SIZE=2>Besides the fact that a CRL issued later MUST have a higher CRL number, full</FONT> <BR><FONT SIZE=2>CRLs and delta CRLs have independent numbering rules. As noticed by Santosh,</FONT> <BR><FONT SIZE=2>" if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL</FONT> <BR><FONT SIZE=2>number (for the same or no stream identifier).</FONT> </P> <P><FONT SIZE=2>As Santosh said : "a check based on thisUpdate is more general and</FONT> <BR><FONT SIZE=2>preferred [to the use of CRL numbers]. "</FONT> </P> <P><FONT SIZE=2>Related to the three rules mentioned by Russ :</FONT> </P> <P><FONT SIZE=2>1) the first rule is not understandable to me.</FONT> <BR><FONT SIZE=2>2) the second rule does not say anything more than the basic rule valid </FONT> <BR><FONT SIZE=2> for any CRL (i.e. a CRL issued later MUST have a higher CRL number).</FONT> <BR><FONT SIZE=2>3) we will debate the hold condition, once we will have sorted the main</FONT> <BR><FONT SIZE=2> issue.</FONT> </P> <P><FONT SIZE=2>Russ said : "If separate number sequence is used, then you will have to</FONT> <BR><FONT SIZE=2>periodically fetch base CRLs ". This is true. </FONT> </P> <P><FONT SIZE=2>Tim said that he would *not* like to be forced to download new base CRLs.</FONT> <BR><FONT SIZE=2>This is the core of the "dispute".</FONT> </P> <P><FONT SIZE=2>From the definition of what a delta CRL is, it is *not* possible to</FONT> <BR><FONT SIZE=2>get rid of the fetching of base CRLs. Unless we add a new sentence to</FONT> <BR><FONT SIZE=2>expand/change that definition, base CRL fetching will remain mandatory.</FONT> </P> <P><FONT SIZE=2>Remember that the goal of delta CRLs is to provide the freshest information,</FONT> <BR><FONT SIZE=2>and to my knowledge the goal was not to get rid of the fetching of base CRLs</FONT> <BR><FONT SIZE=2>(which may less frequent due to the support of delta CRLs).</FONT> </P> <P><FONT SIZE=2>If I understand correctly, Tim/David/Russ would like to *always* achieve the</FONT> <BR><FONT SIZE=2>following property : it is possible to reconstruct the current CRL by using</FONT> <BR><FONT SIZE=2>a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been</FONT> <BR><FONT SIZE=2>issued at the same time a base CRL was issued and which contains updates</FONT> <BR><FONT SIZE=2>made to the *previous* base. </FONT> </P> <P><FONT SIZE=2>By this way the fetching of base CRLs could be avoided. However, note that</FONT> <BR><FONT SIZE=2>it is perfectly " legal " to stop issuing base and delta CRLs during some</FONT> <BR><FONT SIZE=2>period of time and to issue full CRLs instead (see the difference between</FONT> <BR><FONT SIZE=2>"full" and "base" at the top of this e-mail). In other words there is no</FONT> <BR><FONT SIZE=2>need to issue a new base CRL at the end of the validity period of the</FONT> <BR><FONT SIZE=2>previous base CRL. Doing this would mandate to prescribe issuing rules </FONT> <BR><FONT SIZE=2>for CAs that we have not prescripted.</FONT> </P> <P><FONT SIZE=2>I will now raise a series of questions, for which I believe we have</FONT> <BR><FONT SIZE=2>different answers. Tim/David/Russ do not hesitate to correct </FONT> <BR><FONT SIZE=2>if my guess is wrong. ;-)</FONT> </P> <P><FONT SIZE=2>Common point:</FONT> </P> <P><FONT SIZE=2>1) What will be the value of the nextUpdate field from the last issued delta</FONT> <BR><FONT SIZE=2>CRL for a given base CRL ? </FONT> </P> <P><FONT SIZE=2>Denis: the nextUpdate field from the last issued delta CRL MUST be equal to</FONT> <BR><FONT SIZE=2>the value of nextUpdate from the base CRL.</FONT> </P> <P><FONT SIZE=2>Tim/David/Russ: ???</FONT> </P> <P><FONT SIZE=2>2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ?</FONT> </P> <P><FONT SIZE=2>Denis: No.</FONT> <BR><FONT SIZE=2>Tim/David/Russ : ???</FONT> </P> <P><FONT SIZE=2>3) Does a CA needs to issue a new base CRL at the end of the validity of a</FONT> <BR><FONT SIZE=2>current base CRL ?</FONT> </P> <P><FONT SIZE=2>Denis: No.</FONT> <BR><FONT SIZE=2>Tim/David/Russ : ???</FONT> </P> <P><FONT SIZE=2>4) Does a CA needs to issue a delta CRL at the same time a new base is</FONT> <BR><FONT SIZE=2>issued ?</FONT> </P> <P><FONT SIZE=2>Denis: Yes. The delta CRL refers to the *new* base.</FONT> <BR><FONT SIZE=2>Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note</FONT> <BR><FONT SIZE=2>that there can be no previous at all, or the "previous" may even be three</FONT> <BR><FONT SIZE=2>months old]. </FONT> </P> <P><FONT SIZE=2>The last point highlights the most noticeable difference. Other differences</FONT> <BR><FONT SIZE=2>appears when considering the guaranty to get the freshest information :</FONT> <BR><FONT SIZE=2>using the traditional scheme and the thisUpdate and nextUpdate fields the</FONT> <BR><FONT SIZE=2>guaranty to get the freshest information is obtained, but cannot be obtained</FONT> <BR><FONT SIZE=2>using the other scheme. :-(</FONT> </P> <P><FONT SIZE=2>Several people are referring to the X.509 document for arguments to support</FONT> <BR><FONT SIZE=2>that discussion. However, it is important to remember that we are defining</FONT> <BR><FONT SIZE=2>PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509,</FONT> <BR><FONT SIZE=2>but only what we believe is relevant.</FONT> </P> <P><FONT SIZE=2>We first need to clearly define the processing rules applicable to the</FONT> <BR><FONT SIZE=2>relying parties. These rules will certainly contain SHALL/MUST statements,</FONT> <BR><FONT SIZE=2>but may also include some MAY statements which may even be conditional to</FONT> <BR><FONT SIZE=2>what the CA is doing. (I let Tim/David or Russ provide the MAY statement).</FONT> </P> <P><FONT SIZE=2>Here is a proposal for the MUST statement, based on the previous text I</FONT> <BR><FONT SIZE=2>produced:</FONT> </P> <P><FONT SIZE=2> An application that is wishing to take advantage of delta CRLs </FONT> <BR><FONT SIZE=2> for a given scope, MUST first find a base CRL for that scope, </FONT> <BR><FONT SIZE=2> i.e. a full CRL that that contains a freshestCRL extension </FONT> <BR><FONT SIZE=2> (a.k.a. a Delta CRL distribution point). It may then construct </FONT> <BR><FONT SIZE=2> an updated CRL for that base, for a specific time T, by combining </FONT> <BR><FONT SIZE=2> it with a delta CRL which contains a delta CRL indicator extension </FONT> <BR><FONT SIZE=2> with the same CRL number as the base CRL. Applications that support </FONT> <BR><FONT SIZE=2> delta CRLs MUST ensure that time T falls between thisUpdate and </FONT> <BR><FONT SIZE=2> nextUpdate for both the base CRL and the delta CRL.</FONT> </P> <P><FONT SIZE=2> Note: An application could also reconstruct an updated CRL, for </FONT> <BR><FONT SIZE=2> a specific time T, by using a previously locally reconstructed CRL </FONT> <BR><FONT SIZE=2> based on the current base CRL, and combining it with a delta CRL which </FONT> <BR><FONT SIZE=2> contains a delta CRL indicator extension with the same CRL number as </FONT> <BR><FONT SIZE=2> the base CRL.</FONT> </P> <P><FONT SIZE=2>We also need to clearly separate the issuing rules applicable for the CAs.</FONT> <BR><FONT SIZE=2>These rules will certainly contain SHALL statements, but could also include</FONT> <BR><FONT SIZE=2>some MAY statements. (I let Tim/David or Russ provide the MAY statement).</FONT> </P> <P><FONT SIZE=2>Here is a proposal for the MUST statement, based on the previous text I</FONT> <BR><FONT SIZE=2>produced:</FONT> </P> <P><FONT SIZE=2> A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full </FONT> <BR><FONT SIZE=2> CRL that contains a freshestCRL extension (a.k.a. a Delta CRL </FONT> <BR><FONT SIZE=2> distribution point). For any time T until the nextUpdate time </FONT> <BR><FONT SIZE=2> indicated in a base CRL, the CA MUST provide one and only one </FONT> <BR><FONT SIZE=2> delta CRL that refers to that base CRL and for which time T </FONT> <BR><FONT SIZE=2> falls between thisUpdate and nextUpdate from the delta CRL.</FONT> </P> <P><FONT SIZE=2>In his e-mail from Wednesday, May 9, David said that delta-CRL processing</FONT> <BR><FONT SIZE=2>rules could be base on time instead of CRL numbers. This is a point of which</FONT> <BR><FONT SIZE=2>I strongly agree. Let us do it!</FONT> </P> <P><FONT SIZE=2>(However, there is no need to add to PKIX, as he suggested, the support of</FONT> <BR><FONT SIZE=2>the baseUpdateTime extension from X.509 which would even more complicate the</FONT> <BR><FONT SIZE=2>problem.)</FONT> </P> <P><FONT SIZE=2>Regards,</FONT> </P> <P><FONT SIZE=2>Denis</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D95D.8497A310-- Received: from finch-post-10.mail.demon.net (finch-post-10.mail.demon.net [194.217.242.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA00446 for <ietf-pkix@imc.org>; Thu, 10 May 2001 07:23:54 -0700 (PDT) Received: from drh-consultancy.demon.co.uk ([193.237.150.98] helo=celocom.com) by finch-post-10.mail.demon.net with esmtp (Exim 2.12 #1) id 14xrMA-000NPj-0A for ietf-pkix@imc.org; Thu, 10 May 2001 14:23:55 +0000 Message-ID: <3AFA9AEE.6EC02E85@celocom.com> Date: Thu, 10 May 2001 14:43:10 +0100 From: Dr S N Henson <drh@celocom.com> Organization: S N Henson X-Mailer: Mozilla 4.73 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Subject: Re: Certificate Hold (was RE: delta CRLs) References: <8D7EC1912E25D411A32100D0B76953978DE8CF@scygmxs01.cygnacom.com> <3AFA5738.3A3B8B55@bull.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Wrt certficate hold I'm not against its use being deprecated in CRLs. AFAICS ambiguity arises in the following scenario: 1. A certificate is placed on hold but later removed and the certificate is declared valid again. 2. Some transactions were made using the certificate while it was on hold. 3. A verifier needs to determine the validity of the transactions after the hold period. There are two separate interpretations depending on the individual situation. 1. Since the certificate is now valid the transactions are now valid. 2. Because the transactions were made during the hold period they should be declared invalid. Its case 2 that causes problems. The verifier really needs to know whether the certificate was on hold at the time the transaction took place. This information may not always be available, if all it has is a current CRL. Because of this problem I'd say that some clarification is needed as to the use of certificate hold. IMHO we should say that hold MUST NOT be used in this way. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: shenson@drh-consultancy.demon.co.uk Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: drh@celocom.com PGP key: via homepage. Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA00101 for <ietf-pkix@imc.org>; Thu, 10 May 2001 07:21:25 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id KAA28081 for <ietf-pkix@imc.org>; Thu, 10 May 2001 10:20:56 -0400 (EDT) Message-Id: <200105101420.KAA28072@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Thu, 10 May 2001 10:15:25 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: delta CRLs References: <E5C2786F90B4D4119A200008C716F45D8E5BCC@acrossw01.acrosswireless.com> <3AFA4F09.5AB02392@bull.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Denis, If I understand this text correctly, it would prohibit a CA from issuing an unscheduled delta CRL (one whose thisUpdate is less than the nextUpdate of the prior delta). Two possible workarounds: 1) A CA that issues a delta-CRL at time T less than nextUpdate of a previous delta-CRL referring to the same base MUST NOT populate the nextUpdate field of the unscheduled delta-CRL. or 2) A CA that issues a delta-CRL at time T less than nextUpdate of a previous delta-CRL referring to the same base MUST populate the nextUpdate field of the unscheduled delta-CRL with the value of nextUpdate from that previous delta-CRL. Either of these restrictions would allow multiple deltas to exist at a time T, but would forbid interleaved series of deltas, which I believe is the intent of your proposal. Dave Denis Pinkas wrote: > > Here is a proposal for the MUST statement, based on the previous text I > produced: > > A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > distribution point). For any time T until the nextUpdate time > indicated in a base CRL, the CA MUST provide one and only one > delta CRL that refers to that base CRL and for which time T > falls between thisUpdate and nextUpdate from the delta CRL. Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id GAA25742 for <ietf-pkix@imc.org>; Thu, 10 May 2001 06:24:05 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 10 May 2001 13:23:46 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id JAA26211 for <ietf-pkix@imc.org>; Thu, 10 May 2001 09:24:05 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NWQZH>; Thu, 10 May 2001 09:24:04 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.48]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NWQZ1; Thu, 10 May 2001 09:23:51 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Denis Pinkas <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010510090030.018a6e58@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 10 May 2001 09:05:56 -0400 Subject: Re: delta CRLs In-Reply-To: <3AFA4F09.5AB02392@bull.net> References: <E5C2786F90B4D4119A200008C716F45D8E5BCC@acrossw01.acrosswireless.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Denis: >There is difference between a base CRL and a full CRL You are quite right. I, for one, will try to be more careful about the use of them. >Due to the fact that CRLs numbers are strictly increasing, two CRLs whether >they are a base CRL or delta CRL, CANNOT have the same CRL number. I disagree. A full CRL (that may be a base CRL for subsequent delta CRLs) and a delta CRL issued at the same time as that full CRL may actually represent the same revocation information. In this case, they are the same CRL, and they should have the same number. There have been several tables posted that illustrate this numbering scheme, and I do not see any text in X.509-200 that indicates this scheme is > So a >delta CRL and a full CRL that cover the same scope and are issued at the >same time CANNOT have the same number. If a full CRL is issued, its CRL >number bears no relationship with the previous base CRL, if any. The only >relationship between the numbers is defined by the rule that CRLs numbers >are strictly increasing. As Santosh said : "the CRL number is unique >whether it is a base or a delta ". > >This is fairly important to be able to unambiguously (and thus uniquely) >refer to a CRL by only providing its CRL number. > >Besides the fact that a CRL issued later MUST have a higher CRL number, full >CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, >" if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL >number (for the same or no stream identifier). > >As Santosh said : "a check based on thisUpdate is more general and >preferred [to the use of CRL numbers]. " > >Related to the three rules mentioned by Russ : > >1) the first rule is not understandable to me. >2) the second rule does not say anything more than the basic rule valid > for any CRL (i.e. a CRL issued later MUST have a higher CRL number). >3) we will debate the hold condition, once we will have sorted the main > issue. > >Russ said : "If separate number sequence is used, then you will have to >periodically fetch base CRLs ". This is true. > >Tim said that he would *not* like to be forced to download new base CRLs. >This is the core of the "dispute". > > From the definition of what a delta CRL is, it is *not* possible to >get rid of the fetching of base CRLs. Unless we add a new sentence to >expand/change that definition, base CRL fetching will remain mandatory. > >Remember that the goal of delta CRLs is to provide the freshest information, >and to my knowledge the goal was not to get rid of the fetching of base CRLs >(which may less frequent due to the support of delta CRLs). > >If I understand correctly, Tim/David/Russ would like to *always* achieve the >following property : it is possible to reconstruct the current CRL by using >a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been >issued at the same time a base CRL was issued and which contains updates >made to the *previous* base. > >By this way the fetching of base CRLs could be avoided. However, note that >it is perfectly " legal " to stop issuing base and delta CRLs during some >period of time and to issue full CRLs instead (see the difference between >"full" and "base" at the top of this e-mail). In other words there is no >need to issue a new base CRL at the end of the validity period of the >previous base CRL. Doing this would mandate to prescribe issuing rules >for CAs that we have not prescripted. > >I will now raise a series of questions, for which I believe we have >different answers. Tim/David/Russ do not hesitate to correct >if my guess is wrong. ;-) > >Common point: > >1) What will be the value of the nextUpdate field from the last issued delta >CRL for a given base CRL ? > >Denis: the nextUpdate field from the last issued delta CRL MUST be equal to >the value of nextUpdate from the base CRL. > >Tim/David/Russ: ??? > >2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? > >Denis: No. >Tim/David/Russ : ??? > >3) Does a CA needs to issue a new base CRL at the end of the validity of a >current base CRL ? > >Denis: No. >Tim/David/Russ : ??? > >4) Does a CA needs to issue a delta CRL at the same time a new base is >issued ? > >Denis: Yes. The delta CRL refers to the *new* base. >Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note >that there can be no previous at all, or the "previous" may even be three >months old]. > >The last point highlights the most noticeable difference. Other differences >appears when considering the guaranty to get the freshest information : >using the traditional scheme and the thisUpdate and nextUpdate fields the >guaranty to get the freshest information is obtained, but cannot be obtained >using the other scheme. :-( > >Several people are referring to the X.509 document for arguments to support >that discussion. However, it is important to remember that we are defining >PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, >but only what we believe is relevant. > >We first need to clearly define the processing rules applicable to the >relying parties. These rules will certainly contain SHALL/MUST statements, >but may also include some MAY statements which may even be conditional to >what the CA is doing. (I let Tim/David or Russ provide the MAY statement). > >Here is a proposal for the MUST statement, based on the previous text I >produced: > > An application that is wishing to take advantage of delta CRLs > for a given scope, MUST first find a base CRL for that scope, > i.e. a full CRL that that contains a freshestCRL extension > (a.k.a. a Delta CRL distribution point). It may then construct > an updated CRL for that base, for a specific time T, by combining > it with a delta CRL which contains a delta CRL indicator extension > with the same CRL number as the base CRL. Applications that support > delta CRLs MUST ensure that time T falls between thisUpdate and > nextUpdate for both the base CRL and the delta CRL. > > Note: An application could also reconstruct an updated CRL, for > a specific time T, by using a previously locally reconstructed CRL > based on the current base CRL, and combining it with a delta CRL which > contains a delta CRL indicator extension with the same CRL number as > the base CRL. > >We also need to clearly separate the issuing rules applicable for the CAs. >These rules will certainly contain SHALL statements, but could also include >some MAY statements. (I let Tim/David or Russ provide the MAY statement). > >Here is a proposal for the MUST statement, based on the previous text I >produced: > > A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full > CRL that contains a freshestCRL extension (a.k.a. a Delta CRL > distribution point). For any time T until the nextUpdate time > indicated in a base CRL, the CA MUST provide one and only one > delta CRL that refers to that base CRL and for which time T > falls between thisUpdate and nextUpdate from the delta CRL. > >In his e-mail from Wednesday, May 9, David said that delta-CRL processing >rules could be base on time instead of CRL numbers. This is a point of which >I strongly agree. Let us do it! > >(However, there is no need to add to PKIX, as he suggested, the support of >the baseUpdateTime extension from X.509 which would even more complicate the >problem.) > >Regards, > >Denis Received: from mail.ksign.com ([211.237.33.200]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA21570 for <ietf-pkix@imc.org>; Thu, 10 May 2001 05:17:14 -0700 (PDT) Received: from yskim (yskim.ksign.com [211.174.252.122]) by mail.ksign.com (8.11.1/8.11.1) with SMTP id f4ACHUq16352 for <ietf-pkix@imc.org>; Thu, 10 May 2001 21:17:30 +0900 (KST) Message-ID: <00ab01c0d94b$1c440bd0$7afcaed3@yskim> From: "Yosik Kim" <yskim@ksign.com> To: <ietf-pkix@imc.org> Subject: print BMP string in certificate(x509) Date: Thu, 10 May 2001 21:16:57 +0900 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_00A8_01C0D996.8BA23880" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 This is a multi-part message in MIME format. ------=_NextPart_000_00A8_01C0D996.8BA23880 Content-Type: text/plain; charset="ks_c_5601-1987" Content-Transfer-Encoding: base64 SGkNCkhvdyBjYW4gaSBwcmludCBCTVAoQmFzaWMgTXVsdGlsaWd1YWwgUGxhbmUpc3RyaW5nIGlu IGNlcnRpZmljYXRlKFg1MDkpLg0KSSBjYW4ndCBjb252ZXJ0IHRvIHByaW50YWJsZSBzdHJpbmcg dG8gQk1QIHN0cmluZy4NCg0KZXhhbXBsZSkNCg0KT3BlblNTTD4geDUwOSAtaW5mb3JtIERFUiAt aW4gcHBzMDc2X2Vudi5jZXIgLXN1YmplY3QNCnN1YmplY3Q9IC9DPUtSL089R292ZXJubWVudCBv ZiBLb3JlYS9PVT1ceEM4cFx4QjJceEVDXHhDQ1x4QUQvT1U9XHhBRGxceEI5XHhFNFx4DQpBRG0v T1U9XHhDNnhceEM3XHg5MFx4QURsXHhCOVx4RTRceEFDXHhGQy9DTj1wcHMwNzYNCg0KQk1QIHN0 cmluZyBpcyBub3QgcHJpbnQoT3BlblNTTCkuIFNvIEkgbWFkZSBmdW5jdGlvbi4gQnV0IEl0IGRv ZXNuJ3Qgd29yay4NCg0KVGhhbmtzIGluIGFkdmFuY2UuDQoNCkRhcnJlbi4NCg0K ------=_NextPart_000_00A8_01C0D996.8BA23880 Content-Type: text/html; charset="ks_c_5601-1987" Content-Transfer-Encoding: base64 PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9uYWwv L0VOIj4NCjxIVE1MPjxIRUFEPg0KPE1FVEEgaHR0cC1lcXVpdj1Db250ZW50LVR5cGUgY29udGVu dD0idGV4dC9odG1sOyBjaGFyc2V0PWtzX2NfNTYwMS0xOTg3Ij4NCjxNRVRBIGNvbnRlbnQ9Ik1T SFRNTCA1LjUwLjQ1MjIuMTgwMCIgbmFtZT1HRU5FUkFUT1I+DQo8U1RZTEU+PC9TVFlMRT4NCjwv SEVBRD4NCjxCT0RZIGJnQ29sb3I9I2ZmZmZmZj4NCjxESVY+PEZPTlQgc2l6ZT0yPkhpPEJSPkhv dyBjYW4gaSBwcmludCBCTVAoQmFzaWMgTXVsdGlsaWd1YWwgUGxhbmUpc3RyaW5nIGluIA0KY2Vy dGlmaWNhdGUoWDUwOSkuPEJSPkkgY2FuJ3QgY29udmVydCB0byBwcmludGFibGUgc3RyaW5nIHRv IEJNUCANCnN0cmluZy48L0ZPTlQ+PC9ESVY+DQo8RElWPiZuYnNwOzwvRElWPg0KPERJVj48Rk9O VCBzaXplPTI+ZXhhbXBsZSk8L0ZPTlQ+PC9ESVY+DQo8RElWPiZuYnNwOzwvRElWPg0KPERJVj48 Rk9OVCBzaXplPTI+T3BlblNTTCZndDsgeDUwOSAtaW5mb3JtIERFUiAtaW4gcHBzMDc2X2Vudi5j ZXIgDQotc3ViamVjdDxCUj5zdWJqZWN0PSAvQz1LUi9PPUdvdmVybm1lbnQgb2YgDQpLb3JlYS9P VT1ceEM4cFx4QjJceEVDXHhDQ1x4QUQvT1U9XHhBRGxceEI5XHhFNFx4PEJSPkFEbS9PVT1ceEM2 eFx4QzdceDkwXHhBRGxceEI5XHhFNFx4QUNceEZDL0NOPXBwczA3NjwvRk9OVD48L0RJVj4NCjxE SVY+Jm5ic3A7PC9ESVY+DQo8RElWPjxGT05UIHNpemU9Mj5CTVAgc3RyaW5nIGlzIG5vdCBwcmlu dChPcGVuU1NMKS4gU28gSSBtYWRlIGZ1bmN0aW9uLiBCdXQgSXQgDQpkb2Vzbid0IHdvcmsuPC9G T05UPjwvRElWPg0KPERJVj4mbmJzcDs8L0RJVj4NCjxESVY+PEZPTlQgc2l6ZT0yPlRoYW5rcyBp biBhZHZhbmNlLjwvRk9OVD48L0RJVj4NCjxESVY+Jm5ic3A7PC9ESVY+DQo8RElWPjxGT05UIHNp emU9Mj5EYXJyZW4uPEJSPjwvRk9OVD48L0RJVj48L0JPRFk+PC9IVE1MPg0K ------=_NextPart_000_00A8_01C0D996.8BA23880-- Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id CAA09059 for <ietf-pkix@imc.org>; Thu, 10 May 2001 02:34:57 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id LAA23760; Thu, 10 May 2001 11:34:55 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id LAA12924; Thu, 10 May 2001 11:34:20 +0200 Message-ID: <3AFA60A0.7441CBA2@bull.net> Date: Thu, 10 May 2001 11:34:24 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Integris. A Bull Company X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Sharon Boeyen <sharon.boeyen@entrust.com> CC: ietf-pkix@imc.org Subject: Re: delta-CRLs References: <DD62792EA182FF4E99C2FBC07E3053BD01DA4030@sottmxs09.entrust.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sharon, I nearly missed you e-mail. Sorry about this. > Sorry to help 'drag out' this discussion, but a couple of points: > > 1) Denis, your comment about CRL numbers needing to be unique, regardless > of the scope of the CRL is incorrect. Check the text in 509 clause 8.5.2.1 > (CRL number extension) which says "This CRL extension field conveys a > montonically increasing sequence number for each CRL issued by a given CRL > issuer through a given authority directory attribute or CRL distribution > point. ..." As it has already been responded, the delta CRL and the base CRL have the same scope and thus must have unique numbers. Denis > For that reason, another extension was added (see 8.5.2.7 of 509) called > cRLStreamIdentifier. This is used to identify the context within which the > CRL number is unique. > > Second, I want to make sure everyone understands that the quote from 97 > 509 12.6.3.3 by David is text that was replaced in the 4th edition because > it was overly restrictive. > > As for the length of messages, I know I find myself constantly quoting > 509. Others do the same and others quote 2459. I do believe the editors > have worked closely together to ensure that what we end up with in PKIX is > a profile of 509 (with changes being made to both documents as required). > However, I can't help but wonder if we could cut down on the length of > some of these messages if everyone who cares about the topic would first > go and read both documents before submitting messages that purport to > state what the standards say. This discussion is taking a lot of time on > the part of many people and perhaps we could cut down on some of that by > going back and reading what the standards say. > > (It's friday afternoon, what can I say :-) > > Sharon Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id CAA08271 for <ietf-pkix@imc.org>; Thu, 10 May 2001 02:31:29 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id LAA20066; Thu, 10 May 2001 11:31:24 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id LAA12902; Thu, 10 May 2001 11:30:44 +0200 Message-ID: <3AFA5FC8.79B32942@bull.net> Date: Thu, 10 May 2001 11:30:48 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Integris. A Bull Company X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Ambarish Malpani <ambarish@valicert.com> CC: "'Housley, Russ '" <rhousley@rsasecurity.com>, "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Subject: Re: Certificate Hold (was RE: delta CRLs) References: <613B3C619C9AD4118C4E00B0D03E7C3E014C8D0B@exchange.valicert.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Ambarish, > Russ, while I don't object to us deprecating the use of certificate > suspension, I don't think we should prohibit its usage. I would object to deprecate the use of certificate suspension using CRLs. > Certificate suspension is a useful mechanism to prevent the usage of > a certificate while you figure out whether it should actually be > revoked or not. > I don't agree with us saying that PKIX supports suspension only via > OCSP - that just sounds wrong to me. I support the two other points. Regards, Denis > Regards, > Ambarish > > -----Original Message----- > From: Housley, Russ > To: Tom Gindin > Cc: ietf-pkix@imc.org > Sent: 5/7/01 10:13 AM > Subject: RE: Certificate Hold (was RE: delta CRLs) > > Tom: > > I have not been able to make myself clear. Perhaps because you keep > looking to simple authentication applications. My hope is that the PKIX > > profile will readily meet the needs of these relatively straightforward > applications and also support the more demanding needs of applications > where non-repudiation is needed. > > All: > > My view of the question is that three people have voiced a desire to see > > the suspension feature removed, one is asking questions without voicing > a > position, and no one has asked to keep it. People who have an opinion > but > have not posted it yet please do so. > > Russ Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id BAA05296 for <ietf-pkix@imc.org>; Thu, 10 May 2001 01:54:50 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA12320; Thu, 10 May 2001 10:54:47 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id KAA13360; Thu, 10 May 2001 10:54:13 +0200 Message-ID: <3AFA5738.3A3B8B55@bull.net> Date: Thu, 10 May 2001 10:54:16 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Santosh Chokhani <chokhani@cygnacom.com> CC: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Subject: Re: Certificate Hold (was RE: delta CRLs) References: <8D7EC1912E25D411A32100D0B76953978DE8CF@scygmxs01.cygnacom.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Santosh, > Some times people put a certificate on hold because some one is out of > pocket for a while. True and this is a good reason to support the hold condition whether CRL or OCSP is being used. This makes no difference. The support of the hold condition MUST not be deprecated when supported by CRLs. > In that case, the signatures made during the hold > period should be considered invalid. The anwser is not as simple as above. During the on-hold period, two cases have to be addressed: either the verifier cannot wait or it can wait. 1) If it cannot wait, then a safe decision has to be taken: the signature is invalid. This is the case when the signature is used for real time use: authentication and /or access control purposes. 2) If it can wait, then it may postpone the decision at the end of the "on hold" period. If the certificate number is added to the CRL and marked definitively revoked, then the signature is invalid. If the certificate number is removed from the CRL, then the signature is valid. This case applies for non repudiation purposes. Denis > -----Original Message----- > From: Hal Lockhart [mailto:hal.lockhart@entegrity.com] > Sent: Tuesday, May 08, 2001 11:47 AM > To: 'Ambarish Malpani'; 'Housley, Russ '; 'Tom Gindin ' > Cc: 'ietf-pkix@imc.org ' > Subject: RE: Certificate Hold (was RE: delta CRLs) > > Ambarish Malpani wrote: > > Certificate suspension is a useful mechanism to prevent the usage of > > a certificate while you figure out whether it should actually be > > revoked or not. > > Forgive me if this has been discussed in the past, but I am curious. If > this > is the (only) purpose of hold, doesn't that simplify the NR issue? If the > cert can be established to be good at a later time, shouldn't the hold be > ignored? If the results of our investigation is that there was actually no > > problem after all, why should signatures created during that period be > invalid? > > Hal Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id BAA00928 for <ietf-pkix@imc.org>; Thu, 10 May 2001 01:19:53 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA12620 for <ietf-pkix@imc.org>; Thu, 10 May 2001 10:19:51 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id KAA15138 for <ietf-pkix@imc.org>; Thu, 10 May 2001 10:19:17 +0200 Message-ID: <3AFA4F09.5AB02392@bull.net> Date: Thu, 10 May 2001 10:19:21 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 CC: ietf-pkix@imc.org Subject: Re: delta CRLs References: <E5C2786F90B4D4119A200008C716F45D8E5BCC@acrossw01.acrosswireless.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Tim, David, Russ, Santosh, Carlin, and many others ... There is difference between a base CRL and a full CRL : a base CRL MUST include a freshestCRL extension (a.k.a. a Delta CRL distribution point), whereas a full CRL may not include that extension. In other words, a base CRL is a also a full CRL, but a full CRL is not necessarily a base CRL. At any time a CA may issue a full CRL, whether or not a base CRL has already been issued. This additional CRL SHOULD have nextUpdate equal to the nextUpdate of the last issued full CRL. However, there is no guarantee that this additional CRL will ever be seen by the relying party (because there will be two CRLs matching the thisUpdate and nextUpdate rule and if one is deleted, this is not seen by a relying party). Due to the fact that CRLs numbers are strictly increasing, two CRLs whether they are a base CRL or delta CRL, CANNOT have the same CRL number. So a delta CRL and a full CRL that cover the same scope and are issued at the same time CANNOT have the same number. If a full CRL is issued, its CRL number bears no relationship with the previous base CRL, if any. The only relationship between the numbers is defined by the rule that CRLs numbers are strictly increasing. As Santosh said : "the CRL number is unique whether it is a base or a delta ". This is fairly important to be able to unambiguously (and thus uniquely) refer to a CRL by only providing its CRL number. Besides the fact that a CRL issued later MUST have a higher CRL number, full CRLs and delta CRLs have independent numbering rules. As noticed by Santosh, " if the delta thisUpdate > base thisUpdate, delta CRL number > base CRL number (for the same or no stream identifier). As Santosh said : "a check based on thisUpdate is more general and preferred [to the use of CRL numbers]. " Related to the three rules mentioned by Russ : 1) the first rule is not understandable to me. 2) the second rule does not say anything more than the basic rule valid for any CRL (i.e. a CRL issued later MUST have a higher CRL number). 3) we will debate the hold condition, once we will have sorted the main issue. Russ said : "If separate number sequence is used, then you will have to periodically fetch base CRLs ". This is true. Tim said that he would *not* like to be forced to download new base CRLs. This is the core of the "dispute". >From the definition of what a delta CRL is, it is *not* possible to get rid of the fetching of base CRLs. Unless we add a new sentence to expand/change that definition, base CRL fetching will remain mandatory. Remember that the goal of delta CRLs is to provide the freshest information, and to my knowledge the goal was not to get rid of the fetching of base CRLs (which may less frequent due to the support of delta CRLs). If I understand correctly, Tim/David/Russ would like to *always* achieve the following property : it is possible to reconstruct the current CRL by using a base CRL from, e.g. 1990, i.e. by capturing every delta CRL that has been issued at the same time a base CRL was issued and which contains updates made to the *previous* base. By this way the fetching of base CRLs could be avoided. However, note that it is perfectly " legal " to stop issuing base and delta CRLs during some period of time and to issue full CRLs instead (see the difference between "full" and "base" at the top of this e-mail). In other words there is no need to issue a new base CRL at the end of the validity period of the previous base CRL. Doing this would mandate to prescribe issuing rules for CAs that we have not prescripted. I will now raise a series of questions, for which I believe we have different answers. Tim/David/Russ do not hesitate to correct if my guess is wrong. ;-) Common point: 1) What will be the value of the nextUpdate field from the last issued delta CRL for a given base CRL ? Denis: the nextUpdate field from the last issued delta CRL MUST be equal to the value of nextUpdate from the base CRL. Tim/David/Russ: ??? 2) Does a CA needs to issue a delta CRL at the time a full CRL is issued ? Denis: No. Tim/David/Russ : ??? 3) Does a CA needs to issue a new base CRL at the end of the validity of a current base CRL ? Denis: No. Tim/David/Russ : ??? 4) Does a CA needs to issue a delta CRL at the same time a new base is issued ? Denis: Yes. The delta CRL refers to the *new* base. Tim/David/Russ : Yes. The delta CRL refers to the *previous* base. [Note that there can be no previous at all, or the "previous" may even be three months old]. The last point highlights the most noticeable difference. Other differences appears when considering the guaranty to get the freshest information : using the traditional scheme and the thisUpdate and nextUpdate fields the guaranty to get the freshest information is obtained, but cannot be obtained using the other scheme. :-( Several people are referring to the X.509 document for arguments to support that discussion. However, it is important to remember that we are defining PKIX, not X.509, so we DO NOT need to copy and paste everything from X.509, but only what we believe is relevant. We first need to clearly define the processing rules applicable to the relying parties. These rules will certainly contain SHALL/MUST statements, but may also include some MAY statements which may even be conditional to what the CA is doing. (I let Tim/David or Russ provide the MAY statement). Here is a proposal for the MUST statement, based on the previous text I produced: An application that is wishing to take advantage of delta CRLs for a given scope, MUST first find a base CRL for that scope, i.e. a full CRL that that contains a freshestCRL extension (a.k.a. a Delta CRL distribution point). It may then construct an updated CRL for that base, for a specific time T, by combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. Applications that support delta CRLs MUST ensure that time T falls between thisUpdate and nextUpdate for both the base CRL and the delta CRL. Note: An application could also reconstruct an updated CRL, for a specific time T, by using a previously locally reconstructed CRL based on the current base CRL, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. We also need to clearly separate the issuing rules applicable for the CAs. These rules will certainly contain SHALL statements, but could also include some MAY statements. (I let Tim/David or Russ provide the MAY statement). Here is a proposal for the MUST statement, based on the previous text I produced: A CA that supports delta-CRLs, MUST issue a base CRL, i.e. a full CRL that contains a freshestCRL extension (a.k.a. a Delta CRL distribution point). For any time T until the nextUpdate time indicated in a base CRL, the CA MUST provide one and only one delta CRL that refers to that base CRL and for which time T falls between thisUpdate and nextUpdate from the delta CRL. In his e-mail from Wednesday, May 9, David said that delta-CRL processing rules could be base on time instead of CRL numbers. This is a point of which I strongly agree. Let us do it! (However, there is no need to add to PKIX, as he suggested, the support of the baseUpdateTime extension from X.509 which would even more complicate the problem.) Regards, Denis Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id BAA00634 for <ietf-pkix@imc.org>; Thu, 10 May 2001 01:12:40 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA21042; Thu, 10 May 2001 10:12:39 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id KAA15130; Thu, 10 May 2001 10:12:05 +0200 Message-ID: <3AFA4D58.6B13653D@bull.net> Date: Thu, 10 May 2001 10:12:08 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Carlin Covey <ccovey@cylink.com> CC: ietf-pkix@imc.org Subject: Re: delta CRLs References: <DOEOKAMDOBOFDGOPBAHDOEMMCDAA.ccovey@cylink.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Carlin, > Having heard several persons speak for assigning the same CRL number > to simultaneously-issued delta-CRLs and full CRLs, > and no one speak against, I find myself convinced that they should > be assigned the same CRL number. Thanks for the convincing arguments. Have you missed my e-mails ? I don't think you can say that "no one speak against". I did. Regards, Denis Received: from internet.across ([213.212.5.232]) by above.proper.com (8.9.3/8.9.3) with SMTP id AAA23576 for <ietf-pkix@imc.org>; Thu, 10 May 2001 00:14:24 -0700 (PDT) Received: FROM acrossw01.acrosswireless.com BY internet.across ; Thu May 10 09:19:27 2001 +0200 Received: by acrossw01.acrosswireless.com with Internet Mail Service (5.5.2650.21) id <KTJ6P5NV>; Thu, 10 May 2001 09:12:50 +0200 Message-ID: <E5C2786F90B4D4119A200008C716F45D8E5BCC@acrossw01.acrosswireless.com> From: Olle Larsson <olle.larsson@smarttrust.com> To: "'Carlin Covey'" <ccovey@cylink.com>, ietf-pkix@imc.org Subject: RE: delta CRLs Date: Thu, 10 May 2001 09:12:50 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D920.9F78F860" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D920.9F78F860 Content-Type: text/plain; charset="iso-8859-1" Just want to point out that it DOES matter if the delta and the full CRL have the same number or not, when issued at the same time and reflecting the same set of revocation information. Consider a client that tries to construct the local 'virtual' base CRL that Peter Sylvester mentioned. That virtual base CRL will then have a crlNumber = n = that of the dCRL used to update the local repository. A while later, another dCRL is fetched. If the referred base CRL number m > n, we are in trouble. In other words, a full CRL must always have a CRL number >= the CRL number of the delta CRL that is issued at the same time and reflecting the same set of revocation information. <academical> The thisUpdate field is of no use, as computers are fast these days and you cannot know for a fact that another full CRL m hasn't been issued in the very same second interval as CRL n, possibly containing more revocation information that will be missed in the virtual base CRL. </academical> Considering this, I would second Santosh's revised wording as well. /Olle -----Original Message----- From: Carlin Covey [mailto:ccovey@cylink.com] Sent: Wednesday, May 09, 2001 9:23 PM To: ietf-pkix@imc.org Subject: RE: delta CRLs Having heard several persons speak for assigning the same CRL number to simultaneously-issued delta-CRLs and full CRLs, and no one speak against, I find myself convinced that they should be assigned the same CRL number. Thanks for the convincing arguments. P.S. I still like Santosh's revised wording: ---------------------- Thus, if two CRLs (in the same stream identifier or when stream identifier is absent), have numbers n and m, the following shall be true (assuming no wrapping) n = m if and only if thisUpdate of n = thisUpdate of m n > m if and only if thisUpdate of n > thisUpdate of m n < m if and only if thisUpdate of n < thisUpdate of m -------------------- Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Carlin Covey [mailto:ccovey@cylink.com] Sent: Wednesday, May 09, 2001 10:35 AM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh, I don't see that it matters whether the delta-CRL or the full CRL is assigned the earlier number. But I'm not hard over about assigning them different numbers. I'm still willing to be convinced that it is bad that they have different numbers, or good that they have the same number. Earlier today Stephen Henson presented one argument for numbering them the same. Perhaps that is a compelling reason. Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Wednesday, May 09, 2001 10:13 AM To: Carlin Covey; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Are you suggesting that when they are issued at the same time, they should still have a different CRL number? Which one should have the number n and which one n+1? -----Original Message----- From: Carlin Covey [mailto:ccovey@cylink.com] Sent: Wednesday, May 09, 2001 1:16 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh, If simultaneously-issued delta-CRLs and full CRLs are to be numbered the same, I think your wording is a significant improvement over the current wording. However, I'm still undecided whether they should be numbered the same. It seems like simultaneously-issued delta-CRLs and full CRLs (and constructed CRLs) could be matched via the thisUpdate field without the necessity of violating the strictly increasing provision for CRL numbers. A unique reference for each CRL would be useful for evidentiary purposes, and for historical validation. Rendering a CRL identifier unique already requires the issuer ID, the set of reason codes, the set of certificate types, and either the CRL number or the thisUpdate value. I wonder if it is necessary to add the full vs. delta status as well. - Carlin -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Wednesday, May 09, 2001 9:28 AM To: Carlin Covey; drh@celocom.com; David A. Cooper; ambarish@valicert.com; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs I am simply suggesting that the numbers be strictly increasing, but if a base and delta are generated at the same time, they will have the same sequence number. Thus, if two CRLs (in the same stream identifier or when stream identifier is absent), have numbers n and m, the following shall be true (assuming no wrapping) n = m if and only if thisUpdate of n = thisUpdate of m n > m if and only if thisUpdate of n > thisUpdate of m n < m if and only if thisUpdate of n < thisUpdate of m -----Original Message----- From: Carlin Covey [ mailto:ccovey@cylink.com <mailto:ccovey@cylink.com> ] Sent: Wednesday, May 09, 2001 11:28 AM To: drh@celocom.com; David A. Cooper; ambarish@valicert.com; chokhani@cygnacom.com Cc: ietf-pkix@imc.org Subject: RE: delta CRLs David, Stephen, Ambarish, and Santosh, Some of us are in the business for the looooong haul. ;>) Actually, I wasn't concerned about the CRL number wrapping, but that possibility was advanced a few days ago as an argument against the use of the "strictly increasing" wording. Another email commented that PKIX did not permit the number to wrap, although X.509 might. The only evidence I could find for X.509 permitting the number to wrap was "(0 .. MAX)". As various people have pointed out, one could be drumming one's fingers for quite a while........ My real point was that the "monotonically increasing" wording permits the CRL number to stay the same, while "strictly increasing" forces the numbers to be unique (issues of wrapping aside in both cases). Stephen Henson just pointed out a reason why one might want the CRL number to stay the same when issuing a delta CRL at the same time as a full CRL. I am not arguing either for or against that case, but it seems desirable to force the CRL numbers to be unique in most cases. (Unless, the CRLs are distinguished based upon thisUpdate, as Santosh has suggested.) Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: David A. Cooper [ mailto:david.cooper@nist.gov <mailto:david.cooper@nist.gov> ] Sent: Wednesday, May 09, 2001 6:03 AM To: 'ietf-pkix@imc.org ' Subject: RE: delta CRLs From a practical point of view, I don't think that we should need to worry about CRL numbers wrapping. According to my calculations, if one assigns cRLNumber 1 to the first CRL and then numbers CRLs consecutively, one could issue a new CRL every second for 68 years before the cRLNumber would require more than 4 bytes (32 bits) to encode. On the other hand, if you're willing to issue a new CRL only once a minute, it would take 4083 years before the cRLNumber would require more than 4 bytes to encode. BTW, I thought that the purpose of the "(0 .. MAX)" was just to prevent use of negative numbers. While there may, in theory be a limit to the size of an integer that may be encoded, for all practical purposes, one can encode any integet. According to "A Layman's Guide to a Subset of ASN.1, BER, and DER", a DER encoded value can have a length of up to 2 ** 1008 - 1 bytes. Thus, MAX = 2 ** [8 * ((2 ** 1008) - 1) - 1] - 1, which is far larger than any number we would ever need. Dave At 08:57 PM 5/8/01 -0700, Ambarish Malpani wrote: > >I always thought MAX for ASN.1 INTEGERs was something I would never >need to worry about. > >Looks like I was wrong :-) > >By the way, what is MAX? I know that we can represent numbers with >over 2048 bits... > >A > >-----Original Message----- >From: Carlin Covey >To: Housley, Russ; Santosh Chokhani >Cc: ietf-pkix@imc.org >Sent: 5/8/01 5:53 PM >Subject: RE: delta CRLs > >Russ, > >A week or two ago we arrived at a consensus to remove the requirement >that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the >CA chooses to issue them simultaneously, why would they need to be numbered >the same? If this requirement were lifted, it seems like requiring the CRL >number to be "strictly increasing" in a sequence would be preferable to >"monotonically increasing". "Monotonically increasing" allows the possibility >that the CRL number never changes, which seems undesirable. I realize >that in either case the CRL number might wrap around at some point in the future. >That is inevitable, given that that CRL number is defined as INTEGER (0..MAX). >What else can a CA do when CRL number reaches MAX, stop issuing CRLs? > >"monotonically increasing" - Definition: A function from a partially order[ed] >domain to a partially ordered range such that x >= y implies f(x) >= f(y). > >- From the NIST web site: > http://hissa.nist.gov/dads/HTML/monotoncincr.html <http://hissa.nist.gov/dads/HTML/monotoncincr.html> > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > >-----Original Message----- >From: Housley, Russ [ mailto:rhousley@rsasecurity.com <mailto:rhousley@rsasecurity.com> ] >Sent: Monday, May 07, 2001 6:21 AM >To: Santosh Chokhani >Cc: ietf-pkix@imc.org >Subject: RE: delta CRLs > > >Santosh: > >X.509 may allow the CRL number to wrap around, but I do not believe that >PKIX does. > > 5.2.3 CRL Number > > The CRL number is a non-critical CRL extension which conveys a > monotonically increasing sequence number for each CRL issued by a CA. > This extension allows users to easily determine when a particular CRL > supersedes another CRL. CAs conforming to this profile MUST include > this extension in all CRLs. > > id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } > >Russ > > >At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote: > > >Actually, the text allows for the wrap of the numbers. Please see Annex B > >of X.509. Thus, it is not strictly increasing > > > >-----Original Message----- > >From: Peter Sylvester > >[< mailto:Peter.Sylvester@EdelWeb.fr <mailto:Peter.Sylvester@EdelWeb.fr> > mailto:Peter.Sylvester@EdelWeb.fr <mailto:Peter.Sylvester@EdelWeb.fr> ] > >Sent: Saturday, May 05, 2001 2:08 PM > >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; > >chokhani@cygnacom.com > >Cc: ietf-pkix@imc.org > >Subject: RE: delta CRLs > > > > > Trevor: > > > > > > The 2000 version of X.509 is very clear on this. For a given CRL stream > > > identifier, the CRL number is unique whether it is base or delta. That is > > > why delta number has to be greater than the base. > > > >" 8.5.2.1 CRL number extension > > > > This CRL extension field conveys a monotonically increasing sequence > > number .." > > > >The text might be clearer IMHO if 'strictly increasing' would be used > >instead. ------_=_NextPart_001_01C0D920.9F78F860 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>RE: delta CRLs</TITLE> <META content="MSHTML 5.50.4611.1300" name=GENERATOR></HEAD> <BODY> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001>Just want to point out that it DOES matter if the delta and the full CRL have the same number or not, when issued at the same time and reflecting the same set of revocation information.</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001>Consider a client that tries to construct the local 'virtual' base CRL that Peter Sylvester mentioned. That virtual base CRL will then have a crlNumber = n = that of the dCRL used to update the local repository.</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001>A while later, another dCRL is fetched. If the referred base CRL number m > n, we are in trouble. </SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001></SPAN></FONT> </DIV><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001>In other words, a full CRL must always have a CRL number >= the CRL number of the delta CRL that is issued at the same time and reflecting the same set of revocation information.</SPAN></FONT></DIV> <DIV> </DIV> <DIV><academical> The thisUpdate field is of no use, as computers are fast these days and you cannot know for a fact that another full CRL m hasn't</SPAN></FONT><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001> been issued in the very same second interval as CRL n, possibly containing more revocation information that will be missed in the virtual base CRL. </SPAN></FONT><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001><SPAN class=064004006-10052001></academical></SPAN></SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001><SPAN class=064004006-10052001></SPAN></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001>Considering this, I would second Santosh's revised wording as well.</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001></SPAN></FONT> </DIV> <DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=064004006-10052001>/Olle</SPAN></FONT></DIV></SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV> <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Carlin Covey [mailto:ccovey@cylink.com]<BR><B>Sent:</B> Wednesday, May 09, 2001 9:23 PM<BR><B>To:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta CRLs<BR><BR></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=309141619-09052001>Having heard several persons speak for assigning the same CRL number to simultaneously-issued delta-CRLs and full CRLs, and no one speak against, I find myself convinced that they should be assigned the same CRL number. Thanks for the convincing arguments.</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=309141619-09052001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=309141619-09052001>P.S. I still like Santosh's revised wording:</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=309141619-09052001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=309141619-09052001>----------------------</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=309141619-09052001></SPAN></FONT> </DIV> <DIV><SPAN class=309141619-09052001><FONT face=Arial color=#0000ff size=2> Thus, if two CRLs (in the same stream identifier or when stream identifier is absent), have numbers n and m, the following shall be true (assuming no wrapping)</FONT> <P><FONT color=#0000ff><FONT face=Arial size=2> <SPAN class=309141619-09052001> </SPAN>n = m if and only if thisUpdate of n = thisUpdate of m </FONT></FONT></P> <P><FONT face=Arial color=#0000ff size=2> <SPAN class=309141619-09052001> </SPAN>n > m if and only if thisUpdate of n > thisUpdate of m </FONT></P> <P><FONT face=Arial color=#0000ff size=2> <SPAN class=309141619-09052001> </SPAN>n < m if and only if thisUpdate of n < thisUpdate of m </FONT></P> <P><FONT face=Arial color=#0000ff size=2><SPAN class=309141619-09052001>--------------------</SPAN></FONT></P><FONT face=Arial color=#0000ff size=2><SPAN class=309141619-09052001> <P><FONT size=2>Regards,<BR><BR>Carlin<BR><BR>____________________________<BR><BR>- Carlin Covey<BR> Cylink Corporation </FONT></P></SPAN></FONT></SPAN></DIV> <BLOCKQUOTE style="MARGIN-RIGHT: 0px"> <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Carlin Covey [mailto:ccovey@cylink.com]<BR><B>Sent:</B> Wednesday, May 09, 2001 10:35 AM<BR><B>To:</B> Santosh Chokhani<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta CRLs<BR><BR></DIV></FONT> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=121152317-09052001>Santosh,</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=121152317-09052001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=121152317-09052001>I don't see that it matters whether the delta-CRL or the full CRL is assigned the earlier number. But I'm not hard over about assigning them different numbers. I'm still willing to be convinced that it is bad that they have different numbers, or good that they have the same number. Earlier today Stephen Henson presented one argument for numbering them the same. Perhaps that is a compelling reason.</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=121152317-09052001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=121152317-09052001> <P><FONT size=2>Regards,<BR><BR>Carlin<BR><BR>____________________________<BR><BR>- Carlin Covey<BR> Cylink Corporation </FONT></P></SPAN></FONT></DIV> <BLOCKQUOTE style="MARGIN-RIGHT: 0px"> <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Santosh Chokhani [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Wednesday, May 09, 2001 10:13 AM<BR><B>To:</B> Carlin Covey; Santosh Chokhani<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta CRLs<BR><BR></DIV></FONT> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=742462017-09052001>Are you suggesting that when they are issued at the same time, they should still have a different CRL number?</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=742462017-09052001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=742462017-09052001>Which one should have the number n and which one n+1?</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=742462017-09052001></SPAN></FONT> </DIV> <DIV class=OutlookMessageHeader><FONT face="Times New Roman" size=2>-----Original Message-----<BR><B>From:</B> Carlin Covey [mailto:ccovey@cylink.com]<BR><B>Sent:</B> Wednesday, May 09, 2001 1:16 PM<BR><B>To:</B> Santosh Chokhani<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta CRLs<BR><BR></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=523265216-09052001>Santosh,</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=523265216-09052001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=523265216-09052001>If simultaneously-issued delta-CRLs and full CRLs are to be numbered the same, I think your wording is a significant improvement over the current wording. However, I'm still undecided whether they should be numbered the same. It seems like simultaneously-issued delta-CRLs and full CRLs (and constructed CRLs) could be matched via the thisUpdate field without the necessity of violating the strictly increasing provision for CRL numbers. A unique reference for each CRL would be useful for evidentiary purposes, and for historical validation. Rendering a CRL identifier unique already requires the issuer ID, the set of reason codes, the set of certificate types, and either the CRL number or the thisUpdate value. I wonder if it is necessary to add the full vs. delta status as well.</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=523265216-09052001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=523265216-09052001>- Carlin</SPAN></FONT></DIV> <DIV><SPAN class=523265216-09052001></SPAN><FONT face=Tahoma><FONT size=2><SPAN class=523265216-09052001><FONT face=Arial color=#0000ff></FONT></SPAN></FONT></FONT> </DIV> <DIV><FONT face=Tahoma><FONT size=2><SPAN class=523265216-09052001> </SPAN>-----Original Message-----<BR><B>From:</B> Santosh Chokhani [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Wednesday, May 09, 2001 9:28 AM<BR><B>To:</B> Carlin Covey; drh@celocom.com; David A. Cooper; ambarish@valicert.com; Santosh Chokhani<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta CRLs<BR><BR></DIV></FONT> <BLOCKQUOTE style="MARGIN-RIGHT: 0px"></FONT> <P><FONT size=2>I am simply suggesting that the numbers be strictly increasing, but if a base and delta are generated at the same time, they will have the same sequence number. Thus, if two CRLs (in the same stream identifier or when stream identifier is absent), have numbers n and m, the following shall be true (assuming no wrapping)</FONT></P> <P><FONT size=2> n = m if and only if thisUpdate of n = thisUpdate of m</FONT> </P> <P><FONT size=2> n > m if and only if thisUpdate of n > thisUpdate of m</FONT> </P> <P><FONT size=2> n < m if and only if thisUpdate of n < thisUpdate of m</FONT> </P> <P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From: Carlin Covey [<A href="mailto:ccovey@cylink.com">mailto:ccovey@cylink.com</A>]</FONT> <BR><FONT size=2>Sent: Wednesday, May 09, 2001 11:28 AM</FONT> <BR><FONT size=2>To: drh@celocom.com; David A. Cooper; ambarish@valicert.com;</FONT> <BR><FONT size=2>chokhani@cygnacom.com</FONT> <BR><FONT size=2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>Subject: RE: delta CRLs</FONT> </P><BR> <P><FONT size=2>David, Stephen, Ambarish, and Santosh,</FONT> </P> <P><FONT size=2>Some of us are in the business for the looooong haul. ;>)</FONT> </P> <P><FONT size=2>Actually, I wasn't concerned about the CRL number wrapping, but that</FONT> <BR><FONT size=2>possibility was advanced a few days ago as an argument against the use of</FONT> <BR><FONT size=2>the "strictly increasing" wording. Another email commented that PKIX did</FONT> <BR><FONT size=2>not permit the number to wrap, although X.509 might. The only evidence I</FONT> <BR><FONT size=2>could find for X.509 permitting the number to wrap was "(0 .. MAX)". As</FONT> <BR><FONT size=2>various people have pointed out, one could be drumming one's fingers for</FONT> <BR><FONT size=2>quite a while........</FONT> </P> <P><FONT size=2>My real point was that the "monotonically increasing" wording permits the</FONT> <BR><FONT size=2>CRL number to stay the same, while "strictly increasing" forces the numbers</FONT> <BR><FONT size=2>to be unique (issues of wrapping aside in both cases). Stephen Henson just</FONT> <BR><FONT size=2>pointed out a reason why one might want the CRL number to stay the same when</FONT> <BR><FONT size=2>issuing a delta CRL at the same time as a full CRL. I am not arguing either</FONT> <BR><FONT size=2>for or against that case, but it seems desirable to force the CRL numbers to</FONT> <BR><FONT size=2>be unique in most cases. (Unless, the CRLs are distinguished based upon</FONT> <BR><FONT size=2>thisUpdate, as Santosh has suggested.)</FONT> </P> <P><FONT size=2>Regards,</FONT> </P> <P><FONT size=2>Carlin</FONT> </P> <P><FONT size=2>____________________________</FONT> </P> <P><FONT size=2>- Carlin Covey</FONT> <BR><FONT size=2> Cylink Corporation</FONT> </P><BR><BR> <P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From: David A. Cooper [<A href="mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]</FONT> <BR><FONT size=2>Sent: Wednesday, May 09, 2001 6:03 AM</FONT> <BR><FONT size=2>To: 'ietf-pkix@imc.org '</FONT> <BR><FONT size=2>Subject: RE: delta CRLs</FONT> </P><BR> <P><FONT size=2> From a practical point of view, I don't think that we should need to worry</FONT> <BR><FONT size=2>about CRL numbers wrapping. According to my calculations, if one assigns</FONT> <BR><FONT size=2>cRLNumber 1 to the first CRL and then numbers CRLs consecutively, one could</FONT> <BR><FONT size=2>issue a new CRL every second for 68 years before the cRLNumber would require</FONT> <BR><FONT size=2>more than 4 bytes (32 bits) to encode. On the other hand, if you're willing</FONT> <BR><FONT size=2>to issue a new CRL only once a minute, it would take 4083 years before the</FONT> <BR><FONT size=2>cRLNumber would require more than 4 bytes to encode.</FONT> </P> <P><FONT size=2>BTW, I thought that the purpose of the "(0 .. MAX)" was just to prevent use</FONT> <BR><FONT size=2>of negative numbers. While there may, in theory be a limit to the size of an</FONT> <BR><FONT size=2>integer that may be encoded, for all practical purposes, one can encode any</FONT> <BR><FONT size=2>integet. According to "A Layman's Guide to a Subset of ASN.1, BER, and DER",</FONT> <BR><FONT size=2>a DER encoded value can have a length of up to 2 ** 1008 - 1 bytes. Thus,</FONT> <BR><FONT size=2>MAX = 2 ** [8 * ((2 ** 1008) - 1) - 1] - 1, which is far larger than any</FONT> <BR><FONT size=2>number we would ever need.</FONT> </P> <P><FONT size=2>Dave</FONT> </P> <P><FONT size=2>At 08:57 PM 5/8/01 -0700, Ambarish Malpani wrote:</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>I always thought MAX for ASN.1 INTEGERs was something I would never</FONT> <BR><FONT size=2>>need to worry about.</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>Looks like I was wrong :-)</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>By the way, what is MAX? I know that we can represent numbers with</FONT> <BR><FONT size=2>>over 2048 bits...</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>A</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>-----Original Message-----</FONT> <BR><FONT size=2>>From: Carlin Covey</FONT> <BR><FONT size=2>>To: Housley, Russ; Santosh Chokhani</FONT> <BR><FONT size=2>>Cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>>Sent: 5/8/01 5:53 PM</FONT> <BR><FONT size=2>>Subject: RE: delta CRLs</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>Russ,</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>A week or two ago we arrived at a consensus to remove the requirement</FONT> <BR><FONT size=2>>that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the</FONT> <BR><FONT size=2>>CA chooses to issue them simultaneously, why would they need to be numbered</FONT> <BR><FONT size=2>>the same? If this requirement were lifted, it seems like requiring the CRL</FONT> <BR><FONT size=2>>number to be "strictly increasing" in a sequence would be preferable to</FONT> <BR><FONT size=2>>"monotonically increasing". "Monotonically increasing" allows the</FONT> <BR><FONT size=2>possibility</FONT> <BR><FONT size=2>>that the CRL number never changes, which seems undesirable. I realize</FONT> <BR><FONT size=2>>that in either case the CRL number might wrap around at some point in the</FONT> <BR><FONT size=2>future.</FONT> <BR><FONT size=2>>That is inevitable, given that that CRL number is defined as INTEGER</FONT> <BR><FONT size=2>(0..MAX).</FONT> <BR><FONT size=2>>What else can a CA do when CRL number reaches MAX, stop issuing CRLs?</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>"monotonically increasing" - Definition: A function from a partially</FONT> <BR><FONT size=2>order[ed]</FONT> <BR><FONT size=2>>domain to a partially ordered range such that x >= y implies f(x) >= f(y).</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>- From the NIST web site:</FONT> <BR><FONT size=2>><A target=_blank href="http://hissa.nist.gov/dads/HTML/monotoncincr.html">http://hissa.nist.gov/dads/HTML/monotoncincr.html</A></FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>Regards,</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>Carlin</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>____________________________</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>- Carlin Covey</FONT> <BR><FONT size=2>> Cylink Corporation</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>-----Original Message-----</FONT> <BR><FONT size=2>>From: Housley, Russ [<A href="mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com</A>]</FONT> <BR><FONT size=2>>Sent: Monday, May 07, 2001 6:21 AM</FONT> <BR><FONT size=2>>To: Santosh Chokhani</FONT> <BR><FONT size=2>>Cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>>Subject: RE: delta CRLs</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>Santosh:</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>X.509 may allow the CRL number to wrap around, but I do not believe that</FONT> <BR><FONT size=2>>PKIX does.</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>> 5.2.3 CRL Number</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>> The CRL number is a non-critical CRL extension which conveys a</FONT> <BR><FONT size=2>> monotonically increasing sequence number for each CRL issued by a CA.</FONT> <BR><FONT size=2>> This extension allows users to easily determine when a particular CRL</FONT> <BR><FONT size=2>> supersedes another CRL. CAs conforming to this profile MUST include</FONT> <BR><FONT size=2>> this extension in all CRLs.</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>> id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>Russ</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote:</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>> >Actually, the text allows for the wrap of the numbers. Please see Annex</FONT> <BR><FONT size=2>B</FONT> <BR><FONT size=2>> >of X.509. Thus, it is not strictly increasing</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >-----Original Message-----</FONT> <BR><FONT size=2>> >From: Peter Sylvester</FONT> <BR><FONT size=2>> >[<<A href="mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWeb.fr</A>><A href="mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWeb.fr</A>]</FONT> <BR><FONT size=2>> >Sent: Saturday, May 05, 2001 2:08 PM</FONT> <BR><FONT size=2>> >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com;</FONT> <BR><FONT size=2>> >chokhani@cygnacom.com</FONT> <BR><FONT size=2>> >Cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>> >Subject: RE: delta CRLs</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > > Trevor:</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > > The 2000 version of X.509 is very clear on this. For a given CRL</FONT> <BR><FONT size=2>stream</FONT> <BR><FONT size=2>> > > identifier, the CRL number is unique whether it is base or delta. That</FONT> <BR><FONT size=2>is</FONT> <BR><FONT size=2>> > > why delta number has to be greater than the base.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >" 8.5.2.1 CRL number extension</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > This CRL extension field conveys a monotonically increasing sequence</FONT> <BR><FONT size=2>> > number .."</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >The text might be clearer IMHO if 'strictly increasing' would be used</FONT> <BR><FONT size=2>> >instead.</FONT> </P></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0D920.9F78F860-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id UAA05691 for <ietf-pkix@imc.org>; Wed, 9 May 2001 20:08:31 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <KS8ZMS7C>; Wed, 9 May 2001 23:08:04 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE96B@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Dr S N Henson <drh@celocom.com>, ietf-pkix@imc.org Subject: RE: delta CRLs Date: Wed, 9 May 2001 22:58:49 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D8FD.23508960" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D8FD.23508960 Content-Type: text/plain; charset="iso-8859-1" Dr. Henson: The rules for handling hold and release from hold are different when a delta is applied to a base issued after the delta (I let you figure out the rules). But, if you have to know if the base was issued after the delta or not, why apply the delta at all; just use the new base. Thus if thisUpdate of base > = thisUpdate of delta, just use the base and do not process the delta. -----Original Message----- From: Dr S N Henson [mailto:drh@celocom.com] Sent: Wednesday, May 09, 2001 6:37 PM To: ietf-pkix@imc.org Subject: Re: delta CRLs Peter Sylvester wrote: > > > Is is necessary that the crlNumber of base URLs are strictly > increasing? I am not convinced. The numbers are only used to > create references to a chain of crls that can be used to create > final 'virtual' base crl with an appropriate ThisUpdate. > Well since you can combine any full CRL whose number is greater than or equal to the base CRL number in the delta it has to be increasing. If the full CRL has a number greater than the base CRL in the delta it can still be combined but the delta CRL may contain some revocation data already present in the base. If the CRL number isn't strictly increasing then there's no way for the CRL number of deltas to reference which full CRL the constructed CRL represents. This only applies if the only way to reference constructed and base CRLs is the CRL number. If baseUpdateTime is used instead then it isn't necessary except for the fact that some clients may not use baseUpdateTime. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: shenson@drh-consultancy.demon.co.uk Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: drh@celocom.com PGP key: via homepage. ------_=_NextPart_001_01C0D8FD.23508960 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Dr. Henson:</FONT> </P> <P><FONT SIZE=3D2>The rules for handling hold and release from hold are = different when a delta is applied to a base issued after the delta (I = let you figure out the rules). But, if you have to know if the = base was issued after the delta or not, why apply the delta at all; = just use the new base.</FONT></P> <P><FONT SIZE=3D2>Thus if thisUpdate of base > =3D thisUpdate of = delta, just use the base and do not process the delta.</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Dr S N Henson [<A = HREF=3D"mailto:drh@celocom.com">mailto:drh@celocom.com</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Wednesday, May 09, 2001 6:37 PM</FONT> <BR><FONT SIZE=3D2>To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Re: delta CRLs</FONT> </P> <BR> <BR> <BR> <P><FONT SIZE=3D2>Peter Sylvester wrote:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Is is necessary that the crlNumber of base URLs = are strictly</FONT> <BR><FONT SIZE=3D2>> increasing? I am not convinced. The numbers are = only used to</FONT> <BR><FONT SIZE=3D2>> create references to a chain of crls that can = be used to create</FONT> <BR><FONT SIZE=3D2>> final 'virtual' base crl with an appropriate = ThisUpdate.</FONT> <BR><FONT SIZE=3D2>> </FONT> </P> <P><FONT SIZE=3D2>Well since you can combine any full CRL whose number = is greater than or</FONT> <BR><FONT SIZE=3D2>equal to the base CRL number in the delta it has to = be increasing.</FONT> </P> <P><FONT SIZE=3D2>If the full CRL has a number greater than the base = CRL in the delta it</FONT> <BR><FONT SIZE=3D2>can still be combined but the delta CRL may contain = some revocation data</FONT> <BR><FONT SIZE=3D2>already present in the base.</FONT> </P> <P><FONT SIZE=3D2>If the CRL number isn't strictly increasing then = there's no way for the</FONT> <BR><FONT SIZE=3D2>CRL number of deltas to reference which full CRL the = constructed CRL</FONT> <BR><FONT SIZE=3D2>represents.</FONT> </P> <P><FONT SIZE=3D2>This only applies if the only way to reference = constructed and base CRLs</FONT> <BR><FONT SIZE=3D2>is the CRL number. If baseUpdateTime is used instead = then it isn't</FONT> <BR><FONT SIZE=3D2>necessary except for the fact that some clients may = not use</FONT> <BR><FONT SIZE=3D2>baseUpdateTime.</FONT> </P> <P><FONT SIZE=3D2>Steve.</FONT> <BR><FONT SIZE=3D2>-- </FONT> <BR><FONT SIZE=3D2>Dr Stephen N. Henson. <A = HREF=3D"http://www.drh-consultancy.demon.co.uk/" = TARGET=3D"_blank">http://www.drh-consultancy.demon.co.uk/</A></FONT> <BR><FONT SIZE=3D2>Personal Email: shenson@drh-consultancy.demon.co.uk = </FONT> <BR><FONT SIZE=3D2>Senior crypto engineer, Celo Communications: <A = HREF=3D"http://www.celocom.com/" = TARGET=3D"_blank">http://www.celocom.com/</A></FONT> <BR><FONT SIZE=3D2>Core developer of the OpenSSL project: = <A HREF=3D"http://www.openssl.org/" = TARGET=3D"_blank">http://www.openssl.org/</A></FONT> <BR><FONT SIZE=3D2>Business Email: drh@celocom.com PGP key: via = homepage.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D8FD.23508960-- Received: from finch-post-11.mail.demon.net (finch-post-11.mail.demon.net [194.217.242.39]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA23959 for <ietf-pkix@imc.org>; Wed, 9 May 2001 15:31:27 -0700 (PDT) Received: from drh-consultancy.demon.co.uk ([193.237.150.98] helo=celocom.com) by finch-post-11.mail.demon.net with esmtp (Exim 2.12 #1) id 14xcUT-0006jJ-0B for ietf-pkix@imc.org; Wed, 9 May 2001 22:31:29 +0000 Message-ID: <3AF9C67B.43EAF991@celocom.com> Date: Wed, 09 May 2001 23:36:43 +0100 From: Dr S N Henson <drh@celocom.com> Organization: S N Henson X-Mailer: Mozilla 4.73 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: delta CRLs References: <200105091830.UAA00345@emeriau.edelweb.fr> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Peter Sylvester wrote: > > > Is is necessary that the crlNumber of base URLs are strictly > increasing? I am not convinced. The numbers are only used to > create references to a chain of crls that can be used to create > final 'virtual' base crl with an appropriate ThisUpdate. > Well since you can combine any full CRL whose number is greater than or equal to the base CRL number in the delta it has to be increasing. If the full CRL has a number greater than the base CRL in the delta it can still be combined but the delta CRL may contain some revocation data already present in the base. If the CRL number isn't strictly increasing then there's no way for the CRL number of deltas to reference which full CRL the constructed CRL represents. This only applies if the only way to reference constructed and base CRLs is the CRL number. If baseUpdateTime is used instead then it isn't necessary except for the fact that some clients may not use baseUpdateTime. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: shenson@drh-consultancy.demon.co.uk Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: drh@celocom.com PGP key: via homepage. Received: from anchor-post-34.mail.demon.net (anchor-post-34.mail.demon.net [194.217.242.92]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA18613 for <ietf-pkix@imc.org>; Wed, 9 May 2001 14:17:36 -0700 (PDT) Received: from drh-consultancy.demon.co.uk ([193.237.150.98] helo=celocom.com) by anchor-post-34.mail.demon.net with esmtp (Exim 2.12 #1) id 14xbL0-0000cI-0Y for ietf-pkix@imc.org; Wed, 9 May 2001 22:17:38 +0100 Message-ID: <3AF9B52B.C7515C6D@celocom.com> Date: Wed, 09 May 2001 22:22:51 +0100 From: Dr S N Henson <drh@celocom.com> Organization: S N Henson X-Mailer: Mozilla 4.73 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: delta CRLs References: <EOEGJNFMMIBDKGFONJJDGENDCAAA.mike@traceroutesecurity.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Michael Myers wrote: > > Just out of curiousity, has anyone actually experienced real-world (vs. > lab-bench) collisions with this numbering issue? I suspect not, but after > reading through all of this thread I'm curious to know. > Well speaking personally I haven't noticed collisions. However I've seen *very* few V2 CRLs that may have something to do with them being rejected by certain software. I've yet to see a single example of a delta CRL. Considering some of the confusion I suppose that's just as well :-) Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: shenson@drh-consultancy.demon.co.uk Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: drh@celocom.com PGP key: via homepage. Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA15708 for <ietf-pkix@imc.org>; Wed, 9 May 2001 13:38:19 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f49KcJg21098; Wed, 9 May 2001 13:38:19 -0700 (PDT) From: "Michael Myers" <mike@traceroutesecurity.com> To: "Carlin Covey" <ccovey@cylink.com>, <ietf-pkix@imc.org> Subject: RE: delta CRLs Date: Wed, 9 May 2001 13:37:54 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDGENDCAAA.mike@traceroutesecurity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <DOEOKAMDOBOFDGOPBAHDOEMMCDAA.ccovey@cylink.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Just out of curiousity, has anyone actually experienced real-world (vs. lab-bench) collisions with this numbering issue? I suspect not, but after reading through all of this thread I'm curious to know. Mike Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA10109 for <ietf-pkix@imc.org>; Wed, 9 May 2001 12:23:31 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id J0AR5Y73; Wed, 9 May 2001 12:17:50 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: <ietf-pkix@imc.org> Subject: RE: delta CRLs Date: Wed, 9 May 2001 12:22:40 -0700 Message-ID: <DOEOKAMDOBOFDGOPBAHDOEMMCDAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0084_01C0D882.BDC9C900" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <FLEELNBJKAIIGDJJKPDGEEFOCEAA.ccovey@cylink.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 This is a multi-part message in MIME format. ------=_NextPart_000_0084_01C0D882.BDC9C900 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit RE: delta CRLsHaving heard several persons speak for assigning the same CRL number to simultaneously-issued delta-CRLs and full CRLs, and no one speak against, I find myself convinced that they should be assigned the same CRL number. Thanks for the convincing arguments. P.S. I still like Santosh's revised wording: ---------------------- Thus, if two CRLs (in the same stream identifier or when stream identifier is absent), have numbers n and m, the following shall be true (assuming no wrapping) n = m if and only if thisUpdate of n = thisUpdate of m n > m if and only if thisUpdate of n > thisUpdate of m n < m if and only if thisUpdate of n < thisUpdate of m -------------------- Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Carlin Covey [mailto:ccovey@cylink.com] Sent: Wednesday, May 09, 2001 10:35 AM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh, I don't see that it matters whether the delta-CRL or the full CRL is assigned the earlier number. But I'm not hard over about assigning them different numbers. I'm still willing to be convinced that it is bad that they have different numbers, or good that they have the same number. Earlier today Stephen Henson presented one argument for numbering them the same. Perhaps that is a compelling reason. Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Wednesday, May 09, 2001 10:13 AM To: Carlin Covey; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Are you suggesting that when they are issued at the same time, they should still have a different CRL number? Which one should have the number n and which one n+1? -----Original Message----- From: Carlin Covey [mailto:ccovey@cylink.com] Sent: Wednesday, May 09, 2001 1:16 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh, If simultaneously-issued delta-CRLs and full CRLs are to be numbered the same, I think your wording is a significant improvement over the current wording. However, I'm still undecided whether they should be numbered the same. It seems like simultaneously-issued delta-CRLs and full CRLs (and constructed CRLs) could be matched via the thisUpdate field without the necessity of violating the strictly increasing provision for CRL numbers. A unique reference for each CRL would be useful for evidentiary purposes, and for historical validation. Rendering a CRL identifier unique already requires the issuer ID, the set of reason codes, the set of certificate types, and either the CRL number or the thisUpdate value. I wonder if it is necessary to add the full vs. delta status as well. - Carlin -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Wednesday, May 09, 2001 9:28 AM To: Carlin Covey; drh@celocom.com; David A. Cooper; ambarish@valicert.com; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs I am simply suggesting that the numbers be strictly increasing, but if a base and delta are generated at the same time, they will have the same sequence number. Thus, if two CRLs (in the same stream identifier or when stream identifier is absent), have numbers n and m, the following shall be true (assuming no wrapping) n = m if and only if thisUpdate of n = thisUpdate of m n > m if and only if thisUpdate of n > thisUpdate of m n < m if and only if thisUpdate of n < thisUpdate of m -----Original Message----- From: Carlin Covey [mailto:ccovey@cylink.com] Sent: Wednesday, May 09, 2001 11:28 AM To: drh@celocom.com; David A. Cooper; ambarish@valicert.com; chokhani@cygnacom.com Cc: ietf-pkix@imc.org Subject: RE: delta CRLs David, Stephen, Ambarish, and Santosh, Some of us are in the business for the looooong haul. ;>) Actually, I wasn't concerned about the CRL number wrapping, but that possibility was advanced a few days ago as an argument against the use of the "strictly increasing" wording. Another email commented that PKIX did not permit the number to wrap, although X.509 might. The only evidence I could find for X.509 permitting the number to wrap was "(0 .. MAX)". As various people have pointed out, one could be drumming one's fingers for quite a while........ My real point was that the "monotonically increasing" wording permits the CRL number to stay the same, while "strictly increasing" forces the numbers to be unique (issues of wrapping aside in both cases). Stephen Henson just pointed out a reason why one might want the CRL number to stay the same when issuing a delta CRL at the same time as a full CRL. I am not arguing either for or against that case, but it seems desirable to force the CRL numbers to be unique in most cases. (Unless, the CRLs are distinguished based upon thisUpdate, as Santosh has suggested.) Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Wednesday, May 09, 2001 6:03 AM To: 'ietf-pkix@imc.org ' Subject: RE: delta CRLs From a practical point of view, I don't think that we should need to worry about CRL numbers wrapping. According to my calculations, if one assigns cRLNumber 1 to the first CRL and then numbers CRLs consecutively, one could issue a new CRL every second for 68 years before the cRLNumber would require more than 4 bytes (32 bits) to encode. On the other hand, if you're willing to issue a new CRL only once a minute, it would take 4083 years before the cRLNumber would require more than 4 bytes to encode. BTW, I thought that the purpose of the "(0 .. MAX)" was just to prevent use of negative numbers. While there may, in theory be a limit to the size of an integer that may be encoded, for all practical purposes, one can encode any integet. According to "A Layman's Guide to a Subset of ASN.1, BER, and DER", a DER encoded value can have a length of up to 2 ** 1008 - 1 bytes. Thus, MAX = 2 ** [8 * ((2 ** 1008) - 1) - 1] - 1, which is far larger than any number we would ever need. Dave At 08:57 PM 5/8/01 -0700, Ambarish Malpani wrote: > >I always thought MAX for ASN.1 INTEGERs was something I would never >need to worry about. > >Looks like I was wrong :-) > >By the way, what is MAX? I know that we can represent numbers with >over 2048 bits... > >A > >-----Original Message----- >From: Carlin Covey >To: Housley, Russ; Santosh Chokhani >Cc: ietf-pkix@imc.org >Sent: 5/8/01 5:53 PM >Subject: RE: delta CRLs > >Russ, > >A week or two ago we arrived at a consensus to remove the requirement >that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the >CA chooses to issue them simultaneously, why would they need to be numbered >the same? If this requirement were lifted, it seems like requiring the CRL >number to be "strictly increasing" in a sequence would be preferable to >"monotonically increasing". "Monotonically increasing" allows the possibility >that the CRL number never changes, which seems undesirable. I realize >that in either case the CRL number might wrap around at some point in the future. >That is inevitable, given that that CRL number is defined as INTEGER (0..MAX). >What else can a CA do when CRL number reaches MAX, stop issuing CRLs? > >"monotonically increasing" - Definition: A function from a partially order[ed] >domain to a partially ordered range such that x >= y implies f(x) >= f(y). > >- From the NIST web site: >http://hissa.nist.gov/dads/HTML/monotoncincr.html > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > >-----Original Message----- >From: Housley, Russ [mailto:rhousley@rsasecurity.com] >Sent: Monday, May 07, 2001 6:21 AM >To: Santosh Chokhani >Cc: ietf-pkix@imc.org >Subject: RE: delta CRLs > > >Santosh: > >X.509 may allow the CRL number to wrap around, but I do not believe that >PKIX does. > > 5.2.3 CRL Number > > The CRL number is a non-critical CRL extension which conveys a > monotonically increasing sequence number for each CRL issued by a CA. > This extension allows users to easily determine when a particular CRL > supersedes another CRL. CAs conforming to this profile MUST include > this extension in all CRLs. > > id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } > >Russ > > >At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote: > > >Actually, the text allows for the wrap of the numbers. Please see Annex B > >of X.509. Thus, it is not strictly increasing > > > >-----Original Message----- > >From: Peter Sylvester > >[<mailto:Peter.Sylvester@EdelWeb.fr>mailto:Peter.Sylvester@EdelWeb.fr] > >Sent: Saturday, May 05, 2001 2:08 PM > >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; > >chokhani@cygnacom.com > >Cc: ietf-pkix@imc.org > >Subject: RE: delta CRLs > > > > > Trevor: > > > > > > The 2000 version of X.509 is very clear on this. For a given CRL stream > > > identifier, the CRL number is unique whether it is base or delta. That is > > > why delta number has to be greater than the base. > > > >" 8.5.2.1 CRL number extension > > > > This CRL extension field conveys a monotonically increasing sequence > > number .." > > > >The text might be clearer IMHO if 'strictly increasing' would be used > >instead. ------=_NextPart_000_0084_01C0D882.BDC9C900 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>RE: delta CRLs</TITLE> <META content=3D"text/html; charset=3Diso-8859-1" = http-equiv=3DContent-Type> <META content=3D"MSHTML 5.00.3103.1000" name=3DGENERATOR></HEAD> <BODY> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D309141619-09052001>Having=20 heard several persons speak for assigning the same CRL number to=20 simultaneously-issued delta-CRLs and full CRLs, and no one speak = against, I find=20 myself convinced that they should be assigned the same CRL number. = Thanks=20 for the convincing arguments.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D309141619-09052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D309141619-09052001>P.S. I still like Santosh's revised=20 wording:</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D309141619-09052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D309141619-09052001>----------------------</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D309141619-09052001></SPAN></FONT> </DIV> <DIV><SPAN class=3D309141619-09052001><FONT color=3D#0000ff face=3DArial = size=3D2> Thus, if two CRLs = (in the same=20 stream identifier or when stream identifier is absent), have numbers n = and m,=20 the following shall be true (assuming no wrapping)</FONT> <P><FONT color=3D#0000ff><FONT face=3DArial size=3D2> <SPAN=20 class=3D309141619-09052001> </SPAN>n = =3D m if=20 and only if thisUpdate of n =3D thisUpdate of m </FONT></FONT></P> <P><FONT color=3D#0000ff face=3DArial size=3D2> <SPAN=20 class=3D309141619-09052001> </SP= AN>n >=20 m if and only if thisUpdate of n > thisUpdate of m </FONT></P> <P><FONT color=3D#0000ff face=3DArial size=3D2> <SPAN=20 class=3D309141619-09052001> </SPAN>n = < m if=20 and only if thisUpdate of n < thisUpdate of m </FONT></P> <P><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D309141619-09052001>--------------------</SPAN></FONT></P><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN class=3D309141619-09052001> <P><FONT=20 size=3D2>Regards,<BR><BR>Carlin<BR><BR>____________________________<BR><B= R>- =20 Carlin Covey<BR> Cylink Corporation=20 </FONT></P></SPAN></FONT></SPAN></DIV> <BLOCKQUOTE style=3D"MARGIN-RIGHT: 0px"> <DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Carlin Covey=20 [mailto:ccovey@cylink.com]<BR><B>Sent:</B> Wednesday, May 09, 2001 = 10:35=20 AM<BR><B>To:</B> Santosh Chokhani<BR><B>Cc:</B>=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta = CRLs<BR><BR></DIV></FONT> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D121152317-09052001>Santosh,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D121152317-09052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D121152317-09052001>I=20 don't see that it matters whether the delta-CRL or the full CRL is = assigned=20 the earlier number. But I'm not hard over about assigning = them=20 different numbers. I'm still willing to be convinced that it is = bad that=20 they have different numbers, or good that they have the same = number. =20 Earlier today Stephen Henson presented one argument for numbering them = the=20 same. Perhaps that is a compelling reason.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D121152317-09052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D121152317-09052001> <P><FONT=20 = size=3D2>Regards,<BR><BR>Carlin<BR><BR>____________________________<BR><B= R>- =20 Carlin Covey<BR> Cylink Corporation=20 </FONT></P></SPAN></FONT></DIV> <BLOCKQUOTE style=3D"MARGIN-RIGHT: 0px"> <DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Santosh Chokhani = [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Wednesday, May 09, = 2001 10:13=20 AM<BR><B>To:</B> Carlin Covey; Santosh Chokhani<BR><B>Cc:</B>=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta = CRLs<BR><BR></DIV></FONT> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D742462017-09052001>Are you suggesting that when they are = issued at the=20 same time, they should still have a different CRL=20 number?</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D742462017-09052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D742462017-09052001>Which one should have the number n and = which one=20 n+1?</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D742462017-09052001></SPAN></FONT> </DIV> <DIV class=3DOutlookMessageHeader><FONT face=3D"Times New Roman"=20 size=3D2>-----Original Message-----<BR><B>From:</B> Carlin Covey=20 [mailto:ccovey@cylink.com]<BR><B>Sent:</B> Wednesday, May 09, 2001 = 1:16=20 PM<BR><B>To:</B> Santosh Chokhani<BR><B>Cc:</B>=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta = CRLs<BR><BR></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D523265216-09052001>Santosh,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D523265216-09052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D523265216-09052001>If=20 simultaneously-issued delta-CRLs and full CRLs are to be numbered = the same,=20 I think your wording is a significant improvement over the current=20 wording. However, I'm still undecided whether they should be = numbered=20 the same. It seems like simultaneously-issued delta-CRLs and = full CRLs=20 (and constructed CRLs) could be matched via the thisUpdate field = without the=20 necessity of violating the strictly increasing provision for CRL=20 numbers. A unique reference for each CRL would be useful for=20 evidentiary purposes, and for historical = validation. Rendering a=20 CRL identifier unique already requires the issuer ID, the set of=20 reason codes, the set of certificate types, and either the CRL = number=20 or the thisUpdate value. I wonder if it is necessary to add = the full=20 vs. delta status as well.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D523265216-09052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D523265216-09052001>-=20 Carlin</SPAN></FONT></DIV> <DIV><SPAN class=3D523265216-09052001></SPAN><FONT = face=3DTahoma><FONT=20 size=3D2><SPAN class=3D523265216-09052001><FONT color=3D#0000ff=20 face=3DArial> </FONT></SPAN></FONT></FONT></DIV> <DIV><FONT face=3DTahoma><FONT size=3D2><SPAN=20 class=3D523265216-09052001> </SPAN>-----Original=20 Message-----<BR><B>From:</B> Santosh Chokhani=20 [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Wednesday, May 09, = 2001 9:28=20 AM<BR><B>To:</B> Carlin Covey; drh@celocom.com; David A. Cooper;=20 ambarish@valicert.com; Santosh Chokhani<BR><B>Cc:</B>=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta = CRLs<BR><BR></DIV></FONT> <BLOCKQUOTE style=3D"MARGIN-RIGHT: 0px"></FONT> <P><FONT size=3D2>I am simply suggesting that the numbers be = strictly=20 increasing, but if a base and delta are generated at the same = time, they=20 will have the same sequence number. Thus, if two CRLs (in = the same=20 stream identifier or when stream identifier is absent), have = numbers n and=20 m, the following shall be true (assuming no wrapping)</FONT></P> <P><FONT size=3D2> n =3D m if and only if thisUpdate of n =3D = thisUpdate of=20 m</FONT> </P> <P><FONT size=3D2> n > m if and only if thisUpdate of n = >=20 thisUpdate of m</FONT> </P> <P><FONT size=3D2> n < m if and only if thisUpdate of n = <=20 thisUpdate of m</FONT> </P> <P><FONT size=3D2>-----Original Message-----</FONT> <BR><FONT = size=3D2>From:=20 Carlin Covey [<A=20 = href=3D"mailto:ccovey@cylink.com">mailto:ccovey@cylink.com</A>]</FONT>=20 <BR><FONT size=3D2>Sent: Wednesday, May 09, 2001 11:28 AM</FONT> = <BR><FONT=20 size=3D2>To: drh@celocom.com; David A. Cooper; = ambarish@valicert.com;</FONT>=20 <BR><FONT size=3D2>chokhani@cygnacom.com</FONT> <BR><FONT = size=3D2>Cc:=20 ietf-pkix@imc.org</FONT> <BR><FONT size=3D2>Subject: RE: delta = CRLs</FONT>=20 </P><BR> <P><FONT size=3D2>David, Stephen, Ambarish, and Santosh,</FONT> = </P> <P><FONT size=3D2>Some of us are in the business for the looooong=20 haul. ;>)</FONT> </P> <P><FONT size=3D2>Actually, I wasn't concerned about the CRL = number=20 wrapping, but that</FONT> <BR><FONT size=3D2>possibility was = advanced a few=20 days ago as an argument against the use of</FONT> <BR><FONT = size=3D2>the=20 "strictly increasing" wording. Another email commented that = PKIX=20 did</FONT> <BR><FONT size=3D2>not permit the number to wrap, = although X.509=20 might. The only evidence I</FONT> <BR><FONT size=3D2>could = find for=20 X.509 permitting the number to wrap was "(0 .. MAX)". = As</FONT>=20 <BR><FONT size=3D2>various people have pointed out, one could be = drumming=20 one's fingers for</FONT> <BR><FONT size=3D2>quite a = while........</FONT>=20 </P> <P><FONT size=3D2>My real point was that the "monotonically = increasing"=20 wording permits the</FONT> <BR><FONT size=3D2>CRL number to stay = the same,=20 while "strictly increasing" forces the numbers</FONT> <BR><FONT = size=3D2>to=20 be unique (issues of wrapping aside in both cases). Stephen = Henson=20 just</FONT> <BR><FONT size=3D2>pointed out a reason why one might = want the=20 CRL number to stay the same when</FONT> <BR><FONT size=3D2>issuing = a delta=20 CRL at the same time as a full CRL. I am not arguing = either</FONT>=20 <BR><FONT size=3D2>for or against that case, but it seems = desirable to force=20 the CRL numbers to</FONT> <BR><FONT size=3D2>be unique in most = cases. =20 (Unless, the CRLs are distinguished based upon</FONT> <BR><FONT=20 size=3D2>thisUpdate, as Santosh has suggested.)</FONT> </P> <P><FONT size=3D2>Regards,</FONT> </P> <P><FONT size=3D2>Carlin</FONT> </P> <P><FONT size=3D2>____________________________</FONT> </P> <P><FONT size=3D2>- Carlin Covey</FONT> <BR><FONT = size=3D2> =20 Cylink Corporation</FONT> </P><BR><BR> <P><FONT size=3D2>-----Original Message-----</FONT> <BR><FONT = size=3D2>From:=20 David A. Cooper [<A=20 = href=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]</= FONT>=20 <BR><FONT size=3D2>Sent: Wednesday, May 09, 2001 6:03 AM</FONT> = <BR><FONT=20 size=3D2>To: 'ietf-pkix@imc.org '</FONT> <BR><FONT = size=3D2>Subject: RE: delta=20 CRLs</FONT> </P><BR> <P><FONT size=3D2> From a practical point of view, I don't = think that=20 we should need to worry</FONT> <BR><FONT size=3D2>about CRL = numbers=20 wrapping. According to my calculations, if one = assigns</FONT>=20 <BR><FONT size=3D2>cRLNumber 1 to the first CRL and then numbers = CRLs=20 consecutively, one could</FONT> <BR><FONT size=3D2>issue a new CRL = every=20 second for 68 years before the cRLNumber would require</FONT> = <BR><FONT=20 size=3D2>more than 4 bytes (32 bits) to encode. On the other = hand, if=20 you're willing</FONT> <BR><FONT size=3D2>to issue a new CRL only = once a=20 minute, it would take 4083 years before the</FONT> <BR><FONT=20 size=3D2>cRLNumber would require more than 4 bytes to = encode.</FONT> </P> <P><FONT size=3D2>BTW, I thought that the purpose of the "(0 .. = MAX)" was=20 just to prevent use</FONT> <BR><FONT size=3D2>of negative numbers. = While=20 there may, in theory be a limit to the size of an</FONT> <BR><FONT = size=3D2>integer that may be encoded, for all practical purposes, = one can=20 encode any</FONT> <BR><FONT size=3D2>integet. According to "A = Layman's Guide=20 to a Subset of ASN.1, BER, and DER",</FONT> <BR><FONT size=3D2>a = DER encoded=20 value can have a length of up to 2 ** 1008 - 1 bytes. Thus,</FONT> = <BR><FONT size=3D2>MAX =3D 2 ** [8 * ((2 ** 1008) - 1) - 1] - 1, = which is far=20 larger than any</FONT> <BR><FONT size=3D2>number we would ever = need.</FONT>=20 </P> <P><FONT size=3D2>Dave</FONT> </P> <P><FONT size=3D2>At 08:57 PM 5/8/01 -0700, Ambarish Malpani = wrote:</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT size=3D2>>I always = thought MAX for=20 ASN.1 INTEGERs was something I would never</FONT> <BR><FONT=20 size=3D2>>need to worry about.</FONT> <BR><FONT = size=3D2>></FONT>=20 <BR><FONT size=3D2>>Looks like I was wrong :-)</FONT> <BR><FONT = size=3D2>></FONT> <BR><FONT size=3D2>>By the way, what is = MAX? I know=20 that we can represent numbers with</FONT> <BR><FONT = size=3D2>>over 2048=20 bits...</FONT> <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>>A</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>>-----Original=20 Message-----</FONT> <BR><FONT size=3D2>>From: Carlin = Covey</FONT>=20 <BR><FONT size=3D2>>To: Housley, Russ; Santosh Chokhani</FONT> = <BR><FONT=20 size=3D2>>Cc: ietf-pkix@imc.org</FONT> <BR><FONT = size=3D2>>Sent: 5/8/01=20 5:53 PM</FONT> <BR><FONT size=3D2>>Subject: RE: delta = CRLs</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT size=3D2>>Russ,</FONT> = <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>A week or two ago we = arrived at a=20 consensus to remove the requirement</FONT> <BR><FONT = size=3D2>>that a CA=20 issue a full CRL whenever the CA issues a Delta-CRL. If = the</FONT>=20 <BR><FONT size=3D2>>CA chooses to issue them simultaneously, = why would=20 they need to be numbered</FONT> <BR><FONT size=3D2>>the = same? If=20 this requirement were lifted, it seems like requiring the = CRL</FONT>=20 <BR><FONT size=3D2>>number to be "strictly increasing" in a = sequence=20 would be preferable to</FONT> <BR><FONT = size=3D2>>"monotonically=20 increasing". "Monotonically increasing" allows the</FONT> = <BR><FONT=20 size=3D2>possibility</FONT> <BR><FONT size=3D2>>that the CRL = number never=20 changes, which seems undesirable. I realize</FONT> <BR><FONT = size=3D2>>that in either case the CRL number might wrap around = at some=20 point in the</FONT> <BR><FONT size=3D2>future.</FONT> <BR><FONT=20 size=3D2>>That is inevitable, given that that CRL number is = defined as=20 INTEGER</FONT> <BR><FONT size=3D2>(0..MAX).</FONT> <BR><FONT = size=3D2>>What=20 else can a CA do when CRL number reaches MAX, stop issuing = CRLs?</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>>"monotonically=20 increasing" - Definition: A function from a partially</FONT> = <BR><FONT=20 size=3D2>order[ed]</FONT> <BR><FONT size=3D2>>domain to a = partially ordered=20 range such that x >=3D y implies f(x) >=3D f(y).</FONT> = <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>- From the NIST web = site:</FONT>=20 <BR><FONT size=3D2>><A=20 href=3D"http://hissa.nist.gov/dads/HTML/monotoncincr.html"=20 = target=3D_blank>http://hissa.nist.gov/dads/HTML/monotoncincr.html</A></FO= NT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>>Regards,</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>>Carlin</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT=20 size=3D2>>____________________________</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>- Carlin = Covey</FONT>=20 <BR><FONT size=3D2>> Cylink = Corporation</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>>-----Original=20 Message-----</FONT> <BR><FONT size=3D2>>From: Housley, Russ [<A = = href=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com<= /A>]</FONT>=20 <BR><FONT size=3D2>>Sent: Monday, May 07, 2001 6:21 AM</FONT> = <BR><FONT=20 size=3D2>>To: Santosh Chokhani</FONT> <BR><FONT = size=3D2>>Cc:=20 ietf-pkix@imc.org</FONT> <BR><FONT size=3D2>>Subject: RE: delta = CRLs</FONT> <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>></FONT>=20 <BR><FONT size=3D2>>Santosh:</FONT> <BR><FONT = size=3D2>></FONT>=20 <BR><FONT size=3D2>>X.509 may allow the CRL number to wrap = around, but I=20 do not believe that</FONT> <BR><FONT size=3D2>>PKIX = does.</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>> =20 5.2.3 CRL Number</FONT> <BR><FONT size=3D2>></FONT> = <BR><FONT=20 size=3D2>> The CRL number is a = non-critical CRL=20 extension which conveys a</FONT> <BR><FONT=20 size=3D2>> monotonically increasing = sequence=20 number for each CRL issued by a CA.</FONT> <BR><FONT=20 size=3D2>> This extension allows users = to easily=20 determine when a particular CRL</FONT> <BR><FONT=20 size=3D2>> supersedes another = CRL. CAs=20 conforming to this profile MUST include</FONT> <BR><FONT=20 size=3D2>> this extension in all = CRLs.</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>> =20 id-ce-cRLNumber OBJECT IDENTIFIER ::=3D { id-ce 20 }</FONT> = <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>Russ</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>>At=20 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote:</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>> >Actually, the = text allows for=20 the wrap of the numbers. Please see Annex</FONT> <BR><FONT=20 size=3D2>B</FONT> <BR><FONT size=3D2>> >of X.509. = Thus, it is not=20 strictly increasing</FONT> <BR><FONT size=3D2>> ></FONT> = <BR><FONT=20 size=3D2>> >-----Original Message-----</FONT> <BR><FONT = size=3D2>>=20 >From: Peter Sylvester</FONT> <BR><FONT size=3D2>> = >[<<A=20 = href=3D"mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWeb= .fr</A>><A=20 = href=3D"mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWeb= .fr</A>]</FONT>=20 <BR><FONT size=3D2>> >Sent: Saturday, May 05, 2001 2:08 = PM</FONT>=20 <BR><FONT size=3D2>> >To: trevorf@windows.microsoft.com;=20 rhousley@rsasecurity.com;</FONT> <BR><FONT size=3D2>>=20 >chokhani@cygnacom.com</FONT> <BR><FONT size=3D2>> >Cc:=20 ietf-pkix@imc.org</FONT> <BR><FONT size=3D2>> >Subject: RE: = delta=20 CRLs</FONT> <BR><FONT size=3D2>> ></FONT> <BR><FONT = size=3D2>> >=20 > Trevor:</FONT> <BR><FONT size=3D2>> > ></FONT> = <BR><FONT=20 size=3D2>> > > The 2000 version of X.509 is very clear on = this. For a given CRL</FONT> <BR><FONT = size=3D2>stream</FONT>=20 <BR><FONT size=3D2>> > > identifier, the CRL number is = unique=20 whether it is base or delta. That</FONT> <BR><FONT = size=3D2>is</FONT>=20 <BR><FONT size=3D2>> > > why delta number has to be = greater than=20 the base.</FONT> <BR><FONT size=3D2>> ></FONT> <BR><FONT = size=3D2>>=20 >" 8.5.2.1 CRL number extension</FONT> <BR><FONT size=3D2>>=20 ></FONT> <BR><FONT size=3D2>> > This CRL = extension=20 field conveys a monotonically increasing sequence</FONT> <BR><FONT = size=3D2>> > number .."</FONT> <BR><FONT size=3D2>> = ></FONT>=20 <BR><FONT size=3D2>> >The text might be clearer IMHO if = 'strictly=20 increasing' would be used</FONT> <BR><FONT size=3D2>> = >instead.</FONT>=20 </P></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_0084_01C0D882.BDC9C900-- Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA08039 for <ietf-pkix@imc.org>; Wed, 9 May 2001 11:47:56 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id UAA09985; Wed, 9 May 2001 20:47:39 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.3); Wed, 9 May 2001 20:47:39 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id UAA15418; Wed, 9 May 2001 20:47:37 +0200 (MET DST) From: Peter Sylvester <Peter.Sylvester@EdelWeb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.7.6/8.6.6) id UAA00350; Wed, 9 May 2001 20:47:37 +0200 (MET DST) Date: Wed, 9 May 2001 20:47:37 +0200 (MET DST) Message-Id: <200105091847.UAA00350@emeriau.edelweb.fr> To: chokhani@cygnacom.com, ccovey@cylink.com Subject: RE: delta CRLs Cc: ietf-pkix@imc.org The numbers can be different, but: If numbers are identical, this means that any of these crls (base or delta) can be used when the number is referenced in a following deltaCRL in order to construct a full crl. The constructed full crl, if it would be published would have the same number as the delta crl. > > I don't see that it matters whether the delta-CRL or the full CRL is > assigned the earlier number. But I'm not hard over about assigning them > different numbers. I'm still willing to be convinced that it is bad that > they have different numbers, or good that they have the same number. > Earlier today Stephen Henson presented one argument for numbering them the > same. Perhaps that is a compelling reason. > > Regards, > > Carlin > Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA06744 for <ietf-pkix@imc.org>; Wed, 9 May 2001 11:30:30 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id UAA09914 for <ietf-pkix@imc.org>; Wed, 9 May 2001 20:30:31 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.3); Wed, 9 May 2001 20:30:31 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id UAA15370 for <ietf-pkix@imc.org>; Wed, 9 May 2001 20:30:30 +0200 (MET DST) From: Peter Sylvester <Peter.Sylvester@EdelWeb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.7.6/8.6.6) id UAA00345 for ietf-pkix@imc.org; Wed, 9 May 2001 20:30:30 +0200 (MET DST) Date: Wed, 9 May 2001 20:30:30 +0200 (MET DST) Message-Id: <200105091830.UAA00345@emeriau.edelweb.fr> To: ietf-pkix@imc.org Subject: RE: delta CRLs Some thoughts I think the examples on page 146 in annex c of the latest X509 draft seem to indicate that delta crls and full crls can have the same number, and this is even necessary as drh pointed out. Either one can have a full crl with number n or one can construct it by using the dCRL with the same number + the full crl indicated by the BaseCRLNumber in the dcrl. The verifying party that tries to build the full CRL using a delta has to create or get the baseCRL. It seems possible to me that in case that the vp has a dCRL that has the value of BaseCRLNumber, the process can be used recursively, this is the second model mentioned in annex C. Is is necessary that the crlNumber of base URLs are strictly increasing? I am not convinced. The numbers are only used to create references to a chain of crls that can be used to create final 'virtual' base crl with an appropriate ThisUpdate. If you take two base CRLs with the same crlNumber, where the second is constructed in such a way that no data are removed then a dCRl that refers to this number can use any of the two base CRLs in order to construct a fresher base crl. And actually it seems to me that even monotonically increasing is not really necessary since one has an order defined by thisUpdate. Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA05419 for <ietf-pkix@imc.org>; Wed, 9 May 2001 10:58:34 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id NAA11746 for <ietf-pkix@imc.org>; Wed, 9 May 2001 13:58:35 -0400 (EDT) Message-Id: <4.2.2.20010509133651.00b15d00@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 09 May 2001 13:58:00 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: RE: delta CRLs In-Reply-To: <FLEELNBJKAIIGDJJKPDGKEFNCEAA.ccovey@cylink.com> References: <8D7EC1912E25D411A32100D0B76953978DE930@scygmxs01.cygnacom.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Carlin, If a full CRL and a delta-CRL are issued for the same scope at the same time, then the constructed CRL that results from combining the delta-CRL with an appropriate base MUST be the same as the issued full CRL. The CRL number of the constructed CRL is the CRL number of the delta-CRL. Since the issued full CRL and the constructed CRL are the same CRL, they should have the same CRL number. To assign the full CRL and the delta-CRL different CRL numbers would be to suggest that they are not the same, and that the one with the higher CRL number contains fresher information. BTW, to chime in on two other issues: 1) I agree that if two CRLs, CRL1 and CRL2, are issued for the same scope, and thisUpdate of CRL1 is greater than thisUpdate of CRL2, then the cRLNumber of CRL1 must be greater than the cRLNumber of CRL2. I'm sure this was always the intention of the standard, but perhaps it was not stated with sufficient mathematical precision. 2) I agree with Santosh that much of the confusion we are having could be cleared up if delta-CRLs used the thisUpate field as a reference instead of cRLNumber. X.509 has defined a non-critical baseUpdateTime extension for use in delta-CRLs that specifies the value of thisUpdate in the base CRL that is referenced using the deltaCRLIndicator. I think it would be a good idea to include this extension in PKIX and recommend its inclusion in delta-CRLs. One could then base the delta-CRL processing rules on time instead of CRL numbers (at least for those cases in which the extension was present in the delta-CRL). Dave At 10:15 AM 5/9/01 -0700, Carlin Covey wrote: >Santosh, > >If simultaneously-issued delta-CRLs and full CRLs are to be numbered the same, I think your wording is a significant improvement over the current wording. However, I'm still undecided whether they should be numbered the same. It seems like simultaneously-issued delta-CRLs and full CRLs (and constructed CRLs) could be matched via the thisUpdate field without the necessity of violating the strictly increasing provision for CRL numbers. A unique reference for each CRL would be useful for evidentiary purposes, and for historical validation. Rendering a CRL identifier unique already requires the issuer ID, the set of reason codes, the set of certificate types, and either the CRL number or the thisUpdate value. I wonder if it is necessary to add the full vs. delta status as well. > >- Carlin Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA04544 for <ietf-pkix@imc.org>; Wed, 9 May 2001 10:35:52 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id J0AR5YK7; Wed, 9 May 2001 10:30:12 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Santosh Chokhani" <chokhani@cygnacom.com> Cc: <ietf-pkix@imc.org> Subject: RE: delta CRLs Date: Wed, 9 May 2001 10:35:02 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGEEFOCEAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0077_01C0D873.B4133450" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <8D7EC1912E25D411A32100D0B76953978DE939@scygmxs01.cygnacom.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 This is a multi-part message in MIME format. ------=_NextPart_000_0077_01C0D873.B4133450 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit RE: delta CRLsSantosh, I don't see that it matters whether the delta-CRL or the full CRL is assigned the earlier number. But I'm not hard over about assigning them different numbers. I'm still willing to be convinced that it is bad that they have different numbers, or good that they have the same number. Earlier today Stephen Henson presented one argument for numbering them the same. Perhaps that is a compelling reason. Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Wednesday, May 09, 2001 10:13 AM To: Carlin Covey; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Are you suggesting that when they are issued at the same time, they should still have a different CRL number? Which one should have the number n and which one n+1? -----Original Message----- From: Carlin Covey [mailto:ccovey@cylink.com] Sent: Wednesday, May 09, 2001 1:16 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh, If simultaneously-issued delta-CRLs and full CRLs are to be numbered the same, I think your wording is a significant improvement over the current wording. However, I'm still undecided whether they should be numbered the same. It seems like simultaneously-issued delta-CRLs and full CRLs (and constructed CRLs) could be matched via the thisUpdate field without the necessity of violating the strictly increasing provision for CRL numbers. A unique reference for each CRL would be useful for evidentiary purposes, and for historical validation. Rendering a CRL identifier unique already requires the issuer ID, the set of reason codes, the set of certificate types, and either the CRL number or the thisUpdate value. I wonder if it is necessary to add the full vs. delta status as well. - Carlin -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Wednesday, May 09, 2001 9:28 AM To: Carlin Covey; drh@celocom.com; David A. Cooper; ambarish@valicert.com; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs I am simply suggesting that the numbers be strictly increasing, but if a base and delta are generated at the same time, they will have the same sequence number. Thus, if two CRLs (in the same stream identifier or when stream identifier is absent), have numbers n and m, the following shall be true (assuming no wrapping) n = m if and only if thisUpdate of n = thisUpdate of m n > m if and only if thisUpdate of n > thisUpdate of m n < m if and only if thisUpdate of n < thisUpdate of m -----Original Message----- From: Carlin Covey [mailto:ccovey@cylink.com] Sent: Wednesday, May 09, 2001 11:28 AM To: drh@celocom.com; David A. Cooper; ambarish@valicert.com; chokhani@cygnacom.com Cc: ietf-pkix@imc.org Subject: RE: delta CRLs David, Stephen, Ambarish, and Santosh, Some of us are in the business for the looooong haul. ;>) Actually, I wasn't concerned about the CRL number wrapping, but that possibility was advanced a few days ago as an argument against the use of the "strictly increasing" wording. Another email commented that PKIX did not permit the number to wrap, although X.509 might. The only evidence I could find for X.509 permitting the number to wrap was "(0 .. MAX)". As various people have pointed out, one could be drumming one's fingers for quite a while........ My real point was that the "monotonically increasing" wording permits the CRL number to stay the same, while "strictly increasing" forces the numbers to be unique (issues of wrapping aside in both cases). Stephen Henson just pointed out a reason why one might want the CRL number to stay the same when issuing a delta CRL at the same time as a full CRL. I am not arguing either for or against that case, but it seems desirable to force the CRL numbers to be unique in most cases. (Unless, the CRLs are distinguished based upon thisUpdate, as Santosh has suggested.) Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Wednesday, May 09, 2001 6:03 AM To: 'ietf-pkix@imc.org ' Subject: RE: delta CRLs From a practical point of view, I don't think that we should need to worry about CRL numbers wrapping. According to my calculations, if one assigns cRLNumber 1 to the first CRL and then numbers CRLs consecutively, one could issue a new CRL every second for 68 years before the cRLNumber would require more than 4 bytes (32 bits) to encode. On the other hand, if you're willing to issue a new CRL only once a minute, it would take 4083 years before the cRLNumber would require more than 4 bytes to encode. BTW, I thought that the purpose of the "(0 .. MAX)" was just to prevent use of negative numbers. While there may, in theory be a limit to the size of an integer that may be encoded, for all practical purposes, one can encode any integet. According to "A Layman's Guide to a Subset of ASN.1, BER, and DER", a DER encoded value can have a length of up to 2 ** 1008 - 1 bytes. Thus, MAX = 2 ** [8 * ((2 ** 1008) - 1) - 1] - 1, which is far larger than any number we would ever need. Dave At 08:57 PM 5/8/01 -0700, Ambarish Malpani wrote: > >I always thought MAX for ASN.1 INTEGERs was something I would never >need to worry about. > >Looks like I was wrong :-) > >By the way, what is MAX? I know that we can represent numbers with >over 2048 bits... > >A > >-----Original Message----- >From: Carlin Covey >To: Housley, Russ; Santosh Chokhani >Cc: ietf-pkix@imc.org >Sent: 5/8/01 5:53 PM >Subject: RE: delta CRLs > >Russ, > >A week or two ago we arrived at a consensus to remove the requirement >that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the >CA chooses to issue them simultaneously, why would they need to be numbered >the same? If this requirement were lifted, it seems like requiring the CRL >number to be "strictly increasing" in a sequence would be preferable to >"monotonically increasing". "Monotonically increasing" allows the possibility >that the CRL number never changes, which seems undesirable. I realize >that in either case the CRL number might wrap around at some point in the future. >That is inevitable, given that that CRL number is defined as INTEGER (0..MAX). >What else can a CA do when CRL number reaches MAX, stop issuing CRLs? > >"monotonically increasing" - Definition: A function from a partially order[ed] >domain to a partially ordered range such that x >= y implies f(x) >= f(y). > >- From the NIST web site: >http://hissa.nist.gov/dads/HTML/monotoncincr.html > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > >-----Original Message----- >From: Housley, Russ [mailto:rhousley@rsasecurity.com] >Sent: Monday, May 07, 2001 6:21 AM >To: Santosh Chokhani >Cc: ietf-pkix@imc.org >Subject: RE: delta CRLs > > >Santosh: > >X.509 may allow the CRL number to wrap around, but I do not believe that >PKIX does. > > 5.2.3 CRL Number > > The CRL number is a non-critical CRL extension which conveys a > monotonically increasing sequence number for each CRL issued by a CA. > This extension allows users to easily determine when a particular CRL > supersedes another CRL. CAs conforming to this profile MUST include > this extension in all CRLs. > > id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } > >Russ > > >At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote: > > >Actually, the text allows for the wrap of the numbers. Please see Annex B > >of X.509. Thus, it is not strictly increasing > > > >-----Original Message----- > >From: Peter Sylvester > >[<mailto:Peter.Sylvester@EdelWeb.fr>mailto:Peter.Sylvester@EdelWeb.fr] > >Sent: Saturday, May 05, 2001 2:08 PM > >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; > >chokhani@cygnacom.com > >Cc: ietf-pkix@imc.org > >Subject: RE: delta CRLs > > > > > Trevor: > > > > > > The 2000 version of X.509 is very clear on this. For a given CRL stream > > > identifier, the CRL number is unique whether it is base or delta. That is > > > why delta number has to be greater than the base. > > > >" 8.5.2.1 CRL number extension > > > > This CRL extension field conveys a monotonically increasing sequence > > number .." > > > >The text might be clearer IMHO if 'strictly increasing' would be used > >instead. ------=_NextPart_000_0077_01C0D873.B4133450 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>RE: delta CRLs</TITLE> <META content=3D"text/html; charset=3Diso-8859-1" = http-equiv=3DContent-Type> <META content=3D"MSHTML 5.00.3103.1000" name=3DGENERATOR></HEAD> <BODY> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D121152317-09052001>Santosh,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D121152317-09052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D121152317-09052001>I=20 don't see that it matters whether the delta-CRL or the full CRL is = assigned the=20 earlier number. But I'm not hard over about assigning them = different=20 numbers. I'm still willing to be convinced that it is bad that = they have=20 different numbers, or good that they have the same number. Earlier = today=20 Stephen Henson presented one argument for numbering them the same. = Perhaps=20 that is a compelling reason.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D121152317-09052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D121152317-09052001> <P><FONT=20 size=3D2>Regards,<BR><BR>Carlin<BR><BR>____________________________<BR><B= R>- =20 Carlin Covey<BR> Cylink Corporation = </FONT></P></SPAN></FONT></DIV> <BLOCKQUOTE style=3D"MARGIN-RIGHT: 0px"> <DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B> Santosh Chokhani=20 [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Wednesday, May 09, 2001 = 10:13=20 AM<BR><B>To:</B> Carlin Covey; Santosh Chokhani<BR><B>Cc:</B>=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta = CRLs<BR><BR></DIV></FONT> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D742462017-09052001>Are=20 you suggesting that when they are issued at the same time, they should = still=20 have a different CRL number?</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D742462017-09052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D742462017-09052001>Which one should have the number n and = which one=20 n+1?</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D742462017-09052001></SPAN></FONT> </DIV> <DIV class=3DOutlookMessageHeader><FONT face=3D"Times New Roman"=20 size=3D2>-----Original Message-----<BR><B>From:</B> Carlin Covey=20 [mailto:ccovey@cylink.com]<BR><B>Sent:</B> Wednesday, May 09, 2001 = 1:16=20 PM<BR><B>To:</B> Santosh Chokhani<BR><B>Cc:</B>=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta = CRLs<BR><BR></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D523265216-09052001>Santosh,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D523265216-09052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D523265216-09052001>If=20 simultaneously-issued delta-CRLs and full CRLs are to be numbered the = same, I=20 think your wording is a significant improvement over the current=20 wording. However, I'm still undecided whether they should be = numbered=20 the same. It seems like simultaneously-issued delta-CRLs and = full CRLs=20 (and constructed CRLs) could be matched via the thisUpdate field = without the=20 necessity of violating the strictly increasing provision for CRL=20 numbers. A unique reference for each CRL would be useful for = evidentiary=20 purposes, and for historical validation. Rendering a CRL = identifier=20 unique already requires the issuer ID, the set of reason codes, = the set=20 of certificate types, and either the CRL number or the thisUpdate = value. =20 I wonder if it is necessary to add the full vs. delta status as=20 well.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D523265216-09052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D523265216-09052001>-=20 Carlin</SPAN></FONT></DIV> <DIV><SPAN class=3D523265216-09052001></SPAN><FONT face=3DTahoma><FONT = size=3D2><SPAN class=3D523265216-09052001><FONT color=3D#0000ff=20 face=3DArial> </FONT></SPAN></FONT></FONT></DIV> <DIV><FONT face=3DTahoma><FONT size=3D2><SPAN=20 class=3D523265216-09052001> </SPAN>-----Original=20 Message-----<BR><B>From:</B> Santosh Chokhani=20 [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Wednesday, May 09, 2001 = 9:28=20 AM<BR><B>To:</B> Carlin Covey; drh@celocom.com; David A. Cooper;=20 ambarish@valicert.com; Santosh Chokhani<BR><B>Cc:</B>=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta = CRLs<BR><BR></DIV></FONT> <BLOCKQUOTE style=3D"MARGIN-RIGHT: 0px"></FONT> <P><FONT size=3D2>I am simply suggesting that the numbers be = strictly=20 increasing, but if a base and delta are generated at the same time, = they=20 will have the same sequence number. Thus, if two CRLs (in the = same=20 stream identifier or when stream identifier is absent), have numbers = n and=20 m, the following shall be true (assuming no wrapping)</FONT></P> <P><FONT size=3D2> n =3D m if and only if thisUpdate of n =3D = thisUpdate of=20 m</FONT> </P> <P><FONT size=3D2> n > m if and only if thisUpdate of n > = thisUpdate of m</FONT> </P> <P><FONT size=3D2> n < m if and only if thisUpdate of n < = thisUpdate of m</FONT> </P> <P><FONT size=3D2>-----Original Message-----</FONT> <BR><FONT = size=3D2>From:=20 Carlin Covey [<A=20 = href=3D"mailto:ccovey@cylink.com">mailto:ccovey@cylink.com</A>]</FONT>=20 <BR><FONT size=3D2>Sent: Wednesday, May 09, 2001 11:28 AM</FONT> = <BR><FONT=20 size=3D2>To: drh@celocom.com; David A. Cooper; = ambarish@valicert.com;</FONT>=20 <BR><FONT size=3D2>chokhani@cygnacom.com</FONT> <BR><FONT = size=3D2>Cc:=20 ietf-pkix@imc.org</FONT> <BR><FONT size=3D2>Subject: RE: delta = CRLs</FONT>=20 </P><BR> <P><FONT size=3D2>David, Stephen, Ambarish, and Santosh,</FONT> </P> <P><FONT size=3D2>Some of us are in the business for the looooong = haul. =20 ;>)</FONT> </P> <P><FONT size=3D2>Actually, I wasn't concerned about the CRL number = wrapping,=20 but that</FONT> <BR><FONT size=3D2>possibility was advanced a few = days ago as=20 an argument against the use of</FONT> <BR><FONT size=3D2>the = "strictly=20 increasing" wording. Another email commented that PKIX = did</FONT>=20 <BR><FONT size=3D2>not permit the number to wrap, although X.509 = might. =20 The only evidence I</FONT> <BR><FONT size=3D2>could find for X.509 = permitting=20 the number to wrap was "(0 .. MAX)". As</FONT> <BR><FONT=20 size=3D2>various people have pointed out, one could be drumming = one's fingers=20 for</FONT> <BR><FONT size=3D2>quite a while........</FONT> </P> <P><FONT size=3D2>My real point was that the "monotonically = increasing"=20 wording permits the</FONT> <BR><FONT size=3D2>CRL number to stay the = same,=20 while "strictly increasing" forces the numbers</FONT> <BR><FONT = size=3D2>to be=20 unique (issues of wrapping aside in both cases). Stephen = Henson=20 just</FONT> <BR><FONT size=3D2>pointed out a reason why one might = want the CRL=20 number to stay the same when</FONT> <BR><FONT size=3D2>issuing a = delta CRL at=20 the same time as a full CRL. I am not arguing either</FONT> = <BR><FONT=20 size=3D2>for or against that case, but it seems desirable to force = the CRL=20 numbers to</FONT> <BR><FONT size=3D2>be unique in most cases. = (Unless,=20 the CRLs are distinguished based upon</FONT> <BR><FONT = size=3D2>thisUpdate, as=20 Santosh has suggested.)</FONT> </P> <P><FONT size=3D2>Regards,</FONT> </P> <P><FONT size=3D2>Carlin</FONT> </P> <P><FONT size=3D2>____________________________</FONT> </P> <P><FONT size=3D2>- Carlin Covey</FONT> <BR><FONT = size=3D2> =20 Cylink Corporation</FONT> </P><BR><BR> <P><FONT size=3D2>-----Original Message-----</FONT> <BR><FONT = size=3D2>From:=20 David A. Cooper [<A=20 = href=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]</= FONT>=20 <BR><FONT size=3D2>Sent: Wednesday, May 09, 2001 6:03 AM</FONT> = <BR><FONT=20 size=3D2>To: 'ietf-pkix@imc.org '</FONT> <BR><FONT size=3D2>Subject: = RE: delta=20 CRLs</FONT> </P><BR> <P><FONT size=3D2> From a practical point of view, I don't = think that we=20 should need to worry</FONT> <BR><FONT size=3D2>about CRL numbers=20 wrapping. According to my calculations, if one assigns</FONT>=20 <BR><FONT size=3D2>cRLNumber 1 to the first CRL and then numbers = CRLs=20 consecutively, one could</FONT> <BR><FONT size=3D2>issue a new CRL = every=20 second for 68 years before the cRLNumber would require</FONT> = <BR><FONT=20 size=3D2>more than 4 bytes (32 bits) to encode. On the other = hand, if=20 you're willing</FONT> <BR><FONT size=3D2>to issue a new CRL only = once a=20 minute, it would take 4083 years before the</FONT> <BR><FONT=20 size=3D2>cRLNumber would require more than 4 bytes to encode.</FONT> = </P> <P><FONT size=3D2>BTW, I thought that the purpose of the "(0 .. = MAX)" was just=20 to prevent use</FONT> <BR><FONT size=3D2>of negative numbers. While = there may,=20 in theory be a limit to the size of an</FONT> <BR><FONT = size=3D2>integer that=20 may be encoded, for all practical purposes, one can encode = any</FONT>=20 <BR><FONT size=3D2>integet. According to "A Layman's Guide to a = Subset of=20 ASN.1, BER, and DER",</FONT> <BR><FONT size=3D2>a DER encoded value = can have a=20 length of up to 2 ** 1008 - 1 bytes. Thus,</FONT> <BR><FONT = size=3D2>MAX =3D 2=20 ** [8 * ((2 ** 1008) - 1) - 1] - 1, which is far larger than = any</FONT>=20 <BR><FONT size=3D2>number we would ever need.</FONT> </P> <P><FONT size=3D2>Dave</FONT> </P> <P><FONT size=3D2>At 08:57 PM 5/8/01 -0700, Ambarish Malpani = wrote:</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT size=3D2>>I always = thought MAX for=20 ASN.1 INTEGERs was something I would never</FONT> <BR><FONT = size=3D2>>need=20 to worry about.</FONT> <BR><FONT size=3D2>></FONT> <BR><FONT=20 size=3D2>>Looks like I was wrong :-)</FONT> <BR><FONT = size=3D2>></FONT>=20 <BR><FONT size=3D2>>By the way, what is MAX? I know that we can = represent=20 numbers with</FONT> <BR><FONT size=3D2>>over 2048 bits...</FONT> = <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>A</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>-----Original = Message-----</FONT>=20 <BR><FONT size=3D2>>From: Carlin Covey</FONT> <BR><FONT = size=3D2>>To:=20 Housley, Russ; Santosh Chokhani</FONT> <BR><FONT size=3D2>>Cc:=20 ietf-pkix@imc.org</FONT> <BR><FONT size=3D2>>Sent: 5/8/01 5:53 = PM</FONT>=20 <BR><FONT size=3D2>>Subject: RE: delta CRLs</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>Russ,</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>A week or two ago we = arrived at a=20 consensus to remove the requirement</FONT> <BR><FONT = size=3D2>>that a CA=20 issue a full CRL whenever the CA issues a Delta-CRL. If = the</FONT>=20 <BR><FONT size=3D2>>CA chooses to issue them simultaneously, why = would they=20 need to be numbered</FONT> <BR><FONT size=3D2>>the same? If = this=20 requirement were lifted, it seems like requiring the CRL</FONT> = <BR><FONT=20 size=3D2>>number to be "strictly increasing" in a sequence would = be=20 preferable to</FONT> <BR><FONT size=3D2>>"monotonically = increasing". =20 "Monotonically increasing" allows the</FONT> <BR><FONT=20 size=3D2>possibility</FONT> <BR><FONT size=3D2>>that the CRL = number never=20 changes, which seems undesirable. I realize</FONT> <BR><FONT=20 size=3D2>>that in either case the CRL number might wrap around at = some=20 point in the</FONT> <BR><FONT size=3D2>future.</FONT> <BR><FONT=20 size=3D2>>That is inevitable, given that that CRL number is = defined as=20 INTEGER</FONT> <BR><FONT size=3D2>(0..MAX).</FONT> <BR><FONT = size=3D2>>What=20 else can a CA do when CRL number reaches MAX, stop issuing = CRLs?</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT size=3D2>>"monotonically = increasing"=20 - Definition: A function from a partially</FONT> <BR><FONT=20 size=3D2>order[ed]</FONT> <BR><FONT size=3D2>>domain to a = partially ordered=20 range such that x >=3D y implies f(x) >=3D f(y).</FONT> = <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>- From the NIST web = site:</FONT>=20 <BR><FONT size=3D2>><A=20 href=3D"http://hissa.nist.gov/dads/HTML/monotoncincr.html"=20 = target=3D_blank>http://hissa.nist.gov/dads/HTML/monotoncincr.html</A></FO= NT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>>Regards,</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>Carlin</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT = size=3D2>>____________________________</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT size=3D2>>- Carlin = Covey</FONT> <BR><FONT size=3D2>> Cylink=20 Corporation</FONT> <BR><FONT size=3D2>></FONT> <BR><FONT=20 size=3D2>>-----Original Message-----</FONT> <BR><FONT = size=3D2>>From:=20 Housley, Russ [<A=20 = href=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com<= /A>]</FONT>=20 <BR><FONT size=3D2>>Sent: Monday, May 07, 2001 6:21 AM</FONT> = <BR><FONT=20 size=3D2>>To: Santosh Chokhani</FONT> <BR><FONT size=3D2>>Cc:=20 ietf-pkix@imc.org</FONT> <BR><FONT size=3D2>>Subject: RE: delta = CRLs</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT size=3D2>></FONT> = <BR><FONT=20 size=3D2>>Santosh:</FONT> <BR><FONT size=3D2>></FONT> = <BR><FONT=20 size=3D2>>X.509 may allow the CRL number to wrap around, but I do = not=20 believe that</FONT> <BR><FONT size=3D2>>PKIX does.</FONT> = <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>> = 5.2.3 =20 CRL Number</FONT> <BR><FONT size=3D2>></FONT> <BR><FONT=20 size=3D2>> The CRL number is a = non-critical CRL=20 extension which conveys a</FONT> <BR><FONT=20 size=3D2>> monotonically increasing = sequence number=20 for each CRL issued by a CA.</FONT> <BR><FONT=20 size=3D2>> This extension allows users to = easily=20 determine when a particular CRL</FONT> <BR><FONT=20 size=3D2>> supersedes another CRL. = CAs=20 conforming to this profile MUST include</FONT> <BR><FONT=20 size=3D2>> this extension in all = CRLs.</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>> =20 id-ce-cRLNumber OBJECT IDENTIFIER ::=3D { id-ce 20 }</FONT> = <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>Russ</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>>At=20 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote:</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>> >Actually, the text = allows for=20 the wrap of the numbers. Please see Annex</FONT> <BR><FONT=20 size=3D2>B</FONT> <BR><FONT size=3D2>> >of X.509. Thus, = it is not=20 strictly increasing</FONT> <BR><FONT size=3D2>> ></FONT> = <BR><FONT=20 size=3D2>> >-----Original Message-----</FONT> <BR><FONT = size=3D2>>=20 >From: Peter Sylvester</FONT> <BR><FONT size=3D2>> >[<<A = = href=3D"mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWeb= .fr</A>><A=20 = href=3D"mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWeb= .fr</A>]</FONT>=20 <BR><FONT size=3D2>> >Sent: Saturday, May 05, 2001 2:08 = PM</FONT>=20 <BR><FONT size=3D2>> >To: trevorf@windows.microsoft.com;=20 rhousley@rsasecurity.com;</FONT> <BR><FONT size=3D2>>=20 >chokhani@cygnacom.com</FONT> <BR><FONT size=3D2>> >Cc:=20 ietf-pkix@imc.org</FONT> <BR><FONT size=3D2>> >Subject: RE: = delta=20 CRLs</FONT> <BR><FONT size=3D2>> ></FONT> <BR><FONT = size=3D2>> >=20 > Trevor:</FONT> <BR><FONT size=3D2>> > ></FONT> = <BR><FONT=20 size=3D2>> > > The 2000 version of X.509 is very clear on = this. =20 For a given CRL</FONT> <BR><FONT size=3D2>stream</FONT> <BR><FONT = size=3D2>>=20 > > identifier, the CRL number is unique whether it is base or = delta.=20 That</FONT> <BR><FONT size=3D2>is</FONT> <BR><FONT size=3D2>> = > > why=20 delta number has to be greater than the base.</FONT> <BR><FONT = size=3D2>>=20 ></FONT> <BR><FONT size=3D2>> >" 8.5.2.1 CRL number = extension</FONT>=20 <BR><FONT size=3D2>> ></FONT> <BR><FONT size=3D2>> = > =20 This CRL extension field conveys a monotonically increasing = sequence</FONT>=20 <BR><FONT size=3D2>> > number .."</FONT> <BR><FONT = size=3D2>>=20 ></FONT> <BR><FONT size=3D2>> >The text might be clearer = IMHO if=20 'strictly increasing' would be used</FONT> <BR><FONT size=3D2>>=20 >instead.</FONT> </P></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_0077_01C0D873.B4133450-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA03801 for <ietf-pkix@imc.org>; Wed, 9 May 2001 10:22:56 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <KS8ZMMAX>; Wed, 9 May 2001 13:22:27 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE939@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Carlin Covey <ccovey@cylink.com>, Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Wed, 9 May 2001 13:13:13 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D8AB.54A54B60" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D8AB.54A54B60 Content-Type: text/plain; charset="iso-8859-1" Are you suggesting that when they are issued at the same time, they should still have a different CRL number? Which one should have the number n and which one n+1? -----Original Message----- From: Carlin Covey [mailto:ccovey@cylink.com] Sent: Wednesday, May 09, 2001 1:16 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh, If simultaneously-issued delta-CRLs and full CRLs are to be numbered the same, I think your wording is a significant improvement over the current wording. However, I'm still undecided whether they should be numbered the same. It seems like simultaneously-issued delta-CRLs and full CRLs (and constructed CRLs) could be matched via the thisUpdate field without the necessity of violating the strictly increasing provision for CRL numbers. A unique reference for each CRL would be useful for evidentiary purposes, and for historical validation. Rendering a CRL identifier unique already requires the issuer ID, the set of reason codes, the set of certificate types, and either the CRL number or the thisUpdate value. I wonder if it is necessary to add the full vs. delta status as well. - Carlin -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Wednesday, May 09, 2001 9:28 AM To: Carlin Covey; drh@celocom.com; David A. Cooper; ambarish@valicert.com; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs I am simply suggesting that the numbers be strictly increasing, but if a base and delta are generated at the same time, they will have the same sequence number. Thus, if two CRLs (in the same stream identifier or when stream identifier is absent), have numbers n and m, the following shall be true (assuming no wrapping) n = m if and only if thisUpdate of n = thisUpdate of m n > m if and only if thisUpdate of n > thisUpdate of m n < m if and only if thisUpdate of n < thisUpdate of m -----Original Message----- From: Carlin Covey [ mailto:ccovey@cylink.com <mailto:ccovey@cylink.com> ] Sent: Wednesday, May 09, 2001 11:28 AM To: drh@celocom.com; David A. Cooper; ambarish@valicert.com; chokhani@cygnacom.com Cc: ietf-pkix@imc.org Subject: RE: delta CRLs David, Stephen, Ambarish, and Santosh, Some of us are in the business for the looooong haul. ;>) Actually, I wasn't concerned about the CRL number wrapping, but that possibility was advanced a few days ago as an argument against the use of the "strictly increasing" wording. Another email commented that PKIX did not permit the number to wrap, although X.509 might. The only evidence I could find for X.509 permitting the number to wrap was "(0 .. MAX)". As various people have pointed out, one could be drumming one's fingers for quite a while........ My real point was that the "monotonically increasing" wording permits the CRL number to stay the same, while "strictly increasing" forces the numbers to be unique (issues of wrapping aside in both cases). Stephen Henson just pointed out a reason why one might want the CRL number to stay the same when issuing a delta CRL at the same time as a full CRL. I am not arguing either for or against that case, but it seems desirable to force the CRL numbers to be unique in most cases. (Unless, the CRLs are distinguished based upon thisUpdate, as Santosh has suggested.) Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: David A. Cooper [ mailto:david.cooper@nist.gov <mailto:david.cooper@nist.gov> ] Sent: Wednesday, May 09, 2001 6:03 AM To: 'ietf-pkix@imc.org ' Subject: RE: delta CRLs From a practical point of view, I don't think that we should need to worry about CRL numbers wrapping. According to my calculations, if one assigns cRLNumber 1 to the first CRL and then numbers CRLs consecutively, one could issue a new CRL every second for 68 years before the cRLNumber would require more than 4 bytes (32 bits) to encode. On the other hand, if you're willing to issue a new CRL only once a minute, it would take 4083 years before the cRLNumber would require more than 4 bytes to encode. BTW, I thought that the purpose of the "(0 .. MAX)" was just to prevent use of negative numbers. While there may, in theory be a limit to the size of an integer that may be encoded, for all practical purposes, one can encode any integet. According to "A Layman's Guide to a Subset of ASN.1, BER, and DER", a DER encoded value can have a length of up to 2 ** 1008 - 1 bytes. Thus, MAX = 2 ** [8 * ((2 ** 1008) - 1) - 1] - 1, which is far larger than any number we would ever need. Dave At 08:57 PM 5/8/01 -0700, Ambarish Malpani wrote: > >I always thought MAX for ASN.1 INTEGERs was something I would never >need to worry about. > >Looks like I was wrong :-) > >By the way, what is MAX? I know that we can represent numbers with >over 2048 bits... > >A > >-----Original Message----- >From: Carlin Covey >To: Housley, Russ; Santosh Chokhani >Cc: ietf-pkix@imc.org >Sent: 5/8/01 5:53 PM >Subject: RE: delta CRLs > >Russ, > >A week or two ago we arrived at a consensus to remove the requirement >that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the >CA chooses to issue them simultaneously, why would they need to be numbered >the same? If this requirement were lifted, it seems like requiring the CRL >number to be "strictly increasing" in a sequence would be preferable to >"monotonically increasing". "Monotonically increasing" allows the possibility >that the CRL number never changes, which seems undesirable. I realize >that in either case the CRL number might wrap around at some point in the future. >That is inevitable, given that that CRL number is defined as INTEGER (0..MAX). >What else can a CA do when CRL number reaches MAX, stop issuing CRLs? > >"monotonically increasing" - Definition: A function from a partially order[ed] >domain to a partially ordered range such that x >= y implies f(x) >= f(y). > >- From the NIST web site: > http://hissa.nist.gov/dads/HTML/monotoncincr.html <http://hissa.nist.gov/dads/HTML/monotoncincr.html> > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > >-----Original Message----- >From: Housley, Russ [ mailto:rhousley@rsasecurity.com <mailto:rhousley@rsasecurity.com> ] >Sent: Monday, May 07, 2001 6:21 AM >To: Santosh Chokhani >Cc: ietf-pkix@imc.org >Subject: RE: delta CRLs > > >Santosh: > >X.509 may allow the CRL number to wrap around, but I do not believe that >PKIX does. > > 5.2.3 CRL Number > > The CRL number is a non-critical CRL extension which conveys a > monotonically increasing sequence number for each CRL issued by a CA. > This extension allows users to easily determine when a particular CRL > supersedes another CRL. CAs conforming to this profile MUST include > this extension in all CRLs. > > id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } > >Russ > > >At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote: > > >Actually, the text allows for the wrap of the numbers. Please see Annex B > >of X.509. Thus, it is not strictly increasing > > > >-----Original Message----- > >From: Peter Sylvester > >[< mailto:Peter.Sylvester@EdelWeb.fr <mailto:Peter.Sylvester@EdelWeb.fr> > mailto:Peter.Sylvester@EdelWeb.fr <mailto:Peter.Sylvester@EdelWeb.fr> ] > >Sent: Saturday, May 05, 2001 2:08 PM > >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; > >chokhani@cygnacom.com > >Cc: ietf-pkix@imc.org > >Subject: RE: delta CRLs > > > > > Trevor: > > > > > > The 2000 version of X.509 is very clear on this. For a given CRL stream > > > identifier, the CRL number is unique whether it is base or delta. That is > > > why delta number has to be greater than the base. > > > >" 8.5.2.1 CRL number extension > > > > This CRL extension field conveys a monotonically increasing sequence > > number .." > > > >The text might be clearer IMHO if 'strictly increasing' would be used > >instead. ------_=_NextPart_001_01C0D8AB.54A54B60 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>RE: delta CRLs</TITLE> <META content="MSHTML 5.00.2014.210" name=GENERATOR></HEAD> <BODY> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=742462017-09052001>Are you suggesting that when they are issued at the same time, they should still have a different CRL number?</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=742462017-09052001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=742462017-09052001>Which one should have the number n and which one n+1?</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=742462017-09052001></SPAN></FONT> </DIV> <DIV class=OutlookMessageHeader><FONT face="Times New Roman" size=2>-----Original Message-----<BR><B>From:</B> Carlin Covey [mailto:ccovey@cylink.com]<BR><B>Sent:</B> Wednesday, May 09, 2001 1:16 PM<BR><B>To:</B> Santosh Chokhani<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta CRLs<BR><BR></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=523265216-09052001>Santosh,</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=523265216-09052001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=523265216-09052001>If simultaneously-issued delta-CRLs and full CRLs are to be numbered the same, I think your wording is a significant improvement over the current wording. However, I'm still undecided whether they should be numbered the same. It seems like simultaneously-issued delta-CRLs and full CRLs (and constructed CRLs) could be matched via the thisUpdate field without the necessity of violating the strictly increasing provision for CRL numbers. A unique reference for each CRL would be useful for evidentiary purposes, and for historical validation. Rendering a CRL identifier unique already requires the issuer ID, the set of reason codes, the set of certificate types, and either the CRL number or the thisUpdate value. I wonder if it is necessary to add the full vs. delta status as well.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=523265216-09052001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=523265216-09052001>- Carlin</SPAN></FONT></DIV> <DIV><SPAN class=523265216-09052001></SPAN><FONT face=Tahoma><FONT size=2><SPAN class=523265216-09052001><FONT color=#0000ff face=Arial> </FONT></SPAN></FONT></FONT></DIV> <DIV><FONT face=Tahoma><FONT size=2><SPAN class=523265216-09052001> </SPAN>-----Original Message-----<BR><B>From:</B> Santosh Chokhani [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> Wednesday, May 09, 2001 9:28 AM<BR><B>To:</B> Carlin Covey; drh@celocom.com; David A. Cooper; ambarish@valicert.com; Santosh Chokhani<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta CRLs<BR><BR></DIV></FONT> <BLOCKQUOTE style="MARGIN-RIGHT: 0px"></FONT> <P><FONT size=2>I am simply suggesting that the numbers be strictly increasing, but if a base and delta are generated at the same time, they will have the same sequence number. Thus, if two CRLs (in the same stream identifier or when stream identifier is absent), have numbers n and m, the following shall be true (assuming no wrapping)</FONT></P> <P><FONT size=2> n = m if and only if thisUpdate of n = thisUpdate of m</FONT> </P> <P><FONT size=2> n > m if and only if thisUpdate of n > thisUpdate of m</FONT> </P> <P><FONT size=2> n < m if and only if thisUpdate of n < thisUpdate of m</FONT> </P> <P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From: Carlin Covey [<A href="mailto:ccovey@cylink.com">mailto:ccovey@cylink.com</A>]</FONT> <BR><FONT size=2>Sent: Wednesday, May 09, 2001 11:28 AM</FONT> <BR><FONT size=2>To: drh@celocom.com; David A. Cooper; ambarish@valicert.com;</FONT> <BR><FONT size=2>chokhani@cygnacom.com</FONT> <BR><FONT size=2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>Subject: RE: delta CRLs</FONT> </P><BR> <P><FONT size=2>David, Stephen, Ambarish, and Santosh,</FONT> </P> <P><FONT size=2>Some of us are in the business for the looooong haul. ;>)</FONT> </P> <P><FONT size=2>Actually, I wasn't concerned about the CRL number wrapping, but that</FONT> <BR><FONT size=2>possibility was advanced a few days ago as an argument against the use of</FONT> <BR><FONT size=2>the "strictly increasing" wording. Another email commented that PKIX did</FONT> <BR><FONT size=2>not permit the number to wrap, although X.509 might. The only evidence I</FONT> <BR><FONT size=2>could find for X.509 permitting the number to wrap was "(0 .. MAX)". As</FONT> <BR><FONT size=2>various people have pointed out, one could be drumming one's fingers for</FONT> <BR><FONT size=2>quite a while........</FONT> </P> <P><FONT size=2>My real point was that the "monotonically increasing" wording permits the</FONT> <BR><FONT size=2>CRL number to stay the same, while "strictly increasing" forces the numbers</FONT> <BR><FONT size=2>to be unique (issues of wrapping aside in both cases). Stephen Henson just</FONT> <BR><FONT size=2>pointed out a reason why one might want the CRL number to stay the same when</FONT> <BR><FONT size=2>issuing a delta CRL at the same time as a full CRL. I am not arguing either</FONT> <BR><FONT size=2>for or against that case, but it seems desirable to force the CRL numbers to</FONT> <BR><FONT size=2>be unique in most cases. (Unless, the CRLs are distinguished based upon</FONT> <BR><FONT size=2>thisUpdate, as Santosh has suggested.)</FONT> </P> <P><FONT size=2>Regards,</FONT> </P> <P><FONT size=2>Carlin</FONT> </P> <P><FONT size=2>____________________________</FONT> </P> <P><FONT size=2>- Carlin Covey</FONT> <BR><FONT size=2> Cylink Corporation</FONT> </P><BR><BR> <P><FONT size=2>-----Original Message-----</FONT> <BR><FONT size=2>From: David A. Cooper [<A href="mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]</FONT> <BR><FONT size=2>Sent: Wednesday, May 09, 2001 6:03 AM</FONT> <BR><FONT size=2>To: 'ietf-pkix@imc.org '</FONT> <BR><FONT size=2>Subject: RE: delta CRLs</FONT> </P><BR> <P><FONT size=2> From a practical point of view, I don't think that we should need to worry</FONT> <BR><FONT size=2>about CRL numbers wrapping. According to my calculations, if one assigns</FONT> <BR><FONT size=2>cRLNumber 1 to the first CRL and then numbers CRLs consecutively, one could</FONT> <BR><FONT size=2>issue a new CRL every second for 68 years before the cRLNumber would require</FONT> <BR><FONT size=2>more than 4 bytes (32 bits) to encode. On the other hand, if you're willing</FONT> <BR><FONT size=2>to issue a new CRL only once a minute, it would take 4083 years before the</FONT> <BR><FONT size=2>cRLNumber would require more than 4 bytes to encode.</FONT> </P> <P><FONT size=2>BTW, I thought that the purpose of the "(0 .. MAX)" was just to prevent use</FONT> <BR><FONT size=2>of negative numbers. While there may, in theory be a limit to the size of an</FONT> <BR><FONT size=2>integer that may be encoded, for all practical purposes, one can encode any</FONT> <BR><FONT size=2>integet. According to "A Layman's Guide to a Subset of ASN.1, BER, and DER",</FONT> <BR><FONT size=2>a DER encoded value can have a length of up to 2 ** 1008 - 1 bytes. Thus,</FONT> <BR><FONT size=2>MAX = 2 ** [8 * ((2 ** 1008) - 1) - 1] - 1, which is far larger than any</FONT> <BR><FONT size=2>number we would ever need.</FONT> </P> <P><FONT size=2>Dave</FONT> </P> <P><FONT size=2>At 08:57 PM 5/8/01 -0700, Ambarish Malpani wrote:</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>I always thought MAX for ASN.1 INTEGERs was something I would never</FONT> <BR><FONT size=2>>need to worry about.</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>Looks like I was wrong :-)</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>By the way, what is MAX? I know that we can represent numbers with</FONT> <BR><FONT size=2>>over 2048 bits...</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>A</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>-----Original Message-----</FONT> <BR><FONT size=2>>From: Carlin Covey</FONT> <BR><FONT size=2>>To: Housley, Russ; Santosh Chokhani</FONT> <BR><FONT size=2>>Cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>>Sent: 5/8/01 5:53 PM</FONT> <BR><FONT size=2>>Subject: RE: delta CRLs</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>Russ,</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>A week or two ago we arrived at a consensus to remove the requirement</FONT> <BR><FONT size=2>>that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the</FONT> <BR><FONT size=2>>CA chooses to issue them simultaneously, why would they need to be numbered</FONT> <BR><FONT size=2>>the same? If this requirement were lifted, it seems like requiring the CRL</FONT> <BR><FONT size=2>>number to be "strictly increasing" in a sequence would be preferable to</FONT> <BR><FONT size=2>>"monotonically increasing". "Monotonically increasing" allows the</FONT> <BR><FONT size=2>possibility</FONT> <BR><FONT size=2>>that the CRL number never changes, which seems undesirable. I realize</FONT> <BR><FONT size=2>>that in either case the CRL number might wrap around at some point in the</FONT> <BR><FONT size=2>future.</FONT> <BR><FONT size=2>>That is inevitable, given that that CRL number is defined as INTEGER</FONT> <BR><FONT size=2>(0..MAX).</FONT> <BR><FONT size=2>>What else can a CA do when CRL number reaches MAX, stop issuing CRLs?</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>"monotonically increasing" - Definition: A function from a partially</FONT> <BR><FONT size=2>order[ed]</FONT> <BR><FONT size=2>>domain to a partially ordered range such that x >= y implies f(x) >= f(y).</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>- From the NIST web site:</FONT> <BR><FONT size=2>><A href="http://hissa.nist.gov/dads/HTML/monotoncincr.html" target=_blank>http://hissa.nist.gov/dads/HTML/monotoncincr.html</A></FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>Regards,</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>Carlin</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>____________________________</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>- Carlin Covey</FONT> <BR><FONT size=2>> Cylink Corporation</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>-----Original Message-----</FONT> <BR><FONT size=2>>From: Housley, Russ [<A href="mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com</A>]</FONT> <BR><FONT size=2>>Sent: Monday, May 07, 2001 6:21 AM</FONT> <BR><FONT size=2>>To: Santosh Chokhani</FONT> <BR><FONT size=2>>Cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>>Subject: RE: delta CRLs</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>Santosh:</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>X.509 may allow the CRL number to wrap around, but I do not believe that</FONT> <BR><FONT size=2>>PKIX does.</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>> 5.2.3 CRL Number</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>> The CRL number is a non-critical CRL extension which conveys a</FONT> <BR><FONT size=2>> monotonically increasing sequence number for each CRL issued by a CA.</FONT> <BR><FONT size=2>> This extension allows users to easily determine when a particular CRL</FONT> <BR><FONT size=2>> supersedes another CRL. CAs conforming to this profile MUST include</FONT> <BR><FONT size=2>> this extension in all CRLs.</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>> id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 }</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>Russ</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>>At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote:</FONT> <BR><FONT size=2>></FONT> <BR><FONT size=2>> >Actually, the text allows for the wrap of the numbers. Please see Annex</FONT> <BR><FONT size=2>B</FONT> <BR><FONT size=2>> >of X.509. Thus, it is not strictly increasing</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >-----Original Message-----</FONT> <BR><FONT size=2>> >From: Peter Sylvester</FONT> <BR><FONT size=2>> >[<<A href="mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWeb.fr</A>><A href="mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWeb.fr</A>]</FONT> <BR><FONT size=2>> >Sent: Saturday, May 05, 2001 2:08 PM</FONT> <BR><FONT size=2>> >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com;</FONT> <BR><FONT size=2>> >chokhani@cygnacom.com</FONT> <BR><FONT size=2>> >Cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>> >Subject: RE: delta CRLs</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > > Trevor:</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > > The 2000 version of X.509 is very clear on this. For a given CRL</FONT> <BR><FONT size=2>stream</FONT> <BR><FONT size=2>> > > identifier, the CRL number is unique whether it is base or delta. That</FONT> <BR><FONT size=2>is</FONT> <BR><FONT size=2>> > > why delta number has to be greater than the base.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >" 8.5.2.1 CRL number extension</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > This CRL extension field conveys a monotonically increasing sequence</FONT> <BR><FONT size=2>> > number .."</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> >The text might be clearer IMHO if 'strictly increasing' would be used</FONT> <BR><FONT size=2>> >instead.</FONT> </P></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0D8AB.54A54B60-- Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA03156 for <ietf-pkix@imc.org>; Wed, 9 May 2001 10:16:36 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id J0AR5YG6; Wed, 9 May 2001 10:10:58 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Santosh Chokhani" <chokhani@cygnacom.com> Cc: <ietf-pkix@imc.org> Subject: RE: delta CRLs Date: Wed, 9 May 2001 10:15:51 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGKEFNCEAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0054_01C0D871.0608D4C0" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <8D7EC1912E25D411A32100D0B76953978DE930@scygmxs01.cygnacom.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 This is a multi-part message in MIME format. ------=_NextPart_000_0054_01C0D871.0608D4C0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit RE: delta CRLsSantosh, If simultaneously-issued delta-CRLs and full CRLs are to be numbered the same, I think your wording is a significant improvement over the current wording. However, I'm still undecided whether they should be numbered the same. It seems like simultaneously-issued delta-CRLs and full CRLs (and constructed CRLs) could be matched via the thisUpdate field without the necessity of violating the strictly increasing provision for CRL numbers. A unique reference for each CRL would be useful for evidentiary purposes, and for historical validation. Rendering a CRL identifier unique already requires the issuer ID, the set of reason codes, the set of certificate types, and either the CRL number or the thisUpdate value. I wonder if it is necessary to add the full vs. delta status as well. - Carlin -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Wednesday, May 09, 2001 9:28 AM To: Carlin Covey; drh@celocom.com; David A. Cooper; ambarish@valicert.com; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs I am simply suggesting that the numbers be strictly increasing, but if a base and delta are generated at the same time, they will have the same sequence number. Thus, if two CRLs (in the same stream identifier or when stream identifier is absent), have numbers n and m, the following shall be true (assuming no wrapping) n = m if and only if thisUpdate of n = thisUpdate of m n > m if and only if thisUpdate of n > thisUpdate of m n < m if and only if thisUpdate of n < thisUpdate of m -----Original Message----- From: Carlin Covey [mailto:ccovey@cylink.com] Sent: Wednesday, May 09, 2001 11:28 AM To: drh@celocom.com; David A. Cooper; ambarish@valicert.com; chokhani@cygnacom.com Cc: ietf-pkix@imc.org Subject: RE: delta CRLs David, Stephen, Ambarish, and Santosh, Some of us are in the business for the looooong haul. ;>) Actually, I wasn't concerned about the CRL number wrapping, but that possibility was advanced a few days ago as an argument against the use of the "strictly increasing" wording. Another email commented that PKIX did not permit the number to wrap, although X.509 might. The only evidence I could find for X.509 permitting the number to wrap was "(0 .. MAX)". As various people have pointed out, one could be drumming one's fingers for quite a while........ My real point was that the "monotonically increasing" wording permits the CRL number to stay the same, while "strictly increasing" forces the numbers to be unique (issues of wrapping aside in both cases). Stephen Henson just pointed out a reason why one might want the CRL number to stay the same when issuing a delta CRL at the same time as a full CRL. I am not arguing either for or against that case, but it seems desirable to force the CRL numbers to be unique in most cases. (Unless, the CRLs are distinguished based upon thisUpdate, as Santosh has suggested.) Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Wednesday, May 09, 2001 6:03 AM To: 'ietf-pkix@imc.org ' Subject: RE: delta CRLs From a practical point of view, I don't think that we should need to worry about CRL numbers wrapping. According to my calculations, if one assigns cRLNumber 1 to the first CRL and then numbers CRLs consecutively, one could issue a new CRL every second for 68 years before the cRLNumber would require more than 4 bytes (32 bits) to encode. On the other hand, if you're willing to issue a new CRL only once a minute, it would take 4083 years before the cRLNumber would require more than 4 bytes to encode. BTW, I thought that the purpose of the "(0 .. MAX)" was just to prevent use of negative numbers. While there may, in theory be a limit to the size of an integer that may be encoded, for all practical purposes, one can encode any integet. According to "A Layman's Guide to a Subset of ASN.1, BER, and DER", a DER encoded value can have a length of up to 2 ** 1008 - 1 bytes. Thus, MAX = 2 ** [8 * ((2 ** 1008) - 1) - 1] - 1, which is far larger than any number we would ever need. Dave At 08:57 PM 5/8/01 -0700, Ambarish Malpani wrote: > >I always thought MAX for ASN.1 INTEGERs was something I would never >need to worry about. > >Looks like I was wrong :-) > >By the way, what is MAX? I know that we can represent numbers with >over 2048 bits... > >A > >-----Original Message----- >From: Carlin Covey >To: Housley, Russ; Santosh Chokhani >Cc: ietf-pkix@imc.org >Sent: 5/8/01 5:53 PM >Subject: RE: delta CRLs > >Russ, > >A week or two ago we arrived at a consensus to remove the requirement >that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the >CA chooses to issue them simultaneously, why would they need to be numbered >the same? If this requirement were lifted, it seems like requiring the CRL >number to be "strictly increasing" in a sequence would be preferable to >"monotonically increasing". "Monotonically increasing" allows the possibility >that the CRL number never changes, which seems undesirable. I realize >that in either case the CRL number might wrap around at some point in the future. >That is inevitable, given that that CRL number is defined as INTEGER (0..MAX). >What else can a CA do when CRL number reaches MAX, stop issuing CRLs? > >"monotonically increasing" - Definition: A function from a partially order[ed] >domain to a partially ordered range such that x >= y implies f(x) >= f(y). > >- From the NIST web site: >http://hissa.nist.gov/dads/HTML/monotoncincr.html > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > >-----Original Message----- >From: Housley, Russ [mailto:rhousley@rsasecurity.com] >Sent: Monday, May 07, 2001 6:21 AM >To: Santosh Chokhani >Cc: ietf-pkix@imc.org >Subject: RE: delta CRLs > > >Santosh: > >X.509 may allow the CRL number to wrap around, but I do not believe that >PKIX does. > > 5.2.3 CRL Number > > The CRL number is a non-critical CRL extension which conveys a > monotonically increasing sequence number for each CRL issued by a CA. > This extension allows users to easily determine when a particular CRL > supersedes another CRL. CAs conforming to this profile MUST include > this extension in all CRLs. > > id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } > >Russ > > >At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote: > > >Actually, the text allows for the wrap of the numbers. Please see Annex B > >of X.509. Thus, it is not strictly increasing > > > >-----Original Message----- > >From: Peter Sylvester > >[<mailto:Peter.Sylvester@EdelWeb.fr>mailto:Peter.Sylvester@EdelWeb.fr] > >Sent: Saturday, May 05, 2001 2:08 PM > >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; > >chokhani@cygnacom.com > >Cc: ietf-pkix@imc.org > >Subject: RE: delta CRLs > > > > > Trevor: > > > > > > The 2000 version of X.509 is very clear on this. For a given CRL stream > > > identifier, the CRL number is unique whether it is base or delta. That is > > > why delta number has to be greater than the base. > > > >" 8.5.2.1 CRL number extension > > > > This CRL extension field conveys a monotonically increasing sequence > > number .." > > > >The text might be clearer IMHO if 'strictly increasing' would be used > >instead. ------=_NextPart_000_0054_01C0D871.0608D4C0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>RE: delta CRLs</TITLE> <META content=3D"text/html; charset=3Diso-8859-1" = http-equiv=3DContent-Type> <META content=3D"MSHTML 5.00.3103.1000" name=3DGENERATOR></HEAD> <BODY> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D523265216-09052001>Santosh,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D523265216-09052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D523265216-09052001>If=20 simultaneously-issued delta-CRLs and full CRLs are to be numbered the = same, I=20 think your wording is a significant improvement over the current = wording. =20 However, I'm still undecided whether they should be numbered the = same. It=20 seems like simultaneously-issued delta-CRLs and full CRLs (and = constructed CRLs)=20 could be matched via the thisUpdate field without the necessity of = violating the=20 strictly increasing provision for CRL numbers. A unique reference = for each=20 CRL would be useful for evidentiary purposes, and for historical=20 validation. Rendering a CRL identifier unique already = requires the=20 issuer ID, the set of reason codes, the set of certificate types, = and=20 either the CRL number or the thisUpdate value. I wonder if it is = necessary=20 to add the full vs. delta status as well.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D523265216-09052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D523265216-09052001>-=20 Carlin</SPAN></FONT></DIV> <DIV><SPAN class=3D523265216-09052001></SPAN><FONT face=3DTahoma><FONT = size=3D2><SPAN=20 class=3D523265216-09052001><FONT color=3D#0000ff=20 face=3DArial> </FONT></SPAN></FONT></FONT></DIV> <DIV><FONT face=3DTahoma><FONT size=3D2><SPAN=20 class=3D523265216-09052001> </SPAN>-----Original = Message-----<BR><B>From:</B>=20 Santosh Chokhani [mailto:chokhani@cygnacom.com]<BR><B>Sent:</B> = Wednesday, May=20 09, 2001 9:28 AM<BR><B>To:</B> Carlin Covey; drh@celocom.com; David A. = Cooper;=20 ambarish@valicert.com; Santosh Chokhani<BR><B>Cc:</B>=20 ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta CRLs<BR><BR></DIV></FONT> <BLOCKQUOTE style=3D"MARGIN-RIGHT: 0px"></FONT> <P><FONT size=3D2>I am simply suggesting that the numbers be strictly=20 increasing, but if a base and delta are generated at the same time, = they will=20 have the same sequence number. Thus, if two CRLs (in the same = stream=20 identifier or when stream identifier is absent), have numbers n and m, = the=20 following shall be true (assuming no wrapping)</FONT></P> <P><FONT size=3D2> n =3D m if and only if thisUpdate of n =3D = thisUpdate of=20 m</FONT> </P> <P><FONT size=3D2> n > m if and only if thisUpdate of n > = thisUpdate=20 of m</FONT> </P> <P><FONT size=3D2> n < m if and only if thisUpdate of n < = thisUpdate=20 of m</FONT> </P> <P><FONT size=3D2>-----Original Message-----</FONT> <BR><FONT = size=3D2>From:=20 Carlin Covey [<A=20 href=3D"mailto:ccovey@cylink.com">mailto:ccovey@cylink.com</A>]</FONT> = <BR><FONT=20 size=3D2>Sent: Wednesday, May 09, 2001 11:28 AM</FONT> <BR><FONT = size=3D2>To:=20 drh@celocom.com; David A. Cooper; ambarish@valicert.com;</FONT> = <BR><FONT=20 size=3D2>chokhani@cygnacom.com</FONT> <BR><FONT size=3D2>Cc:=20 ietf-pkix@imc.org</FONT> <BR><FONT size=3D2>Subject: RE: delta = CRLs</FONT>=20 </P><BR> <P><FONT size=3D2>David, Stephen, Ambarish, and Santosh,</FONT> </P> <P><FONT size=3D2>Some of us are in the business for the looooong = haul. =20 ;>)</FONT> </P> <P><FONT size=3D2>Actually, I wasn't concerned about the CRL number = wrapping,=20 but that</FONT> <BR><FONT size=3D2>possibility was advanced a few days = ago as an=20 argument against the use of</FONT> <BR><FONT size=3D2>the "strictly = increasing"=20 wording. Another email commented that PKIX did</FONT> <BR><FONT=20 size=3D2>not permit the number to wrap, although X.509 might. = The only=20 evidence I</FONT> <BR><FONT size=3D2>could find for X.509 permitting = the number=20 to wrap was "(0 .. MAX)". As</FONT> <BR><FONT size=3D2>various = people have=20 pointed out, one could be drumming one's fingers for</FONT> <BR><FONT=20 size=3D2>quite a while........</FONT> </P> <P><FONT size=3D2>My real point was that the "monotonically = increasing" wording=20 permits the</FONT> <BR><FONT size=3D2>CRL number to stay the same, = while=20 "strictly increasing" forces the numbers</FONT> <BR><FONT size=3D2>to = be unique=20 (issues of wrapping aside in both cases). Stephen Henson = just</FONT>=20 <BR><FONT size=3D2>pointed out a reason why one might want the CRL = number to=20 stay the same when</FONT> <BR><FONT size=3D2>issuing a delta CRL at = the same=20 time as a full CRL. I am not arguing either</FONT> <BR><FONT = size=3D2>for=20 or against that case, but it seems desirable to force the CRL numbers=20 to</FONT> <BR><FONT size=3D2>be unique in most cases. (Unless, = the CRLs=20 are distinguished based upon</FONT> <BR><FONT size=3D2>thisUpdate, as = Santosh=20 has suggested.)</FONT> </P> <P><FONT size=3D2>Regards,</FONT> </P> <P><FONT size=3D2>Carlin</FONT> </P> <P><FONT size=3D2>____________________________</FONT> </P> <P><FONT size=3D2>- Carlin Covey</FONT> <BR><FONT = size=3D2> =20 Cylink Corporation</FONT> </P><BR><BR> <P><FONT size=3D2>-----Original Message-----</FONT> <BR><FONT = size=3D2>From: David=20 A. Cooper [<A=20 = href=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]</= FONT>=20 <BR><FONT size=3D2>Sent: Wednesday, May 09, 2001 6:03 AM</FONT> = <BR><FONT=20 size=3D2>To: 'ietf-pkix@imc.org '</FONT> <BR><FONT size=3D2>Subject: = RE: delta=20 CRLs</FONT> </P><BR> <P><FONT size=3D2> From a practical point of view, I don't think = that we=20 should need to worry</FONT> <BR><FONT size=3D2>about CRL numbers = wrapping. =20 According to my calculations, if one assigns</FONT> <BR><FONT = size=3D2>cRLNumber=20 1 to the first CRL and then numbers CRLs consecutively, one = could</FONT>=20 <BR><FONT size=3D2>issue a new CRL every second for 68 years before = the=20 cRLNumber would require</FONT> <BR><FONT size=3D2>more than 4 bytes = (32 bits) to=20 encode. On the other hand, if you're willing</FONT> <BR><FONT = size=3D2>to=20 issue a new CRL only once a minute, it would take 4083 years before = the</FONT>=20 <BR><FONT size=3D2>cRLNumber would require more than 4 bytes to = encode.</FONT>=20 </P> <P><FONT size=3D2>BTW, I thought that the purpose of the "(0 .. MAX)" = was just=20 to prevent use</FONT> <BR><FONT size=3D2>of negative numbers. While = there may,=20 in theory be a limit to the size of an</FONT> <BR><FONT = size=3D2>integer that=20 may be encoded, for all practical purposes, one can encode any</FONT>=20 <BR><FONT size=3D2>integet. According to "A Layman's Guide to a Subset = of ASN.1,=20 BER, and DER",</FONT> <BR><FONT size=3D2>a DER encoded value can have = a length=20 of up to 2 ** 1008 - 1 bytes. Thus,</FONT> <BR><FONT size=3D2>MAX =3D = 2 ** [8 *=20 ((2 ** 1008) - 1) - 1] - 1, which is far larger than any</FONT> = <BR><FONT=20 size=3D2>number we would ever need.</FONT> </P> <P><FONT size=3D2>Dave</FONT> </P> <P><FONT size=3D2>At 08:57 PM 5/8/01 -0700, Ambarish Malpani = wrote:</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT size=3D2>>I always thought = MAX for=20 ASN.1 INTEGERs was something I would never</FONT> <BR><FONT = size=3D2>>need to=20 worry about.</FONT> <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>>Looks=20 like I was wrong :-)</FONT> <BR><FONT size=3D2>></FONT> <BR><FONT=20 size=3D2>>By the way, what is MAX? I know that we can represent = numbers=20 with</FONT> <BR><FONT size=3D2>>over 2048 bits...</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>A</FONT> <BR><FONT = size=3D2>></FONT>=20 <BR><FONT size=3D2>>-----Original Message-----</FONT> <BR><FONT=20 size=3D2>>From: Carlin Covey</FONT> <BR><FONT size=3D2>>To: = Housley, Russ;=20 Santosh Chokhani</FONT> <BR><FONT size=3D2>>Cc: = ietf-pkix@imc.org</FONT>=20 <BR><FONT size=3D2>>Sent: 5/8/01 5:53 PM</FONT> <BR><FONT = size=3D2>>Subject:=20 RE: delta CRLs</FONT> <BR><FONT size=3D2>></FONT> <BR><FONT=20 size=3D2>>Russ,</FONT> <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>>A=20 week or two ago we arrived at a consensus to remove the = requirement</FONT>=20 <BR><FONT size=3D2>>that a CA issue a full CRL whenever the CA = issues a=20 Delta-CRL. If the</FONT> <BR><FONT size=3D2>>CA chooses to = issue them=20 simultaneously, why would they need to be numbered</FONT> <BR><FONT=20 size=3D2>>the same? If this requirement were lifted, it seems = like=20 requiring the CRL</FONT> <BR><FONT size=3D2>>number to be "strictly = increasing" in a sequence would be preferable to</FONT> <BR><FONT=20 size=3D2>>"monotonically increasing". "Monotonically = increasing" allows=20 the</FONT> <BR><FONT size=3D2>possibility</FONT> <BR><FONT = size=3D2>>that the=20 CRL number never changes, which seems undesirable. I = realize</FONT>=20 <BR><FONT size=3D2>>that in either case the CRL number might wrap = around at=20 some point in the</FONT> <BR><FONT size=3D2>future.</FONT> <BR><FONT=20 size=3D2>>That is inevitable, given that that CRL number is defined = as=20 INTEGER</FONT> <BR><FONT size=3D2>(0..MAX).</FONT> <BR><FONT = size=3D2>>What=20 else can a CA do when CRL number reaches MAX, stop issuing = CRLs?</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT size=3D2>>"monotonically = increasing" -=20 Definition: A function from a partially</FONT> <BR><FONT=20 size=3D2>order[ed]</FONT> <BR><FONT size=3D2>>domain to a partially = ordered=20 range such that x >=3D y implies f(x) >=3D f(y).</FONT> = <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>- From the NIST web = site:</FONT>=20 <BR><FONT size=3D2>><A=20 href=3D"http://hissa.nist.gov/dads/HTML/monotoncincr.html"=20 = target=3D_blank>http://hissa.nist.gov/dads/HTML/monotoncincr.html</A></FO= NT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT size=3D2>>Regards,</FONT> = <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>Carlin</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT = size=3D2>>____________________________</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT size=3D2>>- Carlin = Covey</FONT>=20 <BR><FONT size=3D2>> Cylink Corporation</FONT> = <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>-----Original = Message-----</FONT>=20 <BR><FONT size=3D2>>From: Housley, Russ [<A=20 = href=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com<= /A>]</FONT>=20 <BR><FONT size=3D2>>Sent: Monday, May 07, 2001 6:21 AM</FONT> = <BR><FONT=20 size=3D2>>To: Santosh Chokhani</FONT> <BR><FONT size=3D2>>Cc:=20 ietf-pkix@imc.org</FONT> <BR><FONT size=3D2>>Subject: RE: delta = CRLs</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT size=3D2>></FONT> = <BR><FONT=20 size=3D2>>Santosh:</FONT> <BR><FONT size=3D2>></FONT> <BR><FONT=20 size=3D2>>X.509 may allow the CRL number to wrap around, but I do = not believe=20 that</FONT> <BR><FONT size=3D2>>PKIX does.</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>> = 5.2.3 =20 CRL Number</FONT> <BR><FONT size=3D2>></FONT> <BR><FONT=20 size=3D2>> The CRL number is a non-critical = CRL=20 extension which conveys a</FONT> <BR><FONT = size=3D2>> =20 monotonically increasing sequence number for each CRL issued by a = CA.</FONT>=20 <BR><FONT size=3D2>> This extension allows = users to=20 easily determine when a particular CRL</FONT> <BR><FONT=20 size=3D2>> supersedes another CRL. = CAs=20 conforming to this profile MUST include</FONT> <BR><FONT=20 size=3D2>> this extension in all = CRLs.</FONT>=20 <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>> =20 id-ce-cRLNumber OBJECT IDENTIFIER ::=3D { id-ce 20 }</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>>Russ</FONT> <BR><FONT=20 size=3D2>></FONT> <BR><FONT size=3D2>></FONT> <BR><FONT = size=3D2>>At 10:11=20 PM 5/5/2001 -0400, Santosh Chokhani wrote:</FONT> <BR><FONT = size=3D2>></FONT>=20 <BR><FONT size=3D2>> >Actually, the text allows for the wrap of = the=20 numbers. Please see Annex</FONT> <BR><FONT size=3D2>B</FONT> = <BR><FONT=20 size=3D2>> >of X.509. Thus, it is not strictly = increasing</FONT>=20 <BR><FONT size=3D2>> ></FONT> <BR><FONT size=3D2>> = >-----Original=20 Message-----</FONT> <BR><FONT size=3D2>> >From: Peter = Sylvester</FONT>=20 <BR><FONT size=3D2>> >[<<A=20 = href=3D"mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWeb= .fr</A>><A=20 = href=3D"mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWeb= .fr</A>]</FONT>=20 <BR><FONT size=3D2>> >Sent: Saturday, May 05, 2001 2:08 = PM</FONT>=20 <BR><FONT size=3D2>> >To: trevorf@windows.microsoft.com;=20 rhousley@rsasecurity.com;</FONT> <BR><FONT size=3D2>>=20 >chokhani@cygnacom.com</FONT> <BR><FONT size=3D2>> >Cc:=20 ietf-pkix@imc.org</FONT> <BR><FONT size=3D2>> >Subject: RE: = delta=20 CRLs</FONT> <BR><FONT size=3D2>> ></FONT> <BR><FONT = size=3D2>> > >=20 Trevor:</FONT> <BR><FONT size=3D2>> > ></FONT> <BR><FONT = size=3D2>>=20 > > The 2000 version of X.509 is very clear on this. For a = given=20 CRL</FONT> <BR><FONT size=3D2>stream</FONT> <BR><FONT size=3D2>> = > >=20 identifier, the CRL number is unique whether it is base or delta. = That</FONT>=20 <BR><FONT size=3D2>is</FONT> <BR><FONT size=3D2>> > > why = delta number=20 has to be greater than the base.</FONT> <BR><FONT size=3D2>> = ></FONT>=20 <BR><FONT size=3D2>> >" 8.5.2.1 CRL number extension</FONT> = <BR><FONT=20 size=3D2>> ></FONT> <BR><FONT size=3D2>> > = This CRL=20 extension field conveys a monotonically increasing sequence</FONT> = <BR><FONT=20 size=3D2>> > number .."</FONT> <BR><FONT size=3D2>> = ></FONT> <BR><FONT=20 size=3D2>> >The text might be clearer IMHO if 'strictly = increasing' would=20 be used</FONT> <BR><FONT size=3D2>> >instead.</FONT>=20 </P></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_0054_01C0D871.0608D4C0-- Received: from mail.ec.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.201]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA02323 for <ietf-pkix@imc.org>; Wed, 9 May 2001 10:07:16 -0700 (PDT) Received: from kahu.cs.auckland.ac.nz (pgut001@kahu.cs.auckland.ac.nz [130.216.36.13]) by mail.ec.auckland.ac.nz (8.9.3/8.8.6/cs-master) with SMTP id FAA08266; Thu, 10 May 2001 05:07:13 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz) Received: by kahu.cs.auckland.ac.nz (relaymail v0.9) id <98942803230088>; Thu, 10 May 2001 05:07:12 (NZST) From: pgut001@cs.auckland.ac.nz (Peter Gutmann) To: ambarish@valicert.com Subject: RE: delta CRLs Cc: ietf-pkix@imc.org Sender: pgut001@cs.auckland.ac.nz Reply-To: pgut001@cs.auckland.ac.nz X-Charge-To: pgut001 X-Authenticated: relaymail v0.9 on kahu.cs.auckland.ac.nz Date: Thu, 10 May 2001 05:07:12 (NZST) Message-ID: <98942803230088@kahu.cs.auckland.ac.nz> Ambarish Malpani <ambarish@valicert.com> writes: >By the way, what is MAX? I know that we can represent numbers with over 2048 >bits... MAX is a symbolic, externally-specified value usually used to go with "(0..." (one or more) or "(1..." (1 or more, or minimum length 1). Peter. Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA00362 for <ietf-pkix@imc.org>; Wed, 9 May 2001 09:37:38 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <KS8ZMLHF>; Wed, 9 May 2001 12:37:08 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE930@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Carlin Covey <ccovey@cylink.com>, drh@celocom.com, "David A. Cooper" <david.cooper@nist.gov>, ambarish@valicert.com, Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Wed, 9 May 2001 12:27:55 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D8A5.0094F760" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D8A5.0094F760 Content-Type: text/plain; charset="iso-8859-1" I am simply suggesting that the numbers be strictly increasing, but if a base and delta are generated at the same time, they will have the same sequence number. Thus, if two CRLs (in the same stream identifier or when stream identifier is absent), have numbers n and m, the following shall be true (assuming no wrapping) n = m if and only if thisUpdate of n = thisUpdate of m n > m if and only if thisUpdate of n > thisUpdate of m n < m if and only if thisUpdate of n < thisUpdate of m -----Original Message----- From: Carlin Covey [mailto:ccovey@cylink.com] Sent: Wednesday, May 09, 2001 11:28 AM To: drh@celocom.com; David A. Cooper; ambarish@valicert.com; chokhani@cygnacom.com Cc: ietf-pkix@imc.org Subject: RE: delta CRLs David, Stephen, Ambarish, and Santosh, Some of us are in the business for the looooong haul. ;>) Actually, I wasn't concerned about the CRL number wrapping, but that possibility was advanced a few days ago as an argument against the use of the "strictly increasing" wording. Another email commented that PKIX did not permit the number to wrap, although X.509 might. The only evidence I could find for X.509 permitting the number to wrap was "(0 .. MAX)". As various people have pointed out, one could be drumming one's fingers for quite a while........ My real point was that the "monotonically increasing" wording permits the CRL number to stay the same, while "strictly increasing" forces the numbers to be unique (issues of wrapping aside in both cases). Stephen Henson just pointed out a reason why one might want the CRL number to stay the same when issuing a delta CRL at the same time as a full CRL. I am not arguing either for or against that case, but it seems desirable to force the CRL numbers to be unique in most cases. (Unless, the CRLs are distinguished based upon thisUpdate, as Santosh has suggested.) Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Wednesday, May 09, 2001 6:03 AM To: 'ietf-pkix@imc.org ' Subject: RE: delta CRLs From a practical point of view, I don't think that we should need to worry about CRL numbers wrapping. According to my calculations, if one assigns cRLNumber 1 to the first CRL and then numbers CRLs consecutively, one could issue a new CRL every second for 68 years before the cRLNumber would require more than 4 bytes (32 bits) to encode. On the other hand, if you're willing to issue a new CRL only once a minute, it would take 4083 years before the cRLNumber would require more than 4 bytes to encode. BTW, I thought that the purpose of the "(0 .. MAX)" was just to prevent use of negative numbers. While there may, in theory be a limit to the size of an integer that may be encoded, for all practical purposes, one can encode any integet. According to "A Layman's Guide to a Subset of ASN.1, BER, and DER", a DER encoded value can have a length of up to 2 ** 1008 - 1 bytes. Thus, MAX = 2 ** [8 * ((2 ** 1008) - 1) - 1] - 1, which is far larger than any number we would ever need. Dave At 08:57 PM 5/8/01 -0700, Ambarish Malpani wrote: > >I always thought MAX for ASN.1 INTEGERs was something I would never >need to worry about. > >Looks like I was wrong :-) > >By the way, what is MAX? I know that we can represent numbers with >over 2048 bits... > >A > >-----Original Message----- >From: Carlin Covey >To: Housley, Russ; Santosh Chokhani >Cc: ietf-pkix@imc.org >Sent: 5/8/01 5:53 PM >Subject: RE: delta CRLs > >Russ, > >A week or two ago we arrived at a consensus to remove the requirement >that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the >CA chooses to issue them simultaneously, why would they need to be numbered >the same? If this requirement were lifted, it seems like requiring the CRL >number to be "strictly increasing" in a sequence would be preferable to >"monotonically increasing". "Monotonically increasing" allows the possibility >that the CRL number never changes, which seems undesirable. I realize >that in either case the CRL number might wrap around at some point in the future. >That is inevitable, given that that CRL number is defined as INTEGER (0..MAX). >What else can a CA do when CRL number reaches MAX, stop issuing CRLs? > >"monotonically increasing" - Definition: A function from a partially order[ed] >domain to a partially ordered range such that x >= y implies f(x) >= f(y). > >- From the NIST web site: >http://hissa.nist.gov/dads/HTML/monotoncincr.html > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > >-----Original Message----- >From: Housley, Russ [mailto:rhousley@rsasecurity.com] >Sent: Monday, May 07, 2001 6:21 AM >To: Santosh Chokhani >Cc: ietf-pkix@imc.org >Subject: RE: delta CRLs > > >Santosh: > >X.509 may allow the CRL number to wrap around, but I do not believe that >PKIX does. > > 5.2.3 CRL Number > > The CRL number is a non-critical CRL extension which conveys a > monotonically increasing sequence number for each CRL issued by a CA. > This extension allows users to easily determine when a particular CRL > supersedes another CRL. CAs conforming to this profile MUST include > this extension in all CRLs. > > id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } > >Russ > > >At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote: > > >Actually, the text allows for the wrap of the numbers. Please see Annex B > >of X.509. Thus, it is not strictly increasing > > > >-----Original Message----- > >From: Peter Sylvester > >[<mailto:Peter.Sylvester@EdelWeb.fr>mailto:Peter.Sylvester@EdelWeb.fr] > >Sent: Saturday, May 05, 2001 2:08 PM > >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; > >chokhani@cygnacom.com > >Cc: ietf-pkix@imc.org > >Subject: RE: delta CRLs > > > > > Trevor: > > > > > > The 2000 version of X.509 is very clear on this. For a given CRL stream > > > identifier, the CRL number is unique whether it is base or delta. That is > > > why delta number has to be greater than the base. > > > >" 8.5.2.1 CRL number extension > > > > This CRL extension field conveys a monotonically increasing sequence > > number .." > > > >The text might be clearer IMHO if 'strictly increasing' would be used > >instead. ------_=_NextPart_001_01C0D8A5.0094F760 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>I am simply suggesting that the numbers be strictly = increasing, but if a base and delta are generated at the same time, = they will have the same sequence number. Thus, if two CRLs (in = the same stream identifier or when stream identifier is absent), have = numbers n and m, the following shall be true (assuming no = wrapping)</FONT></P> <P><FONT SIZE=3D2> n =3D m if and only if thisUpdate of n =3D = thisUpdate of m</FONT> </P> <P><FONT SIZE=3D2> n > m if and only if thisUpdate of n > = thisUpdate of m</FONT> </P> <P><FONT SIZE=3D2> n < m if and only if thisUpdate of n < = thisUpdate of m</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Carlin Covey [<A = HREF=3D"mailto:ccovey@cylink.com">mailto:ccovey@cylink.com</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Wednesday, May 09, 2001 11:28 AM</FONT> <BR><FONT SIZE=3D2>To: drh@celocom.com; David A. Cooper; = ambarish@valicert.com;</FONT> <BR><FONT SIZE=3D2>chokhani@cygnacom.com</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>David, Stephen, Ambarish, and Santosh,</FONT> </P> <P><FONT SIZE=3D2>Some of us are in the business for the looooong = haul. ;>)</FONT> </P> <P><FONT SIZE=3D2>Actually, I wasn't concerned about the CRL number = wrapping, but that</FONT> <BR><FONT SIZE=3D2>possibility was advanced a few days ago as an = argument against the use of</FONT> <BR><FONT SIZE=3D2>the "strictly increasing" wording. = Another email commented that PKIX did</FONT> <BR><FONT SIZE=3D2>not permit the number to wrap, although X.509 = might. The only evidence I</FONT> <BR><FONT SIZE=3D2>could find for X.509 permitting the number to wrap = was "(0 .. MAX)". As</FONT> <BR><FONT SIZE=3D2>various people have pointed out, one could be = drumming one's fingers for</FONT> <BR><FONT SIZE=3D2>quite a while........</FONT> </P> <P><FONT SIZE=3D2>My real point was that the "monotonically = increasing" wording permits the</FONT> <BR><FONT SIZE=3D2>CRL number to stay the same, while "strictly = increasing" forces the numbers</FONT> <BR><FONT SIZE=3D2>to be unique (issues of wrapping aside in both = cases). Stephen Henson just</FONT> <BR><FONT SIZE=3D2>pointed out a reason why one might want the CRL = number to stay the same when</FONT> <BR><FONT SIZE=3D2>issuing a delta CRL at the same time as a full = CRL. I am not arguing either</FONT> <BR><FONT SIZE=3D2>for or against that case, but it seems desirable to = force the CRL numbers to</FONT> <BR><FONT SIZE=3D2>be unique in most cases. (Unless, the CRLs are = distinguished based upon</FONT> <BR><FONT SIZE=3D2>thisUpdate, as Santosh has suggested.)</FONT> </P> <P><FONT SIZE=3D2>Regards,</FONT> </P> <P><FONT SIZE=3D2>Carlin</FONT> </P> <P><FONT SIZE=3D2>____________________________</FONT> </P> <P><FONT SIZE=3D2>- Carlin Covey</FONT> <BR><FONT SIZE=3D2> Cylink Corporation</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: David A. Cooper [<A = HREF=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]<= /FONT> <BR><FONT SIZE=3D2>Sent: Wednesday, May 09, 2001 6:03 AM</FONT> <BR><FONT SIZE=3D2>To: 'ietf-pkix@imc.org '</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2> From a practical point of view, I don't think = that we should need to worry</FONT> <BR><FONT SIZE=3D2>about CRL numbers wrapping. According to my = calculations, if one assigns</FONT> <BR><FONT SIZE=3D2>cRLNumber 1 to the first CRL and then numbers CRLs = consecutively, one could</FONT> <BR><FONT SIZE=3D2>issue a new CRL every second for 68 years before the = cRLNumber would require</FONT> <BR><FONT SIZE=3D2>more than 4 bytes (32 bits) to encode. On the = other hand, if you're willing</FONT> <BR><FONT SIZE=3D2>to issue a new CRL only once a minute, it would take = 4083 years before the</FONT> <BR><FONT SIZE=3D2>cRLNumber would require more than 4 bytes to = encode.</FONT> </P> <P><FONT SIZE=3D2>BTW, I thought that the purpose of the "(0 .. = MAX)" was just to prevent use</FONT> <BR><FONT SIZE=3D2>of negative numbers. While there may, in theory be a = limit to the size of an</FONT> <BR><FONT SIZE=3D2>integer that may be encoded, for all practical = purposes, one can encode any</FONT> <BR><FONT SIZE=3D2>integet. According to "A Layman's Guide to a = Subset of ASN.1, BER, and DER",</FONT> <BR><FONT SIZE=3D2>a DER encoded value can have a length of up to 2 ** = 1008 - 1 bytes. Thus,</FONT> <BR><FONT SIZE=3D2>MAX =3D 2 ** [8 * ((2 ** 1008) - 1) - 1] - 1, which = is far larger than any</FONT> <BR><FONT SIZE=3D2>number we would ever need.</FONT> </P> <P><FONT SIZE=3D2>Dave</FONT> </P> <P><FONT SIZE=3D2>At 08:57 PM 5/8/01 -0700, Ambarish Malpani = wrote:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>I always thought MAX for ASN.1 INTEGERs was = something I would never</FONT> <BR><FONT SIZE=3D2>>need to worry about.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Looks like I was wrong :-)</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>By the way, what is MAX? I know that we can = represent numbers with</FONT> <BR><FONT SIZE=3D2>>over 2048 bits...</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>A</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>>From: Carlin Covey</FONT> <BR><FONT SIZE=3D2>>To: Housley, Russ; Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>>Sent: 5/8/01 5:53 PM</FONT> <BR><FONT SIZE=3D2>>Subject: RE: delta CRLs</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Russ,</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>A week or two ago we arrived at a consensus to = remove the requirement</FONT> <BR><FONT SIZE=3D2>>that a CA issue a full CRL whenever the CA = issues a Delta-CRL. If the</FONT> <BR><FONT SIZE=3D2>>CA chooses to issue them simultaneously, why = would they need to be numbered</FONT> <BR><FONT SIZE=3D2>>the same? If this requirement were lifted, = it seems like requiring the CRL</FONT> <BR><FONT SIZE=3D2>>number to be "strictly increasing" in = a sequence would be preferable to</FONT> <BR><FONT SIZE=3D2>>"monotonically increasing". = "Monotonically increasing" allows the</FONT> <BR><FONT SIZE=3D2>possibility</FONT> <BR><FONT SIZE=3D2>>that the CRL number never changes, which seems = undesirable. I realize</FONT> <BR><FONT SIZE=3D2>>that in either case the CRL number might wrap = around at some point in the</FONT> <BR><FONT SIZE=3D2>future.</FONT> <BR><FONT SIZE=3D2>>That is inevitable, given that that CRL number = is defined as INTEGER</FONT> <BR><FONT SIZE=3D2>(0..MAX).</FONT> <BR><FONT SIZE=3D2>>What else can a CA do when CRL number reaches = MAX, stop issuing CRLs?</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>"monotonically increasing" - = Definition: A function from a partially</FONT> <BR><FONT SIZE=3D2>order[ed]</FONT> <BR><FONT SIZE=3D2>>domain to a partially ordered range such that x = >=3D y implies f(x) >=3D f(y).</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>- From the NIST web site:</FONT> <BR><FONT SIZE=3D2>><A = HREF=3D"http://hissa.nist.gov/dads/HTML/monotoncincr.html" = TARGET=3D"_blank">http://hissa.nist.gov/dads/HTML/monotoncincr.html</A><= /FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Regards,</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Carlin</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>____________________________</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>- Carlin Covey</FONT> <BR><FONT SIZE=3D2>> Cylink Corporation</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>>From: Housley, Russ [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>>Sent: Monday, May 07, 2001 6:21 AM</FONT> <BR><FONT SIZE=3D2>>To: Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>>Subject: RE: delta CRLs</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Santosh:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>X.509 may allow the CRL number to wrap around, = but I do not believe that</FONT> <BR><FONT SIZE=3D2>>PKIX does.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> 5.2.3 CRL = Number</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> The CRL number is a = non-critical CRL extension which conveys a</FONT> <BR><FONT SIZE=3D2>> monotonically = increasing sequence number for each CRL issued by a CA.</FONT> <BR><FONT SIZE=3D2>> This extension allows = users to easily determine when a particular CRL</FONT> <BR><FONT SIZE=3D2>> supersedes another = CRL. CAs conforming to this profile MUST include</FONT> <BR><FONT SIZE=3D2>> this extension in all = CRLs.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> id-ce-cRLNumber OBJECT = IDENTIFIER ::=3D { id-ce 20 }</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>Russ</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>At 10:11 PM 5/5/2001 -0400, Santosh Chokhani = wrote:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> >Actually, the text allows for the wrap of = the numbers. Please see Annex</FONT> <BR><FONT SIZE=3D2>B</FONT> <BR><FONT SIZE=3D2>> >of X.509. Thus, it is not strictly = increasing</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >-----Original Message-----</FONT> <BR><FONT SIZE=3D2>> >From: Peter Sylvester</FONT> <BR><FONT SIZE=3D2>> >[<<A = HREF=3D"mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWe= b.fr</A>><A = HREF=3D"mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWe= b.fr</A>]</FONT> <BR><FONT SIZE=3D2>> >Sent: Saturday, May 05, 2001 2:08 PM</FONT> <BR><FONT SIZE=3D2>> >To: trevorf@windows.microsoft.com; = rhousley@rsasecurity.com;</FONT> <BR><FONT SIZE=3D2>> >chokhani@cygnacom.com</FONT> <BR><FONT SIZE=3D2>> >Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> >Subject: RE: delta CRLs</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > > Trevor:</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > > The 2000 version of X.509 is very = clear on this. For a given CRL</FONT> <BR><FONT SIZE=3D2>stream</FONT> <BR><FONT SIZE=3D2>> > > identifier, the CRL number is unique = whether it is base or delta. That</FONT> <BR><FONT SIZE=3D2>is</FONT> <BR><FONT SIZE=3D2>> > > why delta number has to be greater = than the base.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >" 8.5.2.1 CRL number extension</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > This CRL extension field = conveys a monotonically increasing sequence</FONT> <BR><FONT SIZE=3D2>> > number .."</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >The text might be clearer IMHO if 'strictly = increasing' would be used</FONT> <BR><FONT SIZE=3D2>> >instead.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D8A5.0094F760-- Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA21653 for <ietf-pkix@imc.org>; Wed, 9 May 2001 08:29:13 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id J0AR5XZV; Wed, 9 May 2001 08:23:35 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: <drh@celocom.com>, "David A. Cooper" <david.cooper@nist.gov>, <ambarish@valicert.com>, <chokhani@cygnacom.com> Cc: <ietf-pkix@imc.org> Subject: RE: delta CRLs Date: Wed, 9 May 2001 08:28:26 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGOEFKCEAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <4.2.2.20010509084446.00b17e10@email.nist.gov> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 David, Stephen, Ambarish, and Santosh, Some of us are in the business for the looooong haul. ;>) Actually, I wasn't concerned about the CRL number wrapping, but that possibility was advanced a few days ago as an argument against the use of the "strictly increasing" wording. Another email commented that PKIX did not permit the number to wrap, although X.509 might. The only evidence I could find for X.509 permitting the number to wrap was "(0 .. MAX)". As various people have pointed out, one could be drumming one's fingers for quite a while........ My real point was that the "monotonically increasing" wording permits the CRL number to stay the same, while "strictly increasing" forces the numbers to be unique (issues of wrapping aside in both cases). Stephen Henson just pointed out a reason why one might want the CRL number to stay the same when issuing a delta CRL at the same time as a full CRL. I am not arguing either for or against that case, but it seems desirable to force the CRL numbers to be unique in most cases. (Unless, the CRLs are distinguished based upon thisUpdate, as Santosh has suggested.) Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Wednesday, May 09, 2001 6:03 AM To: 'ietf-pkix@imc.org ' Subject: RE: delta CRLs From a practical point of view, I don't think that we should need to worry about CRL numbers wrapping. According to my calculations, if one assigns cRLNumber 1 to the first CRL and then numbers CRLs consecutively, one could issue a new CRL every second for 68 years before the cRLNumber would require more than 4 bytes (32 bits) to encode. On the other hand, if you're willing to issue a new CRL only once a minute, it would take 4083 years before the cRLNumber would require more than 4 bytes to encode. BTW, I thought that the purpose of the "(0 .. MAX)" was just to prevent use of negative numbers. While there may, in theory be a limit to the size of an integer that may be encoded, for all practical purposes, one can encode any integet. According to "A Layman's Guide to a Subset of ASN.1, BER, and DER", a DER encoded value can have a length of up to 2 ** 1008 - 1 bytes. Thus, MAX = 2 ** [8 * ((2 ** 1008) - 1) - 1] - 1, which is far larger than any number we would ever need. Dave At 08:57 PM 5/8/01 -0700, Ambarish Malpani wrote: > >I always thought MAX for ASN.1 INTEGERs was something I would never >need to worry about. > >Looks like I was wrong :-) > >By the way, what is MAX? I know that we can represent numbers with >over 2048 bits... > >A > >-----Original Message----- >From: Carlin Covey >To: Housley, Russ; Santosh Chokhani >Cc: ietf-pkix@imc.org >Sent: 5/8/01 5:53 PM >Subject: RE: delta CRLs > >Russ, > >A week or two ago we arrived at a consensus to remove the requirement >that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the >CA chooses to issue them simultaneously, why would they need to be numbered >the same? If this requirement were lifted, it seems like requiring the CRL >number to be "strictly increasing" in a sequence would be preferable to >"monotonically increasing". "Monotonically increasing" allows the possibility >that the CRL number never changes, which seems undesirable. I realize >that in either case the CRL number might wrap around at some point in the future. >That is inevitable, given that that CRL number is defined as INTEGER (0..MAX). >What else can a CA do when CRL number reaches MAX, stop issuing CRLs? > >"monotonically increasing" - Definition: A function from a partially order[ed] >domain to a partially ordered range such that x >= y implies f(x) >= f(y). > >- From the NIST web site: >http://hissa.nist.gov/dads/HTML/monotoncincr.html > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > >-----Original Message----- >From: Housley, Russ [mailto:rhousley@rsasecurity.com] >Sent: Monday, May 07, 2001 6:21 AM >To: Santosh Chokhani >Cc: ietf-pkix@imc.org >Subject: RE: delta CRLs > > >Santosh: > >X.509 may allow the CRL number to wrap around, but I do not believe that >PKIX does. > > 5.2.3 CRL Number > > The CRL number is a non-critical CRL extension which conveys a > monotonically increasing sequence number for each CRL issued by a CA. > This extension allows users to easily determine when a particular CRL > supersedes another CRL. CAs conforming to this profile MUST include > this extension in all CRLs. > > id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } > >Russ > > >At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote: > > >Actually, the text allows for the wrap of the numbers. Please see Annex B > >of X.509. Thus, it is not strictly increasing > > > >-----Original Message----- > >From: Peter Sylvester > >[<mailto:Peter.Sylvester@EdelWeb.fr>mailto:Peter.Sylvester@EdelWeb.fr] > >Sent: Saturday, May 05, 2001 2:08 PM > >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; > >chokhani@cygnacom.com > >Cc: ietf-pkix@imc.org > >Subject: RE: delta CRLs > > > > > Trevor: > > > > > > The 2000 version of X.509 is very clear on this. For a given CRL stream > > > identifier, the CRL number is unique whether it is base or delta. That is > > > why delta number has to be greater than the base. > > > >" 8.5.2.1 CRL number extension > > > > This CRL extension field conveys a monotonically increasing sequence > > number .." > > > >The text might be clearer IMHO if 'strictly increasing' would be used > >instead. Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id GAA13017 for <ietf-pkix@imc.org>; Wed, 9 May 2001 06:16:14 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 9 May 2001 13:15:56 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id JAA20996 for <ietf-pkix@imc.org>; Wed, 9 May 2001 09:16:14 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NV797>; Wed, 9 May 2001 09:16:14 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.52]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NV79Z; Wed, 9 May 2001 09:16:05 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Hal Lockhart <hal.lockhart@entegrity.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010509091102.0185b7f0@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Wed, 09 May 2001 09:12:39 -0400 Subject: RE: Certificate Hold (was RE: delta CRLs) In-Reply-To: <899128A30EEDD1118FC900A0C9C74A34BA97A5@bigbird.gradient.co m> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Hal: The reality is that people are binding authorization information into certificates, and the hold is really being placed on the authorization, not the binding of the public key and the identity. This is one of the major reasons that I advocate the placement of authorization information elsewhere, like attribute certificates. Russ At 11:47 AM 5/8/2001 -0400, Hal Lockhart wrote: > Ambarish Malpani wrote: > > Certificate suspension is a useful mechanism to prevent the usage of > > a certificate while you figure out whether it should actually be > > revoked or not. > >Forgive me if this has been discussed in the past, but I am curious. If this >is the (only) purpose of hold, doesn't that simplify the NR issue? If the >cert can be established to be good at a later time, shouldn't the hold be >ignored? If the results of our investigation is that there was actually no >problem after all, why should signatures created during that period be >invalid? > >Hal Received: from tele-post-20.mail.demon.net (tele-post-20.mail.demon.net [194.217.242.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA12568 for <ietf-pkix@imc.org>; Wed, 9 May 2001 06:11:34 -0700 (PDT) Received: from drh-consultancy.demon.co.uk ([193.237.150.98] helo=celocom.com) by tele-post-20.mail.demon.net with esmtp (Exim 2.12 #2) id 14xTkc-000L7t-0K for ietf-pkix@imc.org; Wed, 9 May 2001 13:11:34 +0000 Message-ID: <3AF942C8.D9A3E93F@celocom.com> Date: Wed, 09 May 2001 14:14:48 +0100 From: Dr S N Henson <drh@celocom.com> Organization: S N Henson X-Mailer: Mozilla 4.73 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: delta CRLs References: <FLEELNBJKAIIGDJJKPDGIEFHCEAA.ccovey@cylink.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Carlin Covey wrote: > > > A week or two ago we arrived at a consensus to remove the requirement > that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the > CA chooses to issue them simultaneously, why would they need to be numbered > the same? Its my understanding that the CRL number of the delta CRL serves an additional purpose: it gives the CRL number of the equivalent full CRL (which may not have been issued with the new rule) which can be constructed by combining rhe delta with the base CRL (or a later CRL). They have to be the same to convey this information. See 5.2.4: > The constructed CRL has the CRL number specified in the CRL number > extension found in the delta CRL used in its construction. > Another consequence of this appears to be that if a CA sometimes issues deltas with no corresponding full CRLs then there will be gaps in the numbering scheme of the full CRLs. > If this requirement were lifted, it seems like requiring the CRL > number to be "strictly increasing" in a sequence would be preferable to > "monotonically increasing". "Monotonically increasing" allows the > possibility > that the CRL number never changes, which seems undesirable. I'd say its not only undesirable but it also makes handling delta CRLs difficult if not impossible. > I realize > that in either case the CRL number might wrap around at some point in the > future. > That is inevitable, given that that CRL number is defined as INTEGER > (0..MAX). > What else can a CA do when CRL number reaches MAX, stop issuing CRLs? > Well depends on the value of MAX I suppose. Something like 32 bits and assuming the CA issues a CRL every second would mean that it wouldn't wrap around for 136 years or so, which is hopfully tolerable. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: shenson@drh-consultancy.demon.co.uk Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: drh@celocom.com PGP key: via homepage. Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA11726 for <ietf-pkix@imc.org>; Wed, 9 May 2001 06:03:39 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id JAA19089 for <ietf-pkix@imc.org>; Wed, 9 May 2001 09:03:35 -0400 (EDT) Message-Id: <4.2.2.20010509084446.00b17e10@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Wed, 09 May 2001 09:03:04 -0400 To: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> From: "David A. Cooper" <david.cooper@nist.gov> Subject: RE: delta CRLs In-Reply-To: <613B3C619C9AD4118C4E00B0D03E7C3E014C8D0D@exchange.valicert .com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" From a practical point of view, I don't think that we should need to worry about CRL numbers wrapping. According to my calculations, if one assigns cRLNumber 1 to the first CRL and then numbers CRLs consecutively, one could issue a new CRL every second for 68 years before the cRLNumber would require more than 4 bytes (32 bits) to encode. On the other hand, if you're willing to issue a new CRL only once a minute, it would take 4083 years before the cRLNumber would require more than 4 bytes to encode. BTW, I thought that the purpose of the "(0 .. MAX)" was just to prevent use of negative numbers. While there may, in theory be a limit to the size of an integer that may be encoded, for all practical purposes, one can encode any integet. According to "A Layman's Guide to a Subset of ASN.1, BER, and DER", a DER encoded value can have a length of up to 2 ** 1008 - 1 bytes. Thus, MAX = 2 ** [8 * ((2 ** 1008) - 1) - 1] - 1, which is far larger than any number we would ever need. Dave At 08:57 PM 5/8/01 -0700, Ambarish Malpani wrote: > >I always thought MAX for ASN.1 INTEGERs was something I would never >need to worry about. > >Looks like I was wrong :-) > >By the way, what is MAX? I know that we can represent numbers with >over 2048 bits... > >A > >-----Original Message----- >From: Carlin Covey >To: Housley, Russ; Santosh Chokhani >Cc: ietf-pkix@imc.org >Sent: 5/8/01 5:53 PM >Subject: RE: delta CRLs > >Russ, > >A week or two ago we arrived at a consensus to remove the requirement >that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the >CA chooses to issue them simultaneously, why would they need to be numbered >the same? If this requirement were lifted, it seems like requiring the CRL >number to be "strictly increasing" in a sequence would be preferable to >"monotonically increasing". "Monotonically increasing" allows the possibility >that the CRL number never changes, which seems undesirable. I realize >that in either case the CRL number might wrap around at some point in the future. >That is inevitable, given that that CRL number is defined as INTEGER (0..MAX). >What else can a CA do when CRL number reaches MAX, stop issuing CRLs? > >"monotonically increasing" - Definition: A function from a partially order[ed] >domain to a partially ordered range such that x >= y implies f(x) >= f(y). > >- From the NIST web site: >http://hissa.nist.gov/dads/HTML/monotoncincr.html > >Regards, > >Carlin > >____________________________ > >- Carlin Covey > Cylink Corporation > >-----Original Message----- >From: Housley, Russ [mailto:rhousley@rsasecurity.com] >Sent: Monday, May 07, 2001 6:21 AM >To: Santosh Chokhani >Cc: ietf-pkix@imc.org >Subject: RE: delta CRLs > > >Santosh: > >X.509 may allow the CRL number to wrap around, but I do not believe that >PKIX does. > > 5.2.3 CRL Number > > The CRL number is a non-critical CRL extension which conveys a > monotonically increasing sequence number for each CRL issued by a CA. > This extension allows users to easily determine when a particular CRL > supersedes another CRL. CAs conforming to this profile MUST include > this extension in all CRLs. > > id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } > >Russ > > >At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote: > > >Actually, the text allows for the wrap of the numbers. Please see Annex B > >of X.509. Thus, it is not strictly increasing > > > >-----Original Message----- > >From: Peter Sylvester > >[<mailto:Peter.Sylvester@EdelWeb.fr>mailto:Peter.Sylvester@EdelWeb.fr] > >Sent: Saturday, May 05, 2001 2:08 PM > >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; > >chokhani@cygnacom.com > >Cc: ietf-pkix@imc.org > >Subject: RE: delta CRLs > > > > > Trevor: > > > > > > The 2000 version of X.509 is very clear on this. For a given CRL stream > > > identifier, the CRL number is unique whether it is base or delta. That is > > > why delta number has to be greater than the base. > > > >" 8.5.2.1 CRL number extension > > > > This CRL extension field conveys a monotonically increasing sequence > > number .." > > > >The text might be clearer IMHO if 'strictly increasing' would be used > >instead. Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA05733 for <ietf-pkix@imc.org>; Wed, 9 May 2001 04:54:37 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <KSWBCZPZ>; Wed, 9 May 2001 07:54:07 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE8F6@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Carlin Covey <ccovey@cylink.com>, "Housley, Russ" <rhousley@rsasecurity.com>, Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Wed, 9 May 2001 07:44:55 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D87D.778DFEC0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D87D.778DFEC0 Content-Type: text/plain; charset="iso-8859-1" I think if thisUpdate is the same, it is ok to give the same number. By the way, when you think about it, CRL Number is not such a great idea. The delta CRL extension (in my mind) should have been based on thisUpdate of the base. I made the suggestion at ISO meeting in 1998. While every one agreed, that omnipresent "backward compatibility" won out. -----Original Message----- From: Carlin Covey [mailto:ccovey@cylink.com] Sent: Tuesday, May 08, 2001 8:54 PM To: Housley, Russ; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Russ, A week or two ago we arrived at a consensus to remove the requirement that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the CA chooses to issue them simultaneously, why would they need to be numbered the same? If this requirement were lifted, it seems like requiring the CRL number to be "strictly increasing" in a sequence would be preferable to "monotonically increasing". "Monotonically increasing" allows the possibility that the CRL number never changes, which seems undesirable. I realize that in either case the CRL number might wrap around at some point in the future. That is inevitable, given that that CRL number is defined as INTEGER (0..MAX). What else can a CA do when CRL number reaches MAX, stop issuing CRLs? "monotonically increasing" - Definition: A function from a partially order[ed] domain to a partially ordered range such that x >= y implies f(x) >= f(y). - From the NIST web site: http://hissa.nist.gov/dads/HTML/monotoncincr.html Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Monday, May 07, 2001 6:21 AM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh: X.509 may allow the CRL number to wrap around, but I do not believe that PKIX does. 5.2.3 CRL Number The CRL number is a non-critical CRL extension which conveys a monotonically increasing sequence number for each CRL issued by a CA. This extension allows users to easily determine when a particular CRL supersedes another CRL. CAs conforming to this profile MUST include this extension in all CRLs. id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } Russ At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote: >Actually, the text allows for the wrap of the numbers. Please see Annex B >of X.509. Thus, it is not strictly increasing > >-----Original Message----- >From: Peter Sylvester >[<mailto:Peter.Sylvester@EdelWeb.fr>mailto:Peter.Sylvester@EdelWeb.fr] >Sent: Saturday, May 05, 2001 2:08 PM >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; >chokhani@cygnacom.com >Cc: ietf-pkix@imc.org >Subject: RE: delta CRLs > > > Trevor: > > > > The 2000 version of X.509 is very clear on this. For a given CRL stream > > identifier, the CRL number is unique whether it is base or delta. That is > > why delta number has to be greater than the base. > >" 8.5.2.1 CRL number extension > > This CRL extension field conveys a monotonically increasing sequence > number .." > >The text might be clearer IMHO if 'strictly increasing' would be used >instead. ------_=_NextPart_001_01C0D87D.778DFEC0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>I think if thisUpdate is the same, it is ok to give = the same number.</FONT> </P> <P><FONT SIZE=3D2>By the way, when you think about it, CRL Number is = not such a great idea. The delta CRL extension (in my mind) = should have been based on thisUpdate of the base. I made the = suggestion at ISO meeting in 1998. While every one agreed, that = omnipresent "backward compatibility" won out.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Carlin Covey [<A = HREF=3D"mailto:ccovey@cylink.com">mailto:ccovey@cylink.com</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Tuesday, May 08, 2001 8:54 PM</FONT> <BR><FONT SIZE=3D2>To: Housley, Russ; Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>Russ,</FONT> </P> <P><FONT SIZE=3D2>A week or two ago we arrived at a consensus to remove = the requirement</FONT> <BR><FONT SIZE=3D2>that a CA issue a full CRL whenever the CA issues a = Delta-CRL. If the</FONT> <BR><FONT SIZE=3D2>CA chooses to issue them simultaneously, why would = they need to be numbered</FONT> <BR><FONT SIZE=3D2>the same? If this requirement were lifted, it = seems like requiring the CRL</FONT> <BR><FONT SIZE=3D2>number to be "strictly increasing" in a = sequence would be preferable to</FONT> <BR><FONT SIZE=3D2>"monotonically increasing". = "Monotonically increasing" allows the</FONT> <BR><FONT SIZE=3D2>possibility</FONT> <BR><FONT SIZE=3D2>that the CRL number never changes, which seems = undesirable. I realize</FONT> <BR><FONT SIZE=3D2>that in either case the CRL number might wrap around = at some point in the</FONT> <BR><FONT SIZE=3D2>future.</FONT> <BR><FONT SIZE=3D2>That is inevitable, given that that CRL number is = defined as INTEGER</FONT> <BR><FONT SIZE=3D2>(0..MAX).</FONT> <BR><FONT SIZE=3D2>What else can a CA do when CRL number reaches MAX, = stop issuing CRLs?</FONT> </P> <P><FONT SIZE=3D2>"monotonically increasing" - Definition: A = function from a partially</FONT> <BR><FONT SIZE=3D2>order[ed]</FONT> <BR><FONT SIZE=3D2>domain to a partially ordered range such that x = >=3D y implies f(x) >=3D f(y).</FONT> </P> <P><FONT SIZE=3D2>- From the NIST web site: <A = HREF=3D"http://hissa.nist.gov/dads/HTML/monotoncincr.html" = TARGET=3D"_blank">http://hissa.nist.gov/dads/HTML/monotoncincr.html</A><= /FONT> </P> <P><FONT SIZE=3D2>Regards,</FONT> </P> <P><FONT SIZE=3D2>Carlin</FONT> </P> <P><FONT SIZE=3D2>____________________________</FONT> </P> <P><FONT SIZE=3D2>- Carlin Covey</FONT> <BR><FONT SIZE=3D2> Cylink Corporation</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Housley, Russ [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>Sent: Monday, May 07, 2001 6:21 AM</FONT> <BR><FONT SIZE=3D2>To: Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>Santosh:</FONT> </P> <P><FONT SIZE=3D2>X.509 may allow the CRL number to wrap around, but I = do not believe that</FONT> <BR><FONT SIZE=3D2>PKIX does.</FONT> </P> <P><FONT SIZE=3D2> 5.2.3 CRL Number</FONT> </P> <P><FONT SIZE=3D2> The CRL number is a non-critical = CRL extension which conveys a</FONT> <BR><FONT SIZE=3D2> monotonically increasing sequence = number for each CRL issued by a CA.</FONT> <BR><FONT SIZE=3D2> This extension allows users to = easily determine when a particular CRL</FONT> <BR><FONT SIZE=3D2> supersedes another CRL. CAs = conforming to this profile MUST include</FONT> <BR><FONT SIZE=3D2> this extension in all = CRLs.</FONT> </P> <P><FONT SIZE=3D2> id-ce-cRLNumber OBJECT IDENTIFIER = ::=3D { id-ce 20 }</FONT> </P> <P><FONT SIZE=3D2>Russ</FONT> </P> <BR> <P><FONT SIZE=3D2>At 10:11 PM 5/5/2001 -0400, Santosh Chokhani = wrote:</FONT> </P> <P><FONT SIZE=3D2>>Actually, the text allows for the wrap of the = numbers. Please see Annex B</FONT> <BR><FONT SIZE=3D2>>of X.509. Thus, it is not strictly = increasing</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>>From: Peter Sylvester</FONT> <BR><FONT SIZE=3D2>>[<<A = HREF=3D"mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWe= b.fr</A>><A = HREF=3D"mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWe= b.fr</A>]</FONT> <BR><FONT SIZE=3D2>>Sent: Saturday, May 05, 2001 2:08 PM</FONT> <BR><FONT SIZE=3D2>>To: trevorf@windows.microsoft.com; = rhousley@rsasecurity.com;</FONT> <BR><FONT SIZE=3D2>>chokhani@cygnacom.com</FONT> <BR><FONT SIZE=3D2>>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>>Subject: RE: delta CRLs</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> > Trevor:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > The 2000 version of X.509 is very clear on = this. For a given CRL stream</FONT> <BR><FONT SIZE=3D2>> > identifier, the CRL number is unique = whether it is base or delta. That</FONT> <BR><FONT SIZE=3D2>is</FONT> <BR><FONT SIZE=3D2>> > why delta number has to be greater than = the base.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>" 8.5.2.1 CRL number extension</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> This CRL extension field conveys a = monotonically increasing sequence</FONT> <BR><FONT SIZE=3D2>> number .."</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>The text might be clearer IMHO if 'strictly = increasing' would be used</FONT> <BR><FONT SIZE=3D2>>instead.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D87D.778DFEC0-- Received: from pavilion (a24b31n80client230.hawaii.rr.com [24.31.80.230]) by above.proper.com (8.9.3/8.9.3) with ESMTP id CAA23405 for <ietf-pkix@imc.org>; Wed, 9 May 2001 02:55:12 -0700 (PDT) Message-ID: <955820015399477910@pavilion> X-EM-Version: 5, 0, 0, 19 X-EM-Registration: #01B0530810E603002D00 X-Priority: 3 X-MSMail-Priority: Normal From: "Mitchell" <mail2@pcpostal.com> To: ietf-pkix@imc.org Subject: Business/Employment Opportunity Date: Tue, 8 May 2001 23:47:07 -1000 MIME-Version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id CAA23406 Dear Friend: "Making over half million dollars every 4 to 5 months from your home for an investment of only $25 U.S. Dollars expense one time" THANKS TO THE COMPUTER AGE AND THE INTERNET! =============================================== BE A MILLIONAIRE LIKE OTHERS WITHIN A YEAR !! Before you say "Bull" , please read the following. This is the letter you have been hearing about on the news lately. Due to the popularity of this letter on the internet, a national weekly news program recently devoted an entire show to the investigation of this program described below , to see if it really can make people money. The show also investigated whether or not the program was legal. Their findings proved once and for all that there are "absolutely no laws prohibiting the participation in the program and if people can follow the simple instructions, they are bound to make some mega bucks with only $25 out of pocket cost". DUE TO THE RECENT INCREASE OF POPULARITY & RESPECT THIS PROGRAM HAS ATTAINED, IT IS CURRENTLY WORKING BETTER THAN EVER. This is what one had to say: "Thanks to this profitable opportunity. I was approached many times before but each time I passed on it. I am so glad I finally joined just to see what one could expect in return for the minimal effort and money required. To my astonishment, I received total $ 610,470.00 in 21 weeks, with money still coming in". Pam Hedland, Fort Lee, New Jersey. ------------------------------------------------------------------------- Here is another testimonial: "This program has been around for a long time but I never believed in it. But one day when I received this again in the mail I decided to gamble my $25 on it. I followed thesimple instructions and walaa ..... 3 weeks later the money started to come in. First month I only made $240.00 but the next 2 months after that I made a total of $290,000.00. So far, in the past 8 months by re-entering the program,I have made over $710,000.00 and I am playing it again. The key to success in this program is to follow the simple steps and NOT change anything ." More testimonials later but first, ****** PRINT THIS NOW FOR YOUR FUTURE REFERENCE ******* $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ If you would like to make at least $500,000 every 4 to 5 months easily and comfortably, please read the following...THEN READ IT AGAIN and AGAIN !!! $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ FOLLOW THE SIMPLE INSTRUCTION BELOW AND YOUR FINANCIAL DREAMS WILL COME TRUE, GUARANTEED! INSTRUCTIONS: **** Order all 5 reports shown on the list below. **** For each report, send $5 CASH, THE NAME & NUMBER OF THE REPORT YOU ARE ORDERING and YOUR E-MAIL ADDRESS to the person whose name appears ON THAT LIST next to the report. MAKE SURE YOUR RETURN ADDRESS IS ON YOUR ENVELOPE TOP LEFT CORNER in case of any mail problems. **** When you place your order, make sure you order each of the 5 reports. You will need all 5 reports so that you can save them on your computer and resell them. YOUR TOTAL COST $5 X 5 = $25.00. **** Within a few days you will receive, via e-mail, each of the 5 reports from these 5 different individuals. Save them on your computer so they will be accessible for you to send to the 1,000's of people who will order them from you. Also make a floppy of these reports and keep it on your desk in case something happen to your computer. ****.IMPORTANT - DO NOT alter the names of the people who are listed next to each report, or their sequence on the list, in any way other than what is instructed below in steps 1 through6 or you will loose out on majority of your profits. Once you understand the way this works, you will also see how it does not work if you change it. Remember, this method has been tested, and if you alter, it will NOT work!!! People have tried to put their friends/relatives names on all five thinking they could get all the money. But it does not work this way. Believe us, we all have tried to be greedy and then nothing happened. So Do Not try to change anything other than what is instructed. Because if you do, it will not work for you. Remember, honesty reaps the reward!!! 1.. After you have ordered all 5 reports, take this advertisement and REMOVE the name & address of the person in REPORT # 5. This person has made it through the cycle and is no doubt counting their fortune. 2.... Move the name & address in REPORT # 4 down TO REPORT # 5. 3.... Move the name & address in REPORT # 3 down TO REPORT # 4. 4.... Move the name & address in REPORT # 2 down TO REPORT # 3. 5.... Move the name & address in REPORT # 1 down TO REPORT # 2 6.... Insert YOUR name & address in the REPORT # 1 Position. PLEASE MAKE SURE you copy every name & address ACCURATELY ! ========================================================= Take this entire letter, with the modified list of names, and save it on your computer. DO NOT MAKE ANY OTHER CHANGES. Save this on a disk as well just in case if you loose any data. To assist you with marketing your business on the internet, the 5 reports you purchase will provide you with invaluable marketing information which includes how to send bulk e-mails legally, where to find thousands of free classified ads and much more. There are 2 Primary methods to get this venture going: METHOD # 1 : BY SENDING BULK E-MAIL LEGALLY ============================================ let's say that you decide to start small, just to see how it goes, and we will assume You and those involved send out only 5,000 e-mails each. Let's also assume that the mailing receive only a0.2% response (the response could be much better but lets just say it is only 0.2% . Also many people will send out hundreds of thousands e-mails instead of only 5,000 each). Continuing with this example, you send out only 5,000 e-mails. With a 0.2% response, that is only 10 orders for report # 1. Those 10 people responded by sending out 5,000 e-mail each for a total of 50,000. Out of those 50,000 e-mails only 0.2% responded with orders. That's = 100 people responded and ordered Report # 2. Those 100 people mail out 5,000 e-mails each for a total of 500,000 e-mails. The 0.2% response to that is 1000 orders for Report # 3. Those 1000 people send out 5,000 e-mails each for a total of 5 million e-mails sent out. The 0.2% response to that is 10,000 orders for Report # 4. Those 10,000 people send out 5,000 e-mails each for a total of 50,000,000 (50 million) e-mails. The 0.2% response to that is 100,000 orders for Report # 5. THAT'S 100,000 ORDERS TIMES $5 EACH = $500,000.00 (half million). Your total income in this example is: 1..... $50 + 2..... $500 + 3..... $5,000 + 4..... $50,000 + 5..... $500,000 ......... Grand Total = $555,550.00 NUMBERS DO NOT LIE. GET A PENCIL & PAPER AND FIGURE OUT THE WORST POSSIBLE RESPONSES AND NO MATTER HOW YOU CALCULATE IT, YOU WILL STILL MAKE A LOT OF MONEY ! ------------------------------------------------------------------------------ REMEMBER FRIEND, THIS IS ASSUMING ONLY 10 PEOPLE ORDERING OUT OF 5,000 YOU MAILED TO. Dare to think for a moment what would happen if everyone, or half or even one 4th of those people mailed 100,000 e-mails each or more? There are over 250 million people on the internet worldwide and counting. Believe me, many people will do just that, and more! METHOD # 2 : BY PLACING FREE ADS ON THE INTERNET =================================================== Advertising on the net is very very inexpensive and there are hundreds of FREE places to advertise. Placing a lot of free adson the internet will easily get a larger response. We strongly suggest you start with Method # 1 and add METHOD # 2 as you go along. For every $5 you receive, all you must do is e-mail them the Report they ordered. That's it . Always provide same day service on all orders. This will guarantee that the e-mail they send out, with your name and address on it, will be prompt because they can not advertise until they receive the report. _____________________ AVAILABLE REPORTS_____________________ ORDER EACH REPORT BY ITS NUMBER & NAME ONLY. Notes: Always send $5 cash (U.S. CURRENCY) for each Report. Checks NOT accepted. Make sure the cash is concealed by wrapping it in at least 2 sheets of paper. On one of those sheets of paper, Write the NUMBER & the NAME of the Report you are ordering, YOUR E-MAIL ADDRESS and your name and postal address. PLACE YOUR ORDER FOR THESE REPORTS NOW : ============================================== REPORT #1, "The Insider's Guide to Sending Bulk E-mail on the Internet" ORDER REPORT #1 FROM: G. Donaldson P.O. Box 25884 Honolulu, Hawaii 96825-0884 don't forget to provide a permanent e-mail address in clear writing (better typed) to receive the reports. We had problems in delivery e-mails before!!! ============================================== REPORT #2 "The Insider's Guide to Advertising for Free on the Internet" ORDER REPORT #2 FROM: Vijay Paul C-291, Second Floor Defence Colony New Delhi - 110024 INDIA ============================================== REPORT #3 "The Secrets to Multilevel Marketing on the Internet" ORDER REPORT #3 FROM: JD P.O.Box 1114 Des Plaines, IL 60017 USA ============================================== REPORT #4 "How to become a Millionaire utilizing the Power of Multilevel Marketing and the Internet" ORDER REPORT #4 FROM: J Santi 833 Walter Ave Des Plaines, IL 60016 USA ============================================== REPORT #5 "How to SEND 1,000,000 e-mails for FREE" ORDER REPORT #5 FROM: Elaine Rix 138 Dundas Street, West, #243 Toronto, Ontario Canada M5G 1C3 ============================================== There are currently more than 250,000,000 people online worldwide! $$$$$$$$$ YOUR SUCCESS GUIDELINES $$$$$$$$$$$ Follow these guidelines to guarantee your success: If you do not receive at least 10 orders for Report #1 within 2 weeks, continue sending e-mails until you do. After you have received 10 orders, 2 to 3 weeks after that you should receive 100 orders or more for REPORT # 2. If you did not, continue advertising or sending e-mails until you do. Once you have received 100 or more orders for Report # 2, YOU CAN RELAX, because the system is already working for you , and the cash will continue to roll in ! THIS IS IMPORTANT TO REMEMBER : Every time your name is moved down on the list, you are placed in front of a different report. You can KEEP TRACK of your PROGRESS by watching which report people are ordering from you. IF YOU WANT TO GENERATE MORE INCOME SEND ANOTHER BATCH OF E-MAILS AND START THE WHOLE PROCESS AGAIN. There is NO LIMIT to the income you can generate from this business !!! ____________________________________________________ FOLLOWING IS A NOTE FROM THE ORIGINATOR OF THIS PROGRAM: You have just received information that can give you financial freedom for the rest of your life, with NO RISK and JUST A LITTLE BIT OF EFFORT. You can make more money in the next few weeks and months than you have ever imagined. Follow the program EXACTLY AS INSTRUCTED. Do Not change it in any way. It works exceedingly well as it is now. Remember to e-mail a copy of this exciting report after you have put your name and address in Report #1 and moved others to #2...........# 5 as instructed above. One of the people you send this to may send out 100,000 or more e-mails and your name will be on everyone of them. Remember though, the more you send out the more potential customers you will reach. So my friend, I have given you the ideas, information, materials and opportunity to become financially independent. IT IS UP TO YOU NOW ! ************** MORE TESTIMONIALS **************** "My name is Mitchell. My wife , Jody and I live in Chicago. I am an accountant with a major U.S. Corporation and I make pretty good money. When I received this program I grumbled to Jody about receiving ''junk mail''. I made fun of the whole thing, spouting my knowledge of the population and percentages involved. I ''knew'' it wouldn't work. Jody totally ignored my supposed intelligence and few days later she jumped in with both feet. I made merciless fun of her, and was ready to lay the old ''I told you so'' on her when the thing didn'twork. Well, the laugh was on me! Within 3 weeks she had received 50 responses. Within the next 45 days she had received a total of $ 147,200.00 all cash! I was shocked. I have joined Jody in her ''hobby''." Mitchell Wolf, Chicago, Illinois ------------------------------------------------------------ "Not being the gambling type, it took me several weeks to make up my mind to participate in this plan. But conservative that I am, I decided that the initial investment was so little that there was just no way that I wouldn't get enough orders to at least get my money back. I was surprised when I found my medium size post office box crammed with orders. I made $319,210.00 in the first 12 weeks. The nice thing about this deal is that it does not matter where people live. There simply isn't a better investment with a faster return and so big." Dan Sondstrom, Alberta, Canada ----------------------------------------------------------- "I had received this program before. I deleted it, but later I wondered if I should have given it a try. Of course, I had no idea who to contact to get another copy, so I had to wait until I was e-mailed again by someone else.........11 months passed then it luckily came again...... I did not delete this one! I made more than $490,000 on my first try and all the money came within 22 weeks". Susan De Suza, New York, N.Y. ---------------------------------------------------- "It really is a great opportunity to make relatively easy money with little cost to you. I followed the simple instructions carefully and within 10 days the money started to come in. My first month I made $ 20,560.00 and by the end of third month my total cash count was $ 362,840.00. Life is beautiful, Thanx to internet". Fred Dellaca, Westport, New Zealand ------------------------------------------------------------ ORDER YOUR REPORTS TODAY AND GET STARTED ON YOUR ROAD TO FINANCIAL FREEDOM ! ======================================================= If you have any questions of the legality of this program, contact the Office of Associate Director for Marketing Practices, Federal Trade Commission, Bureau of Consumer Protection, Washington, D.C. Under Bill s.1618 TITLE III passed by the 105th US Congress this letter cannot be considered spam as long as the sender includes contact information and a method of removal. This is one time e-mail transmission. No request for removal is necessary. ------------------------------------------------------------ This message is sent in compliance of the new email Bill HR 1910. Under Bill HR 1910 passed by the 106th US Congress on May 24, 1999, this message cannot be considered Spam as long as we include the way to be removed. Per Section HR 1910, Please type "REMOVE" in the subject line and reply to this email. All removal requests are handled personally an immediately once received. Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id CAA23370 for <ietf-pkix@imc.org>; Wed, 9 May 2001 02:54:45 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id LAA23504; Wed, 9 May 2001 11:54:42 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id LAA18324; Wed, 9 May 2001 11:54:11 +0200 Message-ID: <3AF913D1.AA8FD6AA@bull.net> Date: Wed, 09 May 2001 11:54:25 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Carlin Covey <ccovey@cylink.com> CC: ietf-pkix@imc.org Subject: Re: delta CRLs References: <FLEELNBJKAIIGDJJKPDGIEFHCEAA.ccovey@cylink.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Carlin, I agree. This is the point that Peter Sylvester mentionned. Taking the definition of monotonically increasing, we do not expect CRLs to bear the same number ! On the contrary we expect that using that number we can uniquely identify a CRL. We need to fix of the text, as you point it out again, and change "monotonically increasing" by "strictly increasing". Denis > Russ, > > A week or two ago we arrived at a consensus to remove the requirement > that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the > CA chooses to issue them simultaneously, why would they need to be numbered > the same? If this requirement were lifted, it seems like requiring the CRL > number to be "strictly increasing" in a sequence would be preferable to > "monotonically increasing". "Monotonically increasing" allows the > possibility > that the CRL number never changes, which seems undesirable. I realize > that in either case the CRL number might wrap around at some point in the > future. > That is inevitable, given that that CRL number is defined as INTEGER > (0..MAX). > What else can a CA do when CRL number reaches MAX, stop issuing CRLs? > > "monotonically increasing" - Definition: A function from a partially > order[ed] > domain to a partially ordered range such that x >= y implies f(x) >= f(y). > > - From the NIST web site: http://hissa.nist.gov/dads/HTML/monotoncincr.html > > Regards, > > Carlin > > ____________________________ > > - Carlin Covey > Cylink Corporation > > -----Original Message----- > From: Housley, Russ [mailto:rhousley@rsasecurity.com] > Sent: Monday, May 07, 2001 6:21 AM > To: Santosh Chokhani > Cc: ietf-pkix@imc.org > Subject: RE: delta CRLs > > Santosh: > > X.509 may allow the CRL number to wrap around, but I do not believe that > PKIX does. > > 5.2.3 CRL Number > > The CRL number is a non-critical CRL extension which conveys a > monotonically increasing sequence number for each CRL issued by a CA. > This extension allows users to easily determine when a particular CRL > supersedes another CRL. CAs conforming to this profile MUST include > this extension in all CRLs. > > id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } > > Russ > > At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote: > > >Actually, the text allows for the wrap of the numbers. Please see Annex B > >of X.509. Thus, it is not strictly increasing > > > >-----Original Message----- > >From: Peter Sylvester > >[<mailto:Peter.Sylvester@EdelWeb.fr>mailto:Peter.Sylvester@EdelWeb.fr] > >Sent: Saturday, May 05, 2001 2:08 PM > >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; > >chokhani@cygnacom.com > >Cc: ietf-pkix@imc.org > >Subject: RE: delta CRLs > > > > > Trevor: > > > > > > The 2000 version of X.509 is very clear on this. For a given CRL stream > > > identifier, the CRL number is unique whether it is base or delta. That > is > > > why delta number has to be greater than the base. > > > >" 8.5.2.1 CRL number extension > > > > This CRL extension field conveys a monotonically increasing sequence > > number .." > > > >The text might be clearer IMHO if 'strictly increasing' would be used > >instead. Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id UAA15315 for <ietf-pkix@imc.org>; Tue, 8 May 2001 20:58:50 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GD100101V2IIA@ext-mail.valicert.com> for ietf-pkix@imc.org; Tue, 8 May 2001 20:59:06 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GD10017UV2H71@ext-mail.valicert.com>; Tue, 08 May 2001 20:59:06 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26RP62>; Tue, 08 May 2001 20:57:08 -0700 Content-return: allowed Date: Tue, 08 May 2001 20:57:07 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: delta CRLs To: "'Carlin Covey '" <ccovey@cylink.com>, "'Housley, Russ '" <rhousley@rsasecurity.com>, "'Santosh Chokhani '" <chokhani@cygnacom.com> Cc: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E014C8D0D@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe I always thought MAX for ASN.1 INTEGERs was something I would never need to worry about. Looks like I was wrong :-) By the way, what is MAX? I know that we can represent numbers with over 2048 bits... A -----Original Message----- From: Carlin Covey To: Housley, Russ; Santosh Chokhani Cc: ietf-pkix@imc.org Sent: 5/8/01 5:53 PM Subject: RE: delta CRLs Russ, A week or two ago we arrived at a consensus to remove the requirement that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the CA chooses to issue them simultaneously, why would they need to be numbered the same? If this requirement were lifted, it seems like requiring the CRL number to be "strictly increasing" in a sequence would be preferable to "monotonically increasing". "Monotonically increasing" allows the possibility that the CRL number never changes, which seems undesirable. I realize that in either case the CRL number might wrap around at some point in the future. That is inevitable, given that that CRL number is defined as INTEGER (0..MAX). What else can a CA do when CRL number reaches MAX, stop issuing CRLs? "monotonically increasing" - Definition: A function from a partially order[ed] domain to a partially ordered range such that x >= y implies f(x) >= f(y). - From the NIST web site: http://hissa.nist.gov/dads/HTML/monotoncincr.html Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Monday, May 07, 2001 6:21 AM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh: X.509 may allow the CRL number to wrap around, but I do not believe that PKIX does. 5.2.3 CRL Number The CRL number is a non-critical CRL extension which conveys a monotonically increasing sequence number for each CRL issued by a CA. This extension allows users to easily determine when a particular CRL supersedes another CRL. CAs conforming to this profile MUST include this extension in all CRLs. id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } Russ At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote: >Actually, the text allows for the wrap of the numbers. Please see Annex B >of X.509. Thus, it is not strictly increasing > >-----Original Message----- >From: Peter Sylvester >[<mailto:Peter.Sylvester@EdelWeb.fr>mailto:Peter.Sylvester@EdelWeb.fr] >Sent: Saturday, May 05, 2001 2:08 PM >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; >chokhani@cygnacom.com >Cc: ietf-pkix@imc.org >Subject: RE: delta CRLs > > > Trevor: > > > > The 2000 version of X.509 is very clear on this. For a given CRL stream > > identifier, the CRL number is unique whether it is base or delta. That is > > why delta number has to be greater than the base. > >" 8.5.2.1 CRL number extension > > This CRL extension field conveys a monotonically increasing sequence > number .." > >The text might be clearer IMHO if 'strictly increasing' would be used >instead. Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id RAA09785 for <ietf-pkix@imc.org>; Tue, 8 May 2001 17:52:41 -0700 (PDT) Received: from COVEY (cpe-24-221-22-72.az.sprintbbd.net [24.221.22.72]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id J0AR5V6X; Tue, 8 May 2001 17:47:07 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, "Santosh Chokhani" <chokhani@cygnacom.com> Cc: <ietf-pkix@imc.org> Subject: RE: delta CRLs Date: Tue, 8 May 2001 17:53:31 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGIEFHCEAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <5.0.1.4.2.20010507091957.01c945b8@exna07.securitydynamics.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Russ, A week or two ago we arrived at a consensus to remove the requirement that a CA issue a full CRL whenever the CA issues a Delta-CRL. If the CA chooses to issue them simultaneously, why would they need to be numbered the same? If this requirement were lifted, it seems like requiring the CRL number to be "strictly increasing" in a sequence would be preferable to "monotonically increasing". "Monotonically increasing" allows the possibility that the CRL number never changes, which seems undesirable. I realize that in either case the CRL number might wrap around at some point in the future. That is inevitable, given that that CRL number is defined as INTEGER (0..MAX). What else can a CA do when CRL number reaches MAX, stop issuing CRLs? "monotonically increasing" - Definition: A function from a partially order[ed] domain to a partially ordered range such that x >= y implies f(x) >= f(y). - From the NIST web site: http://hissa.nist.gov/dads/HTML/monotoncincr.html Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Monday, May 07, 2001 6:21 AM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh: X.509 may allow the CRL number to wrap around, but I do not believe that PKIX does. 5.2.3 CRL Number The CRL number is a non-critical CRL extension which conveys a monotonically increasing sequence number for each CRL issued by a CA. This extension allows users to easily determine when a particular CRL supersedes another CRL. CAs conforming to this profile MUST include this extension in all CRLs. id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } Russ At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote: >Actually, the text allows for the wrap of the numbers. Please see Annex B >of X.509. Thus, it is not strictly increasing > >-----Original Message----- >From: Peter Sylvester >[<mailto:Peter.Sylvester@EdelWeb.fr>mailto:Peter.Sylvester@EdelWeb.fr] >Sent: Saturday, May 05, 2001 2:08 PM >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; >chokhani@cygnacom.com >Cc: ietf-pkix@imc.org >Subject: RE: delta CRLs > > > Trevor: > > > > The 2000 version of X.509 is very clear on this. For a given CRL stream > > identifier, the CRL number is unique whether it is base or delta. That is > > why delta number has to be greater than the base. > >" 8.5.2.1 CRL number extension > > This CRL extension field conveys a monotonically increasing sequence > number .." > >The text might be clearer IMHO if 'strictly increasing' would be used >instead. Received: from smtp-2.llnl.gov (smtp-2.llnl.gov [128.115.250.82]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA17544 for <ietf-pkix@imc.org>; Tue, 8 May 2001 11:34:50 -0700 (PDT) Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-2.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id LAA08463; Tue, 8 May 2001 11:34:21 -0700 (PDT) Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id LAA22807; Tue, 8 May 2001 11:34:16 -0700 (PDT) Message-Id: <4.3.2.7.2.20010508113354.00b2cd40@poptop.llnl.gov> X-Sender: e048786@poptop.llnl.gov X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 08 May 2001 11:39:50 -0700 To: Santosh Chokhani <chokhani@cygnacom.com>, Peter Sylvester <Peter.Sylvester@EdelWeb.fr>, trevorf@windows.microsoft.com, rhousley@rsasecurity.com, Santosh Chokhani <chokhani@cygnacom.com> From: Tony Bartoletti <azb@llnl.gov> Subject: RE: delta CRLs Cc: ietf-pkix@imc.org In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE739@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed If wrapping is allowed (reasonable), then the sequence is neither strictly nor monotonically increasing. I have once offered the definition "unitarily increasing" to mean "each new issue increases by one", but that is an invented term, and one still needs to specify either the number of digits or the maximal value if wrapping is an expectation. Technically, "0,1,0,1,..." would qualify in Z2. ___tony___ At 10:11 PM 5/5/01 -0400, Santosh Chokhani wrote: >Actually, the text allows for the wrap of the numbers. Please see Annex B >of X.509. Thus, it is not strictly increasing > >-----Original Message----- >From: Peter Sylvester >[<mailto:Peter.Sylvester@EdelWeb.fr>mailto:Peter.Sylvester@EdelWeb.fr] >Sent: Saturday, May 05, 2001 2:08 PM >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; >chokhani@cygnacom.com >Cc: ietf-pkix@imc.org >Subject: RE: delta CRLs > > > Trevor: > > > > The 2000 version of X.509 is very clear on this. For a given CRL stream > > identifier, the CRL number is unique whether it is base or delta. That is > > why delta number has to be greater than the base. > >" 8.5.2.1 CRL number extension > > This CRL extension field conveys a monotonically increasing sequence > number .." > >The text might be clearer IMHO if 'strictly increasing' would be used >instead. Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900 Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA10234 for <ietf-pkix@imc.org>; Tue, 8 May 2001 08:57:52 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <KRCMM7KH>; Tue, 8 May 2001 11:57:20 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE8CF@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Hal Lockhart <hal.lockhart@entegrity.com>, "'Ambarish Malpani'" <ambarish@valicert.com>, "'Housley, Russ '" <rhousley@rsasecurity.com>, "'Tom Gindin '" <tgindin@us.ibm.com> Cc: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Subject: RE: Certificate Hold (was RE: delta CRLs) Date: Tue, 8 May 2001 11:48:08 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D7D6.47205B90" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D7D6.47205B90 Content-Type: text/plain; charset="iso-8859-1" Some times people put a certificate on hold because some one is out of pocket for a while. In that case, the signatures made during the hold period should be considered invalid. -----Original Message----- From: Hal Lockhart [mailto:hal.lockhart@entegrity.com] Sent: Tuesday, May 08, 2001 11:47 AM To: 'Ambarish Malpani'; 'Housley, Russ '; 'Tom Gindin ' Cc: 'ietf-pkix@imc.org ' Subject: RE: Certificate Hold (was RE: delta CRLs) Ambarish Malpani wrote: > Certificate suspension is a useful mechanism to prevent the usage of > a certificate while you figure out whether it should actually be > revoked or not. Forgive me if this has been discussed in the past, but I am curious. If this is the (only) purpose of hold, doesn't that simplify the NR issue? If the cert can be established to be good at a later time, shouldn't the hold be ignored? If the results of our investigation is that there was actually no problem after all, why should signatures created during that period be invalid? Hal ------_=_NextPart_001_01C0D7D6.47205B90 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: Certificate Hold (was RE: delta CRLs)</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Some times people put a certificate on hold because = some one is out of pocket for a while. In that case, the = signatures made during the hold period should be considered = invalid.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Hal Lockhart [<A = HREF=3D"mailto:hal.lockhart@entegrity.com">mailto:hal.lockhart@entegrity= .com</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Tuesday, May 08, 2001 11:47 AM</FONT> <BR><FONT SIZE=3D2>To: 'Ambarish Malpani'; 'Housley, Russ '; 'Tom = Gindin '</FONT> <BR><FONT SIZE=3D2>Cc: 'ietf-pkix@imc.org '</FONT> <BR><FONT SIZE=3D2>Subject: RE: Certificate Hold (was RE: delta = CRLs)</FONT> </P> <BR> <P><FONT SIZE=3D2> Ambarish Malpani wrote: </FONT> <BR><FONT SIZE=3D2>> Certificate suspension is a useful mechanism to = prevent the usage of</FONT> <BR><FONT SIZE=3D2>> a certificate while you figure out whether it = should actually be</FONT> <BR><FONT SIZE=3D2>> revoked or not. </FONT> </P> <P><FONT SIZE=3D2>Forgive me if this has been discussed in the past, = but I am curious. If this</FONT> <BR><FONT SIZE=3D2>is the (only) purpose of hold, doesn't that simplify = the NR issue? If the</FONT> <BR><FONT SIZE=3D2>cert can be established to be good at a later time, = shouldn't the hold be</FONT> <BR><FONT SIZE=3D2>ignored? If the results of our investigation is that = there was actually no</FONT> <BR><FONT SIZE=3D2>problem after all, why should signatures created = during that period be</FONT> <BR><FONT SIZE=3D2>invalid?</FONT> </P> <P><FONT SIZE=3D2>Hal</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D7D6.47205B90-- Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA09690 for <ietf-pkix@imc.org>; Tue, 8 May 2001 08:56:08 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f48Ftcg17527; Tue, 8 May 2001 08:55:39 -0700 (PDT) From: "Michael Myers" <mike@traceroutesecurity.com> To: "Hal Lockhart" <hal.lockhart@entegrity.com> Cc: <ietf-pkix@imc.org> Subject: RE: Certificate Hold (was RE: delta CRLs) Date: Tue, 8 May 2001 08:55:16 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDEEMACAAA.mike@traceroutesecurity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <899128A30EEDD1118FC900A0C9C74A34BA97A5@bigbird.gradient.com> Importance: Normal Hal, Among the effects of hold is the potential to collaterally suspend a transaction secured by the subject certificate, so it's not just NR. Mike > -----Original Message----- > From: Hal Lockhart [mailto:hal.lockhart@entegrity.com] > Sent: Tuesday, May 08, 2001 8:47 AM > To: 'Ambarish Malpani'; 'Housley, Russ '; 'Tom Gindin ' > Cc: 'ietf-pkix@imc.org ' > Subject: RE: Certificate Hold (was RE: delta CRLs) > > > Ambarish Malpani wrote: > > Certificate suspension is a useful mechanism to prevent the usage of > > a certificate while you figure out whether it should actually be > > revoked or not. > > Forgive me if this has been discussed in the past, but I am > curious. If this > is the (only) purpose of hold, doesn't that simplify the NR issue? If the > cert can be established to be good at a later time, shouldn't the hold be > ignored? If the results of our investigation is that there was actually no > problem after all, why should signatures created during that period be > invalid? > > Hal > Received: from indy.gradient.com (root@indy.gradient.com [192.92.110.1]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA06752 for <ietf-pkix@imc.org>; Tue, 8 May 2001 08:42:42 -0700 (PDT) Received: from bigbird.gradient.com (bigbird.gradient.com [192.92.110.50]) by indy.gradient.com (8.9.1a/8.9.1) with ESMTP id LAA06004; Tue, 8 May 2001 11:42:41 -0400 (EDT) Received: by bigbird.gradient.com with Internet Mail Service (5.5.2650.10) id <2YBR6XB5>; Tue, 8 May 2001 11:47:53 -0400 Message-ID: <899128A30EEDD1118FC900A0C9C74A34BA97A5@bigbird.gradient.com> From: Hal Lockhart <hal.lockhart@entegrity.com> To: "'Ambarish Malpani'" <ambarish@valicert.com>, "'Housley, Russ '" <rhousley@rsasecurity.com>, "'Tom Gindin '" <tgindin@us.ibm.com> Cc: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Subject: RE: Certificate Hold (was RE: delta CRLs) Date: Tue, 8 May 2001 11:47:15 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.10) Content-Type: text/plain; charset="iso-8859-1" Ambarish Malpani wrote: > Certificate suspension is a useful mechanism to prevent the usage of > a certificate while you figure out whether it should actually be > revoked or not. Forgive me if this has been discussed in the past, but I am curious. If this is the (only) purpose of hold, doesn't that simplify the NR issue? If the cert can be established to be good at a later time, shouldn't the hold be ignored? If the results of our investigation is that there was actually no problem after all, why should signatures created during that period be invalid? Hal Received: from exchsvr1.entegrity.com (exchsvr1.entegrity.com [207.215.19.3]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA04260 for <ietf-pkix@imc.org>; Tue, 8 May 2001 08:31:27 -0700 (PDT) Received: from HEMLOCK ([10.10.3.101]) by exchsvr1.entegrity.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id GFR1DCV3; Tue, 8 May 2001 08:32:12 -0700 Message-ID: <009a01c0d7d3$cbf116a0$65030a0a@chromatix.com> Reply-To: "Steve Wang" <steve.wang@entegrity.com> From: "Steve Wang" <steve.wang@entegrity.com> To: "Erica Yang" <Erica.Yang@durham.ac.uk>, <ietf-pkix@imc.org> References: <00ae01c0d7c8$eb222b50$9ac8ea81@dur.ac.uk> Subject: Re: Secret Sharing Scheme and Threshold Cryptography Date: Tue, 8 May 2001 11:30:14 -0400 Organization: Entegrity Solutions MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 There are several applications of Threshold Cryptography, checking the following URLs: http://crypto.stanford.edu/~dabo/abstracts/ittc.html http://www.hrl.il.ibm.com/Proactive/index.html http://www.cs.gmu.edu/~xwang4/acsac00.ps (used to enable secure DNS dynamic update) AT&T also has an implementation but I do not have the URL at hand. Regards, Steve ----- Original Message ----- From: "Erica Yang" <Erica.Yang@durham.ac.uk> To: <ietf-pkix@imc.org> Sent: Tuesday, May 08, 2001 10:12 AM Subject: Secret Sharing Scheme and Threshold Cryptography > hi, all > > I am currently looking for working and practical systems that implement the > secret sharing scheme and/or threshold cryptography. If you have any > information about that, could you please let me know? > > I can see there are lots of theoretical results available, but so far I can > rarely find any practical systems (either from academics or from industry) > that implement them! Why? Am I missing something? > > Are there any survey papers about the state of the practice of threshold > cryptography? > > Any pointers are welcome. I will be grateful for any suggestions from you! > > Thanks for your time and patience. > > Regards, > > Erica Received: from hermes.dur.ac.uk (hermes.dur.ac.uk [129.234.4.9]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA28419 for <ietf-pkix@imc.org>; Tue, 8 May 2001 07:08:51 -0700 (PDT) Received: from mercury.dur.ac.uk (mercury.dur.ac.uk [129.234.4.40]) by hermes.dur.ac.uk (8.11.1/8.11.1) with ESMTP id f48E8pl12872 for <ietf-pkix@imc.org>; Tue, 8 May 2001 15:08:52 +0100 (BST) Received: from cs154 (cs-154.dur.ac.uk [129.234.200.154]) by mercury.dur.ac.uk (8.11.1/8.11.1) with SMTP id f48E8oZ04402 for <ietf-pkix@imc.org>; Tue, 8 May 2001 15:08:51 +0100 (BST) Message-ID: <00ae01c0d7c8$eb222b50$9ac8ea81@dur.ac.uk> Reply-To: "Erica Yang" <Erica.Yang@durham.ac.uk> From: "Erica Yang" <Erica.Yang@durham.ac.uk> To: <ietf-pkix@imc.org> Subject: Secret Sharing Scheme and Threshold Cryptography Date: Tue, 8 May 2001 15:12:29 +0100 Organization: Computer Science, University of Durham MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 hi, all I am currently looking for working and practical systems that implement the secret sharing scheme and/or threshold cryptography. If you have any information about that, could you please let me know? I can see there are lots of theoretical results available, but so far I can rarely find any practical systems (either from academics or from industry) that implement them! Why? Am I missing something? Are there any survey papers about the state of the practice of threshold cryptography? Any pointers are welcome. I will be grateful for any suggestions from you! Thanks for your time and patience. Regards, Erica Received: from VOLTAIRE.stic.net (mail.stic.net [216.198.0.5] (may be forged)) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA25508 for <ietf-pkix@imc.org>; Tue, 8 May 2001 06:51:44 -0700 (PDT) Received: from b6o1x7 ([216.198.62.19]) by VOLTAIRE.stic.net (Post.Office MTA v3.5.3 release 223 ID# 0-70040U18500L11000S0V35) with SMTP id net for <ietf-pkix@imc.org>; Tue, 8 May 2001 08:51:33 -0500 Message-ID: <000d01c0d7c6$b8df1ce0$133ec6d8@b6o1x7> From: "Bob & Pat Smith" <hillcountryrlty@stic.net> To: <ietf-pkix@imc.org> Subject: unsubscribe Date: Tue, 8 May 2001 08:56:46 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_000A_01C0D79C.CF613C20" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.200 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 This is a multi-part message in MIME format. ------=_NextPart_000_000A_01C0D79C.CF613C20 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Please unsubscribe us from this program immediately. Thank you ------=_NextPart_000_000A_01C0D79C.CF613C20 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content=3D"text/html; charset=3Diso-8859-1" = http-equiv=3DContent-Type> <META content=3D"MSHTML 5.00.2614.3500" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D2>Please unsubscribe us from this program = immediately. Thank you</FONT></DIV></BODY></HTML> ------=_NextPart_000_000A_01C0D79C.CF613C20-- Received: from zolera.com (IDENT:root@[63.142.188.177]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA24849 for <ietf-pkix@imc.org>; Tue, 8 May 2001 06:49:31 -0700 (PDT) Received: from zolera.com (os390.zolera.com [10.0.1.9]) by zolera.com (8.11.0/8.11.0) with ESMTP id f48DnTf22372; Tue, 8 May 2001 09:49:29 -0400 Sender: rsalz@zolera.com Message-ID: <3AF7F96B.C1E0A3E5@zolera.com> Date: Tue, 08 May 2001 09:49:31 -0400 From: Rich Salz <rsalz@zolera.com> X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686) X-Accept-Language: en MIME-Version: 1.0 To: "Housley, Russ" <rhousley@rsasecurity.com> CC: ietf-pkix@imc.org Subject: Re: Certificate Hold (was RE: delta CRLs) References: <5.0.1.4.2.20010508084037.01887b78@exna07.securitydynamics.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit > Many OCSP responders get their revocation information bay way of a > CRL, so this would seem to be a good reason to not prohibit the use of the > feature. The problem I've always had with hold is that it introduces state across CRL's. Still and all, I agree deprecation is the way to go. /r$ Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id GAA23034 for <ietf-pkix@imc.org>; Tue, 8 May 2001 06:07:13 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 8 May 2001 13:06:57 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id JAA29144 for <ietf-pkix@imc.org>; Tue, 8 May 2001 09:07:08 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NVNVT>; Tue, 8 May 2001 09:07:08 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.68]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NVNVQ; Tue, 8 May 2001 09:07:05 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Ambarish Malpani <ambarish@valicert.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010508084037.01887b78@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Tue, 08 May 2001 08:42:04 -0400 Subject: RE: Certificate Hold (was RE: delta CRLs) In-Reply-To: <613B3C619C9AD4118C4E00B0D03E7C3E014C8D0B@exchange.valicert .com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Ambarish: Thanks. Many OCSP responders get their revocation information bay way of a CRL, so this would seem to be a good reason to not prohibit the use of the feature. Russ At 09:54 PM 5/7/2001 -0700, Ambarish Malpani wrote: > >Russ, while I don't object to us deprecating the use of certificate >suspension, I don't think we should prohibit its usage. > >Certificate suspension is a useful mechanism to prevent the usage of >a certificate while you figure out whether it should actually be >revoked or not. > >I don't agree with us saying that PKIX supports suspension only via >OCSP - that just sounds wrong to me. > >Regards, >Ambarish > >-----Original Message----- >From: Housley, Russ >To: Tom Gindin >Cc: ietf-pkix@imc.org >Sent: 5/7/01 10:13 AM >Subject: RE: Certificate Hold (was RE: delta CRLs) > >Tom: > >I have not been able to make myself clear. Perhaps because you keep >looking to simple authentication applications. My hope is that the PKIX > >profile will readily meet the needs of these relatively straightforward >applications and also support the more demanding needs of applications >where non-repudiation is needed. > >All: > >My view of the question is that three people have voiced a desire to see > >the suspension feature removed, one is asking questions without voicing >a >position, and no one has asked to keep it. People who have an opinion >but >have not posted it yet please do so. > >Russ Received: from www.aptvs.org ([63.143.30.140]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA19954 for <ietf-pkix@imc.org>; Tue, 8 May 2001 05:29:20 -0700 (PDT) Received: from c4.com ([64.3.195.251]) by www.aptvs.org (Lotus Domino Release 5.0.6a) with SMTP id 2001050806240515:21059 ; Tue, 8 May 2001 06:24:05 -0400 From: <toner18@c4.com> To: ietf-pkix@imc.org Subject: toner supplies Date: Tue, 8 May 2001 06:14:06 Message-Id: <432.94912.240866@c4.com> Mime-Version: 1.0 X-MIMETrack: Itemize by SMTP Server on NotesAPT/American Public Television(Release 5.0.6a |January 17, 2001) at 05/08/2001 06:24:19 AM, Serialize by Router on NotesAPT/American Public Television(Release 5.0.6a |January 17, 2001) at 05/08/2001 08:37:53 AM, Serialize complete at 05/08/2001 08:37:53 AM Content-Type: text/plain; charset="us-ascii" PLEASE FORWARD TO THE PERSON RESPONSIBLE FOR PURCHASING YOUR LASER PRINTER SUPPLIES **** VORTEX SUPPLIES **** -SPECIALS OF THE DAY ON LASER TONER SUPPLIES AT DISCOUNT PRICES-- LASER PRINTER TONER CARTRIDGES COPIER AND FAX CARTRIDGES WE ARE -->THE<-- PLACE TO BUY YOUR TONER CARTRIDGES BECAUSE YOU SAVE UP TO 30% FROM OFFICE DEPOT'S, QUILL'S OR OFFICE MAX'S EVERY DAY LOW PRICES ORDER BY PHONE:1-888-288-9043 ORDER BY FAX: 1-888-977-1577 CUSTOMER SERVICE: 1-888-248-2015 E-MAIL REMOVAL LINE: 1-888-248-4930 UNIVERSITY AND/OR SCHOOL PURCHASE ORDERS WELCOME. (NO CREDIT APPROVAL REQUIRED) ALL OTHER PURCHASE ORDER REQUESTS REQUIRE CREDIT APPROVAL. PAY BY CHECK (C.O.D), CREDIT CARD OR PURCHASE ORDER (NET 30 DAYS). IF YOUR ORDER IS BY CREDIT CARD PLEASE LEAVE YOUR CREDIT CARD # PLUS EXPIRATION DATE. IF YOUR ORDER IS BY PURCHASE ORDER LEAVE YOUR SHIPPING/BILLING ADDRESSES AND YOUR P.O. NUMBER C.O.D. ORDERS ADD $4.5 TO SHIPPING CHARGES. FOR THOSE OF YOU WHO REQUIRE MORE INFORMATION ABOUT OUR COMPANY INCUDING FEDERAL TAX ID NUMBER, CLOSEST SHIPPING OR CORPORATE ADDRESS IN THE CONTINENTAL U.S. OR FOR CATALOG REQUESTS PLEASE CALL OUR CUSTOMER SERVICE LINE 1-888-248-2015 OUR NEW , LASER PRINTER TONER CARTRIDGE, PRICES ARE AS FOLLOWS: (PLEASE ORDER BY PAGE NUMBER AND/OR ITEM NUMBER) HEWLETT PACKARD: (ON PAGE 2) ITEM #1 LASERJET SERIES 4L,4P (74A)------------------------$44 ITEM #2 LASERJET SERIES 1100 (92A)-------------------------$44 ITEM #3 LASERJET SERIES 2 (95A)-------------------------------$39 ITEM #4 LASERJET SERIES 2P (75A)-----------------------------$54 ITEM #5 LASERJET SERIES 5P,6P,5MP, 6MP (3903A)--$44 ITEM #6 LASERJET SERIES 5SI, 8000 (09A)------------------$95 ITEM #7 LASERJET SERIES 2100 (96A)-------------------------$74 ITEM #8 LASERJET SERIES 8100 (82X)-----------------------$145 ITEM #9 LASERJET SERIES 5L/6L (3906A)------------------$35 ITEM #10 LASERJET SERIES 4V-------------------------------------$95 ITEM #11 LASERJET SERIES 4000 (27X)-------------------------$72 ITEM #12 LASERJET SERIES 3SI/4SI (91A)--------------------$54 ITEM #13 LASERJET SERIES 4, 4M, 5,5M-----------------------$49 ITEM #13A LASERJET SERIES 5000 (29X)---------------------$95 HEWLETT PACKARD FAX (ON PAGE 2) ITEM #14 LASERFAX 500, 700 (FX1)----------$49 ITEM #15 LASERFAX 5000,7000 (FX2)------$54 ITEM #16 LASERFAX (FX3)------------------------$59 ITEM #17 LASERFAX (FX4)------------------------$54 LEXMARK/IBM (ON PAGE 3) OPTRA 4019, 4029 HIGH YIELD---------------$89 OPTRA R, 4039, 4049 HIGH YIELD---------$105 OPTRA E----------------------------------------------------$59 OPTRA N--------------------------------------------------$115 OPTRA S--------------------------------------------------$165 EPSON (ON PAGE 4) ACTION LASER 7000,7500,8000,9000-------$105 ACTION LASER 1000,1500-------------------------$105 CANON PRINTERS (ON PAGE 5) PLEASE CALL FOR MODELS AND UPDATED PRICES FOR CANON PRINTER CARTRIDGES PANASONIC (0N PAGE 7) NEC SERIES 2 MODELS 90 AND 95----------$105 APPLE (0N PAGE 8) LASER WRITER PRO 600 or 16/600------------$49 LASER WRITER SELECT 300,320,360---------$74 LASER WRITER 300 AND 320----------------------$54 LASER WRITER NT, 2NT------------------------------$54 LASER WRITER 12/640--------------------------------$79 CANON FAX (ON PAGE 9) LASERCLASS 4000 (FX3)---------------------------$59 LASERCLASS 5000,6000,7000 (FX2)---------$54 LASERFAX 5000,7000 (FX2)----------------------$54 LASERFAX 8500,9000 (FX4)----------------------$54 CANON COPIERS (PAGE 10) PC 3, 6RE, 7 AND 11 (A30)---------------------$69 PC 300,320,700,720 and 760 (E-40)--------$89 IF YOUR CARTRIDGE IS NOT LISTED CALL CUSTOMER SERVICE AT 1-888-248-2015 90 DAY UNLIMITED WARRANTY INCLUDED ON ALL PRODUCTS. ALL TRADEMARKS AND BRAND NAMES LISTED ABOVE ARE PROPERTY OF THE RESPECTIVE HOLDERS AND USED FOR DESCRIPTIVE PURPOSES ONLY. Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id FAA18947 for <ietf-pkix@imc.org>; Tue, 8 May 2001 05:20:00 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 8 May 2001 12:19:44 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id IAA25981 for <ietf-pkix@imc.org>; Tue, 8 May 2001 08:19:57 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NVNCY>; Tue, 8 May 2001 08:19:56 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.42]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NVNCS; Tue, 8 May 2001 08:19:52 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: "David A. Cooper" <david.cooper@nist.gov> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010507193552.017f6e80@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 07 May 2001 19:41:32 -0400 Subject: RE: delta CRLs In-Reply-To: <4.2.2.20010507141844.00b1a1e0@email.nist.gov> References: <5.0.1.4.2.20010507133950.0186fec0@exna07.securitydynamics. com> <8D7EC1912E25D411A32100D0B76953978DE85D@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed David: >>I have read section 9 of X.509-2000 (4th Edition v7) three times >>today. I cannot find the requirement there. Where is it hidden? > >There used to be a requirement in X.509 that whenever a full CRL is issued >a delta-CRL must also be issued (if delta-CRLs are being used) and that >the full and the delta must have the same CRL number. I don't know why >that text was removed. However, there is the requirement that the CRL >numbers for a sequence of CRLs issued for a given scope must increase >monotonically. The fact that some of the CRLs in the sequence contain the >deltaCRLIndicator extension and some do not is irrelevant (just as the >presence or absence of the orderedList extension or the >authorityKeyIdentifier extension has no affect on the CRL number). Two independent sequence number streams can meet the remaining requirements. Sounds like the revisions have removed the only sentence that was crystal clear on this point. >There is also the following text in X.509 (2000): > > A CRL that is complete for a given scope, at the current time, > can be constructed > locally in either of the following ways: > > by retrieving the current dCRL for that scope, and > combining it with an issued > CRL that is complete for that scope and that has a > cRLNumber greater than or > equal to the cRLNumber of the base CRL referenced in the > dCRL; or > > by retrieving the current dCRL for that scope and > combining it with a locally > constructed CRL that is complete for that scope and that > was constructed with > a dCRL that has a cRLNumber greater than or equal to the > cRLNumber of the > base CRLreferenced in the current dCRL. > > >If full CRLs and delta-CRLs were independently numbered, then one could >not apply delta-CRLs to locally constructed delta-CRLs as described above. I agree that it could not be done in all cases. Perhaps this is where Denis gets the idea that there are circumstances where the full CRL must be fetched periodically. >To demonstrate the problem, I will the example that you provided (see >below). In this example, 144 hours (48 x 3) after delta-CRL number 49 was >issued, delta-CRL number 193 will be issued. Delta-CRL number 193 will >have a BaseCRLNumber of 49. The intention of this would be to specify that >delta-CRL number 193 may be combined with full CRL number 49 (which was >issued 143 hours after delta-CRL number 49 was issued). > >Suppose, however, that a relying party constructed a CRL locally using >full CRL number 1 and delta-CRL number 49. According to the above text >from X.509, that relying party could combine delta-CRL number 193 with the >CRL locally generated using delta-CRL number 49. The results of combining >delta-CRL number 193 with the locally generated CRL would clearly be >incorrect. Worse, it would not be obvious to the relying party that the >CRL numbers in the delta-CRLs were incorrect and so it would be very >difficult for the relying party to determine that the constructed CRL was >incorrect. > >The only way that one can safely combine a delta-CRL with a locally >generated CRL as specified above is if full CRLs and delta-CRLs are >numbered consistently. So, while one may argue that the requirement has >not been stated with sufficient clarity, it is there. As I have said, I am quite comfortable with imposing a single sequence number stream as a PKIX profile requirement. And, so far, I have not heard anyone argue that we should not have a single sequence number stream. Russ Received: from femail15.sdc1.sfba.home.com (femail15.sdc1.sfba.home.com [24.0.95.142]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA14919 for <ietf-pkix@imc.org>; Tue, 8 May 2001 04:44:37 -0700 (PDT) Received: from cc787228a ([24.180.131.6]) by femail15.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id <20010508114432.ISQC20722.femail15.sdc1.sfba.home.com@cc787228a>; Tue, 8 May 2001 04:44:32 -0700 Message-ID: <002401c0d7b4$a5af7b40$6401a8c0@hwrd1.md.home.com> From: "Al Arsenault" <awa1@home.com> To: "Carlin Covey" <ccovey@cylink.com>, <ietf-pkix@imc.org> References: <FLEELNBJKAIIGDJJKPDGOEENCEAA.ccovey@cylink.com> Subject: Re: Certificate Hold (was RE: delta CRLs) Date: Tue, 8 May 2001 07:47:23 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 I cast a vote identical to Carlin's. Al Arsenault Chief Security Architect Diversinet Corp. ----- Original Message ----- From: "Carlin Covey" <ccovey@cylink.com> To: <ietf-pkix@imc.org> Sent: Monday, May 07, 2001 7:14 PM Subject: RE: Certificate Hold (was RE: delta CRLs) > I cast a vote for altering the wording of the PKIX profile > to deprecate the use of certificate suspension via CRLs. > > - Carlin Covey > Cylink Corporation > > -----Original Message----- > From: Michael Myers [mailto:mike@traceroutesecurity.com] > Sent: Monday, May 07, 2001 3:42 PM > To: ietf-pkix@imc.org > Subject: RE: Certificate Hold (was RE: delta CRLs) > > > > From: Housley, Russ [mailto:rhousley@rsasecurity.com] > > On Monday, May 07, 2001 10:14 AM, Russ asked: > > > > . . . > > > > All: > > > > My view of the question is that three people have voiced a desire to see > > the suspension feature removed, one is asking questions without voicing a > > position, and no one has asked to keep it. People who have an > > opinion but have not posted it yet please do so. > > > Towards consensus, I agree to the removal of the CRL-based suspension > feature. Suspension requirements are still important but PKIX has devised a > means via OCSP of more effectively addressing this need. > > Mike > Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id VAA26512 for <ietf-pkix@imc.org>; Mon, 7 May 2001 21:56:34 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GD000I0132QW5@ext-mail.valicert.com> for ietf-pkix@imc.org; Mon, 7 May 2001 21:56:50 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GD000I5O32QS8@ext-mail.valicert.com>; Mon, 07 May 2001 21:56:50 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26RL4L>; Mon, 07 May 2001 21:54:55 -0700 Content-return: allowed Date: Mon, 07 May 2001 21:54:54 -0700 From: Ambarish Malpani <ambarish@valicert.com> Subject: RE: Certificate Hold (was RE: delta CRLs) To: "'Housley, Russ '" <rhousley@rsasecurity.com>, "'Tom Gindin '" <tgindin@us.ibm.com> Cc: "'ietf-pkix@imc.org '" <ietf-pkix@imc.org> Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E014C8D0B@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe Russ, while I don't object to us deprecating the use of certificate suspension, I don't think we should prohibit its usage. Certificate suspension is a useful mechanism to prevent the usage of a certificate while you figure out whether it should actually be revoked or not. I don't agree with us saying that PKIX supports suspension only via OCSP - that just sounds wrong to me. Regards, Ambarish -----Original Message----- From: Housley, Russ To: Tom Gindin Cc: ietf-pkix@imc.org Sent: 5/7/01 10:13 AM Subject: RE: Certificate Hold (was RE: delta CRLs) Tom: I have not been able to make myself clear. Perhaps because you keep looking to simple authentication applications. My hope is that the PKIX profile will readily meet the needs of these relatively straightforward applications and also support the more demanding needs of applications where non-repudiation is needed. All: My view of the question is that three people have voiced a desire to see the suspension feature removed, one is asking questions without voicing a position, and no one has asked to keep it. People who have an opinion but have not posted it yet please do so. Russ Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA19085 for <ietf-pkix@imc.org>; Mon, 7 May 2001 18:02:36 -0700 (PDT) Received: from [128.33.238.50] (TC050.BBN.COM [128.33.238.50]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id VAA11413; Mon, 7 May 2001 21:02:36 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010402b710c404b898@[128.33.238.42]> In-Reply-To: <2B55DABB95C4D4119C1300508BD953F11442D5@BLUE01> References: <2B55DABB95C4D4119C1300508BD953F11442D5@BLUE01> Date: Sat, 28 Apr 2001 15:03:04 -0400 To: Dave Oshman <Dave.Oshman@identrus.com> From: Stephen Kent <kent@bbn.com> Subject: RE: keyCertSign and cRLSign Key Usage Bits Cc: ietf-pkix@imc.org Content-Type: multipart/alternative; boundary="============_-1222838761==_ma============" --============_-1222838761==_ma============ Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 8:46 PM -0400 4/25/01, Dave Oshman wrote: >Steve-- >2459 does not seem to disallow this now. It is simply not clear on >it. I agree that the standard needs to be unambiguous. We need to >clearly define what CA=true means. If it means the PK in this cert >is used to verify signatures on certificates, then this means that >the CA flag should not be set for a CRL Signing certificate. >Regards, >Dave Dave, Neither X.509 not 2459 name any entity other than a CA than can sign CRLs and both refer to CAs or to "authorities" extensively in their discussion of CRLs and mandated requirements re CRL issuance. So, while I agree that there is some syntactic ambiguity here, there has not been semantic ambiguity. Steve --============_-1222838761==_ma============ Content-Type: text/html; charset="us-ascii" <!doctype html public "-//W3C//DTD W3 HTML//EN"> <html><head><style type="text/css"><!-- blockquote, dl, ul, ol, li { margin-top: 0 ; margin-bottom: 0 } --></style><title>RE: keyCertSign and cRLSign Key Usage Bits</title></head><body> <div>At 8:46 PM -0400 4/25/01, Dave Oshman wrote:</div> <blockquote type="cite" cite><font face="Arial" size="-1" color="#0000FF">Steve--</font></blockquote> <blockquote type="cite" cite><font face="Arial" size="-1" color="#0000FF">2459 does not seem to disallow this now. It is simply not clear on it. I agree that the standard needs to be unambiguous. We need to clearly define what CA=true means. If it means the PK in this cert is used to verify signatures on certificates, then this means that the CA flag should not be set for a CRL Signing certificate.</font></blockquote> <blockquote type="cite" cite><font face="Arial" size="-1" color="#0000FF">Regards,</font></blockquote> <blockquote type="cite" cite><font face="Arial" size="-1" color="#0000FF">Dave</font></blockquote> <div><br></div> <div>Dave,</div> <div><br></div> <div>Neither X.509 not 2459 name any entity other than a CA than can sign CRLs and both refer to CAs or to "authorities" extensively in their discussion of CRLs and mandated requirements re CRL issuance. So, while I agree that there is some syntactic ambiguity here, there has not been semantic ambiguity.</div> <div><br></div> <div>Steve</div> </body> </html> --============_-1222838761==_ma============-- Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA19069 for <ietf-pkix@imc.org>; Mon, 7 May 2001 18:02:33 -0700 (PDT) Received: from [128.33.238.50] (TC050.BBN.COM [128.33.238.50]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id VAA11408; Mon, 7 May 2001 21:02:33 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010401b710bf7aa776@[128.33.238.42]> In-Reply-To: <4.2.2.20010425132032.00af9740@email.nist.gov> References: <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010418133051.00addb60@email.nist.gov> <3ADC45A6.71B550EA@baltimore.ie> <000801c0c6a7$60e9d870$0e00a8c0@soaringhawk.net> <5.0.1.4.2.20010418110046.01b54cb0@exna07.securitydynamics.com> <3ADDB13C.D85E216A@baltimore.ie> <3ADDC6B4.13B96602@missi.ncsc.mil> <4.2.2.20010418133051.00addb60@email.nist.gov> <4.2.2.20010419092845.00ae0920@email.nist.gov> <4.2.2.20010425132032.00af9740@email.nist.gov> Date: Sat, 28 Apr 2001 17:31:08 -0400 To: "David A. Cooper" <david.cooper@nist.gov> From: Stephen Kent <kent@bbn.com> Subject: Re: cA flag and CRL issuers (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments) Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" David, >Steve, > >If we are going to change PKIX to require the cA bit in >basicConstraints to be set even when the subject public key can only >be used to verify signatures on CRLs, then we need to be sure that >the text clearly explains to readers when the cA bit should or >should not be set. Currently new-part1-06 states that "[t]he cA bit >indicates if the certified public key may be used to verify >signatures on other certificates." The clearly is not accurate, >since if the cA bit is set one still does not know whether the >subject public key may be used to verify signatures on certificates. >One must look at the keyUsage extension to make that determination. > >I think it would be helpful to the discussion that we are having if >you would clearly state your interpretation of the meaning of the cA >bit in basicConstraints. First, it's not an issue of "my interpretation." As I noted earlier, prior to v3 certs and v2 CRLs, there was no way that anyone could interpret the text to suggest that a non-CA entity could issue a CRL. V3 certs and v2 CRLs might admit this possibility, syntactically, but no text in X.509 nor 2459 identifies a new entity type that could issue CRLs, and thus the syntactic ambiguity is not supported by the semantics expressed by the rest of the text that describes PKI components and responsibilities. So, the status quo is that only CAs sign CRLs. The suggestion is to change this. I am comfortable if we do that, but only if we go back and introduce a new entity that can sign a CRL and not be a CA. So, my "interpretation" of the CA bit is simple; it identifies a cert as belonging to a CA and used to validate certs or CRLs. This is consistent with the notion that the bit needs to be set whenever the processing of the object using the public key from the cert is constrained by the presence or absence of that bit. > From what I have read so far, it appears that you believe that the >cA bit should be used to indicate if the subject of the certificate >is a CA. But, if this is the case, then new-part1-06 still does not >accurately reflect your notion of the cA bit. Currently the text >states that the cA bit may only be set if the keyCertSign bit or the >cRLSign bit in keyUsage is set. However, a CA does more than just >issue certificates and CRLs. A CA may have a private key dedicated >to signing PKI transaction messages (e.g., certification response, >revocation response, proof-of-possession challenge). If a >certificate were issued to a CA with its PKI transaction message >verification key as the subject public key, neither the keyCertSign >nor the cRLSign bit in KeyUsage would be set, but the subject of the >certificate would still be a CA. This is an example where the processing of the signature on the signed object is not constrained by the presence or absence of the CA bit. I think the text you cite about setting the CA bit ONLY when other bits are set should be reviewed; it may be fine as is, but we need to decide whether we backed into this characterization or whether we mean exactly what it says. >So, should the cA bit be used to indicate if the certificate subject >is a CA or to indicate that the subject public key may be used to >verify signatures on certificates and/or CRLs? If the latter, then >not all certificates issued to CAs will have the cA bit set. A fair question. My answer above would say that not all certs employed by a CA would have to have the bit set, e.g., because some objects signed using a key associated with a CA are employed in protocols that do not mandate checking the CA flag. Steve Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA13144 for <ietf-pkix@imc.org>; Mon, 7 May 2001 16:13:48 -0700 (PDT) Received: from COVEY (cpe-24-221-22-72.az.sprintbbd.net [24.221.22.72]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id J0AR5QM7; Mon, 7 May 2001 16:08:17 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: <ietf-pkix@imc.org> Subject: RE: Certificate Hold (was RE: delta CRLs) Date: Mon, 7 May 2001 16:14:29 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGOEENCEAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <EOEGJNFMMIBDKGFONJJDOELDCAAA.mike@traceroutesecurity.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 I cast a vote for altering the wording of the PKIX profile to deprecate the use of certificate suspension via CRLs. - Carlin Covey Cylink Corporation -----Original Message----- From: Michael Myers [mailto:mike@traceroutesecurity.com] Sent: Monday, May 07, 2001 3:42 PM To: ietf-pkix@imc.org Subject: RE: Certificate Hold (was RE: delta CRLs) > From: Housley, Russ [mailto:rhousley@rsasecurity.com] > On Monday, May 07, 2001 10:14 AM, Russ asked: > > . . . > > All: > > My view of the question is that three people have voiced a desire to see > the suspension feature removed, one is asking questions without voicing a > position, and no one has asked to keep it. People who have an > opinion but have not posted it yet please do so. Towards consensus, I agree to the removal of the CRL-based suspension feature. Suspension requirements are still important but PKIX has devised a means via OCSP of more effectively addressing this need. Mike Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA11281 for <ietf-pkix@imc.org>; Mon, 7 May 2001 15:49:54 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K3SGK5J6>; Mon, 7 May 2001 18:49:26 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE899@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Trevor Freeman <trevorf@windows.microsoft.com>, "David A. Cooper" <david.cooper@nist.gov>, ietf-pkix@imc.org Subject: RE: delta CRLs Date: Mon, 7 May 2001 18:40:16 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D746.B0136EC0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D746.B0136EC0 Content-Type: text/plain; charset="iso-8859-1" Trevor: A CA does not use a CRL. CRL is used by relying party. A CA can publish the base based on its policy, e.g., nextUpdate. All we are saying is that when the delta that says removeFrom CRL is issued, any base issued at that time or after that time need not have the certificateHold entry. -----Original Message----- From: Trevor Freeman [mailto:trevorf@windows.microsoft.com] Sent: Monday, May 07, 2001 2:45 PM To: David A. Cooper; ietf-pkix@imc.org Subject: RE: delta CRLs I Guess I need to clarify my question a little. I accept that the standard is clear that the remove from CRL must apply as long as the referenced base had the revocation entry. What is not clear is when can a CA switch the base no it uses with the delta CRL safely. Now you could leave that to local policy - which is to say we give no guidance, or we can clarify a rule at which time a CA must discontinue use of a base CRL. -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Monday, May 07, 2001 10:57 AM To: ietf-pkix@imc.org Subject: RE: delta CRLs At 04:00 PM 5/4/01 -0700, Trevor Freeman wrote: >To clarify point three, the delta CRL must include "remove from" entries >until the nextupdate time in the referenced base. A CA does not know if >clients have picked up the base or knot, and to assume they have would >introduce an error. Trevor, new-part1-06 is very clear on when removeFromCRL must appear on a delta-CRL. A delta-CRL must state "removeFromCRL" for a certificate as long as the base CRL referenced by the delta was issued before the hold was removed. The nextUpdate time in the referenced base is irrelevant. The reason is that there is no requirement that a delta-CRL be applied to the most recently issued base CRL. Any full CRL whose cRLNumber is greater than or equal to the BaseCRLNumber specified in the delta-CRL can be used. The relevant text from new-part1-06 is as follows: If a CA supports the certificateHold revocation reason the following rules must be applied when generating delta CRLs: (a) If a certificate was listed as revoked with revocation reason certificateHold on a CRL (either a delta CRL or a CRL that is complete for a given scope), whose cRLNumber is n, and the hold is subsequently released, the certificate must be included in all delta CRLs issued after the hold is released where the cRLNumber of the referenced base CRL is less than or equal to n. The certificate must be listed with revocation reason removeFromCRL unless the certificate is subsequently revoked again for one of the revocation reasons covered by the delta CRL, in which case the certificate must be listed with the revocation reason appropriate for the subsequent revocation. (b) If the certificate was not removed from hold, but was permanently revoked, then it must be listed on all subsequent delta CRLs where the cRLNumber of the referenced base CRL is less than the cRLNumber of the CRL (either a delta CRL or a CRL that is complete for the given scope) on which the permanent revocation notice first appeared. ------_=_NextPart_001_01C0D746.B0136EC0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Trevor:</FONT> </P> <P><FONT SIZE=3D2>A CA does not use a CRL. CRL is used by relying = party. A CA can publish the base based on its policy, e.g., = nextUpdate.</FONT></P> <P><FONT SIZE=3D2>All we are saying is that when the delta that says = removeFrom CRL is issued, any base issued at that time or after that = time need not have the certificateHold entry.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Trevor Freeman [<A = HREF=3D"mailto:trevorf@windows.microsoft.com">mailto:trevorf@windows.mic= rosoft.com</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Monday, May 07, 2001 2:45 PM</FONT> <BR><FONT SIZE=3D2>To: David A. Cooper; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>I Guess I need to clarify my question a = little.</FONT> <BR><FONT SIZE=3D2>I accept that the standard is clear that the remove = from CRL must apply</FONT> <BR><FONT SIZE=3D2>as long as the referenced base had the revocation = entry. What is not</FONT> <BR><FONT SIZE=3D2>clear is when can a CA switch the base no it uses = with the delta CRL</FONT> <BR><FONT SIZE=3D2>safely. Now you could leave that to local policy - = which is to say we</FONT> <BR><FONT SIZE=3D2>give no guidance, or we can clarify a rule at which = time a CA must</FONT> <BR><FONT SIZE=3D2>discontinue use of a base CRL. </FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: David A. Cooper [<A = HREF=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>] = </FONT> <BR><FONT SIZE=3D2>Sent: Monday, May 07, 2001 10:57 AM</FONT> <BR><FONT SIZE=3D2>To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs</FONT> </P> <P><FONT SIZE=3D2>At 04:00 PM 5/4/01 -0700, Trevor Freeman = wrote:</FONT> <BR><FONT SIZE=3D2>>To clarify point three, the delta CRL must = include "remove from"</FONT> <BR><FONT SIZE=3D2>entries</FONT> <BR><FONT SIZE=3D2>>until the nextupdate time in the referenced = base. A CA does not know if</FONT> <BR><FONT SIZE=3D2>>clients have picked up the base or knot, and to = assume they have would</FONT> <BR><FONT SIZE=3D2>>introduce an error.</FONT> </P> <P><FONT SIZE=3D2>Trevor,</FONT> </P> <P><FONT SIZE=3D2>new-part1-06 is very clear on when removeFromCRL must = appear on a</FONT> <BR><FONT SIZE=3D2>delta-CRL. A delta-CRL must state = "removeFromCRL" for a certificate as</FONT> <BR><FONT SIZE=3D2>long as the base CRL referenced by the delta was = issued before the hold</FONT> <BR><FONT SIZE=3D2>was removed. The nextUpdate time in the referenced = base is irrelevant.</FONT> <BR><FONT SIZE=3D2>The reason is that there is no requirement that a = delta-CRL be applied</FONT> <BR><FONT SIZE=3D2>to the most recently issued base CRL. Any full CRL = whose cRLNumber is</FONT> <BR><FONT SIZE=3D2>greater than or equal to the BaseCRLNumber specified = in the delta-CRL</FONT> <BR><FONT SIZE=3D2>can be used. The relevant text from new-part1-06 is = as follows:</FONT> </P> <P><FONT SIZE=3D2> If a CA supports the certificateHold = revocation reason the following</FONT> <BR><FONT SIZE=3D2>rules must be applied when generating delta = CRLs:</FONT> </P> <P><FONT SIZE=3D2> (a) = If a certificate was listed as revoked with revocation</FONT> <BR><FONT SIZE=3D2>reason</FONT> <BR><FONT SIZE=3D2> = certificateHold on a CRL (either a delta CRL or a CRL that is</FONT> <BR><FONT SIZE=3D2> = complete for a given scope), whose cRLNumber is n, and the hold</FONT> <BR><FONT SIZE=3D2>is</FONT> <BR><FONT SIZE=3D2> = subsequently released, the certificate must be included in all</FONT> <BR><FONT SIZE=3D2> = delta CRLs issued after the hold is released where the</FONT> <BR><FONT SIZE=3D2>cRLNumber</FONT> <BR><FONT SIZE=3D2> of = the referenced base CRL is less than or equal to n. The</FONT> <BR><FONT SIZE=3D2> = certificate must be listed with revocation reason removeFromCRL</FONT> <BR><FONT SIZE=3D2> = unless the certificate is subsequently revoked again for one of</FONT> <BR><FONT SIZE=3D2> the = revocation reasons covered by the delta CRL, in which case</FONT> <BR><FONT SIZE=3D2>the</FONT> <BR><FONT SIZE=3D2> = certificate must be listed with the revocation reason</FONT> <BR><FONT SIZE=3D2>appropriate</FONT> <BR><FONT SIZE=3D2> for = the subsequent revocation.</FONT> </P> <P><FONT SIZE=3D2> (b) = If the certificate was not removed from hold, but was</FONT> <BR><FONT SIZE=3D2> = permanently revoked, then it must be listed on all subsequent</FONT> <BR><FONT SIZE=3D2> = delta CRLs where the cRLNumber of the referenced base CRL is</FONT> <BR><FONT SIZE=3D2>less</FONT> <BR><FONT SIZE=3D2> = than the cRLNumber of the CRL (either a delta CRL or a CRL that</FONT> <BR><FONT SIZE=3D2>is</FONT> <BR><FONT SIZE=3D2> = complete for the given scope) on which the permanent revocation</FONT> <BR><FONT SIZE=3D2> = notice first appeared.</FONT> </P> <BR> </BODY> </HTML> ------_=_NextPart_001_01C0D746.B0136EC0-- Received: from geos.coastside.net (geos.coastside.net [207.213.212.4]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA10650 for <ietf-pkix@imc.org>; Mon, 7 May 2001 15:42:09 -0700 (PDT) Received: from HEATHERDALE (dsl-63-194-153-52.coastside.net [63.194.153.52]) by geos.coastside.net (8.11.0/8.11.1) with SMTP id f47MgBg11372 for <ietf-pkix@imc.org>; Mon, 7 May 2001 15:42:11 -0700 (PDT) From: "Michael Myers" <mike@traceroutesecurity.com> To: <ietf-pkix@imc.org> Subject: RE: Certificate Hold (was RE: delta CRLs) Date: Mon, 7 May 2001 15:41:49 -0700 Message-ID: <EOEGJNFMMIBDKGFONJJDOELDCAAA.mike@traceroutesecurity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-reply-to: <5.0.1.4.2.20010507130843.01d39c78@exna07.securitydynamics.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 > From: Housley, Russ [mailto:rhousley@rsasecurity.com] > On Monday, May 07, 2001 10:14 AM, Russ asked: > > . . . > > All: > > My view of the question is that three people have voiced a desire to see > the suspension feature removed, one is asking questions without voicing a > position, and no one has asked to keep it. People who have an > opinion but have not posted it yet please do so. Towards consensus, I agree to the removal of the CRL-based suspension feature. Suspension requirements are still important but PKIX has devised a means via OCSP of more effectively addressing this need. Mike Received: from mail2.microsoft.com (mail2.microsoft.com [131.107.3.124]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA01970 for <ietf-pkix@imc.org>; Mon, 7 May 2001 13:48:06 -0700 (PDT) Received: from 157.54.9.108 by mail2.microsoft.com (InterScan E-Mail VirusWall NT); Mon, 07 May 2001 11:45:49 -0700 (Pacific Daylight Time) Received: from red-imc-01.redmond.corp.microsoft.com ([157.54.9.102]) by inet-imc-05.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Mon, 7 May 2001 11:45:27 -0700 Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.82]) by red-imc-01.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Mon, 7 May 2001 11:45:26 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Mon, 7 May 2001 11:45:07 -0700 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: delta CRLs X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 Date: Mon, 7 May 2001 11:45:06 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD68952B@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: delta CRLs Thread-Index: AcDXH4olws4kV18bThyw356uNfSk0gABZ62A From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "David A. Cooper" <david.cooper@nist.gov>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 07 May 2001 18:45:07.0523 (UTC) FILETIME=[D648C930:01C0D725] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id NAA01971 I Guess I need to clarify my question a little. I accept that the standard is clear that the remove from CRL must apply as long as the referenced base had the revocation entry. What is not clear is when can a CA switch the base no it uses with the delta CRL safely. Now you could leave that to local policy - which is to say we give no guidance, or we can clarify a rule at which time a CA must discontinue use of a base CRL. -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Monday, May 07, 2001 10:57 AM To: ietf-pkix@imc.org Subject: RE: delta CRLs At 04:00 PM 5/4/01 -0700, Trevor Freeman wrote: >To clarify point three, the delta CRL must include "remove from" entries >until the nextupdate time in the referenced base. A CA does not know if >clients have picked up the base or knot, and to assume they have would >introduce an error. Trevor, new-part1-06 is very clear on when removeFromCRL must appear on a delta-CRL. A delta-CRL must state "removeFromCRL" for a certificate as long as the base CRL referenced by the delta was issued before the hold was removed. The nextUpdate time in the referenced base is irrelevant. The reason is that there is no requirement that a delta-CRL be applied to the most recently issued base CRL. Any full CRL whose cRLNumber is greater than or equal to the BaseCRLNumber specified in the delta-CRL can be used. The relevant text from new-part1-06 is as follows: If a CA supports the certificateHold revocation reason the following rules must be applied when generating delta CRLs: (a) If a certificate was listed as revoked with revocation reason certificateHold on a CRL (either a delta CRL or a CRL that is complete for a given scope), whose cRLNumber is n, and the hold is subsequently released, the certificate must be included in all delta CRLs issued after the hold is released where the cRLNumber of the referenced base CRL is less than or equal to n. The certificate must be listed with revocation reason removeFromCRL unless the certificate is subsequently revoked again for one of the revocation reasons covered by the delta CRL, in which case the certificate must be listed with the revocation reason appropriate for the subsequent revocation. (b) If the certificate was not removed from hold, but was permanently revoked, then it must be listed on all subsequent delta CRLs where the cRLNumber of the referenced base CRL is less than the cRLNumber of the CRL (either a delta CRL or a CRL that is complete for the given scope) on which the permanent revocation notice first appeared. Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA27162 for <ietf-pkix@imc.org>; Mon, 7 May 2001 12:43:54 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id PAA29959 for <ietf-pkix@imc.org>; Mon, 7 May 2001 15:43:55 -0400 (EDT) Message-Id: <4.2.2.20010507152506.00b13cf0@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Mon, 07 May 2001 15:43:27 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: RE: delta CRLs In-Reply-To: <4AEE3169443CDD4796CA8A00B02191CD68952B@win-msg-01.wingroup .windeploy.ntdev.microsoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Trevor, PKIX states that the CRL referenced as the base CRL must have been issued as a full CRL. One could always use the most recently issued full CRL as the base CRL, but this is not required. In my paper on delta-CRLs (http://csrc.nist.gov/pki/documents/sliding_window.pdf), I argue that a scheme that does not use the most recently issued full CRL as the base is more efficient. So, a CRL issuer can safely switch the base that it uses whenever it issues a full CRL. However, to be efficient, one should take into account the usage patterns of the relying parties to determine which base should be used for a delta. Since such usage patterns are a local matter, we should leave it to local policy to determine the relationship between full CRLs and delta-CRLs. Tim Polk has suggested writing a short informational RFC about delta-CRLs. This document could include some sample delta-CRL issuing scenarios that would help to clarify the connections between base CRLs and delta-CRLs. Dave At 11:45 AM 5/7/01 -0700, Trevor Freeman wrote: >I Guess I need to clarify my question a little. >I accept that the standard is clear that the remove from CRL must apply >as long as the referenced base had the revocation entry. What is not >clear is when can a CA switch the base no it uses with the delta CRL >safely. Now you could leave that to local policy - which is to say we >give no guidance, or we can clarify a rule at which time a CA must >discontinue use of a base CRL. Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA26244 for <ietf-pkix@imc.org>; Mon, 7 May 2001 12:24:28 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id PAA13284 for <ietf-pkix@imc.org>; Mon, 7 May 2001 15:24:28 -0400 (EDT) Message-Id: <4.2.2.20010507141844.00b1a1e0@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Mon, 07 May 2001 15:03:30 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: RE: delta CRLs In-Reply-To: <5.0.1.4.2.20010507133950.0186fec0@exna07.securitydynamics. com> References: <8D7EC1912E25D411A32100D0B76953978DE85D@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=====================_12064353==_.ALT" --=====================_12064353==_.ALT Content-Type: text/plain; charset="us-ascii" At 01:41 PM 5/7/01 -0400, Housley, Russ wrote: >I have read section 9 of X.509-2000 (4th Edition v7) three times today. I cannot find the requirement there. Where is it hidden? Russ, There used to be a requirement in X.509 that whenever a full CRL is issued a delta-CRL must also be issued (if delta-CRLs are being used) and that the full and the delta must have the same CRL number. I don't know why that text was removed. However, there is the requirement that the CRL numbers for a sequence of CRLs issued for a given scope must increase monotonically. The fact that some of the CRLs in the sequence contain the deltaCRLIndicator extension and some do not is irrelevant (just as the presence or absence of the orderedList extension or the authorityKeyIdentifier extension has no affect on the CRL number). There is also the following text in X.509 (2000): A CRL that is complete for a given scope, at the current time, can be constructed locally in either of the following ways: by retrieving the current dCRL for that scope, and combining it with an issued CRL that is complete for that scope and that has a cRLNumber greater than or equal to the cRLNumber of the base CRL referenced in the dCRL; or by retrieving the current dCRL for that scope and combining it with a locally constructed CRL that is complete for that scope and that was constructed with a dCRL that has a cRLNumber greater than or equal to the cRLNumber of the base CRLreferenced in the current dCRL. If full CRLs and delta-CRLs were independently numbered, then one could not apply delta-CRLs to locally constructed delta-CRLs as described above. To demonstrate the problem, I will the example that you provided (see below). In this example, 144 hours (48 x 3) after delta-CRL number 49 was issued, delta-CRL number 193 will be issued. Delta-CRL number 193 will have a BaseCRLNumber of 49. The intention of this would be to specify that delta-CRL number 193 may be combined with full CRL number 49 (which was issued 143 hours after delta-CRL number 49 was issued). Suppose, however, that a relying party constructed a CRL locally using full CRL number 1 and delta-CRL number 49. According to the above text from X.509, that relying party could combine delta-CRL number 193 with the CRL locally generated using delta-CRL number 49. The results of combining delta-CRL number 193 with the locally generated CRL would clearly be incorrect. Worse, it would not be obvious to the relying party that the CRL numbers in the delta-CRLs were incorrect and so it would be very difficult for the relying party to determine that the constructed CRL was incorrect. The only way that one can safely combine a delta-CRL with a locally generated CRL as specified above is if full CRLs and delta-CRLs are numbered consistently. So, while one may argue that the requirement has not been stated with sufficient clarity, it is there. Dave >>current revoked >>time certificates full CRL delta CRL >>------------------------------------------------------------------------------------------------------------------ >>12:00 {14} cRLNumber = 1 cRLNumber = 48 >> thisUpdate = 12:00 thisUpdate = 12:00 >> nextUpdate = 15:00 nextUpdate = 13:00 >> BaseCRLNumber = 1 >> CertificateList = {14} CertificateList = {} >> >> >>13:00 {14, 124} cRLNumber = 49 >> thisUpdate = 13:00 >> nextUpdate = 14:00 >> BaseCRLNumber = 1 >> CertificateList = {124} >> >> >>14:00 {14, 124} cRLNumber = 50 >> thisUpdate = 14:00 >> nextUpdate = 15:00 >> BaseCRLNumber = 1 >> CertificateList = {124} >> >> >>15:00 {14, 124, 39} cRLNumber = 2 cRLNumber = 51 >> thisUpdate = 15:00 thisUpdate = 15:00 >> nextUpdate = 18:00 nextUpdate = 16:00 >> BaseCRLNumber = 1 >> CertificateList = {14, 124, 39} CertificateList = {124, 39} >> >> >>16:00 {14, 124, 39, cRLNumber = 52 >> 67} thisUpdate = 16:00 >> nextUpdate = 17:00 >> BaseCRLNumber = 2 >> CertificateList = {67} >> >> >>17:00 {14, 124, 39, cRLNumber = 53 >> 67} thisUpdate = 17:00 >> nextUpdate = 18:00 >> BaseCRLNumber = 2 >> CertificateList = {67} >> >> >>18:00 {14, 124, 39, cRLNumber = 3 cRLNumber = 54 >> 67} thisUpdate = 18:00 thisUpdate = 18:00 >> nextUpdate = 21:00 nextUpdate = 19:00 >> BaseCRLNumber = 2 >> CertificateList = {14, 124, 39, CertificateList = {67} >> 21} >> >> >>19:00 {14, 124, 39, cRLNumber = 55 >> 67} thisUpdate = 19:00 >> nextUpdate = 20:00 >> BaseCRLNumber = 3 >> CertificateList = {} --=====================_12064353==_.ALT Content-Type: text/html; charset="us-ascii" <html> At 01:41 PM 5/7/01 -0400, Housley, Russ wrote:<br> <blockquote type=cite cite>I have read section 9 of X.509-2000 (4th Edition v7) three times today. I cannot find the requirement there. Where is it hidden?</blockquote><br> Russ,<br> <br> There used to be a requirement in X.509 that whenever a full CRL is issued a delta-CRL must also be issued (if delta-CRLs are being used) and that the full and the delta must have the same CRL number. I don't know why that text was removed. However, there is the requirement that the CRL numbers for a sequence of CRLs issued for a given scope must increase monotonically. The fact that some of the CRLs in the sequence contain the deltaCRLIndicator extension and some do not is irrelevant (just as the presence or absence of the orderedList extension or the authorityKeyIdentifier extension has no affect on the CRL number). There is also the following text in X.509 (2000):<br> <br> <x-tab> </x-tab>A CRL that is complete for a given scope, at the current time, can be constructed<br> <x-tab> </x-tab>locally in either of the following ways:<br> <br> <x-tab> </x-tab><x-tab> </x-tab>by retrieving the current dCRL for that scope, and combining it with an issued<br> <x-tab> </x-tab><x-tab> </x-tab>CRL that is complete for that scope and that has a <font size=2>cRLNumber</font> greater than or<br> <x-tab> </x-tab><x-tab> </x-tab>equal to the <font size=2>cRLNumber</font> of the base CRL referenced in the dCRL; or<br> <br> <x-tab> </x-tab><x-tab> </x-tab>by retrieving the current dCRL for that scope and combining it with a locally<br> <x-tab> </x-tab><x-tab> </x-tab>constructed CRL that is complete for that scope and that was constructed with<br> <x-tab> </x-tab><x-tab> </x-tab>a dCRL that has a <font size=2>cRLNumber</font> greater than or equal to the <font size=2>cRLNumber</font> of the<br> <x-tab> </x-tab><x-tab> </x-tab>base CRLreferenced in the current dCRL.<br> <br> <br> If full CRLs and delta-CRLs were independently numbered, then one could not apply delta-CRLs to locally constructed delta-CRLs as described above.<br> <br> To demonstrate the problem, I will the example that you provided (see below). In this example, 144 hours (48 x 3) after delta-CRL number 49 was issued, delta-CRL number 193 will be issued. Delta-CRL number 193 will have a BaseCRLNumber of 49. The intention of this would be to specify that delta-CRL number 193 may be combined with full CRL number 49 (which was issued 143 hours after delta-CRL number 49 was issued). <br> <br> Suppose, however, that a relying party constructed a CRL locally using full CRL number 1 and delta-CRL number 49. According to the above text from X.509, that relying party could combine delta-CRL number 193 with the CRL locally generated using delta-CRL number 49. The results of combining delta-CRL number 193 with the locally generated CRL would clearly be incorrect. Worse, it would not be obvious to the relying party that the CRL numbers in the delta-CRLs were incorrect and so it would be very difficult for the relying party to determine that the constructed CRL was incorrect.<br> <br> The only way that one can safely combine a delta-CRL with a locally generated CRL as specified above is if full CRLs and delta-CRLs are numbered consistently. So, while one may argue that the requirement has not been stated with sufficient clarity, it is there.<br> <br> Dave<br> <br> <br> <blockquote type=cite cite><blockquote type=cite cite>current revoked<br> time certificates<x-tab> </x-tab>full CRL<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>delta CRL<br> ------------------------------------------------------------------------------------------------------------------<br> 12:00<x-tab> </x-tab>{14}<x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 1<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 48<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 12:00<x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 12:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 15:00<x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 13:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 1<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {14}<x-tab> </x-tab><x-tab> </x-tab>CertificateList = {}<br> <br> <br> 13:00<x-tab> </x-tab>{14, 124}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 49<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 13:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 14:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 1<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {124}<br> <br> <br> 14:00<x-tab> </x-tab>{14, 124}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 50<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 14:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 15:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 1<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {124}<br> <br> <br> 15:00<x-tab> </x-tab>{14, 124, 39}<x-tab> </x-tab>cRLNumber = 2<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 51<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 15:00<x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 15:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 18:00<x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 16:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 1<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {14, 124, 39}<x-tab> </x-tab>CertificateList = {124, 39}<br> <br> <br> 16:00<x-tab> </x-tab>{14, 124, 39,<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 52<br> <x-tab> </x-tab><x-tab> </x-tab>67}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 16:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 17:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 2<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {67}<br> <br> <br> 17:00<x-tab> </x-tab>{14, 124, 39,<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 53<br> <x-tab> </x-tab><x-tab> </x-tab> 67}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 17:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 18:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 2<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {67}<br> <br> <br> 18:00<x-tab> </x-tab>{14, 124, 39,<x-tab> </x-tab>cRLNumber = 3<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 54<br> <x-tab> </x-tab><x-tab> </x-tab> 67}<x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 18:00<x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 18:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 21:00<x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 19:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 2<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {14, 124, 39,<x-tab> </x-tab>CertificateList = {67}<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab> 21}<br> <br> <br> 19:00<x-tab> </x-tab>{14, 124, 39,<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 55<br> <x-tab> </x-tab><x-tab> </x-tab> 67}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 19:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 20:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 3<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {}<br> </blockquote></blockquote><br> </html> --=====================_12064353==_.ALT-- Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA22617 for <ietf-pkix@imc.org>; Mon, 7 May 2001 11:19:33 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GCZ00F019KTXP@ext-mail.valicert.com> for ietf-pkix@imc.org; Mon, 7 May 2001 11:19:41 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GCZ00FDX9KTGT@ext-mail.valicert.com>; Mon, 07 May 2001 11:19:41 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26RJRC>; Mon, 07 May 2001 11:17:47 -0700 Content-return: allowed Date: Mon, 07 May 2001 11:17:46 -0700 From: Peter Williams <peterw@valicert.com> Subject: RE: Certificate Hold (was RE: delta CRLs) To: Tom Gindin <tgindin@us.ibm.com> Cc: ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E182C8F@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" The impact of suspending of the operational period (aka the subscribers sining authority) of a certificate by suspension is discussed at length in the ABA's legal infrastructure for certification and e-commerce. Suspending a certificate suspends the operational period, and directly impacts the outcome of the process of verification of a digital signature. Clearly, an unverifiable impacts ISO NR. When a notarial service confirms a signature upon countersigning data, it is responsible for establishing that the signing authority is effective. This means technically, that it must 'determine' whether the certificate is currently operational by reference to the official repository that maintains the records controlling certificate status, where status is "issued, {valid*, operational*, revoked}, expired} If any CRL or signed CertificateList reflects the official repository records accurately, then that object can signal operational period. Repositories will suspend certificate, whether or not CRLs signal that state. NR is a function of the repository records and other factors, not the CRL which may not even serve as an adequate record. In X.509, a CRL is but one bit format for communicating revocation notices. Whether the notices have force upon the NR conditions is controlled by repository records management processes. -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Monday, May 07, 2001 5:36 AM To: Tom Gindin Cc: ietf-pkix@imc.org Subject: RE: Certificate Hold (was RE: delta CRLs) Tom: It is not that simple. In my view, non-repudiation is significantly complicated by the processing necessary to determine whether a certificate was suspended (a.k.a., on hold). This is a topic that you do not discuss in your Internet Draft on non-repudiation. Russ At 06:50 PM 5/4/2001 -0400, Tom Gindin wrote: > I don't know why this particular feature is so unpopular. I can >understand why handling "removeFromCRL" in deltas could be an extra load on >clients, but wouldn't the maximum remedy for that be to say that CA's which >issue delta CRL's SHOULD NOT use hold, while RP's MAY process >removeFromCRL? What extra complexity does hold add to an RP for a CA which >doesn't issue deltas but issues full CRL's (perhaps full distribution point >CRL's) instead? > > Tom Gindin > > >Stephen Kent <kent@bbn.com> on 05/04/2001 02:42:33 PM > >To: "Housley, Russ" <rhousley@rsasecurity.com> >cc: ietf-pkix@imc.org >Subject: RE: Certificate Hold (was RE: delta CRLs) > > >At 1:30 PM -0400 5/4/01, Housley, Russ wrote: > >Carlin: > > > >>Russ, it appears from your comment: > >>"Fair reply. And, unless there is a ground swell of > >>support, I will drop it." > >>that you have interpreted Denis as meaning > >>"I have withdrawn my support for 'hold'." > >> > >>Russ, is that correct? > >> > >>And Russ, I am further confused by "... I will drop it." > >> > >>Did you mean that you will add text to prohibit compliant > >>CA's from issuing delta CRL's that include "hold" and > >>"removeFromCRL" reason codes or text that will prohibit > >>this for full CRL's as well as delta-CRLs, or did you > >>mean something else entirely? > > > >I have NEVER liked the on-hold feature. I still do not like the > >on-hold feature. > > > >I will not delay the Last Call process on son-of-rfc 2459 to debate > >the issue unless I see that there are others that support my view. > >I feel the same as Russ, i.e., have never liked it and still think >it's a bad idea. Since we deprecated the hold instruction (vis our >comments on the hold instruction code entry extension) last time, is >there are basis for change this time around? > >Steve Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id LAA21650 for <ietf-pkix@imc.org>; Mon, 7 May 2001 11:09:03 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 7 May 2001 18:08:48 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id OAA09450 for <ietf-pkix@imc.org>; Mon, 7 May 2001 14:09:04 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NVFCX>; Mon, 7 May 2001 14:09:04 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.20]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NVFCT; Mon, 7 May 2001 14:09:01 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Tim Polk <tim.polk@nist.gov> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010507133354.0186be88@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 07 May 2001 13:38:00 -0400 Subject: RE: delta CRLs In-Reply-To: <4.2.0.58.20010507125525.01cf87f0@email.nist.gov> References: <5.0.1.4.2.20010507114747.01d68650@exna07.securitydynamics. com> <4AEE3169443CDD4796CA8A00B02191CD689525@win-msg-01.wingroup .windeploy.ntdev.microsoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Tim: >>I have updated the figure that David Cooper posted last week. I think >>that the update illustrates Trevor's point. The full CRL and the delta >>CRL can have two independent monotonically increasing sequence of >>integers and still meet all of the PKIX and X.509-2000 requirements. > >I expect you are correct; the description of CRL numbering currently in >PKIX may permit this scheme. However, I think we should tighten the wording. > >>The numbering scheme that David proposed seems much easier to implement, >>but I cannot find any text that the scheme below violates. >> >>I do not know what to call the full CRL at 13:00 that is generated by >>merging base CRL 1 and delta CRL 49... > >I believe that is the problem with Trevor's proposal. The CRL number of >the constructed CRL does not help you determine whether or not a future >delta can be applied safely to the constructed CRL. > >The most glaring example of this is the delta CRL number 51. When it is >combined with full CRL number 1, you actually obtain full CRL number >2. However, at 16:00 the CA issues delta 52, which points to full CRL 2 >as a base. Using Trevor's numbering scheme, there is no way to be sure >that CRL 1 and delta 51 are the same CRL as the full CRL with CRL number >2. As a result, at 16:00 the relying party must download both full CRL >number 2 and delta number 52. > >That is the sort of behavior we want to avoid. If a common number sequence is used, then you can avoid ever fetching another base CRL. If separate number sequence is used, then you will have to periodically fetch base CRLs. To avoid this behavior, PKIX would have to mandate the use of a single CRL sequence number space for the full CRLs and delta CRLs that cover the same scope. This seems like a very reasonable thing for the PKIX profile to do. Do we have consensus on this idea? Russ Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA20491 for <ietf-pkix@imc.org>; Mon, 7 May 2001 10:57:49 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id NAA01066 for <ietf-pkix@imc.org>; Mon, 7 May 2001 13:57:50 -0400 (EDT) Message-Id: <4.2.2.20010507134827.00a61d70@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Mon, 07 May 2001 13:57:22 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: RE: delta CRLs In-Reply-To: <4AEE3169443CDD4796CA8A00B02191CD689523@win-msg-01.wingroup .windeploy.ntdev.microsoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" At 04:00 PM 5/4/01 -0700, Trevor Freeman wrote: >To clarify point three, the delta CRL must include "remove from" entries >until the nextupdate time in the referenced base. A CA does not know if >clients have picked up the base or knot, and to assume they have would >introduce an error. Trevor, new-part1-06 is very clear on when removeFromCRL must appear on a delta-CRL. A delta-CRL must state "removeFromCRL" for a certificate as long as the base CRL referenced by the delta was issued before the hold was removed. The nextUpdate time in the referenced base is irrelevant. The reason is that there is no requirement that a delta-CRL be applied to the most recently issued base CRL. Any full CRL whose cRLNumber is greater than or equal to the BaseCRLNumber specified in the delta-CRL can be used. The relevant text from new-part1-06 is as follows: If a CA supports the certificateHold revocation reason the following rules must be applied when generating delta CRLs: (a) If a certificate was listed as revoked with revocation reason certificateHold on a CRL (either a delta CRL or a CRL that is complete for a given scope), whose cRLNumber is n, and the hold is subsequently released, the certificate must be included in all delta CRLs issued after the hold is released where the cRLNumber of the referenced base CRL is less than or equal to n. The certificate must be listed with revocation reason removeFromCRL unless the certificate is subsequently revoked again for one of the revocation reasons covered by the delta CRL, in which case the certificate must be listed with the revocation reason appropriate for the subsequent revocation. (b) If the certificate was not removed from hold, but was permanently revoked, then it must be listed on all subsequent delta CRLs where the cRLNumber of the referenced base CRL is less than the cRLNumber of the CRL (either a delta CRL or a CRL that is complete for the given scope) on which the permanent revocation notice first appeared. Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA18293 for <ietf-pkix@imc.org>; Mon, 7 May 2001 10:33:35 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K3SGKVZB>; Mon, 7 May 2001 13:33:06 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE862@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Mon, 7 May 2001 13:23:56 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D71A.7EA618F0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D71A.7EA618F0 Content-Type: text/plain; charset="iso-8859-1" I agree with Dave Cooper. I have the same understanding of how X.509 is supposed to work. -----Original Message----- From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Monday, May 07, 2001 1:26 PM To: ietf-pkix@imc.org Subject: RE: delta CRLs Russ, Trevor, The CRL numbers of full CRLs and delta-CRLs are not independent. The only differences between a full CRL and a delta-CRL are the inclusion or exclusion of the deltaCRLIndicator extension and the contents of revokedCertificates. Otherwise, there should be no difference between a delta-CRL and a full CRL issued for the same scope. The cRLNumber for a delta-CRL should be the same as the cRLNumber that would have been assigned to a full CRL issued at the same time. In fact, new-part1-06 states: When a conforming CA issues a delta CRL, the CA MUST also issue a CRL that is complete for the given scope. Both the delta CRL and the complete CRL MUST include the CRL number extension (see sec. 5.2.3). The CRL number extension in the delta CRL and the complete CRL MUST contain the same value. When a delta CRL is issued, it MUST cover the same set of reasons and same set of certificates that were covered by the base CRL it references. The text explicitly states that when a delta-CRL and full CRL are issued at the same time, the CRL numbers of both CRLs MUST be the same. The text also states that a locally constructed CRL takes on the CRL number of the delta-CRL used in its construction and that this constructed CRL may be used in place of an issued CRL : An application can construct a CRL that is complete for a given scope, at the current time, in either of the following ways: (a) by retrieving the current delta CRL for that scope, and combining it with an issued CRL that is complete for that scope and that has a cRLNumber greater than or equal to the cRLNumber of the base CRL referenced in the delta CRL; or (b) by retrieving the current delta CRL for that scope and combining it with a locally constructed CRL whose cRLNumber is greater than or equal to the cRLNumber of the base CRL referenced in the current delta CRL. The constructed CRL has the CRL number specified in the CRL number extension found in the delta CRL used in its construction. If the CRL number of the delta-CRLs and full CRLs were independent, one could not apply a delta-CRL to a locally constructed CRL as is described in (b) above. Perhaps the requirement to coordinate CRL numbers between full and delta-CRLs is not as clear now that the requirement to issue a full CRL with every delta has been deleted. If that is the case, then some text should be added to make sure that this point is clear. Dave At 11:59 AM 5/7/01 -0400, Housley, Russ wrote: >I have updated the figure that David Cooper posted last week. I think that the update illustrates Trevor's point. The full CRL and the delta CRL can have two independent monotonically increasing sequence of integers and still meet all of the PKIX and X.509-2000 requirements. ------_=_NextPart_001_01C0D71A.7EA618F0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>I agree with Dave Cooper.</FONT> </P> <P><FONT SIZE=3D2>I have the same understanding of how X.509 is = supposed to work.</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: David A. Cooper [<A = HREF=3D"mailto:david.cooper@nist.gov">mailto:david.cooper@nist.gov</A>]<= /FONT> <BR><FONT SIZE=3D2>Sent: Monday, May 07, 2001 1:26 PM</FONT> <BR><FONT SIZE=3D2>To: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>Russ, Trevor,</FONT> </P> <P><FONT SIZE=3D2>The CRL numbers of full CRLs and delta-CRLs are not = independent. The only differences between a full CRL and a delta-CRL = are the inclusion or exclusion of the deltaCRLIndicator extension and = the contents of revokedCertificates. Otherwise, there should be no = difference between a delta-CRL and a full CRL issued for the same = scope. The cRLNumber for a delta-CRL should be the same as the = cRLNumber that would have been assigned to a full CRL issued at the = same time. In fact, new-part1-06 states:</FONT></P> <P><FONT SIZE=3D2> When = a conforming CA issues a delta CRL, the CA MUST also issue a CRL</FONT> <BR><FONT SIZE=3D2> = that is complete for the given scope. Both the delta CRL and = the</FONT> <BR><FONT SIZE=3D2> = complete CRL MUST include the CRL number extension (see sec. = 5.2.3).</FONT> <BR><FONT SIZE=3D2> The = CRL number extension in the delta CRL and the complete CRL MUST</FONT> <BR><FONT SIZE=3D2> = contain the same value. When a delta CRL is issued, it MUST = cover</FONT> <BR><FONT SIZE=3D2> the = same set of reasons and same set of certificates that were</FONT> <BR><FONT SIZE=3D2> = covered by the base CRL it references.</FONT> </P> <P><FONT SIZE=3D2>The text explicitly states that when a delta-CRL and = full CRL are issued at the same time, the CRL numbers of both CRLs MUST = be the same. The text also states that a locally constructed CRL takes = on the CRL number of the delta-CRL used in its construction and that = this constructed CRL may be used in place of an issued CRL :</FONT></P> <P><FONT SIZE=3D2> An = application can construct a CRL that is complete for a given</FONT> <BR><FONT SIZE=3D2> = scope, at the current time, in either of the following ways:</FONT> </P> <P><FONT = SIZE=3D2> &nb= sp; (a) by retrieving the current delta = CRL for that scope, and</FONT> <BR><FONT = SIZE=3D2> &nb= sp; combining it with an issued CRL that = is complete for that scope</FONT> <BR><FONT = SIZE=3D2> &nb= sp; and that has a cRLNumber greater than = or equal to the cRLNumber of</FONT> <BR><FONT = SIZE=3D2> &nb= sp; the base CRL referenced in the delta = CRL; or</FONT> </P> <P><FONT = SIZE=3D2> &nb= sp; (b) by retrieving the current delta = CRL for that scope and</FONT> <BR><FONT = SIZE=3D2> &nb= sp; combining it with a locally = constructed CRL whose cRLNumber is</FONT> <BR><FONT = SIZE=3D2> &nb= sp; greater than or equal to the = cRLNumber of the base CRL referenced</FONT> <BR><FONT = SIZE=3D2> &nb= sp; in the current delta CRL.</FONT> </P> <P><FONT SIZE=3D2> The = constructed CRL has the CRL number specified in the CRL number</FONT> <BR><FONT SIZE=3D2> = extension found in the delta CRL used in its construction.</FONT> </P> <P><FONT SIZE=3D2>If the CRL number of the delta-CRLs and full CRLs = were independent, one could not apply a delta-CRL to a locally = constructed CRL as is described in (b) above. Perhaps the requirement = to coordinate CRL numbers between full and delta-CRLs is not as clear = now that the requirement to issue a full CRL with every delta has been = deleted. If that is the case, then some text should be added to make = sure that this point is clear.</FONT></P> <P><FONT SIZE=3D2>Dave</FONT> </P> <P><FONT SIZE=3D2>At 11:59 AM 5/7/01 -0400, Housley, Russ wrote:</FONT> <BR><FONT SIZE=3D2>>I have updated the figure that David Cooper = posted last week. I think that the update illustrates Trevor's = point. The full CRL and the delta CRL can have two independent = monotonically increasing sequence of integers and still meet all of the = PKIX and X.509-2000 requirements.</FONT></P> </BODY> </HTML> ------_=_NextPart_001_01C0D71A.7EA618F0-- Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id KAA17645 for <ietf-pkix@imc.org>; Mon, 7 May 2001 10:28:27 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 7 May 2001 17:28:12 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id NAA06100 for <ietf-pkix@imc.org>; Mon, 7 May 2001 13:28:28 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NV1KX>; Mon, 7 May 2001 13:28:28 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.113]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NV1KW; Mon, 7 May 2001 13:28:26 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Tom Gindin <tgindin@us.ibm.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010507130843.01d39c78@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 07 May 2001 13:13:39 -0400 Subject: RE: Certificate Hold (was RE: delta CRLs) In-Reply-To: <OF437865FF.8FEFF860-ON85256A45.00552BF3@somers.hqregion.ib m.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Tom: I have not been able to make myself clear. Perhaps because you keep looking to simple authentication applications. My hope is that the PKIX profile will readily meet the needs of these relatively straightforward applications and also support the more demanding needs of applications where non-repudiation is needed. All: My view of the question is that three people have voiced a desire to see the suspension feature removed, one is asking questions without voicing a position, and no one has asked to keep it. People who have an opinion but have not posted it yet please do so. Russ At 11:32 AM 5/7/2001 -0400, Tom Gindin wrote: > I don't actually think that "removeFromCRL" is unduly complex, nor did >I say so. What I wanted to point out was that when delta CRL's are not in >use the "certificateHold" reason adds no extra complexity to standard CRL >processing at all (exclusive of NR, which is not a simple case), and >therefore I can't understand why anyone would want to deprecate that >reason. > > Tom Gindin > > >Santosh Chokhani <chokhani@cygnacom.com> on 05/05/2001 07:58:09 AM > >To: Tom Gindin/Watson/IBM@IBMUS, Stephen Kent <kent@bbn.com> >cc: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org >Subject: RE: Certificate Hold (was RE: delta CRLs) > > >Tom: > > >I also am not a fan of "hold: feature. But, I fail to see why >"removeFromHold" is in delta CRL is unduly complex. I would say either not >have the "hold" feature or require "hold' and "release" irrespective of >delta. > > >-----Original Message----- >From: Tom Gindin [mailto:tgindin@us.ibm.com] >Sent: Friday, May 04, 2001 6:50 PM >To: Stephen Kent >Cc: Housley, Russ; ietf-pkix@imc.org >Subject: RE: Certificate Hold (was RE: delta CRLs) > > > > > > > I don't know why this particular feature is so unpopular. I can >understand why handling "removeFromCRL" in deltas could be an extra load on > >clients, but wouldn't the maximum remedy for that be to say that CA's which > >issue delta CRL's SHOULD NOT use hold, while RP's MAY process >removeFromCRL? What extra complexity does hold add to an RP for a CA which > >doesn't issue deltas but issues full CRL's (perhaps full distribution point > >CRL's) instead? > > > Tom Gindin > > > > > >Stephen Kent <kent@bbn.com> on 05/04/2001 02:42:33 PM > > >To: "Housley, Russ" <rhousley@rsasecurity.com> >cc: ietf-pkix@imc.org >Subject: RE: Certificate Hold (was RE: delta CRLs) > > > > > >At 1:30 PM -0400 5/4/01, Housley, Russ wrote: > >Carlin: > > > >>Russ, it appears from your comment: > >>"Fair reply. And, unless there is a ground swell of > >>support, I will drop it." > >>that you have interpreted Denis as meaning > >>"I have withdrawn my support for 'hold'." > >> > >>Russ, is that correct? > >> > >>And Russ, I am further confused by "... I will drop it." > >> > >>Did you mean that you will add text to prohibit compliant > >>CA's from issuing delta CRL's that include "hold" and > >>"removeFromCRL" reason codes or text that will prohibit > >>this for full CRL's as well as delta-CRLs, or did you > >>mean something else entirely? > > > >I have NEVER liked the on-hold feature. I still do not like the > >on-hold feature. > > > >I will not delay the Last Call process on son-of-rfc 2459 to debate > >the issue unless I see that there are others that support my view. > > >I feel the same as Russ, i.e., have never liked it and still think >it's a bad idea. Since we deprecated the hold instruction (vis our >comments on the hold instruction code entry extension) last time, is >there are basis for change this time around? > > >Steve Received: from netscape.com (c3po.netscape.com [205.217.237.46]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA17365 for <ietf-pkix@imc.org>; Mon, 7 May 2001 10:27:30 -0700 (PDT) Received: from judge.mcom.com (judge.mcom.com [205.217.237.53]) by netscape.com (8.10.0/8.10.0) with ESMTP id f47HR1v06392 for <ietf-pkix@imc.org>; Mon, 7 May 2001 10:27:01 -0700 (PDT) Received: from netscape.com ([192.18.121.215]) by judge.mcom.com (Netscape Messaging Server 4.15) with ESMTP id GCZ75103.CCD; Mon, 7 May 2001 10:27:01 -0700 Message-ID: <3AF6DAE2.1040100@netscape.com> Date: Mon, 07 May 2001 10:26:58 -0700 From: thayes@netscape.com (Terry Hayes) User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9+) Gecko/20010326 X-Accept-Language: en MIME-Version: 1.0 To: Tim Polk <tim.polk@nist.gov> CC: "Housley Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: Re: delta CRLs References: <4AEE3169443CDD4796CA8A00B02191CD689525@win-msg-01.wingroup .windeploy.ntdev.microsoft.com> <4.2.0.58.20010507125525.01cf87f0@email.nist.gov> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit I agree with Tim on all points. He points out exactly the example to show why this numbering scheme is wrong. The numbering of the deltas *must* correspond with the numbering of the base CRLs. Terry Tim Polk wrote: > Russ, > > At 11:59 AM 5/7/01 -0400, you wrote: > >> I have updated the figure that David Cooper posted last week. I >> think that the update illustrates Trevor's point. The full CRL and >> the delta CRL can have two independent monotonically increasing >> sequence of integers and still meet all of the PKIX and X.509-2000 >> requirements. > > > I expect you are correct; the description of CRL numbering currently > in PKIX may permit this scheme. However, I think we should tighten > the wording. > >> The numbering scheme that David proposed seems much easier to >> implement, but I cannot find any text that the scheme below violates. >> >> I do not know what to call the full CRL at 13:00 that is generated by >> merging base CRL 1 and delta CRL 49... > > > I believe that is the problem with Trevor's proposal. The CRL number > of the constructed CRL does not help you determine whether or not a > future delta can be applied safely to the constructed CRL. > > The most glaring example of this is the delta CRL number 51. When it > is combined with full CRL number 1, you actually obtain full CRL > number 2. However, at 16:00 the CA issues delta 52, which points to > full CRL 2 as a base. Using Trevor's numbering scheme, there is no > way to be sure that CRL 1 and delta 51 are the same CRL as the full > CRL with CRL number 2. As a result, at 16:00 the relying party must > download both full CRL number 2 and delta number 52. > > That is the sort of behavior we want to avoid. > > Tim > >> Russ >> >> >> = = = = = = = = = = >> >> >> current revoked >> time certificates full CRL delta CRL >> ------------------------------------------------------------ >> 12:00 {14} cRLNumber = 1 >> cRLNumber = 48 >> thisUpdate = 12:00 >> thisUpdate = 12:00 >> nextUpdate = 15:00 >> nextUpdate = 13:00 >> >> BaseCRLNumber = 1 >> CertificateList = {14} >> CertificateList = {} >> >> >> 13:00 {14, 124} >> cRLNumber = 49 >> >> thisUpdate = 13:00 >> >> nextUpdate = 14:00 >> >> BaseCRLNumber = 1 >> >> CertificateList = {124} >> >> >> 14:00 {14, 124} >> cRLNumber = 50 >> >> thisUpdate = 14:00 >> >> nextUpdate = 15:00 >> >> BaseCRLNumber = 1 >> >> CertificateList = {124} >> >> >> 15:00 {14, 124, 39} cRLNumber = 2 >> cRLNumber = 51 >> thisUpdate = 15:00 >> thisUpdate = 15:00 >> nextUpdate = 18:00 >> nextUpdate = 16:00 >> >> BaseCRLNumber = 1 >> CertificateList = {14, 124, 39} >> CertificateList = {124, 39} >> >> >> 16:00 {14, 124, 39, >> cRLNumber = 52 >> 67} thisUpdate = 16:00 >> >> nextUpdate = 17:00 >> >> BaseCRLNumber = 2 >> >> CertificateList = {67} >> >> >> 17:00 {14, 124, 39, >> cRLNumber = 53 >> 67} thisUpdate = 17:00 >> >> nextUpdate = 18:00 >> >> BaseCRLNumber = 2 >> >> CertificateList = {67} >> >> >> 18:00 {14, 124, 39, cRLNumber = 3 >> cRLNumber = 54 >> 67} thisUpdate = 18:00 >> thisUpdate = 18:00 >> nextUpdate = 21:00 >> nextUpdate = 19:00 >> >> BaseCRLNumber = 2 >> CertificateList = {14, 124, 39, >> CertificateList = {67} >> 21} >> >> >> 19:00 {14, 124, 39, >> cRLNumber = 55 >> 67} thisUpdate = 19:00 >> >> nextUpdate = 20:00 >> >> BaseCRLNumber = 3 >> >> CertificateList = {} >> > Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA17063 for <ietf-pkix@imc.org>; Mon, 7 May 2001 10:26:23 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id NAA05496 for <ietf-pkix@imc.org>; Mon, 7 May 2001 13:26:23 -0400 (EDT) Message-Id: <4.2.2.20010507123027.00b11e20@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Mon, 07 May 2001 13:25:54 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: RE: delta CRLs In-Reply-To: <5.0.1.4.2.20010507114747.01d68650@exna07.securitydynamics. com> References: <4AEE3169443CDD4796CA8A00B02191CD689525@win-msg-01.wingroup .windeploy.ntdev.microsoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Russ, Trevor, The CRL numbers of full CRLs and delta-CRLs are not independent. The only differences between a full CRL and a delta-CRL are the inclusion or exclusion of the deltaCRLIndicator extension and the contents of revokedCertificates. Otherwise, there should be no difference between a delta-CRL and a full CRL issued for the same scope. The cRLNumber for a delta-CRL should be the same as the cRLNumber that would have been assigned to a full CRL issued at the same time. In fact, new-part1-06 states: When a conforming CA issues a delta CRL, the CA MUST also issue a CRL that is complete for the given scope. Both the delta CRL and the complete CRL MUST include the CRL number extension (see sec. 5.2.3). The CRL number extension in the delta CRL and the complete CRL MUST contain the same value. When a delta CRL is issued, it MUST cover the same set of reasons and same set of certificates that were covered by the base CRL it references. The text explicitly states that when a delta-CRL and full CRL are issued at the same time, the CRL numbers of both CRLs MUST be the same. The text also states that a locally constructed CRL takes on the CRL number of the delta-CRL used in its construction and that this constructed CRL may be used in place of an issued CRL : An application can construct a CRL that is complete for a given scope, at the current time, in either of the following ways: (a) by retrieving the current delta CRL for that scope, and combining it with an issued CRL that is complete for that scope and that has a cRLNumber greater than or equal to the cRLNumber of the base CRL referenced in the delta CRL; or (b) by retrieving the current delta CRL for that scope and combining it with a locally constructed CRL whose cRLNumber is greater than or equal to the cRLNumber of the base CRL referenced in the current delta CRL. The constructed CRL has the CRL number specified in the CRL number extension found in the delta CRL used in its construction. If the CRL number of the delta-CRLs and full CRLs were independent, one could not apply a delta-CRL to a locally constructed CRL as is described in (b) above. Perhaps the requirement to coordinate CRL numbers between full and delta-CRLs is not as clear now that the requirement to issue a full CRL with every delta has been deleted. If that is the case, then some text should be added to make sure that this point is clear. Dave At 11:59 AM 5/7/01 -0400, Housley, Russ wrote: >I have updated the figure that David Cooper posted last week. I think that the update illustrates Trevor's point. The full CRL and the delta CRL can have two independent monotonically increasing sequence of integers and still meet all of the PKIX and X.509-2000 requirements. Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA16154 for <ietf-pkix@imc.org>; Mon, 7 May 2001 10:18:45 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K3SGKVPW>; Mon, 7 May 2001 13:18:16 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE85E@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Tim Polk <tim.polk@nist.gov>, "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: RE: delta CRLs Date: Mon, 7 May 2001 13:09:05 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D718.6C04BA50" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D718.6C04BA50 Content-Type: text/plain; charset="iso-8859-1" Tim and Russ: The base and delta share the SAME NUMBER SPACE. Your example is like a work of art that is not REALIZABLE in real word. -----Original Message----- From: Tim Polk [mailto:tim.polk@nist.gov] Sent: Monday, May 07, 2001 1:06 PM To: Housley, Russ; ietf-pkix@imc.org Subject: RE: delta CRLs Russ, At 11:59 AM 5/7/01 -0400, you wrote: >I have updated the figure that David Cooper posted last week. I think >that the update illustrates Trevor's point. The full CRL and the delta >CRL can have two independent monotonically increasing sequence of integers >and still meet all of the PKIX and X.509-2000 requirements. I expect you are correct; the description of CRL numbering currently in PKIX may permit this scheme. However, I think we should tighten the wording. >The numbering scheme that David proposed seems much easier to implement, >but I cannot find any text that the scheme below violates. > >I do not know what to call the full CRL at 13:00 that is generated by >merging base CRL 1 and delta CRL 49... I believe that is the problem with Trevor's proposal. The CRL number of the constructed CRL does not help you determine whether or not a future delta can be applied safely to the constructed CRL. The most glaring example of this is the delta CRL number 51. When it is combined with full CRL number 1, you actually obtain full CRL number 2. However, at 16:00 the CA issues delta 52, which points to full CRL 2 as a base. Using Trevor's numbering scheme, there is no way to be sure that CRL 1 and delta 51 are the same CRL as the full CRL with CRL number 2. As a result, at 16:00 the relying party must download both full CRL number 2 and delta number 52. That is the sort of behavior we want to avoid. Tim >Russ > > >= = = = = = = = = = > > >current revoked >time certificates full CRL delta CRL >------------------------------------------------------------ >12:00 {14} cRLNumber = 1 cRLNumber = 48 > thisUpdate = > 12:00 thisUpdate = 12:00 > nextUpdate = > 15:00 nextUpdate = 13:00 > >BaseCRLNumber = 1 > CertificateList = > {14} CertificateList = {} > > >13:00 {14, 124} cRLNumber = 49 > >thisUpdate = 13:00 > >nextUpdate = 14:00 > >BaseCRLNumber = 1 > >CertificateList = {124} > > >14:00 {14, 124} cRLNumber = 50 > >thisUpdate = 14:00 > >nextUpdate = 15:00 > >BaseCRLNumber = 1 > >CertificateList = {124} > > >15:00 {14, 124, 39} cRLNumber = 2 cRLNumber = 51 > thisUpdate = > 15:00 thisUpdate = 15:00 > nextUpdate = > 18:00 nextUpdate = 16:00 > >BaseCRLNumber = 1 > CertificateList = {14, 124, 39} > CertificateList = {124, 39} > > >16:00 {14, 124, 39, cRLNumber = 52 > 67} > thisUpdate = 16:00 > >nextUpdate = 17:00 > >BaseCRLNumber = 2 > >CertificateList = {67} > > >17:00 {14, 124, 39, cRLNumber = 53 > 67} > thisUpdate = 17:00 > >nextUpdate = 18:00 > >BaseCRLNumber = 2 > >CertificateList = {67} > > >18:00 {14, 124, 39, cRLNumber = 3 cRLNumber = 54 > 67} thisUpdate = > 18:00 thisUpdate = 18:00 > nextUpdate = > 21:00 nextUpdate = 19:00 > >BaseCRLNumber = 2 > CertificateList = {14, 124, 39, > CertificateList = {67} > 21} > > >19:00 {14, 124, 39, cRLNumber = 55 > 67} > thisUpdate = 19:00 > >nextUpdate = 20:00 > >BaseCRLNumber = 3 > >CertificateList = {} > ------_=_NextPart_001_01C0D718.6C04BA50 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Tim and Russ:</FONT> </P> <P><FONT SIZE=3D2>The base and delta share the SAME NUMBER SPACE. = Your example is like a work of art that is not REALIZABLE in real = word.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Tim Polk [<A = HREF=3D"mailto:tim.polk@nist.gov">mailto:tim.polk@nist.gov</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Monday, May 07, 2001 1:06 PM</FONT> <BR><FONT SIZE=3D2>To: Housley, Russ; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>Russ,</FONT> </P> <P><FONT SIZE=3D2>At 11:59 AM 5/7/01 -0400, you wrote:</FONT> <BR><FONT SIZE=3D2>>I have updated the figure that David Cooper = posted last week. I think </FONT> <BR><FONT SIZE=3D2>>that the update illustrates Trevor's = point. The full CRL and the delta </FONT> <BR><FONT SIZE=3D2>>CRL can have two independent monotonically = increasing sequence of integers </FONT> <BR><FONT SIZE=3D2>>and still meet all of the PKIX and X.509-2000 = requirements.</FONT> </P> <P><FONT SIZE=3D2>I expect you are correct; the description of CRL = numbering currently in </FONT> <BR><FONT SIZE=3D2>PKIX may permit this scheme. However, I think = we should tighten the wording.</FONT> </P> <P><FONT SIZE=3D2>>The numbering scheme that David proposed seems = much easier to implement, </FONT> <BR><FONT SIZE=3D2>>but I cannot find any text that the scheme below = violates.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>I do not know what to call the full CRL at 13:00 = that is generated by </FONT> <BR><FONT SIZE=3D2>>merging base CRL 1 and delta CRL 49...</FONT> </P> <P><FONT SIZE=3D2>I believe that is the problem with Trevor's = proposal. The CRL number of </FONT> <BR><FONT SIZE=3D2>the constructed CRL does not help you determine = whether or not a future </FONT> <BR><FONT SIZE=3D2>delta can be applied safely to the constructed = CRL.</FONT> </P> <P><FONT SIZE=3D2>The most glaring example of this is the delta CRL = number 51. When it is </FONT> <BR><FONT SIZE=3D2>combined with full CRL number 1, you actually obtain = full CRL number </FONT> <BR><FONT SIZE=3D2>2. However, at 16:00 the CA issues delta 52, = which points to full CRL 2 as </FONT> <BR><FONT SIZE=3D2>a base. Using Trevor's numbering scheme, there = is no way to be sure that </FONT> <BR><FONT SIZE=3D2>CRL 1 and delta 51 are the same CRL as the full CRL = with CRL number 2. As </FONT> <BR><FONT SIZE=3D2>a result, at 16:00 the relying party must download = both full CRL number 2 </FONT> <BR><FONT SIZE=3D2>and delta number 52.</FONT> </P> <P><FONT SIZE=3D2>That is the sort of behavior we want to avoid.</FONT> </P> <P><FONT SIZE=3D2>Tim</FONT> </P> <P><FONT SIZE=3D2>>Russ</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>=3D =3D =3D =3D =3D =3D =3D =3D =3D =3D</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>current revoked</FONT> <BR><FONT SIZE=3D2>>time = certificates full = CRL &nb= sp; = delta CRL</FONT> <BR><FONT = SIZE=3D2>>-----------------------------------------------------------= -</FONT> <BR><FONT = SIZE=3D2>>12:00 = = {14} = cRLNumber =3D = 1  = ; cRLNumber =3D 48</FONT> <BR><FONT = SIZE=3D2>>  = ;  = ; = thisUpdate =3D </FONT> <BR><FONT SIZE=3D2>> = 12:00 &= nbsp; thisUpdate =3D 12:00</FONT> <BR><FONT = SIZE=3D2>>  = ;  = ; = nextUpdate =3D </FONT> <BR><FONT SIZE=3D2>> = 15:00 &= nbsp; nextUpdate =3D 13:00</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>BaseCRLNumber =3D 1</FONT> <BR><FONT = SIZE=3D2>>  = ;  = ; = CertificateList =3D </FONT> <BR><FONT SIZE=3D2>> = {14} = CertificateList =3D {}</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT = SIZE=3D2>>13:00 = {14, = 124} &n= bsp; &n= bsp; &n= bsp; cRLNumber =3D 49</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>thisUpdate =3D 13:00</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>nextUpdate =3D 14:00</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>BaseCRLNumber =3D 1</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>CertificateList =3D {124}</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT = SIZE=3D2>>14:00 = {14, = 124} &n= bsp; &n= bsp; &n= bsp; cRLNumber =3D 50</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>thisUpdate =3D 14:00</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>nextUpdate =3D 15:00</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>BaseCRLNumber =3D 1</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>CertificateList =3D {124}</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT = SIZE=3D2>>15:00 = {14, 124, 39} cRLNumber =3D = 2  = ; cRLNumber =3D 51</FONT> <BR><FONT = SIZE=3D2>>  = ;  = ; = thisUpdate =3D </FONT> <BR><FONT SIZE=3D2>> = 15:00 &= nbsp; thisUpdate =3D 15:00</FONT> <BR><FONT = SIZE=3D2>>  = ;  = ; = nextUpdate =3D </FONT> <BR><FONT SIZE=3D2>> = 18:00 &= nbsp; nextUpdate =3D 16:00</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>BaseCRLNumber =3D 1</FONT> <BR><FONT = SIZE=3D2>>  = ;  = ; = CertificateList =3D {14, 124, 39} </FONT> <BR><FONT SIZE=3D2>> CertificateList =3D {124, 39}</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT = SIZE=3D2>>16:00 = {14, 124, = 39, &nb= sp; &nb= sp; = cRLNumber =3D 52</FONT> <BR><FONT = SIZE=3D2>>  = ; 67} </FONT> <BR><FONT SIZE=3D2>> thisUpdate =3D 16:00</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>nextUpdate =3D 17:00</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>BaseCRLNumber =3D 2</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>CertificateList =3D {67}</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT = SIZE=3D2>>17:00 = {14, 124, = 39, &nb= sp; &nb= sp; = cRLNumber =3D 53</FONT> <BR><FONT = SIZE=3D2>>  = ; 67} </FONT> <BR><FONT SIZE=3D2>> thisUpdate =3D 17:00</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>nextUpdate =3D 18:00</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>BaseCRLNumber =3D 2</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>CertificateList =3D {67}</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT = SIZE=3D2>>18:00 = {14, 124, 39, cRLNumber =3D = 3  = ; cRLNumber =3D 54</FONT> <BR><FONT = SIZE=3D2>>  = ; = 67} &nb= sp; thisUpdate =3D </FONT> <BR><FONT SIZE=3D2>> = 18:00 &= nbsp; thisUpdate =3D 18:00</FONT> <BR><FONT = SIZE=3D2>>  = ;  = ; = nextUpdate =3D </FONT> <BR><FONT SIZE=3D2>> = 21:00 &= nbsp; nextUpdate =3D 19:00</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>BaseCRLNumber =3D 2</FONT> <BR><FONT = SIZE=3D2>>  = ;  = ; = CertificateList =3D {14, 124, 39, </FONT> <BR><FONT SIZE=3D2>> CertificateList =3D {67}</FONT> <BR><FONT = SIZE=3D2>>  = ;  = ;  = ;  = ; = 21}</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT = SIZE=3D2>>19:00 = {14, 124, = 39, &nb= sp; &nb= sp; = cRLNumber =3D 55</FONT> <BR><FONT = SIZE=3D2>>  = ; 67} </FONT> <BR><FONT SIZE=3D2>> thisUpdate =3D 19:00</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>nextUpdate =3D 20:00</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>BaseCRLNumber =3D 3</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>>CertificateList =3D {}</FONT> <BR><FONT SIZE=3D2>></FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D718.6C04BA50-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA15743 for <ietf-pkix@imc.org>; Mon, 7 May 2001 10:16:30 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K3SGKV3G>; Mon, 7 May 2001 13:16:01 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953978DE85D@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: RE: delta CRLs Date: Mon, 7 May 2001 13:06:50 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D718.1B758F10" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D718.1B758F10 Content-Type: text/plain; charset="iso-8859-1" Russ: What is stated below in your e-mail is INCORRECT. I just spoke with David Cooper. He is going to make a posting again. What I have said on this list happens to be (by accident) correct. And that is the base CRL and delta CRL share the number from the same space and the number is monotonically increasing. We have added Stream Identifier feature to allow to differentiate (only if the CA wishes) among indirect CRL, partitioned CRL etc. Thus, a base and delta must have the same stream identifier in order to be merged. If the delta thisUpdate > base thisUpdate, delta CRL Number > base CRL Number (for the same or no stream identifier). This rule is invariant except for number wrapping. -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Monday, May 07, 2001 12:00 PM To: ietf-pkix@imc.org Subject: RE: delta CRLs I have updated the figure that David Cooper posted last week. I think that the update illustrates Trevor's point. The full CRL and the delta CRL can have two independent monotonically increasing sequence of integers and still meet all of the PKIX and X.509-2000 requirements. The numbering scheme that David proposed seems much easier to implement, but I cannot find any text that the scheme below violates. I do not know what to call the full CRL at 13:00 that is generated by merging base CRL 1 and delta CRL 49... Russ = = = = = = = = = = current revoked time certificates full CRL delta CRL ------------------------------------------------------------ 12:00 {14} cRLNumber = 1 cRLNumber = 48 thisUpdate = 12:00 thisUpdate = 12:00 nextUpdate = 15:00 nextUpdate = 13:00 BaseCRLNumber = 1 CertificateList = {14} CertificateList = {} 13:00 {14, 124} cRLNumber = 49 thisUpdate = 13:00 nextUpdate = 14:00 BaseCRLNumber = 1 CertificateList = {124} 14:00 {14, 124} cRLNumber = 50 thisUpdate = 14:00 nextUpdate = 15:00 BaseCRLNumber = 1 CertificateList = {124} 15:00 {14, 124, 39} cRLNumber = 2 cRLNumber = 51 thisUpdate = 15:00 thisUpdate = 15:00 nextUpdate = 18:00 nextUpdate = 16:00 BaseCRLNumber = 1 CertificateList = {14, 124, 39} CertificateList = {124, 39} 16:00 {14, 124, 39, cRLNumber = 52 67} thisUpdate = 16:00 nextUpdate = 17:00 BaseCRLNumber = 2 CertificateList = {67} 17:00 {14, 124, 39, cRLNumber = 53 67} thisUpdate = 17:00 nextUpdate = 18:00 BaseCRLNumber = 2 CertificateList = {67} 18:00 {14, 124, 39, cRLNumber = 3 cRLNumber = 54 67} thisUpdate = 18:00 thisUpdate = 18:00 nextUpdate = 21:00 nextUpdate = 19:00 BaseCRLNumber = 2 CertificateList = {14, 124, 39, CertificateList = {67} 21} 19:00 {14, 124, 39, cRLNumber = 55 67} thisUpdate = 19:00 nextUpdate = 20:00 BaseCRLNumber = 3 CertificateList = {} ------_=_NextPart_001_01C0D718.1B758F10 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 5.00.2014.210" name=3DGENERATOR></HEAD> <BODY> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D109370817-07052001>Russ:</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D109370817-07052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D109370817-07052001>What=20 is stated below in your e-mail is INCORRECT. I just spoke with = David=20 Cooper. He is going to make a posting again. What I have = said on=20 this list happens to be (by accident) correct. And that is the = base CRL=20 and delta CRL share the number from the same space and the number is=20 monotonically increasing.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D109370817-07052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D109370817-07052001>We=20 have added Stream Identifier feature to allow to differentiate (only if = the CA=20 wishes) among indirect CRL, partitioned CRL etc.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D109370817-07052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D109370817-07052001>Thus,=20 a base and delta must have the same stream identifier in order to be=20 merged. If the delta thisUpdate > base thisUpdate, delta CRL = Number=20 > base CRL Number (for the same or no stream identifier). This = rule is=20 invariant except for number wrapping.</SPAN></FONT></DIV> <DIV> </DIV> <DIV> </DIV> <DIV class=3DOutlookMessageHeader><FONT face=3D"Times New Roman"=20 size=3D2>-----Original Message-----<BR><B>From:</B> Housley, Russ=20 [mailto:rhousley@rsasecurity.com]<BR><B>Sent:</B> Monday, May 07, 2001 = 12:00=20 PM<BR><B>To:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta=20 CRLs<BR><BR></FONT></DIV>I have updated the figure that David Cooper = posted last=20 week. I think that the update illustrates Trevor's point. = The full=20 CRL and the delta CRL can have two independent monotonically increasing = sequence=20 of integers and still meet all of the PKIX and X.509-2000=20 requirements.<BR><BR>The numbering scheme that David proposed seems = much easier=20 to implement, but I cannot find any text that the scheme below=20 violates.<BR><BR>I do not know what to call the full CRL at 13:00 that = is=20 generated by merging base CRL 1 and delta CRL = 49...<BR><BR>Russ<BR><BR><BR>=3D =3D =3D=20 =3D =3D =3D =3D =3D =3D =3D <BR><BR><BR><FONT face=3D"Courier New, = Courier">current =20 revoked<BR>time<X-TAB> </X-TAB> =20 certificates<X-TAB> </X-TAB>full=20 CRL<X-TAB> </X-TAB><X-TAB= > </X-TAB><X-TAB> &n= bsp; </X-TAB>delta=20 CRL<BR>------------------------------------------------------------<BR><= /FONT>12:00<X-TAB> </X-TAB><X-TAB> &nb= sp; </X-TAB>{14}<X-TAB> </= X-TAB><X-TAB> </X-TAB>cRL= Number=20 =3D=20 1<X-TAB> </X-TAB><X-TAB> &= nbsp; </X-TAB><X-TAB> &nbs= p; </X-TAB>cRLNumber=20 =3D=20 48<BR><X-TAB> </X-TAB><X-= TAB> </X-TAB><X-TAB> = ; </X-TAB><X-TAB> &n= bsp; </X-TAB>thisUpdate=20 =3D=20 12:00<X-TAB> </X-TAB><X-TAB> &nb= sp; </X-TAB>thisUpdate=20 =3D=20 12:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB>nextUpdate=20 =3D=20 15:00<X-TAB> </X-TAB><X-TAB> &nb= sp; </X-TAB>nextUpdate=20 =3D=20 13:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB>BaseCRLNumber=20 =3D=20 1<BR><X-TAB> </X-TAB><X-T= AB> </X-TAB><X-TAB> = </X-TAB><X-TAB> &nb= sp; </X-TAB>CertificateList=20 =3D=20 {14}<X-TAB> </X-TAB><X-TAB> &nbs= p; </X-TAB>CertificateList=20 =3D=20 {}<BR><BR><BR>13:00<X-TAB> </X-TAB><X-TAB> &= nbsp; </X-TAB>{14,=20 124}<X-TAB> </X-TAB><X-TAB>&nbs= p; </X-TAB><X-TAB> &= nbsp; </X-TAB><X-TAB> &nbs= p; </X-TAB><X-TAB> &= nbsp; </X-TAB>cRLNumber=20 =3D=20 49<BR><X-TAB> </X-TAB><X-= TAB> </X-TAB><X-TAB> = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> </= X-TAB>thisUpdate=20 =3D=20 13:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB>nextUpdate=20 =3D=20 14:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB>BaseCRLNumber=20 =3D=20 1<BR><X-TAB> </X-TAB><X-T= AB> </X-TAB><X-TAB> = </X-TAB><X-TAB> &nb= sp; </X-TAB><X-TAB> = </X-TAB><X-TAB> &nb= sp; </X-TAB><X-TAB> = </X-TAB><X-TAB> </X= -TAB>CertificateList=20 =3D=20 {124}<BR><BR><BR>14:00<X-TAB> </X-TAB><X-TAB> &nbs= p; </X-TAB>{14,=20 124}<X-TAB> </X-TAB><X-TAB>&nbs= p; </X-TAB><X-TAB> &= nbsp; </X-TAB><X-TAB> &nbs= p; </X-TAB><X-TAB> &= nbsp; </X-TAB>cRLNumber=20 =3D=20 50<BR><X-TAB> </X-TAB><X-= TAB> </X-TAB><X-TAB> = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> </= X-TAB>thisUpdate=20 =3D=20 14:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB>nextUpdate=20 =3D=20 15:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB>BaseCRLNumber=20 =3D=20 1<BR><X-TAB> </X-TAB><X-T= AB> </X-TAB><X-TAB> = </X-TAB><X-TAB> &nb= sp; </X-TAB><X-TAB> = </X-TAB><X-TAB> &nb= sp; </X-TAB><X-TAB> = </X-TAB><X-TAB> </X= -TAB>CertificateList=20 =3D=20 {124}<BR><BR><BR>15:00<X-TAB> </X-TAB><X-TAB> &nbs= p; </X-TAB>{14,=20 124, 39}<X-TAB> </X-TAB>cRLNumber =3D=20 2<X-TAB> </X-TAB><X-TAB> &= nbsp; </X-TAB><X-TAB> &nbs= p; </X-TAB>cRLNumber=20 =3D=20 51<BR><X-TAB> </X-TAB><X-= TAB> </X-TAB><X-TAB> = ; </X-TAB><X-TAB> &n= bsp; </X-TAB>thisUpdate=20 =3D=20 15:00<X-TAB> </X-TAB><X-TAB> &nb= sp; </X-TAB>thisUpdate=20 =3D=20 15:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB>nextUpdate=20 =3D=20 18:00<X-TAB> </X-TAB><X-TAB> &nb= sp; </X-TAB>nextUpdate=20 =3D=20 16:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB>BaseCRLNumber=20 =3D=20 1<BR><X-TAB> </X-TAB><X-T= AB> </X-TAB><X-TAB> = </X-TAB><X-TAB> &nb= sp; </X-TAB>CertificateList=20 =3D {14, 124, 39}<X-TAB> </X-TAB>CertificateList =3D {124,=20 39}<BR><BR><BR>16:00<X-TAB> </X-TAB><X-TAB> = </X-TAB>{14,=20 124,=20 39,<X-TAB> </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB><X-TAB> </X-TAB>= cRLNumber=20 =3D=20 52<BR><X-TAB> </X-TAB><X-= TAB> </X-TAB>67}<X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB><X-TAB> </X-TAB>= <X-TAB> </X-TAB>thisUpdat= e=20 =3D=20 16:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB>nextUpdate=20 =3D=20 17:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB>BaseCRLNumber=20 =3D=20 2<BR><X-TAB> </X-TAB><X-T= AB> </X-TAB><X-TAB> = </X-TAB><X-TAB> &nb= sp; </X-TAB><X-TAB> = </X-TAB><X-TAB> &nb= sp; </X-TAB><X-TAB> = </X-TAB><X-TAB> </X= -TAB>CertificateList=20 =3D=20 {67}<BR><BR><BR>17:00<X-TAB> </X-TAB><X-TAB>  = ; </X-TAB>{14,=20 124,=20 39,<X-TAB> </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB><X-TAB> </X-TAB>= cRLNumber=20 =3D=20 53<BR><X-TAB> </X-TAB><X-= TAB> </X-TAB>67}<X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB><X-TAB> </X-TAB>= <X-TAB> </X-TAB>thisUpdat= e=20 =3D=20 17:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB>nextUpdate=20 =3D=20 18:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB>BaseCRLNumber=20 =3D=20 2<BR><X-TAB> </X-TAB><X-T= AB> </X-TAB><X-TAB> = </X-TAB><X-TAB> &nb= sp; </X-TAB><X-TAB> = </X-TAB><X-TAB> &nb= sp; </X-TAB><X-TAB> = </X-TAB><X-TAB> </X= -TAB>CertificateList=20 =3D=20 {67}<BR><BR><BR>18:00<X-TAB> </X-TAB><X-TAB>  = ; </X-TAB>{14,=20 124, 39,<X-TAB> </X-TAB>cRLNumber =3D=20 3<X-TAB> </X-TAB><X-TAB> &= nbsp; </X-TAB><X-TAB> &nbs= p; </X-TAB>cRLNumber=20 =3D=20 54<BR><X-TAB> </X-TAB><X-= TAB> </X-TAB>67}<X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB>thisUpdate=20 =3D=20 18:00<X-TAB> </X-TAB><X-TAB> &nb= sp; </X-TAB>thisUpdate=20 =3D=20 18:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB>nextUpdate=20 =3D=20 21:00<X-TAB> </X-TAB><X-TAB> &nb= sp; </X-TAB>nextUpdate=20 =3D=20 19:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB>BaseCRLNumber=20 =3D=20 2<BR><X-TAB> </X-TAB><X-T= AB> </X-TAB><X-TAB> = </X-TAB><X-TAB> &nb= sp; </X-TAB>CertificateList=20 =3D {14, 124, 39,<X-TAB> </X-TAB>CertificateList =3D=20 {67}<BR><X-TAB> </X-TAB><= X-TAB> </X-TAB><X-TAB>&nb= sp; </X-TAB><X-TAB> = </X-TAB> &nbs= p; &nbs= p; =20 21}<BR><BR><BR>19:00<X-TAB> </X-TAB><X-TAB> = </X-TAB>{14,=20 124,=20 39,<X-TAB> </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB><X-TAB> </X-TAB>= cRLNumber=20 =3D=20 55<BR><X-TAB> </X-TAB><X-= TAB> </X-TAB>67}<X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB><X-TAB> </X-TAB>= <X-TAB> </X-TAB>thisUpdat= e=20 =3D=20 19:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB>nextUpdate=20 =3D=20 20:00<BR><X-TAB> </X-TAB>= <X-TAB> </X-TAB><X-TAB>&n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ; </X-TAB><X-TAB> &n= bsp; </X-TAB><X-TAB>  = ;</X-TAB>BaseCRLNumber=20 =3D=20 3<BR><X-TAB> </X-TAB><X-T= AB> </X-TAB><X-TAB> = </X-TAB><X-TAB> &nb= sp; </X-TAB><X-TAB> = </X-TAB><X-TAB> &nb= sp; </X-TAB><X-TAB> = </X-TAB><X-TAB> </X= -TAB>CertificateList=20 =3D {}<BR><BR><BR></BODY></HTML> ------_=_NextPart_001_01C0D718.1B758F10-- Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA14954 for <ietf-pkix@imc.org>; Mon, 7 May 2001 10:08:08 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id NAA21045; Mon, 7 May 2001 13:08:08 -0400 (EDT) Message-Id: <4.2.0.58.20010507125525.01cf87f0@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Mon, 07 May 2001 13:05:52 -0400 To: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org From: Tim Polk <tim.polk@nist.gov> Subject: RE: delta CRLs In-Reply-To: <5.0.1.4.2.20010507114747.01d68650@exna07.securitydynamics. com> References: <4AEE3169443CDD4796CA8A00B02191CD689525@win-msg-01.wingroup .windeploy.ntdev.microsoft.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Russ, At 11:59 AM 5/7/01 -0400, you wrote: >I have updated the figure that David Cooper posted last week. I think >that the update illustrates Trevor's point. The full CRL and the delta >CRL can have two independent monotonically increasing sequence of integers >and still meet all of the PKIX and X.509-2000 requirements. I expect you are correct; the description of CRL numbering currently in PKIX may permit this scheme. However, I think we should tighten the wording. >The numbering scheme that David proposed seems much easier to implement, >but I cannot find any text that the scheme below violates. > >I do not know what to call the full CRL at 13:00 that is generated by >merging base CRL 1 and delta CRL 49... I believe that is the problem with Trevor's proposal. The CRL number of the constructed CRL does not help you determine whether or not a future delta can be applied safely to the constructed CRL. The most glaring example of this is the delta CRL number 51. When it is combined with full CRL number 1, you actually obtain full CRL number 2. However, at 16:00 the CA issues delta 52, which points to full CRL 2 as a base. Using Trevor's numbering scheme, there is no way to be sure that CRL 1 and delta 51 are the same CRL as the full CRL with CRL number 2. As a result, at 16:00 the relying party must download both full CRL number 2 and delta number 52. That is the sort of behavior we want to avoid. Tim >Russ > > >= = = = = = = = = = > > >current revoked >time certificates full CRL delta CRL >------------------------------------------------------------ >12:00 {14} cRLNumber = 1 cRLNumber = 48 > thisUpdate = > 12:00 thisUpdate = 12:00 > nextUpdate = > 15:00 nextUpdate = 13:00 > >BaseCRLNumber = 1 > CertificateList = > {14} CertificateList = {} > > >13:00 {14, 124} cRLNumber = 49 > >thisUpdate = 13:00 > >nextUpdate = 14:00 > >BaseCRLNumber = 1 > >CertificateList = {124} > > >14:00 {14, 124} cRLNumber = 50 > >thisUpdate = 14:00 > >nextUpdate = 15:00 > >BaseCRLNumber = 1 > >CertificateList = {124} > > >15:00 {14, 124, 39} cRLNumber = 2 cRLNumber = 51 > thisUpdate = > 15:00 thisUpdate = 15:00 > nextUpdate = > 18:00 nextUpdate = 16:00 > >BaseCRLNumber = 1 > CertificateList = {14, 124, 39} > CertificateList = {124, 39} > > >16:00 {14, 124, 39, cRLNumber = 52 > 67} > thisUpdate = 16:00 > >nextUpdate = 17:00 > >BaseCRLNumber = 2 > >CertificateList = {67} > > >17:00 {14, 124, 39, cRLNumber = 53 > 67} > thisUpdate = 17:00 > >nextUpdate = 18:00 > >BaseCRLNumber = 2 > >CertificateList = {67} > > >18:00 {14, 124, 39, cRLNumber = 3 cRLNumber = 54 > 67} thisUpdate = > 18:00 thisUpdate = 18:00 > nextUpdate = > 21:00 nextUpdate = 19:00 > >BaseCRLNumber = 2 > CertificateList = {14, 124, 39, > CertificateList = {67} > 21} > > >19:00 {14, 124, 39, cRLNumber = 55 > 67} > thisUpdate = 19:00 > >nextUpdate = 20:00 > >BaseCRLNumber = 3 > >CertificateList = {} > Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA12105 for <ietf-pkix@imc.org>; Mon, 7 May 2001 09:24:14 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id MAA317196; Mon, 7 May 2001 12:21:52 -0400 Received: from d02ml237.somers.hqregion.ibm.com (d02ml237.sby.ibm.com [9.45.4.171]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id MAA47550; Mon, 7 May 2001 12:18:07 -0400 Importance: Normal Subject: RE: Certificate Hold (was RE: delta CRLs) To: Santosh Chokhani <chokhani@cygnacom.com> Cc: Stephen Kent <kent@bbn.com>, "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: <OF437865FF.8FEFF860-ON85256A45.00552BF3@somers.hqregion.ibm.com> From: "Tom Gindin" <tgindin@us.ibm.com> Date: Mon, 7 May 2001 11:32:49 -0400 X-MIMETrack: Serialize by Router on D02ML237/02/M/IBM(Release 5.0.7 |March 21, 2001) at 05/07/2001 12:23:22 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii I don't actually think that "removeFromCRL" is unduly complex, nor did I say so. What I wanted to point out was that when delta CRL's are not in use the "certificateHold" reason adds no extra complexity to standard CRL processing at all (exclusive of NR, which is not a simple case), and therefore I can't understand why anyone would want to deprecate that reason. Tom Gindin Santosh Chokhani <chokhani@cygnacom.com> on 05/05/2001 07:58:09 AM To: Tom Gindin/Watson/IBM@IBMUS, Stephen Kent <kent@bbn.com> cc: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: RE: Certificate Hold (was RE: delta CRLs) Tom: I also am not a fan of "hold: feature. But, I fail to see why "removeFromHold" is in delta CRL is unduly complex. I would say either not have the "hold" feature or require "hold' and "release" irrespective of delta. -----Original Message----- From: Tom Gindin [mailto:tgindin@us.ibm.com] Sent: Friday, May 04, 2001 6:50 PM To: Stephen Kent Cc: Housley, Russ; ietf-pkix@imc.org Subject: RE: Certificate Hold (was RE: delta CRLs) I don't know why this particular feature is so unpopular. I can understand why handling "removeFromCRL" in deltas could be an extra load on clients, but wouldn't the maximum remedy for that be to say that CA's which issue delta CRL's SHOULD NOT use hold, while RP's MAY process removeFromCRL? What extra complexity does hold add to an RP for a CA which doesn't issue deltas but issues full CRL's (perhaps full distribution point CRL's) instead? Tom Gindin Stephen Kent <kent@bbn.com> on 05/04/2001 02:42:33 PM To: "Housley, Russ" <rhousley@rsasecurity.com> cc: ietf-pkix@imc.org Subject: RE: Certificate Hold (was RE: delta CRLs) At 1:30 PM -0400 5/4/01, Housley, Russ wrote: >Carlin: > >>Russ, it appears from your comment: >>"Fair reply. And, unless there is a ground swell of >>support, I will drop it." >>that you have interpreted Denis as meaning >>"I have withdrawn my support for 'hold'." >> >>Russ, is that correct? >> >>And Russ, I am further confused by "... I will drop it." >> >>Did you mean that you will add text to prohibit compliant >>CA's from issuing delta CRL's that include "hold" and >>"removeFromCRL" reason codes or text that will prohibit >>this for full CRL's as well as delta-CRLs, or did you >>mean something else entirely? > >I have NEVER liked the on-hold feature. I still do not like the >on-hold feature. > >I will not delay the Last Call process on son-of-rfc 2459 to debate >the issue unless I see that there are others that support my view. I feel the same as Russ, i.e., have never liked it and still think it's a bad idea. Since we deprecated the hold instruction (vis our comments on the hold instruction code entry extension) last time, is there are basis for change this time around? Steve Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id JAA10046 for <ietf-pkix@imc.org>; Mon, 7 May 2001 09:02:31 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 7 May 2001 16:02:17 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id MAA29987 for <ietf-pkix@imc.org>; Mon, 7 May 2001 12:02:30 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NVDAB>; Mon, 7 May 2001 12:02:29 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.115]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NVC99; Mon, 7 May 2001 12:00:05 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010507114747.01d68650@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 07 May 2001 11:59:58 -0400 Subject: RE: delta CRLs In-Reply-To: <4AEE3169443CDD4796CA8A00B02191CD689525@win-msg-01.wingroup .windeploy.ntdev.microsoft.com> Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" <html> I have updated the figure that David Cooper posted last week. I think that the update illustrates Trevor's point. The full CRL and the delta CRL can have two independent monotonically increasing sequence of integers and still meet all of the PKIX and X.509-2000 requirements.<br> <br> The numbering scheme that David proposed seems much easier to implement, but I cannot find any text that the scheme below violates.<br> <br> I do not know what to call the full CRL at 13:00 that is generated by merging base CRL 1 and delta CRL 49...<br> <br> Russ<br> <br> <br> = = = = = = = = = = <br> <br> <br> <font face="Courier New, Courier">current revoked<br> time<x-tab> </x-tab> certificates<x-tab> </x-tab>full CRL<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>delta CRL<br> ------------------------------------------------------------<br> </font>12:00<x-tab> </x-tab><x-tab> </x-tab>{14}<x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 1<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 48<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 12:00<x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 12:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 15:00<x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 13:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 1<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {14}<x-tab> </x-tab><x-tab> </x-tab>CertificateList = {}<br> <br> <br> 13:00<x-tab> </x-tab><x-tab> </x-tab>{14, 124}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 49<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 13:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 14:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 1<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {124}<br> <br> <br> 14:00<x-tab> </x-tab><x-tab> </x-tab>{14, 124}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 50<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 14:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 15:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 1<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {124}<br> <br> <br> 15:00<x-tab> </x-tab><x-tab> </x-tab>{14, 124, 39}<x-tab> </x-tab>cRLNumber = 2<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 51<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 15:00<x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 15:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 18:00<x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 16:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 1<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {14, 124, 39}<x-tab> </x-tab>CertificateList = {124, 39}<br> <br> <br> 16:00<x-tab> </x-tab><x-tab> </x-tab>{14, 124, 39,<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 52<br> <x-tab> </x-tab><x-tab> </x-tab>67}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 16:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 17:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 2<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {67}<br> <br> <br> 17:00<x-tab> </x-tab><x-tab> </x-tab>{14, 124, 39,<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 53<br> <x-tab> </x-tab><x-tab> </x-tab>67}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 17:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 18:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 2<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {67}<br> <br> <br> 18:00<x-tab> </x-tab><x-tab> </x-tab>{14, 124, 39,<x-tab> </x-tab>cRLNumber = 3<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 54<br> <x-tab> </x-tab><x-tab> </x-tab>67}<x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 18:00<x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 18:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 21:00<x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 19:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 2<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {14, 124, 39,<x-tab> </x-tab>CertificateList = {67}<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab> 21}<br> <br> <br> 19:00<x-tab> </x-tab><x-tab> </x-tab>{14, 124, 39,<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 55<br> <x-tab> </x-tab><x-tab> </x-tab>67}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 19:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 20:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 3<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {}<br> <br> <br> </html> Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id GAA26253 for <ietf-pkix@imc.org>; Mon, 7 May 2001 06:43:00 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 7 May 2001 13:42:45 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id JAA18789 for <ietf-pkix@imc.org>; Mon, 7 May 2001 09:43:01 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NVAND>; Mon, 7 May 2001 09:43:00 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.21]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NVAM0; Mon, 7 May 2001 09:42:56 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010507091957.01c945b8@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 07 May 2001 09:21:08 -0400 Subject: RE: delta CRLs In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE739@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Santosh: X.509 may allow the CRL number to wrap around, but I do not believe that PKIX does. 5.2.3 CRL Number The CRL number is a non-critical CRL extension which conveys a monotonically increasing sequence number for each CRL issued by a CA. This extension allows users to easily determine when a particular CRL supersedes another CRL. CAs conforming to this profile MUST include this extension in all CRLs. id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } Russ At 10:11 PM 5/5/2001 -0400, Santosh Chokhani wrote: >Actually, the text allows for the wrap of the numbers. Please see Annex B >of X.509. Thus, it is not strictly increasing > >-----Original Message----- >From: Peter Sylvester >[<mailto:Peter.Sylvester@EdelWeb.fr>mailto:Peter.Sylvester@EdelWeb.fr] >Sent: Saturday, May 05, 2001 2:08 PM >To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; >chokhani@cygnacom.com >Cc: ietf-pkix@imc.org >Subject: RE: delta CRLs > > > Trevor: > > > > The 2000 version of X.509 is very clear on this. For a given CRL stream > > identifier, the CRL number is unique whether it is base or delta. That is > > why delta number has to be greater than the base. > >" 8.5.2.1 CRL number extension > > This CRL extension field conveys a monotonically increasing sequence > number .." > >The text might be clearer IMHO if 'strictly increasing' would be used >instead. Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id GAA26238 for <ietf-pkix@imc.org>; Mon, 7 May 2001 06:42:57 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 7 May 2001 13:42:42 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id JAA18783 for <ietf-pkix@imc.org>; Mon, 7 May 2001 09:42:58 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NVANB>; Mon, 7 May 2001 09:42:57 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.21]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NVAM5; Mon, 7 May 2001 09:42:53 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Tom Gindin <tgindin@us.ibm.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010507081848.01ce5978@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Mon, 07 May 2001 08:36:04 -0400 Subject: RE: Certificate Hold (was RE: delta CRLs) In-Reply-To: <OF4FA48C18.3ABD782E-ON85256A42.006D4335@somers.hqregion.ib m.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Tom: It is not that simple. In my view, non-repudiation is significantly complicated by the processing necessary to determine whether a certificate was suspended (a.k.a., on hold). This is a topic that you do not discuss in your Internet Draft on non-repudiation. Russ At 06:50 PM 5/4/2001 -0400, Tom Gindin wrote: > I don't know why this particular feature is so unpopular. I can >understand why handling "removeFromCRL" in deltas could be an extra load on >clients, but wouldn't the maximum remedy for that be to say that CA's which >issue delta CRL's SHOULD NOT use hold, while RP's MAY process >removeFromCRL? What extra complexity does hold add to an RP for a CA which >doesn't issue deltas but issues full CRL's (perhaps full distribution point >CRL's) instead? > > Tom Gindin > > >Stephen Kent <kent@bbn.com> on 05/04/2001 02:42:33 PM > >To: "Housley, Russ" <rhousley@rsasecurity.com> >cc: ietf-pkix@imc.org >Subject: RE: Certificate Hold (was RE: delta CRLs) > > >At 1:30 PM -0400 5/4/01, Housley, Russ wrote: > >Carlin: > > > >>Russ, it appears from your comment: > >>"Fair reply. And, unless there is a ground swell of > >>support, I will drop it." > >>that you have interpreted Denis as meaning > >>"I have withdrawn my support for 'hold'." > >> > >>Russ, is that correct? > >> > >>And Russ, I am further confused by "... I will drop it." > >> > >>Did you mean that you will add text to prohibit compliant > >>CA's from issuing delta CRL's that include "hold" and > >>"removeFromCRL" reason codes or text that will prohibit > >>this for full CRL's as well as delta-CRLs, or did you > >>mean something else entirely? > > > >I have NEVER liked the on-hold feature. I still do not like the > >on-hold feature. > > > >I will not delay the Last Call process on son-of-rfc 2459 to debate > >the issue unless I see that there are others that support my view. > >I feel the same as Russ, i.e., have never liked it and still think >it's a bad idea. Since we deprecated the hold instruction (vis our >comments on the hold instruction code entry extension) last time, is >there are basis for change this time around? > >Steve Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA18099 for <ietf-pkix@imc.org>; Mon, 7 May 2001 04:55:50 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K3SGKP00>; Mon, 7 May 2001 07:55:20 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE77E@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Trevor Freeman <trevorf@windows.microsoft.com>, Santosh Chokhani <chokhani@cygnacom.com>, "Housley, Russ" <rhousley@rsasecurity.com> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Mon, 7 May 2001 07:46:10 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D6EB.4FA584C0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D6EB.4FA584C0 Content-Type: text/plain; charset="iso-8859-1" Trevor: One more time, there is a relationship between the two CRL numbers. The number is monotonically increasing and shared. Thus, if a base number n is issued and a later delta to that or any other base is issued (with the same CRL Stream Identifier, if implemented), the delta's number m and n have the following relationship: m > n. Again that persistence rule is also a generation rule and not processing rule and hence belongs in the CA side. That said, the removeFromCRL will be present in a delta CRL until a base is issued that does NOT contain that entry and the delta refers to that or later base. -----Original Message----- From: Trevor Freeman [mailto:trevorf@windows.microsoft.com] Sent: Monday, May 07, 2001 1:35 AM To: Santosh Chokhani; Housley, Russ Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh, I agree that the Delta CRL indicator extension which identifies the CRL as a delta CRL, contains a number, and that number refers to the CRL Number extension in the base CRL, and the client must have a base CRL which contains a CRL number equal to or grater than the number in the Delta CRL indicator. That is not what I am taking about. The way I read Russ's rule 2 is that he inferring a relationship between the CRL number extension in the delta CRL and the CRL number extension in the base. I am pointing out that there is no relationship between these two numbers. THE point I am trying to clarify in rule three is how long to persist the "remove from CRL" entry in the delta. We have a rule when to purge expired revoked certificates from a full CRLs. What we need is an equally precise rule when to purge remove from CRL entries from a base CRL. Trevor -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Saturday, May 05, 2001 4:58 AM To: Trevor Freeman; Housley, Russ; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Trevor: The 2000 version of X.509 is very clear on this. For a given CRL stream identifier, the CRL number is unique whether it is base or delta. That is why delta number has to be greater than the base. However, since the CRL number is not a mandatory extension (although PKIX profile requires it), a check based on thisUpdate is more general and preferred. As for rule 3, I did not mention it, but this is a CRL generation rule and applicable to the CA, where as first two rules are CRL processing rule and hence applicable to relying parties. I hope the revision will put these rules in different places for processing and generation. The processing rule should be that if the removeFromCRL is on delta, then the entry (if present in the base) should be deleted. -----Original Message----- From: Trevor Freeman [mailto:trevorf@windows.microsoft.com <mailto:trevorf@windows.microsoft.com> ] Sent: Friday, May 04, 2001 7:01 PM To: Housley, Russ; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs I am not sure about rule 2. Surly the CRL number of the base and delta are orthogonal. The delta indicator binds the delta to a specific base in the base CRL sequence, but the absolute value of the two sequences are independent. A CA may have been issuing base CRLs for some time, before it gets into the business of using delta CRLs and it does not really matter it the delta CRL number starts at 1 or the current number of the base. To clarify point three, the delta CRL must include "remove from" entries until the nextupdate time in the referenced base. A CA does not know if clients have picked up the base or knot, and to assume they have would introduce an error. Trevor -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com <mailto:rhousley@rsasecurity.com> ] Sent: Friday, May 04, 2001 1:32 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh: I see your point. There are three rules that interact to make it all work, and I think that we are only clear about two of the rules. 1. The base CRL referenced by the delta CRL MUST be less than or equal to the base CRL to which the updates will be applied. 2. The CRL number in the delta CRL MUST be greater than or equal to the CRL number of the base (otherwise the entries are already accommodated by the base). 3. Delta CRLs MUST continue to include removeFromCRL entries even if they are not otherwise needed to update the referenced base. David's posting provided the rules to describe when they are not longer necessary. Russ ------_=_NextPart_001_01C0D6EB.4FA584C0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Trevor:</FONT> </P> <P><FONT SIZE=3D2>One more time, there is a relationship between the = two CRL numbers. The number is monotonically increasing and = shared. Thus, if a base number n is issued and a later delta to = that or any other base is issued (with the same CRL Stream Identifier, = if implemented), the delta's number m and n have the following = relationship: m > n.</FONT></P> <P><FONT SIZE=3D2>Again that persistence rule is also a generation rule = and not processing rule and hence belongs in the CA side. That = said, the removeFromCRL will be present in a delta CRL until a base is = issued that does NOT contain that entry and the delta refers to that or = later base.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Trevor Freeman [<A = HREF=3D"mailto:trevorf@windows.microsoft.com">mailto:trevorf@windows.mic= rosoft.com</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Monday, May 07, 2001 1:35 AM</FONT> <BR><FONT SIZE=3D2>To: Santosh Chokhani; Housley, Russ</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>Santosh,</FONT> <BR><FONT SIZE=3D2>I agree that the Delta CRL indicator extension which = identifies the CRL</FONT> <BR><FONT SIZE=3D2>as a delta CRL, contains a number, and that number = refers to the CRL</FONT> <BR><FONT SIZE=3D2>Number extension in the base CRL, and the client = must have a base CRL</FONT> <BR><FONT SIZE=3D2>which contains a CRL number equal to or grater than = the number in the</FONT> <BR><FONT SIZE=3D2>Delta CRL indicator.</FONT> <BR><FONT SIZE=3D2>That is not what I am taking about. </FONT> <BR><FONT SIZE=3D2>The way I read Russ's rule 2 is that he inferring a = relationship between</FONT> <BR><FONT SIZE=3D2>the CRL number extension in the delta CRL and the = CRL number extension</FONT> <BR><FONT SIZE=3D2>in the base. I am pointing out that there is no = relationship between</FONT> <BR><FONT SIZE=3D2>these two numbers. </FONT> <BR><FONT SIZE=3D2>THE point I am trying to clarify in rule three is = how long to persist</FONT> <BR><FONT SIZE=3D2>the "remove from CRL" entry in the delta. = We have a rule when to purge</FONT> <BR><FONT SIZE=3D2>expired revoked certificates from a full CRLs. What = we need is an</FONT> <BR><FONT SIZE=3D2>equally precise rule when to purge remove from CRL = entries from a base</FONT> <BR><FONT SIZE=3D2>CRL.</FONT> <BR><FONT SIZE=3D2>Trevor</FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Santosh Chokhani [<A = HREF=3D"mailto:chokhani@cygnacom.com">mailto:chokhani@cygnacom.com</A>] = </FONT> <BR><FONT SIZE=3D2>Sent: Saturday, May 05, 2001 4:58 AM</FONT> <BR><FONT SIZE=3D2>To: Trevor Freeman; Housley, Russ; Santosh = Chokhani</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs</FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>Trevor: </FONT> <BR><FONT SIZE=3D2>The 2000 version of X.509 is very clear on = this. For a given CRL stream</FONT> <BR><FONT SIZE=3D2>identifier, the CRL number is unique whether it is = base or delta. That</FONT> <BR><FONT SIZE=3D2>is why delta number has to be greater than the = base.</FONT> <BR><FONT SIZE=3D2>However, since the CRL number is not a mandatory = extension (although</FONT> <BR><FONT SIZE=3D2>PKIX profile requires it), a check based on = thisUpdate is more general</FONT> <BR><FONT SIZE=3D2>and preferred.</FONT> <BR><FONT SIZE=3D2>As for rule 3, I did not mention it, but this is a = CRL generation rule</FONT> <BR><FONT SIZE=3D2>and applicable to the CA, where as first two rules = are CRL processing</FONT> <BR><FONT SIZE=3D2>rule and hence applicable to relying parties. = I hope the revision will</FONT> <BR><FONT SIZE=3D2>put these rules in different places for processing = and generation.</FONT> <BR><FONT SIZE=3D2>The processing rule should be that if the = removeFromCRL is on delta,</FONT> <BR><FONT SIZE=3D2>then the entry (if present in the base) should be = deleted.</FONT> <BR><FONT SIZE=3D2>-----Original Message----- </FONT> <BR><FONT SIZE=3D2>From: Trevor Freeman [<A = HREF=3D"mailto:trevorf@windows.microsoft.com">mailto:trevorf@windows.mic= rosoft.com</A></FONT> <BR><FONT SIZE=3D2><<A = HREF=3D"mailto:trevorf@windows.microsoft.com">mailto:trevorf@windows.mic= rosoft.com</A>> ] </FONT> <BR><FONT SIZE=3D2>Sent: Friday, May 04, 2001 7:01 PM </FONT> <BR><FONT SIZE=3D2>To: Housley, Russ; Santosh Chokhani </FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org </FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>I am not sure about rule 2. Surly the CRL number of = the base and delta </FONT> <BR><FONT SIZE=3D2>are orthogonal. The delta indicator binds the delta = to a specific base </FONT> <BR><FONT SIZE=3D2>in the base CRL sequence, but the absolute value of = the two sequences </FONT> <BR><FONT SIZE=3D2>are independent. A CA may have been issuing base = CRLs for some time, </FONT> <BR><FONT SIZE=3D2>before it gets into the business of using delta CRLs = and it does not </FONT> <BR><FONT SIZE=3D2>really matter it the delta CRL number starts at 1 or = the current number </FONT> <BR><FONT SIZE=3D2>of the base. </FONT> <BR><FONT SIZE=3D2>To clarify point three, the delta CRL must include = "remove from" entries</FONT> </P> <P><FONT SIZE=3D2>until the nextupdate time in the referenced base. A = CA does not know if </FONT> <BR><FONT SIZE=3D2>clients have picked up the base or knot, and to = assume they have would </FONT> <BR><FONT SIZE=3D2>introduce an error. </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>Trevor </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>-----Original Message----- </FONT> <BR><FONT SIZE=3D2>From: Housley, Russ [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A></FONT> <BR><FONT SIZE=3D2><<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>> ] </FONT> <BR><FONT SIZE=3D2>Sent: Friday, May 04, 2001 1:32 PM </FONT> <BR><FONT SIZE=3D2>To: Santosh Chokhani </FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org </FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>Santosh: </FONT> <BR><FONT SIZE=3D2>I see your point. </FONT> <BR><FONT SIZE=3D2>There are three rules that interact to make it all = work, and I think </FONT> <BR><FONT SIZE=3D2>that we are only clear about two of the rules. = </FONT> <BR><FONT SIZE=3D2>1. The base CRL referenced by the delta CRL = MUST be less than or equal </FONT> <BR><FONT SIZE=3D2>to the base CRL to which the updates will be = applied. </FONT> <BR><FONT SIZE=3D2>2. The CRL number in the delta CRL MUST be = greater than or equal to the</FONT> </P> <P><FONT SIZE=3D2>CRL number of the base (otherwise the entries are = already accommodated </FONT> <BR><FONT SIZE=3D2>by the base). </FONT> <BR><FONT SIZE=3D2>3. Delta CRLs MUST continue to include = removeFromCRL entries even if </FONT> <BR><FONT SIZE=3D2>they are not otherwise needed to update the = referenced base. David's </FONT> <BR><FONT SIZE=3D2>posting provided the rules to describe when they are = not longer </FONT> <BR><FONT SIZE=3D2>necessary. </FONT> <BR><FONT SIZE=3D2>Russ </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D6EB.4FA584C0-- Received: from mail3.microsoft.com (mail3.microsoft.com [131.107.3.123]) by above.proper.com (8.9.3/8.9.3) with SMTP id WAA05685 for <ietf-pkix@imc.org>; Sun, 6 May 2001 22:59:14 -0700 (PDT) Received: from 157.54.9.100 by mail3.microsoft.com (InterScan E-Mail VirusWall NT); Sun, 06 May 2001 22:33:09 -0700 (Pacific Daylight Time) Received: from red-imc-02.redmond.corp.microsoft.com ([157.54.9.107]) by inet-imc-03.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Sun, 6 May 2001 22:35:16 -0700 Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.82]) by red-imc-02.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Sun, 6 May 2001 22:35:15 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Sun, 6 May 2001 22:34:57 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: delta CRLs Date: Sun, 6 May 2001 22:34:56 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD631B81@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: delta CRLs Thread-Index: AcDVW+6sDu0uLYyJQtuAMV4kKvifPwBWKO6g From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "Santosh Chokhani" <chokhani@cygnacom.com>, "Housley, Russ" <rhousley@rsasecurity.com> Cc: <ietf-pkix@imc.org> X-OriginalArrivalTime: 07 May 2001 05:34:57.0437 (UTC) FILETIME=[73ABC4D0:01C0D6B7] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id WAA05686 Santosh, I agree that the Delta CRL indicator extension which identifies the CRL as a delta CRL, contains a number, and that number refers to the CRL Number extension in the base CRL, and the client must have a base CRL which contains a CRL number equal to or grater than the number in the Delta CRL indicator. That is not what I am taking about. The way I read Russ's rule 2 is that he inferring a relationship between the CRL number extension in the delta CRL and the CRL number extension in the base. I am pointing out that there is no relationship between these two numbers. THE point I am trying to clarify in rule three is how long to persist the "remove from CRL" entry in the delta. We have a rule when to purge expired revoked certificates from a full CRLs. What we need is an equally precise rule when to purge remove from CRL entries from a base CRL. Trevor -----Original Message----- From: Santosh Chokhani [mailto:chokhani@cygnacom.com] Sent: Saturday, May 05, 2001 4:58 AM To: Trevor Freeman; Housley, Russ; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Trevor: The 2000 version of X.509 is very clear on this. For a given CRL stream identifier, the CRL number is unique whether it is base or delta. That is why delta number has to be greater than the base. However, since the CRL number is not a mandatory extension (although PKIX profile requires it), a check based on thisUpdate is more general and preferred. As for rule 3, I did not mention it, but this is a CRL generation rule and applicable to the CA, where as first two rules are CRL processing rule and hence applicable to relying parties. I hope the revision will put these rules in different places for processing and generation. The processing rule should be that if the removeFromCRL is on delta, then the entry (if present in the base) should be deleted. -----Original Message----- From: Trevor Freeman [mailto:trevorf@windows.microsoft.com <mailto:trevorf@windows.microsoft.com> ] Sent: Friday, May 04, 2001 7:01 PM To: Housley, Russ; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs I am not sure about rule 2. Surly the CRL number of the base and delta are orthogonal. The delta indicator binds the delta to a specific base in the base CRL sequence, but the absolute value of the two sequences are independent. A CA may have been issuing base CRLs for some time, before it gets into the business of using delta CRLs and it does not really matter it the delta CRL number starts at 1 or the current number of the base. To clarify point three, the delta CRL must include "remove from" entries until the nextupdate time in the referenced base. A CA does not know if clients have picked up the base or knot, and to assume they have would introduce an error. Trevor -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com <mailto:rhousley@rsasecurity.com> ] Sent: Friday, May 04, 2001 1:32 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh: I see your point. There are three rules that interact to make it all work, and I think that we are only clear about two of the rules. 1. The base CRL referenced by the delta CRL MUST be less than or equal to the base CRL to which the updates will be applied. 2. The CRL number in the delta CRL MUST be greater than or equal to the CRL number of the base (otherwise the entries are already accommodated by the base). 3. Delta CRLs MUST continue to include removeFromCRL entries even if they are not otherwise needed to update the referenced base. David's posting provided the rules to describe when they are not longer necessary. Russ Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id TAA14533 for <ietf-pkix@imc.org>; Sat, 5 May 2001 19:21:30 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <KKT63FSC>; Sat, 5 May 2001 22:21:04 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE739@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Peter Sylvester <Peter.Sylvester@EdelWeb.fr>, trevorf@windows.microsoft.com, rhousley@rsasecurity.com, Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Sat, 5 May 2001 22:11:57 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D5D1.ED350550" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D5D1.ED350550 Content-Type: text/plain; charset="iso-8859-1" Actually, the text allows for the wrap of the numbers. Please see Annex B of X.509. Thus, it is not strictly increasing -----Original Message----- From: Peter Sylvester [mailto:Peter.Sylvester@EdelWeb.fr] Sent: Saturday, May 05, 2001 2:08 PM To: trevorf@windows.microsoft.com; rhousley@rsasecurity.com; chokhani@cygnacom.com Cc: ietf-pkix@imc.org Subject: RE: delta CRLs > Trevor: > > The 2000 version of X.509 is very clear on this. For a given CRL stream > identifier, the CRL number is unique whether it is base or delta. That is > why delta number has to be greater than the base. " 8.5.2.1 CRL number extension This CRL extension field conveys a monotonically increasing sequence number .." The text might be clearer IMHO if 'strictly increasing' would be used instead. ------_=_NextPart_001_01C0D5D1.ED350550 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Actually, the text allows for the wrap of the = numbers. Please see Annex B of X.509. Thus, it is not = strictly increasing</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Peter Sylvester [<A = HREF=3D"mailto:Peter.Sylvester@EdelWeb.fr">mailto:Peter.Sylvester@EdelWe= b.fr</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Saturday, May 05, 2001 2:08 PM</FONT> <BR><FONT SIZE=3D2>To: trevorf@windows.microsoft.com; = rhousley@rsasecurity.com;</FONT> <BR><FONT SIZE=3D2>chokhani@cygnacom.com</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>> Trevor:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> The 2000 version of X.509 is very clear on = this. For a given CRL stream</FONT> <BR><FONT SIZE=3D2>> identifier, the CRL number is unique whether it = is base or delta. That is</FONT> <BR><FONT SIZE=3D2>> why delta number has to be greater than the = base.</FONT> </P> <P><FONT SIZE=3D2>" 8.5.2.1 CRL number extension</FONT> </P> <P><FONT SIZE=3D2> This CRL extension field conveys a = monotonically increasing sequence number .."</FONT> </P> <P><FONT SIZE=3D2>The text might be clearer IMHO if 'strictly = increasing' would be used instead.</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D5D1.ED350550-- Received: from edelweb.fr (edelweb.fr [212.234.46.16]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA12316 for <ietf-pkix@imc.org>; Sat, 5 May 2001 11:07:57 -0700 (PDT) Received: from champagne.edelweb.fr (localhost.edelweb.fr [127.0.0.1]) by edelweb.fr with ESMTP id UAA22621; Sat, 5 May 2001 20:07:50 +0200 (MET DST) Received: from champagne.edelweb.fr (champagne.edelweb.fr [193.51.14.161]) by edelweb.fr (nospam/1.3); Sat, 5 May 2001 20:07:50 +0200 (MET DST) Received: from emeriau.edelweb.fr (emeriau.edelweb.fr [193.51.14.5]) by champagne.edelweb.fr (8.7.6/8.6.6) with ESMTP id UAA03572; Sat, 5 May 2001 20:07:48 +0200 (MET DST) From: Peter Sylvester <Peter.Sylvester@EdelWeb.fr> Received: (sylvest@localhost) by emeriau.edelweb.fr (8.7.6/8.6.6) id UAA28918; Sat, 5 May 2001 20:07:48 +0200 (MET DST) Date: Sat, 5 May 2001 20:07:48 +0200 (MET DST) Message-Id: <200105051807.UAA28918@emeriau.edelweb.fr> To: trevorf@windows.microsoft.com, rhousley@rsasecurity.com, chokhani@cygnacom.com Subject: RE: delta CRLs Cc: ietf-pkix@imc.org > Trevor: > > The 2000 version of X.509 is very clear on this. For a given CRL stream > identifier, the CRL number is unique whether it is base or delta. That is > why delta number has to be greater than the base. " 8.5.2.1 CRL number extension This CRL extension field conveys a monotonically increasing sequence number .." The text might be clearer IMHO if 'strictly increasing' would be used instead. Received: from cmps1.collectivemind.com.pe ([200.60.29.181]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA10061 for <ietf-pkix@imc.org>; Sat, 5 May 2001 10:29:53 -0700 (PDT) Received: from mail pickup service by cmps1.collectivemind.com.pe with Microsoft SMTPSVC; Sat, 5 May 2001 12:09:58 -0500 From: "=?iso-8859-1?Q?CLUB_CUSQUE=D1A?=" <Chopp@cusquena.com.pe> To: <ietf-pkix@imc.org> Subject: =?iso-8859-1?Q?Promoci=F3n_Chopp_Cusque=F1a?= Date: Sat, 5 May 2001 12:09:16 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_15798_01C0D55C.3487DAC0" X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3612.1700 Message-ID: <04d125809170551CMPS1@cmps1.collectivemind.com.pe> This is a multi-part message in MIME format. ------=_NextPart_000_15798_01C0D55C.3487DAC0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <http://www.cusquena.com.pe/chopp/CH_pedido.asp?IdCliente=3Dx&Idcliente2=3D= x > =20 ..P=EDdelo=20 AQU=CD =20 <http://www.cusquena.com.pe/chopp/CH_ordenchopp.asp?IdCliente=3Dx&Idclien= t e2=3Dx> =20 <http://www.cusquena.com.pe/chopp/ch_recomendar.asp> =20 <http://www.cusquena.com.pe/chopp/ch_sugerencia.asp> =20 Como hacer el pedido?=20 Solo necesitas llenar tus datos en el=20 formulario de pedidos de CHOPP...=20 y LISTO!!!=20 RD: 152-2001-IN-1501=20 Visita el Web site de Cerveza Cusque=F1a en:=20 http://www.cusquena.com.pe=20 Si quieres entrar al Chat Cusque=F1a haz click Aqu=ED <http://www.cusquena.com.pe/chat.asp>=20 Recibes este e-mail porque estas suscrito al CLUB CUSQUE=D1A o un amigo tuyo te ha recomendado. Para cancelar el env=EDo de este email, reenv=EDanos este email con el t=EDtulo: QUITARME DE LA LISTA=20 ------=_NextPart_000_15798_01C0D55C.3487DAC0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN"> <head><title>www.cusquena.com.pe - Chopp</title></head> <body bgcolor=3D#808080 marginheight=3D0 topmargin=3D0 vlink=3Dffffff = alink=3Dffffff, link=3Dffffff> <table WIDTH=3D642 BORDER=3D0 CELLSPACING=3D0 CELLPADDING=3D0 = ALIGN=3DCENTER> <tr BGCOLOR=3D#000000 ALIGN=3DCENTER VALIGN=3DMIDDLE> <td HEIGHT=3D610> <table WIDTH=3D680 BORDER=3D0 CELLPADDING=3D0 CELLSPACING=3D0 = ALIGN=3DCENTER> <tr> <td BGCOLOR=3D#FFFFFF ALIGN=3DRIGHT VALIGN=3DBOTTOM WIDTH=3D191><p = align=3Dcenter> <img border=3D0 = src=3Dhttp://www.cusquena.com.pe/chopp/mail/images/logo1.GIF width=3D112 = height=3D47 vspace=3D3></td> <td WIDTH=3D445 VALIGN=3DMIDDLE ALIGN=3DCENTER BGCOLOR=3D#000000> <a = href=3Dhttp://www.cusquena.com.pe/chopp/CH_pedido.asp?IdCliente=3Dx&Idcli= ente2=3Dx> <img border=3D0 = src=3Dhttp://www.cusquena.com.pe/chopp/mail/images/bannerchopp1.gif = width=3D468 height=3D60> </a> </td> </tr> <tr> <td WIDTH=3D193 BGCOLOR=3D#FECD0A VALIGN=3Dtop> <table border=3D0 width=3D100% height=3D187> <tr> <td width=3D190 height=3D250 valign=3Dmiddle> <img src=3Dhttp://www.cusquena.com.pe/chopp/mail/images/animchopp.gif = width=3D190 height=3D181 hspace=3D7></td> </tr> <tr> <td width=3D190 height=3D100> <p align=3Dright><b><font size=3D7><font face=3DArial = Color=3DBlack>...P=EDdelo</font> <font face=3DArial><br> </font><font face=3DArial = Color=3DBlack>AQU=CD<br> </font></font></b> </td> </tr> <tr> <td width=3D190 height=3D50 valign=3Dmiddle> <p align=3Dcenter> <img border=3D0 = src=3Dhttp://www.cusquena.com.pe/chopp/mail/images/flechitaroja.gif = width=3D35 height=3D25><br> </td> </tr> <tr> <td bgcolor=3D#FF0000> <p align=3Dcenter> <a = href=3Dhttp://www.cusquena.com.pe/chopp/CH_ordenchopp.asp?IdCliente=3Dx&I= dcliente2=3Dx> <img border=3D0 = src=3Dhttp://www.cusquena.com.pe/chopp/mail/images/pedido.gif> </a> </td> </tr> <tr> <td height=3D180 bgcolor=3D#FECD0A> <p align=3Dcenter> <img border=3D0 = src=3Dhttp://www.cusquena.com.pe/chopp/mail/images/cano.gif = align=3Dright> </td> </tr> <tr> <td bgcolor=3D#FF0000> <p align=3Dcenter> <a href=3Dhttp://www.cusquena.com.pe/chopp/ch_recomendar.asp> <img border=3D0 = src=3Dhttp://www.cusquena.com.pe/chopp/mail/images/recomienda.gif></a></t= d> </tr> <tr> <td bgcolor=3D#FF0000> <p align=3Dcenter> <a href=3Dhttp://www.cusquena.com.pe/chopp/ch_sugerencia.asp> <img border=3D0 = src=3Dhttp://www.cusquena.com.pe/chopp/mail/images/sugerencias.gif></a></= td> </tr> </table> </td> <td WIDTH=3D445 VALIGN=3DTOP ALIGN=3DLEFT><table WIDTH=3D406% = BORDER=3D0 CELLSPACING=3D0 CELLPADDING=3D0> <tr VALIGN=3DTOP> <td WIDTH=3D445 BGCOLOR=3D#000000 align=3Dcenter height=3D52> <table border=3D0 width=3D468> <tr> <td width=3D20%></td> <td width=3D220% height=3D250> <p style=3Dline-height: 200%><b> <font color=3D#FFFFFF face=3DArial size=3D6>Como hacer el pedido?</font> <font color=3D#FFFFFF face=3DArial size=3D5><br></font></b> <font color=3D#FFFFFF face=3DArial size=3D5>Solo necesitas llenar tus = datos en el <br> formulario de pedidos de CHOPP... <br> y LISTO!!!</font></td> <td width=3D5%></td> </tr><tr> <td width=3D230% bgcolor=3D#FF8000 colspan=3D3><img border=3D0 = src=3Dhttp://www.cusquena.com.pe/chopp/mail/images/sol.gif width=3D453 = height=3D416></td> </tr></table><font face=3Dverdana size=3D2 color=3Dffffff> <br><b>RD: 152-2001-IN-1501</b> </font></td></tr></table></td></tr> </table></td></tr> </table> <br><br><font face=3Darial size=3D2 color=3D000000> <b>Visita el Web site de Cerveza Cusque=F1a en: </b><br> <a href=3Dhttp://www.cusquena.com.pe = target=3D_blank>http://www.cusquena.com.pe</a><br> <br><br> <b>Si quieres entrar al Chat Cusque=F1a haz click </b> <a href=3Dhttp://www.cusquena.com.pe/chat.asp = target=3D_blank>Aqu=ED</a><br> <br><br> <b>Recibes este e-mail porque estas suscrito al CLUB CUSQUE=D1A o un amigo tuyo te ha recomendado.<br> Para cancelar el env=EDo de este email, reenv=EDanos este email con el t=EDtulo: QUITARME DE LA LISTA</b> </font></body></html> ------=_NextPart_000_15798_01C0D55C.3487DAC0-- Received: from femail19.sdc1.sfba.home.com (femail19.sdc1.sfba.home.com [24.0.95.128]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA07068 for <ietf-pkix@imc.org>; Sat, 5 May 2001 09:29:09 -0700 (PDT) From: tkfisher3@home.com Received: from [192.168.0.2] ([24.19.110.53]) by femail19.sdc1.sfba.home.com (InterMail vM.4.01.03.20 201-229-121-120-20010223) with SMTP id <20010505162905.WMYC98.femail19.sdc1.sfba.home.com@[192.168.0.2]>; Sat, 5 May 2001 09:29:05 -0700 Reply-To: Timothy Fisher <tkfisher3@home.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, Santosh Chokhani <chokhani@cygnacom.com> CC: ietf-pkix@imc.org Subject: Date: 05 May 2001 12:30:10 -0500 X-Mailer: NeoPlanet Version: 5.2.0.1603 X-ID: 93E8EAD00D1711D58181005004D47171 X-Brand: NeoPlanet X-Build: 1603 Message-Id: <20010505162905.WMYC98.femail19.sdc1.sfba.home.com@[192.168.0.2]> unsubscribe Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA16396 for <ietf-pkix@imc.org>; Sat, 5 May 2001 05:07:55 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <KKT631AP>; Sat, 5 May 2001 08:07:25 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE733@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Trevor Freeman <trevorf@windows.microsoft.com>, "Housley, Russ" <rhousley@rsasecurity.com>, Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Sat, 5 May 2001 07:58:18 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D55A.AC5EA2B0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D55A.AC5EA2B0 Content-Type: text/plain; charset="iso-8859-1" Trevor: The 2000 version of X.509 is very clear on this. For a given CRL stream identifier, the CRL number is unique whether it is base or delta. That is why delta number has to be greater than the base. However, since the CRL number is not a mandatory extension (although PKIX profile requires it), a check based on thisUpdate is more general and preferred. As for rule 3, I did not mention it, but this is a CRL generation rule and applicable to the CA, where as first two rules are CRL processing rule and hence applicable to relying parties. I hope the revision will put these rules in different places for processing and generation. The processing rule should be that if the removeFromCRL is on delta, then the entry (if present in the base) should be deleted. -----Original Message----- From: Trevor Freeman [mailto:trevorf@windows.microsoft.com] Sent: Friday, May 04, 2001 7:01 PM To: Housley, Russ; Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs I am not sure about rule 2. Surly the CRL number of the base and delta are orthogonal. The delta indicator binds the delta to a specific base in the base CRL sequence, but the absolute value of the two sequences are independent. A CA may have been issuing base CRLs for some time, before it gets into the business of using delta CRLs and it does not really matter it the delta CRL number starts at 1 or the current number of the base. To clarify point three, the delta CRL must include "remove from" entries until the nextupdate time in the referenced base. A CA does not know if clients have picked up the base or knot, and to assume they have would introduce an error. Trevor -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Friday, May 04, 2001 1:32 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh: I see your point. There are three rules that interact to make it all work, and I think that we are only clear about two of the rules. 1. The base CRL referenced by the delta CRL MUST be less than or equal to the base CRL to which the updates will be applied. 2. The CRL number in the delta CRL MUST be greater than or equal to the CRL number of the base (otherwise the entries are already accommodated by the base). 3. Delta CRLs MUST continue to include removeFromCRL entries even if they are not otherwise needed to update the referenced base. David's posting provided the rules to describe when they are not longer necessary. Russ ------_=_NextPart_001_01C0D55A.AC5EA2B0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Trevor:</FONT> </P> <P><FONT SIZE=3D2>The 2000 version of X.509 is very clear on = this. For a given CRL stream identifier, the CRL number is unique = whether it is base or delta. That is why delta number has to be = greater than the base.</FONT></P> <P><FONT SIZE=3D2>However, since the CRL number is not a mandatory = extension (although PKIX profile requires it), a check based on = thisUpdate is more general and preferred.</FONT></P> <P><FONT SIZE=3D2>As for rule 3, I did not mention it, but this is a = CRL generation rule and applicable to the CA, where as first two rules = are CRL processing rule and hence applicable to relying parties. = I hope the revision will put these rules in different places for = processing and generation.</FONT></P> <P><FONT SIZE=3D2>The processing rule should be that if the = removeFromCRL is on delta, then the entry (if present in the base) = should be deleted.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Trevor Freeman [<A = HREF=3D"mailto:trevorf@windows.microsoft.com">mailto:trevorf@windows.mic= rosoft.com</A>]</FONT> <BR><FONT SIZE=3D2>Sent: Friday, May 04, 2001 7:01 PM</FONT> <BR><FONT SIZE=3D2>To: Housley, Russ; Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>I am not sure about rule 2. Surly the CRL number of = the base and delta</FONT> <BR><FONT SIZE=3D2>are orthogonal. The delta indicator binds the delta = to a specific base</FONT> <BR><FONT SIZE=3D2>in the base CRL sequence, but the absolute value of = the two sequences</FONT> <BR><FONT SIZE=3D2>are independent. A CA may have been issuing base = CRLs for some time,</FONT> <BR><FONT SIZE=3D2>before it gets into the business of using delta CRLs = and it does not</FONT> <BR><FONT SIZE=3D2>really matter it the delta CRL number starts at 1 or = the current number</FONT> <BR><FONT SIZE=3D2>of the base.</FONT> <BR><FONT SIZE=3D2>To clarify point three, the delta CRL must include = "remove from" entries</FONT> <BR><FONT SIZE=3D2>until the nextupdate time in the referenced base. A = CA does not know if</FONT> <BR><FONT SIZE=3D2>clients have picked up the base or knot, and to = assume they have would</FONT> <BR><FONT SIZE=3D2>introduce an error.</FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>Trevor </FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Housley, Russ [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>] </FONT> <BR><FONT SIZE=3D2>Sent: Friday, May 04, 2001 1:32 PM</FONT> <BR><FONT SIZE=3D2>To: Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: delta CRLs</FONT> <BR><FONT SIZE=3D2> </FONT> <BR><FONT SIZE=3D2>Santosh:</FONT> </P> <P><FONT SIZE=3D2>I see your point.</FONT> </P> <P><FONT SIZE=3D2>There are three rules that interact to make it all = work, and I think</FONT> <BR><FONT SIZE=3D2>that we are only clear about two of the = rules.</FONT> </P> <P><FONT SIZE=3D2>1. The base CRL referenced by the delta CRL = MUST be less than or equal</FONT> <BR><FONT SIZE=3D2>to the base CRL to which the updates will be = applied.</FONT> </P> <P><FONT SIZE=3D2>2. The CRL number in the delta CRL MUST be = greater than or equal to the</FONT> <BR><FONT SIZE=3D2>CRL number of the base (otherwise the entries are = already accommodated</FONT> <BR><FONT SIZE=3D2>by the base).</FONT> </P> <P><FONT SIZE=3D2>3. Delta CRLs MUST continue to include = removeFromCRL entries even if</FONT> <BR><FONT SIZE=3D2>they are not otherwise needed to update the = referenced base. David's</FONT> <BR><FONT SIZE=3D2>posting provided the rules to describe when they are = not longer</FONT> <BR><FONT SIZE=3D2>necessary.</FONT> </P> <P><FONT SIZE=3D2>Russ</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D55A.AC5EA2B0-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA16371 for <ietf-pkix@imc.org>; Sat, 5 May 2001 05:07:45 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <KKT631AN>; Sat, 5 May 2001 08:07:15 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE731@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Tom Gindin <tgindin@us.ibm.com>, Stephen Kent <kent@bbn.com> Cc: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: RE: Certificate Hold (was RE: delta CRLs) Date: Sat, 5 May 2001 07:58:09 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D55A.A7015830" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D55A.A7015830 Content-Type: text/plain; charset="iso-8859-1" Tom: I also am not a fan of "hold: feature. But, I fail to see why "removeFromHold" is in delta CRL is unduly complex. I would say either not have the "hold" feature or require "hold' and "release" irrespective of delta. -----Original Message----- From: Tom Gindin [mailto:tgindin@us.ibm.com] Sent: Friday, May 04, 2001 6:50 PM To: Stephen Kent Cc: Housley, Russ; ietf-pkix@imc.org Subject: RE: Certificate Hold (was RE: delta CRLs) I don't know why this particular feature is so unpopular. I can understand why handling "removeFromCRL" in deltas could be an extra load on clients, but wouldn't the maximum remedy for that be to say that CA's which issue delta CRL's SHOULD NOT use hold, while RP's MAY process removeFromCRL? What extra complexity does hold add to an RP for a CA which doesn't issue deltas but issues full CRL's (perhaps full distribution point CRL's) instead? Tom Gindin Stephen Kent <kent@bbn.com> on 05/04/2001 02:42:33 PM To: "Housley, Russ" <rhousley@rsasecurity.com> cc: ietf-pkix@imc.org Subject: RE: Certificate Hold (was RE: delta CRLs) At 1:30 PM -0400 5/4/01, Housley, Russ wrote: >Carlin: > >>Russ, it appears from your comment: >>"Fair reply. And, unless there is a ground swell of >>support, I will drop it." >>that you have interpreted Denis as meaning >>"I have withdrawn my support for 'hold'." >> >>Russ, is that correct? >> >>And Russ, I am further confused by "... I will drop it." >> >>Did you mean that you will add text to prohibit compliant >>CA's from issuing delta CRL's that include "hold" and >>"removeFromCRL" reason codes or text that will prohibit >>this for full CRL's as well as delta-CRLs, or did you >>mean something else entirely? > >I have NEVER liked the on-hold feature. I still do not like the >on-hold feature. > >I will not delay the Last Call process on son-of-rfc 2459 to debate >the issue unless I see that there are others that support my view. I feel the same as Russ, i.e., have never liked it and still think it's a bad idea. Since we deprecated the hold instruction (vis our comments on the hold instruction code entry extension) last time, is there are basis for change this time around? Steve ------_=_NextPart_001_01C0D55A.A7015830 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: Certificate Hold (was RE: delta CRLs)</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Tom:</FONT> </P> <P><FONT SIZE=3D2>I also am not a fan of "hold: feature. = But, I fail to see why "removeFromHold" is in delta CRL is = unduly complex. I would say either not have the "hold" = feature or require "hold' and "release" irrespective of = delta.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Tom Gindin [<A = HREF=3D"mailto:tgindin@us.ibm.com">mailto:tgindin@us.ibm.com</A>]</FONT>= <BR><FONT SIZE=3D2>Sent: Friday, May 04, 2001 6:50 PM</FONT> <BR><FONT SIZE=3D2>To: Stephen Kent</FONT> <BR><FONT SIZE=3D2>Cc: Housley, Russ; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: Certificate Hold (was RE: delta = CRLs)</FONT> </P> <BR> <BR> <P><FONT SIZE=3D2> I don't know why this = particular feature is so unpopular. I can</FONT> <BR><FONT SIZE=3D2>understand why handling "removeFromCRL" in = deltas could be an extra load on</FONT> <BR><FONT SIZE=3D2>clients, but wouldn't the maximum remedy for that be = to say that CA's which</FONT> <BR><FONT SIZE=3D2>issue delta CRL's SHOULD NOT use hold, while RP's = MAY process</FONT> <BR><FONT SIZE=3D2>removeFromCRL? What extra complexity does hold = add to an RP for a CA which</FONT> <BR><FONT SIZE=3D2>doesn't issue deltas but issues full CRL's (perhaps = full distribution point</FONT> <BR><FONT SIZE=3D2>CRL's) instead?</FONT> </P> <P><FONT = SIZE=3D2> Tom = Gindin</FONT> </P> <BR> <P><FONT SIZE=3D2>Stephen Kent <kent@bbn.com> on 05/04/2001 = 02:42:33 PM</FONT> </P> <P><FONT SIZE=3D2>To: "Housley, Russ" = <rhousley@rsasecurity.com></FONT> <BR><FONT SIZE=3D2>cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: RE: Certificate Hold (was RE: = delta CRLs)</FONT> </P> <BR> <P><FONT SIZE=3D2>At 1:30 PM -0400 5/4/01, Housley, Russ wrote:</FONT> <BR><FONT SIZE=3D2>>Carlin:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>>Russ, it appears from your comment:</FONT> <BR><FONT SIZE=3D2>>>"Fair reply. And, unless there is = a ground swell of</FONT> <BR><FONT SIZE=3D2>>>support, I will drop it."</FONT> <BR><FONT SIZE=3D2>>>that you have interpreted Denis as = meaning</FONT> <BR><FONT SIZE=3D2>>>"I have withdrawn my support for = 'hold'."</FONT> <BR><FONT SIZE=3D2>>></FONT> <BR><FONT SIZE=3D2>>>Russ, is that correct?</FONT> <BR><FONT SIZE=3D2>>></FONT> <BR><FONT SIZE=3D2>>>And Russ, I am further confused by "... = I will drop it."</FONT> <BR><FONT SIZE=3D2>>></FONT> <BR><FONT SIZE=3D2>>>Did you mean that you will add text to = prohibit compliant</FONT> <BR><FONT SIZE=3D2>>>CA's from issuing delta CRL's that include = "hold" and</FONT> <BR><FONT SIZE=3D2>>>"removeFromCRL" reason codes or = text that will prohibit</FONT> <BR><FONT SIZE=3D2>>>this for full CRL's as well as delta-CRLs, = or did you</FONT> <BR><FONT SIZE=3D2>>>mean something else entirely?</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>I have NEVER liked the on-hold feature. I = still do not like the</FONT> <BR><FONT SIZE=3D2>>on-hold feature.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>I will not delay the Last Call process on = son-of-rfc 2459 to debate</FONT> <BR><FONT SIZE=3D2>>the issue unless I see that there are others = that support my view.</FONT> </P> <P><FONT SIZE=3D2>I feel the same as Russ, i.e., have never liked it = and still think</FONT> <BR><FONT SIZE=3D2>it's a bad idea. Since we deprecated the hold = instruction (vis our</FONT> <BR><FONT SIZE=3D2>comments on the hold instruction code entry = extension) last time, is</FONT> <BR><FONT SIZE=3D2>there are basis for change this time around?</FONT> </P> <P><FONT SIZE=3D2>Steve</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D55A.A7015830-- Received: from mail3.microsoft.com (mail3.microsoft.com [131.107.3.123]) by above.proper.com (8.9.3/8.9.3) with SMTP id RAA06638 for <ietf-pkix@imc.org>; Fri, 4 May 2001 17:48:07 -0700 (PDT) Received: from 157.54.1.52 by mail3.microsoft.com (InterScan E-Mail VirusWall NT); Fri, 04 May 2001 16:00:01 -0700 (Pacific Daylight Time) Received: from red-imc-01.redmond.corp.microsoft.com ([157.54.9.102]) by inet-imc-06.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Fri, 4 May 2001 16:01:11 -0700 Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.82]) by red-imc-01.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Fri, 4 May 2001 16:01:10 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Fri, 4 May 2001 16:00:58 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: delta CRLs Date: Fri, 4 May 2001 16:00:57 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD689523@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: delta CRLs Thread-Index: AcDU2j10YP9yZkGkTyKgECKYwysatwAEyCjw From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, "Santosh Chokhani" <chokhani@cygnacom.com> Cc: <ietf-pkix@imc.org> X-OriginalArrivalTime: 04 May 2001 23:00:58.0059 (UTC) FILETIME=[14AD71B0:01C0D4EE] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id RAA06639 I am not sure about rule 2. Surly the CRL number of the base and delta are orthogonal. The delta indicator binds the delta to a specific base in the base CRL sequence, but the absolute value of the two sequences are independent. A CA may have been issuing base CRLs for some time, before it gets into the business of using delta CRLs and it does not really matter it the delta CRL number starts at 1 or the current number of the base. To clarify point three, the delta CRL must include "remove from" entries until the nextupdate time in the referenced base. A CA does not know if clients have picked up the base or knot, and to assume they have would introduce an error. Trevor -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Friday, May 04, 2001 1:32 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh: I see your point. There are three rules that interact to make it all work, and I think that we are only clear about two of the rules. 1. The base CRL referenced by the delta CRL MUST be less than or equal to the base CRL to which the updates will be applied. 2. The CRL number in the delta CRL MUST be greater than or equal to the CRL number of the base (otherwise the entries are already accommodated by the base). 3. Delta CRLs MUST continue to include removeFromCRL entries even if they are not otherwise needed to update the referenced base. David's posting provided the rules to describe when they are not longer necessary. Russ Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA29618 for <ietf-pkix@imc.org>; Fri, 4 May 2001 15:51:14 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id SAA261576; Fri, 4 May 2001 18:48:40 -0400 Received: from d02ml237.somers.hqregion.ibm.com (d02ml237.sby.ibm.com [9.45.4.171]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id SAA49046; Fri, 4 May 2001 18:44:57 -0400 Importance: Normal Subject: RE: Certificate Hold (was RE: delta CRLs) To: Stephen Kent <kent@bbn.com> Cc: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: <OF4FA48C18.3ABD782E-ON85256A42.006D4335@somers.hqregion.ibm.com> From: "Tom Gindin" <tgindin@us.ibm.com> Date: Fri, 4 May 2001 18:50:08 -0400 X-MIMETrack: Serialize by Router on D02ML237/02/M/IBM(Release 5.0.7 |March 21, 2001) at 05/04/2001 06:50:11 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii I don't know why this particular feature is so unpopular. I can understand why handling "removeFromCRL" in deltas could be an extra load on clients, but wouldn't the maximum remedy for that be to say that CA's which issue delta CRL's SHOULD NOT use hold, while RP's MAY process removeFromCRL? What extra complexity does hold add to an RP for a CA which doesn't issue deltas but issues full CRL's (perhaps full distribution point CRL's) instead? Tom Gindin Stephen Kent <kent@bbn.com> on 05/04/2001 02:42:33 PM To: "Housley, Russ" <rhousley@rsasecurity.com> cc: ietf-pkix@imc.org Subject: RE: Certificate Hold (was RE: delta CRLs) At 1:30 PM -0400 5/4/01, Housley, Russ wrote: >Carlin: > >>Russ, it appears from your comment: >>"Fair reply. And, unless there is a ground swell of >>support, I will drop it." >>that you have interpreted Denis as meaning >>"I have withdrawn my support for 'hold'." >> >>Russ, is that correct? >> >>And Russ, I am further confused by "... I will drop it." >> >>Did you mean that you will add text to prohibit compliant >>CA's from issuing delta CRL's that include "hold" and >>"removeFromCRL" reason codes or text that will prohibit >>this for full CRL's as well as delta-CRLs, or did you >>mean something else entirely? > >I have NEVER liked the on-hold feature. I still do not like the >on-hold feature. > >I will not delay the Last Call process on son-of-rfc 2459 to debate >the issue unless I see that there are others that support my view. I feel the same as Russ, i.e., have never liked it and still think it's a bad idea. Since we deprecated the hold instruction (vis our comments on the hold instruction code entry extension) last time, is there are basis for change this time around? Steve Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id OAA24517 for <ietf-pkix@imc.org>; Fri, 4 May 2001 14:31:21 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 4 May 2001 21:31:11 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id RAA21587 for <ietf-pkix@imc.org>; Fri, 4 May 2001 17:31:24 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8N4WRM>; Fri, 4 May 2001 17:31:23 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.41]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8N4WRK; Fri, 4 May 2001 17:31:14 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010504172919.01c95450@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Fri, 04 May 2001 17:30:56 -0400 Subject: RE: delta CRLs In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE71D@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Santosh: You are correct, there are two equivalent checks for rule 2. I do not think that the proposed text makes all three rules clear. Obviously, this thread will lead to better text. Russ At 04:43 PM 5/4/2001 -0400, Santosh Chokhani wrote: >Russ: > >In lieu of 2, you can also compare thisUpdate field of the base and delta >and make sure that a delta is applied to only an earlier (and not the same >time issued or later issued base). > >I did not understand from your message, which of the three rules was not >clear to you. Or may be you meant the PKIX RFC is not clear on the three >rules. > >-----Original Message----- >From: Housley, Russ [mailto:rhousley@rsasecurity.com] >Sent: Friday, May 04, 2001 4:32 PM >To: Santosh Chokhani >Cc: ietf-pkix@imc.org >Subject: RE: delta CRLs > >Santosh: > >I see your point. > >There are three rules that interact to make it all work, and I think that >we are only clear about two of the rules. > >1. The base CRL referenced by the delta CRL MUST be less than or equal to >the base CRL to which the updates will be applied. > >2. The CRL number in the delta CRL MUST be greater than or equal to the >CRL number of the base (otherwise the entries are already accommodated by >the base). > >3. Delta CRLs MUST continue to include removeFromCRL entries even if they >are not otherwise needed to update the referenced base. David's posting >provided the rules to describe when they are not longer necessary. > >Russ Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA20610 for <ietf-pkix@imc.org>; Fri, 4 May 2001 13:52:54 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K2M3JJ9N>; Fri, 4 May 2001 16:52:26 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE71D@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Fri, 4 May 2001 16:43:21 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D4DA.DB3EAA10" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D4DA.DB3EAA10 Content-Type: text/plain; charset="iso-8859-1" Russ: In lieu of 2, you can also compare thisUpdate field of the base and delta and make sure that a delta is applied to only an earlier (and not the same time issued or later issued base). I did not understand from your message, which of the three rules was not clear to you. Or may be you meant the PKIX RFC is not clear on the three rules. -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Friday, May 04, 2001 4:32 PM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh: I see your point. There are three rules that interact to make it all work, and I think that we are only clear about two of the rules. 1. The base CRL referenced by the delta CRL MUST be less than or equal to the base CRL to which the updates will be applied. 2. The CRL number in the delta CRL MUST be greater than or equal to the CRL number of the base (otherwise the entries are already accommodated by the base). 3. Delta CRLs MUST continue to include removeFromCRL entries even if they are not otherwise needed to update the referenced base. David's posting provided the rules to describe when they are not longer necessary. Russ ------_=_NextPart_001_01C0D4DA.DB3EAA10 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META content="MSHTML 5.00.2014.210" name=GENERATOR></HEAD> <BODY> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=866045020-04052001>Russ:</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=866045020-04052001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=866045020-04052001>In lieu of 2, you can also compare thisUpdate field of the base and delta and make sure that a delta is applied to only an earlier (and not the same time issued or later issued base).</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=866045020-04052001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=866045020-04052001>I did not understand from your message, which of the three rules was not clear to you. Or may be you meant the PKIX RFC is not clear on the three rules.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=866045020-04052001></SPAN></FONT> </DIV> <DIV class=OutlookMessageHeader><FONT face="Times New Roman" size=2>-----Original Message-----<BR><B>From:</B> Housley, Russ [mailto:rhousley@rsasecurity.com]<BR><B>Sent:</B> Friday, May 04, 2001 4:32 PM<BR><B>To:</B> Santosh Chokhani<BR><B>Cc:</B> ietf-pkix@imc.org<BR><B>Subject:</B> RE: delta CRLs<BR><BR></FONT></DIV><FONT size=2>Santosh:<BR><BR>I see your point.<BR><BR>There are three rules that interact to make it all work, and I think that we are only clear about two of the rules.<BR><BR>1. The base CRL referenced by the delta CRL MUST be less than or equal to the base CRL to which the updates will be applied.<BR><BR>2. The CRL number in the delta CRL MUST be greater than or equal to the CRL number of the base (otherwise the entries are already accommodated by the base).<BR><BR>3. Delta CRLs MUST continue to include removeFromCRL entries even if they are not otherwise needed to update the referenced base. David's posting provided the rules to describe when they are not longer necessary.<BR><BR>Russ<BR></FONT></BODY></HTML> ------_=_NextPart_001_01C0D4DA.DB3EAA10-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA19404 for <ietf-pkix@imc.org>; Fri, 4 May 2001 13:39:19 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K2M3JJXH>; Fri, 4 May 2001 16:38:51 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE719@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, Denis Pinkas <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org Subject: RE: delta-CRLs Date: Fri, 4 May 2001 16:29:46 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D4D8.F5A01F30" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D4D8.F5A01F30 Content-Type: text/plain; charset="iso-8859-1" Russ and Denis: With all due respect, that is a limited view of delta CRL (forcing to use the base CRL that is referenced). I am very disappointed with the PKIX process of writing these profiles and rewording and mutating the concepts from X.509 to the point that introduce limitations and errors. Recall the buggy path validation procedure in 2459. -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Friday, May 04, 2001 2:16 PM To: Denis Pinkas Cc: ietf-pkix@imc.org Subject: Re: delta-CRLs Denis: I can live with these. >Taking into account the last proposal from Russ, this would >lead to the two following paragraphs: > > An application can construct an updated CRL, for a specific time T, > by retrieving the appropriate base CRL for that scope, and combining > it with a delta CRL which contains a delta CRL indicator extension > with the same CRL number as the base CRL. Applications that support > delta CRLs MUST ensure that time T falls between thisUpdate and > nextUpdate for both the base CRL and the delta CRL. > > Note: An application could also reconstruct an updated CRL, for > a specific time T, by using a previously locally reconstructed CRL > based on a given base CRL, and combining it with a delta CRL which > contains a delta CRL indicator extension with the same CRL number as > the base CRL. Russ ------_=_NextPart_001_01C0D4D8.F5A01F30 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta-CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Russ and Denis:</FONT> </P> <P><FONT SIZE=3D2>With all due respect, that is a limited view of delta = CRL (forcing to use the base CRL that is referenced).</FONT> </P> <P><FONT SIZE=3D2>I am very disappointed with the PKIX process of = writing these profiles and rewording and mutating the concepts from = X.509 to the point that introduce limitations and errors. Recall = the buggy path validation procedure in 2459.</FONT></P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Housley, Russ [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>Sent: Friday, May 04, 2001 2:16 PM</FONT> <BR><FONT SIZE=3D2>To: Denis Pinkas</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Re: delta-CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>Denis:</FONT> </P> <P><FONT SIZE=3D2>I can live with these.</FONT> </P> <P><FONT SIZE=3D2>>Taking into account the last proposal from Russ, = this would</FONT> <BR><FONT SIZE=3D2>>lead to the two following paragraphs:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> An application can construct = an updated CRL, for a specific time T,</FONT> <BR><FONT SIZE=3D2>> by retrieving the appropriate = base CRL for that scope, and combining</FONT> <BR><FONT SIZE=3D2>> it with a delta CRL which = contains a delta CRL indicator extension</FONT> <BR><FONT SIZE=3D2>> with the same CRL number as = the base CRL. Applications that support</FONT> <BR><FONT SIZE=3D2>> delta CRLs MUST ensure that = time T falls between thisUpdate and</FONT> <BR><FONT SIZE=3D2>> nextUpdate for both the base = CRL and the delta CRL.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> Note: An application could = also reconstruct an updated CRL, for</FONT> <BR><FONT SIZE=3D2>> a specific time T, by using a = previously locally reconstructed CRL</FONT> <BR><FONT SIZE=3D2>> based on a given base CRL, = and combining it with a delta CRL which</FONT> <BR><FONT SIZE=3D2>> contains a delta CRL = indicator extension with the same CRL number as</FONT> <BR><FONT SIZE=3D2>> the base CRL.</FONT> </P> <P><FONT SIZE=3D2>Russ</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D4D8.F5A01F30-- Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id NAA18731 for <ietf-pkix@imc.org>; Fri, 4 May 2001 13:33:24 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 4 May 2001 20:33:13 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id QAA18535 for <ietf-pkix@imc.org>; Fri, 4 May 2001 16:33:26 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8N4V79>; Fri, 4 May 2001 16:33:25 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.119]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8N4V7Z; Fri, 4 May 2001 16:33:18 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010504162450.01c71068@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Fri, 04 May 2001 16:31:51 -0400 Subject: RE: delta CRLs In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE630@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" <html> <font size=2>Santosh:<br> <br> I see your point.<br> <br> There are three rules that interact to make it all work, and I think that we are only clear about two of the rules.<br> <br> 1. The base CRL referenced by the delta CRL MUST be less than or equal to the base CRL to which the updates will be applied.<br> <br> 2. The CRL number in the delta CRL MUST be greater than or equal to the CRL number of the base (otherwise the entries are already accommodated by the base).<br> <br> 3. Delta CRLs MUST continue to include removeFromCRL entries even if they are not otherwise needed to update the referenced base. David's posting provided the rules to describe when they are not longer necessary.<br> <br> Russ<br> </font></html> Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA15663 for <ietf-pkix@imc.org>; Fri, 4 May 2001 12:56:10 -0700 (PDT) Received: from sunlabs.East.Sun.COM ([129.148.75.250]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id MAA28819; Fri, 4 May 2001 12:56:11 -0700 (PDT) Received: from sun.com (dhcp75-155 [129.148.75.155]) by sunlabs.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v2.1p1) with ESMTP id PAA09947; Fri, 4 May 2001 15:56:08 -0400 (EDT) Message-ID: <3AF30857.6B86A604@sun.com> Date: Fri, 04 May 2001 15:51:51 -0400 From: Steve Hanna <steve.hanna@sun.com> Organization: Sun Microsystems, Inc. X-Mailer: Mozilla 4.75 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Sharon Boeyen <sharon.boeyen@entrust.com> CC: "'Tim Polk'" <tim.polk@nist.gov>, PKIX List <ietf-pkix@imc.org> Subject: Re: Ignoring name constraints with self-issued certs References: <DD62792EA182FF4E99C2FBC07E3053BD01DA4034@sottmxs09.entrust.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sharon Boeyen wrote: > Yep, I see that. Now would name constraints actually be a problem in > that type of environment. With name chaining the subject of the > previous cert would have the same value as the issuer and subject of > the self-issued cert. As long as name-constraints on that previous > cert succeeded, there isn't a problem is there? It's only in the case > where the cert that contains the name constraint is the one that is > the direct neighbour to the self issued cert. I guess I agree with > Steve then, (at least this time I don't need to make any changes to > 509 right??) A more serious problem is that a self-issued cert might have subject alternative names. These names will not be constrained by any name constraints or by name chaining. If the cert is not the last cert in the path, these subject alternative names are not dangerous. If the cert is the last cert in the path, they may cause client software to establish an incorrect <name,key> binding. That's why we need to apply name constraints to a self-issued certificate if it is the last cert in the path. -Steve Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id MAA14075 for <ietf-pkix@imc.org>; Fri, 4 May 2001 12:06:48 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 4 May 2001 19:06:37 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id PAA13641 for <ietf-pkix@imc.org>; Fri, 4 May 2001 15:06:50 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8N44WC>; Fri, 4 May 2001 15:06:49 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.29]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8N44V0; Fri, 4 May 2001 15:06:34 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: aslam@funk.com Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010504150523.01dda258@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Fri, 04 May 2001 15:06:18 -0400 Subject: Fwd: Re: How to get Base and Delta CRLs for a particular end entity certif icate... Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Opps. I should have said: "See draft-ietf-pkix-new-part1-06.txt." Excuse the typo. >Date: Fri, 04 May 2001 14:06:31 -0400 >To: Aslam <aslam@funk.com> >From: "Housley, Russ" <rhousley@rsasecurity.com> >Subject: Re: How to get Base and Delta CRLs for a particular end entity >certif icate... >Cc: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> > >Aslam: > >See draft-ietf-pkix-new-part1-07.txt. > >Section 4.2.1.16 describes an extension in the certificate that points to >the delta CRL, and section 5.2.6 describes an extension in the base CRL >that points to the delta CRL. CAs may use either technique. > >Russ > >At 05:27 PM 5/3/2001 -0400, Aslam wrote: >>Hi, >> >> I'm working on CRL stuff, I have a question regarding Delta CRL, in >> following senario: >> I get a certificate from somewhere, whose validity I have to >> check against the CRL mechanism. For this I obtain the CRL Distribution >>Point extension from >> the cert and download the CRL from that location, then I check for >> extension and finds that its a base crl, so every thing work good. Now from >>where >> I should get the Delta CRL, if the answer is that these can be obtained >> fron the same CRL distribution point then if my first is a delta crl then >>how >> to get the base crl corresponding to a delta crl. >> >> Any help is much more appriciated.. >> >> Thanks >> Aslam Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id MAA13654 for <ietf-pkix@imc.org>; Fri, 4 May 2001 12:02:16 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 4 May 2001 19:02:05 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id PAA13235 for <ietf-pkix@imc.org>; Fri, 4 May 2001 15:02:17 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8N44T2>; Fri, 4 May 2001 15:02:17 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.29]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8N44TG; Fri, 4 May 2001 15:02:11 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Carlin Covey <ccovey@cylink.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010504145822.01dd2ad0@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Fri, 04 May 2001 14:58:58 -0400 Subject: RE: Certificate Hold (was RE: delta CRLs) In-Reply-To: <FLEELNBJKAIIGDJJKPDGOEEDCEAA.ccovey@cylink.com> References: <5.0.1.4.2.20010504132804.01d70788@exna07.securitydynamics.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Carlin: >Russ, your feelings on the hold feature were, and are, quite clear. >I am not advocating inclusion of the hold feature in son-of-rec-2459, >nor am I proposing that we should delay progress by debating the issue. >But given that son-of-rfc-2459 contains language related to the hold >feature, I was wondering what your words "... I will drop it." meant >with respect to this existing language. Or perhaps I have not applied >the "delta emails" correctly and this text has already been dropped? My "drop it" referred to the discussion on the mail list. Russ Received: from netgate.csoft.bg (root@netgate.csoft.bg [193.68.210.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA13307 for <ietf-pkix@imc.org>; Fri, 4 May 2001 11:53:22 -0700 (PDT) Received: from darkstar (darkstar.csoft.bg [193.68.210.11]) by netgate.csoft.bg (8.12.0.Beta7/8.10.0) with SMTP id f44IrKNA014513 for <ietf-pkix@imc.org>; Fri, 4 May 2001 21:53:20 +0300 Message-ID: <0d8801c0d4cb$9f01d180$0bd244c1@csoft.bg> From: "Nedelcho Stanev" <nstanev@csoft.bg> To: <ietf-pkix@imc.org> References: <5.0.1.4.2.20010503123633.01ca5338@exna07.securitydynamics.com> <5.0.1.4.2.20010504132804.01d70788@exna07.securitydynamics.com> <p05010410b718a7bb95c8@[128.33.4.39]> Subject: unsubscribe Date: Fri, 4 May 2001 21:54:17 +0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2462.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000 unsubscribe Received: from netgate.csoft.bg (root@netgate.csoft.bg [193.68.210.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA13260 for <ietf-pkix@imc.org>; Fri, 4 May 2001 11:52:54 -0700 (PDT) Received: from darkstar (darkstar.csoft.bg [193.68.210.11]) by netgate.csoft.bg (8.12.0.Beta7/8.10.0) with SMTP id f44IqoNA014501 for <ietf-pkix@imc.org>; Fri, 4 May 2001 21:52:50 +0300 Message-ID: <0d8201c0d4cb$8d45def0$0bd244c1@csoft.bg> From: "Nedelcho Stanev" <nstanev@csoft.bg> To: "PKIX List" <ietf-pkix@imc.org> References: <DD62792EA182FF4E99C2FBC07E3053BD01DA4034@sottmxs09.entrust.com> Subject: unsubscribe Date: Fri, 4 May 2001 21:53:47 +0300 MIME-Version: 1.0 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2462.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000 unsubscribe Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA12660 for <ietf-pkix@imc.org>; Fri, 4 May 2001 11:48:33 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id OAA08202; Fri, 4 May 2001 14:48:17 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010410b718a7bb95c8@[128.33.4.39]> In-Reply-To: <5.0.1.4.2.20010504132804.01d70788@exna07.securitydynamics.com> References: <5.0.1.4.2.20010503123633.01ca5338@exna07.securitydynamics.com> <5.0.1.4.2.20010504132804.01d70788@exna07.securitydynamics.com> Date: Fri, 4 May 2001 14:42:33 -0400 To: "Housley, Russ" <rhousley@rsasecurity.com> From: Stephen Kent <kent@bbn.com> Subject: RE: Certificate Hold (was RE: delta CRLs) Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" At 1:30 PM -0400 5/4/01, Housley, Russ wrote: >Carlin: > >>Russ, it appears from your comment: >>"Fair reply. And, unless there is a ground swell of >>support, I will drop it." >>that you have interpreted Denis as meaning >>"I have withdrawn my support for 'hold'." >> >>Russ, is that correct? >> >>And Russ, I am further confused by "... I will drop it." >> >>Did you mean that you will add text to prohibit compliant >>CA's from issuing delta CRL's that include "hold" and >>"removeFromCRL" reason codes or text that will prohibit >>this for full CRL's as well as delta-CRLs, or did you >>mean something else entirely? > >I have NEVER liked the on-hold feature. I still do not like the >on-hold feature. > >I will not delay the Last Call process on son-of-rfc 2459 to debate >the issue unless I see that there are others that support my view. I feel the same as Russ, i.e., have never liked it and still think it's a bad idea. Since we deprecated the hold instruction (vis our comments on the hold instruction code entry extension) last time, is there are basis for change this time around? Steve Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA12505 for <ietf-pkix@imc.org>; Fri, 4 May 2001 11:48:01 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <J432YLB8>; Fri, 4 May 2001 14:47:32 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA4034@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Tim Polk'" <tim.polk@nist.gov>, "'Steve Hanna'" <steve.hanna@sun.com>, PKIX List <ietf-pkix@imc.org> Subject: RE: Ignoring name constraints with self-issued certs Date: Fri, 4 May 2001 14:41:05 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D4C9.C6AD1200" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D4C9.C6AD1200 Content-Type: text/plain Yep, I see that. Now would name constraints actually be a problem in that type of environment. With name chaining the subject of the previous cert would have the same value as the issuer and subject of the self-issued cert. As long as name-constraints on that previous cert succeeded, there isn't a problem is there? It's only in the case where the cert that contains the name constraint is the one that is the direct neighbour to the self issued cert. I guess I agree with Steve then, (at least this time I don't need to make any changes to 509 right??) Sharon From: Tim Polk [mailto:tim.polk@nist.gov] Sent: Friday, May 04, 2001 2:35 PM To: Sharon Boeyen; 'Steve Hanna'; PKIX List Subject: RE: Ignoring name constraints with self-issued certs Sharon, I can think of one scenario where the end certificate is legitimately self-issued. (There may be others.) Consider a CA that uses separate keys for CRL signing or certificate management operations. If that CA issues certificates to itself for those keys, a PKI client that verifies a signature on a CRL or a message needs to validate the certificate containing that public key. In that case, the end certificate will be self-issued. Thanks, Tim At 02:08 PM 5/4/01 -0400, Sharon Boeyen wrote: Hi Steve, In discussion with PKIX folks when we were working on the defect report for name constraints, I don't recall any specific discussion of that type of a path (with a self issued cert at the end). The defect report doesn't change that particular text that you mention, but I suspect that the fact that it catches this 'hole' is probably more coincidental that deliberate. I'm curious whether you think there are legitimate situations where the final cert would be a self issued one, or whether you are suggesting that the fact that it could happen is a threat. Not that it would change the outcome, I'm just wondering which perspective you're coming from so that I can understand the issue better. Thanks Sharon ------_=_NextPart_001_01C0D4C9.C6AD1200 Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <META content="MSHTML 5.50.4522.1800" name=GENERATOR></HEAD> <BODY> <DIV><SPAN class=645123918-04052001><FONT face=Arial color=#0000ff size=2>Yep, I see that. Now would name constraints actually be a problem in that type of environment. With name chaining the subject of the previous cert would have the same value as the issuer and subject of the self-issued cert. As long as name-constraints on that previous cert succeeded, there isn't a problem is there? It's only in the case where the cert that contains the name constraint is the one that is the direct neighbour to the self issued cert. I guess I agree with </FONT></SPAN></DIV> <DIV><SPAN class=645123918-04052001><FONT face=Arial color=#0000ff size=2>Steve then, (at least this time I don't need to make any changes to 509 right??)</FONT></SPAN></DIV> <DIV><SPAN class=645123918-04052001><FONT face=Arial color=#0000ff size=2></FONT></SPAN> </DIV> <DIV><SPAN class=645123918-04052001><FONT face=Arial color=#0000ff size=2>Sharon</FONT></SPAN></DIV> <DIV><FONT face=Tahoma><FONT size=2><SPAN class=645123918-04052001><FONT face=Arial color=#0000ff></FONT></SPAN></FONT></FONT> </DIV> <DIV><FONT face=Tahoma><FONT size=2><SPAN class=645123918-04052001> </SPAN><STRONG>From:</STRONG> Tim Polk [mailto:tim.polk@nist.gov]<BR><B>Sent:</B> Friday, May 04, 2001 2:35 PM<BR><B>To:</B> Sharon Boeyen; 'Steve Hanna'; PKIX List<BR><B>Subject:</B> RE: Ignoring name constraints with self-issued certs<BR><BR></DIV></FONT></FONT> <BLOCKQUOTE dir=ltr style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">Sharon,<BR><BR>I can think of one scenario where the end certificate is legitimately self-issued. (There may be others.)<BR><BR>Consider a CA that uses separate keys for CRL signing or certificate management operations. If that CA issues certificates to itself for those keys, a PKI client that verifies a signature on a CRL or a message needs to validate the certificate containing that public key. In that case, the end certificate will be self-issued.<BR><BR>Thanks,<BR><BR>Tim<BR><BR>At 02:08 PM 5/4/01 -0400, Sharon Boeyen wrote:<BR><BR><FONT size=2> <BLOCKQUOTE cite type="cite">Hi Steve, <BR></FONT><BR>In discussion with PKIX folks when we were working on the defect report <BR>for name constraints, I don't recall any specific discussion of that type <BR>of a path (with a self issued cert at the end). The defect report doesn't <BR>change that particular text that you mention, but I suspect that the fact <BR>that it catches this 'hole' is probably more coincidental that deliberate. <BR><BR><FONT size=2>I'm curious whether you think there are legitimate situations where the </FONT><BR>final cert would be a self issued one, or whether you are suggesting that <BR>the fact that it could happen is a threat. Not that it would change the <BR>outcome, I'm just wondering which perspective you're coming from so that <BR>I can understand the issue better. <BR><BR><FONT size=2>Thanks</FONT> <BR><FONT size=2>Sharon <BR></FONT></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0D4C9.C6AD1200-- Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA11559 for <ietf-pkix@imc.org>; Fri, 4 May 2001 11:37:39 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id OAA12446; Fri, 4 May 2001 14:37:31 -0400 (EDT) Message-Id: <4.2.0.58.20010504143139.017fd250@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Fri, 04 May 2001 14:35:23 -0400 To: Sharon Boeyen <sharon.boeyen@entrust.com>, "'Steve Hanna'" <steve.hanna@sun.com>, PKIX List <ietf-pkix@imc.org> From: Tim Polk <tim.polk@nist.gov> Subject: RE: Ignoring name constraints with self-issued certs In-Reply-To: <DD62792EA182FF4E99C2FBC07E3053BD01DA4033@sottmxs09.entrust .com> Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" <html> Sharon,<br> <br> I can think of one scenario where the end certificate is legitimately self-issued. (There may be others.)<br> <br> Consider a CA that uses separate keys for CRL signing or certificate management operations. If that CA issues certificates to itself for those keys, a PKI client that verifies a signature on a CRL or a message needs to validate the certificate containing that public key. In that case, the end certificate will be self-issued.<br> <br> Thanks,<br> <br> Tim<br> <br> At 02:08 PM 5/4/01 -0400, Sharon Boeyen wrote:<br> <br> <font size=2><blockquote type=cite cite>Hi Steve, <br> </font><br> In discussion with PKIX folks when we were working on the defect report <br> for name constraints, I don't recall any specific discussion of that type <br> of a path (with a self issued cert at the end). The defect report doesn't <br> change that particular text that you mention, but I suspect that the fact <br> that it catches this 'hole' is probably more coincidental that deliberate. <br> <br> <font size=2>I'm curious whether you think there are legitimate situations where the </font><br> final cert would be a self issued one, or whether you are suggesting that <br> the fact that it could happen is a threat. Not that it would change the <br> outcome, I'm just wondering which perspective you're coming from so that <br> I can understand the issue better. <br> <br> <font size=2>Thanks</font> <br> <font size=2>Sharon <br> </font></blockquote></html> Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA11124 for <ietf-pkix@imc.org>; Fri, 4 May 2001 11:34:47 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id J0AR52QM; Fri, 4 May 2001 11:29:25 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Housley, Russ" <rhousley@rsasecurity.com> Cc: <ietf-pkix@imc.org> Subject: RE: Certificate Hold (was RE: delta CRLs) Date: Fri, 4 May 2001 11:34:31 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGOEEDCEAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: <5.0.1.4.2.20010504132804.01d70788@exna07.securitydynamics.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Russ, your feelings on the hold feature were, and are, quite clear. I am not advocating inclusion of the hold feature in son-of-rec-2459, nor am I proposing that we should delay progress by debating the issue. But given that son-of-rfc-2459 contains language related to the hold feature, I was wondering what your words "... I will drop it." meant with respect to this existing language. Or perhaps I have not applied the "delta emails" correctly and this text has already been dropped? >From draft-ietf-pkix-new-part1-05.txt, section 5.2.4 : If a CA supports the certificateHold revocation reason the following rules must be applied when generating delta CRLs: (a) If a certificate was listed as revoked with revocation reason certificateHold on a CRL (either a delta CRL or a CRL that is complete for a given scope), whose cRLNumber is n, and the hold is subsequently released, the certificate must be included in all delta CRLs issued after the hold is released where the cRLNumber of the referenced base CRL is less than or equal to n. The certificate must be listed with revocation reason removeFromCRL unless the certificate is subsequently revoked again for one of the revocation reasons covered by the delta CRL, in which case the certificate must be listed with the revocation reason appropriate for the subsequent revocation. (b) If the certificate was not removed from hold, but was permanently revoked, then it must be listed on all subsequent delta CRLs where the cRLNumber of the referenced base CRL is less than the cRLNumber of the CRL (either a delta CRL or a CRL that is complete for the given scope) on which the permanent revocation notice first appeared. Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Friday, May 04, 2001 10:30 AM To: Carlin Covey Cc: ietf-pkix@imc.org Subject: RE: Certificate Hold (was RE: delta CRLs) Carlin: >Russ, it appears from your comment: >"Fair reply. And, unless there is a ground swell of >support, I will drop it." >that you have interpreted Denis as meaning >"I have withdrawn my support for 'hold'." > >Russ, is that correct? > >And Russ, I am further confused by "... I will drop it." > >Did you mean that you will add text to prohibit compliant >CA's from issuing delta CRL's that include "hold" and >"removeFromCRL" reason codes or text that will prohibit >this for full CRL's as well as delta-CRLs, or did you >mean something else entirely? I have NEVER liked the on-hold feature. I still do not like the on-hold feature. I will not delay the Last Call process on son-of-rfc 2459 to debate the issue unless I see that there are others that support my view. Clear? Russ Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id LAA09825 for <ietf-pkix@imc.org>; Fri, 4 May 2001 11:17:53 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 4 May 2001 18:17:42 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id OAA09895 for <ietf-pkix@imc.org>; Fri, 4 May 2001 14:17:51 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8N4TX8>; Fri, 4 May 2001 14:17:50 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.116]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8N4TXZ; Fri, 4 May 2001 14:17:36 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Denis Pinkas <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010504141554.01db1838@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Fri, 04 May 2001 14:16:22 -0400 Subject: Re: delta-CRLs In-Reply-To: <3AF29A0D.4FFA89B2@bull.net> References: <4.2.0.58.20010503134750.015d0f00@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Denis: I can live with these. >Taking into account the last proposal from Russ, this would >lead to the two following paragraphs: > > An application can construct an updated CRL, for a specific time T, > by retrieving the appropriate base CRL for that scope, and combining > it with a delta CRL which contains a delta CRL indicator extension > with the same CRL number as the base CRL. Applications that support > delta CRLs MUST ensure that time T falls between thisUpdate and > nextUpdate for both the base CRL and the delta CRL. > > Note: An application could also reconstruct an updated CRL, for > a specific time T, by using a previously locally reconstructed CRL > based on a given base CRL, and combining it with a delta CRL which > contains a delta CRL indicator extension with the same CRL number as > the base CRL. Russ Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA09423 for <ietf-pkix@imc.org>; Fri, 4 May 2001 11:15:37 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <J432YK9W>; Fri, 4 May 2001 14:15:07 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA4033@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Steve Hanna'" <steve.hanna@sun.com>, PKIX List <ietf-pkix@imc.org> Subject: RE: Ignoring name constraints with self-issued certs Date: Fri, 4 May 2001 14:08:43 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D4C5.4105F850" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D4C5.4105F850 Content-Type: text/plain Hi Steve, In discussion with PKIX folks when we were working on the defect report for name constraints, I don't recall any specific discussion of that type of a path (with a self issued cert at the end). The defect report doesn't change that particular text that you mention, but I suspect that the fact that it catches this 'hole' is probably more coincidental that deliberate. I'm curious whether you think there are legitimate situations where the final cert would be a self issued one, or whether you are suggesting that the fact that it could happen is a threat. Not that it would change the outcome, I'm just wondering which perspective you're coming from so that I can understand the issue better. Thanks Sharon ------_=_NextPart_001_01C0D4C5.4105F850 Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: Ignoring name constraints with self-issued certs</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>Hi Steve, </FONT> </P> <P><FONT SIZE=2>In discussion with PKIX folks when we were working on the defect report </FONT> <BR><FONT SIZE=2>for name constraints, I don't recall any specific discussion of that type </FONT> <BR><FONT SIZE=2>of a path (with a self issued cert at the end). The defect report doesn't </FONT> <BR><FONT SIZE=2>change that particular text that you mention, but I suspect that the fact </FONT> <BR><FONT SIZE=2>that it catches this 'hole' is probably more coincidental that deliberate.</FONT> </P> <P><FONT SIZE=2>I'm curious whether you think there are legitimate situations where the </FONT> <BR><FONT SIZE=2>final cert would be a self issued one, or whether you are suggesting that </FONT> <BR><FONT SIZE=2>the fact that it could happen is a threat. Not that it would change the </FONT> <BR><FONT SIZE=2>outcome, I'm just wondering which perspective you're coming from so that </FONT> <BR><FONT SIZE=2>I can understand the issue better.</FONT> </P> <P><FONT SIZE=2>Thanks</FONT> <BR><FONT SIZE=2>Sharon </FONT> </P> <BR> </BODY> </HTML> ------_=_NextPart_001_01C0D4C5.4105F850-- Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id LAA08629 for <ietf-pkix@imc.org>; Fri, 4 May 2001 11:06:52 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 4 May 2001 18:06:41 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id OAA08900 for <ietf-pkix@imc.org>; Fri, 4 May 2001 14:06:53 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8N4TQW>; Fri, 4 May 2001 14:06:53 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.116]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8N4TQS; Fri, 4 May 2001 14:06:45 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Aslam <aslam@funk.com> Cc: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Message-Id: <5.0.1.4.2.20010504140419.01da3e98@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Fri, 04 May 2001 14:06:31 -0400 Subject: Re: How to get Base and Delta CRLs for a particular end entity certif icate... In-Reply-To: <2D6D813F2AEBD411BC6C000103C42C9412AAEE@mail.funk.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Aslam: See draft-ietf-pkix-new-part1-07.txt. Section 4.2.1.16 describes an extension in the certificate that points to the delta CRL, and section 5.2.6 describes an extension in the base CRL that points to the delta CRL. CAs may use either technique. Russ At 05:27 PM 5/3/2001 -0400, Aslam wrote: >Hi, > > I'm working on CRL stuff, I have a question regarding Delta CRL, in > following senario: > I get a certificate from somewhere, whose validity I have to > check against the CRL mechanism. For this I obtain the CRL Distribution >Point extension from > the cert and download the CRL from that location, then I check for > extension and finds that its a base crl, so every thing work good. Now from >where > I should get the Delta CRL, if the answer is that these can be obtained > fron the same CRL distribution point then if my first is a delta crl then >how > to get the base crl corresponding to a delta crl. > > Any help is much more appriciated.. > > Thanks > Aslam Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id LAA08141 for <ietf-pkix@imc.org>; Fri, 4 May 2001 11:03:58 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 4 May 2001 18:03:47 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id OAA08694 for <ietf-pkix@imc.org>; Fri, 4 May 2001 14:04:00 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8N4T36>; Fri, 4 May 2001 14:03:59 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (HOUSLEY-LAP [10.3.1.116]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8N4T3W; Fri, 4 May 2001 14:03:48 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Carlin Covey <ccovey@cylink.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010504132804.01d70788@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Fri, 04 May 2001 13:30:14 -0400 Subject: RE: Certificate Hold (was RE: delta CRLs) In-Reply-To: <FLEELNBJKAIIGDJJKPDGIEDLCEAA.ccovey@cylink.com> References: <5.0.1.4.2.20010503123633.01ca5338@exna07.securitydynamics.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Carlin: >Russ, it appears from your comment: >"Fair reply. And, unless there is a ground swell of >support, I will drop it." >that you have interpreted Denis as meaning >"I have withdrawn my support for 'hold'." > >Russ, is that correct? > >And Russ, I am further confused by "... I will drop it." > >Did you mean that you will add text to prohibit compliant >CA's from issuing delta CRL's that include "hold" and >"removeFromCRL" reason codes or text that will prohibit >this for full CRL's as well as delta-CRLs, or did you >mean something else entirely? I have NEVER liked the on-hold feature. I still do not like the on-hold feature. I will not delay the Last Call process on son-of-rfc 2459 to debate the issue unless I see that there are others that support my view. Clear? Russ Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA05111 for <ietf-pkix@imc.org>; Fri, 4 May 2001 10:15:21 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K2M3JGPR>; Fri, 4 May 2001 13:14:49 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA4030@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Tim Polk'" <tim.polk@nist.gov>, Denis Pinkas <Denis.Pinkas@bull.net>, "David A. Cooper" <david.cooper@nist.gov> Cc: ietf-pkix@imc.org Subject: RE: delta-CRLs Date: Fri, 4 May 2001 13:08:31 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D4BC.D898DA10" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D4BC.D898DA10 Content-Type: text/plain Sorry to help 'drag out' this discussion, but a couple of points: 1) Denis, your comment about CRL numbers needing to be unique, regardless of the scope of the CRL is incorrect. Check the text in 509 clause 8.5.2.1 (CRL number extension) which says "This CRL extension field conveys a montonically increasing sequence number for each CRL issued by a given CRL issuer through a given authority directory attribute or CRL distribution point. ..." For that reason, another extension was added (see 8.5.2.7 of 509) called cRLStreamIdentifier. This is used to identify the context within which the CRL number is unique. Second, I want to make sure everyone understands that the quote from 97 509 12.6.3.3 by David is text that was replaced in the 4th edition because it was overly restrictive. As for the length of messages, I know I find myself constantly quoting 509. Others do the same and others quote 2459. I do believe the editors have worked closely together to ensure that what we end up with in PKIX is a profile of 509 (with changes being made to both documents as required). However, I can't help but wonder if we could cut down on the length of some of these messages if everyone who cares about the topic would first go and read both documents before submitting messages that purport to state what the standards say. This discussion is taking a lot of time on the part of many people and perhaps we could cut down on some of that by going back and reading what the standards say. (It's friday afternoon, what can I say :-) Sharon ------_=_NextPart_001_01C0D4BC.D898DA10 Content-Type: text/html Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta-CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Sorry to help 'drag out' this discussion, but a = couple of points:</FONT> </P> <P><FONT SIZE=3D2>1) Denis, your comment about CRL numbers needing to = be unique, regardless of the scope of the CRL is incorrect. Check the = text in 509 clause 8.5.2.1 (CRL number extension) which says "This = CRL extension field conveys a montonically increasing sequence number = for each CRL issued by a given CRL issuer through a given authority = directory attribute or CRL distribution point. ..." = </FONT></P> <P><FONT SIZE=3D2>For that reason, another extension was added (see = 8.5.2.7 of 509) called cRLStreamIdentifier. This is used to identify = the context within which the CRL number is unique. </FONT></P> <P><FONT SIZE=3D2>Second, I want to make sure everyone understands that = the quote from 97 509 12.6.3.3 by David is text that was replaced in = the 4th edition because it was overly restrictive. </FONT></P> <P><FONT SIZE=3D2>As for the length of messages, I know I find myself = constantly quoting 509. Others do the same and others quote 2459. I do = believe the editors have worked closely together to ensure that what we = end up with in PKIX is a profile of 509 (with changes being made to = both documents as required). However, I can't help but wonder if we = could cut down on the length of some of these messages if everyone who = cares about the topic would first go and read both documents before = submitting messages that purport to state what the standards say. This = discussion is taking a lot of time on the part of many people and = perhaps we could cut down on some of that by going back and reading = what the standards say. </FONT></P> <P><FONT SIZE=3D2>(It's friday afternoon, what can I say :-)</FONT> </P> <P><FONT SIZE=3D2>Sharon</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D4BC.D898DA10-- Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA03325 for <ietf-pkix@imc.org>; Fri, 4 May 2001 09:48:53 -0700 (PDT) Received: from sunlabs.East.Sun.COM ([129.148.75.250]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id JAA10131 for <ietf-pkix@imc.org>; Fri, 4 May 2001 09:48:54 -0700 (PDT) Received: from sun.com (dhcp75-155 [129.148.75.155]) by sunlabs.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v2.1p1) with ESMTP id MAA28341 for <ietf-pkix@imc.org>; Fri, 4 May 2001 12:48:53 -0400 (EDT) Message-ID: <3AF2DC72.7B7BC0D5@sun.com> Date: Fri, 04 May 2001 12:44:34 -0400 From: Steve Hanna <steve.hanna@sun.com> Organization: Sun Microsystems, Inc. X-Mailer: Mozilla 4.75 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: PKIX List <ietf-pkix@imc.org> Subject: Ignoring name constraints with self-issued certs Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Regretfully, I must raise another issue with son-of-2459. In section 4.2.1.11 of draft-ietf-pkix-new-part1-06.txt, it says: Name constraints are not applied to certificates whose issuer and subject are identical. (This could prevent CAs that use name constraints from issuing self-signed certificates to implement key rollover.) This statement is consistent with the validation algorithm in section 6.1, which says: A certificate is termed self-issued if the DNs that appear in the subject and issuer fields are identical and are not empty. In general, the issuer and subject of the certificates that make up a path are different for each certificate. However, a CA may issue a certificate to itself to support key rollover or changes in certificate policies. These self-issued certificates are not counted when evaluating path length or name constraints. However, these statements (and the corresponding text in the validation algorithm, steps (b) and (c) of section 6.1.3) are not consistent with the text in X.509(2000), which says (in step g of section 10.5.1) "If the certificate is not an intermediate self-issued certificate, check that the subject name is within the name-space given by the value of permitted-subtrees and is not within the name-space given by the value of excluded-subtrees." Note the word *intermediate* in X.509(2000). If a self-issued certificate is the last certificate in the path, the name constraints check MUST be performed. Otherwise, a security hole is opened up. Consider the following chain of 2 certificates: Certificate 1: Issuer: o=trusty, c=us Subject: o=shady, c=us Basic Constraints: cA=true Name Constraints: Permitted: directoryName: o=shady, c=us rfc822Name: .shady.com Certificate 2: Issuer: o=shady, c=us Subject: o=shady, c=us SubjectAltNames: rfc822Name: joe@partner.com If o=trusty, c=us is one of the trust anchors (and the certificate signatures verify), this chain is valid according to son-of-2459. It is not valid according to X.509(2000). I think you will agree that the behavior described in X.509(2000) is correct. Otherwise, self-issued certificates can be used to completely bypass the effects of name constraints. Therefore, I suggest that section 4.2.1.11 of draft-ietf-pkix-new-part1-06.txt be modified to say: Name constraints are not applied to certificates whose issuer and subject are identical (unless the certificate is the final certificate in the path). (This could prevent CAs that use name constraints from issuing self-signed certificates to implement key rollover.) We should also modify the last sentence of the paragraph in section 6.1 that begins "A certificate is termed self-issued ..." (listed in full above) to "These self-issued certificates are not counted when evaluating path length. Name constraints are only applied to a self-issued certificate if it is the final certificate in the path." I also suggest that the start of steps (b) and (c) in section 6.1.3 be changed to read: (b) If certificate i is self-issued and it is not the final certificate in the path, skip this step for certificate i. Otherwise, verify that the subject name is within one of the permitted_subtrees for X.500 distinguished names, and verify that each of the alternative names in the subjectAltName extension (critical or non-critical) is within one of the permitted_subtrees for that name type. (c) If certificate i is self-issued and it is not the final certificate in the path, skip this step for certificate i. Otherwise, verify that the subject name is not within one of the excluded_subtrees for X.500 distinguished names, and verify that each of the alternative names in the subjectAltName extension (critical or non-critical) is not within one of the excluded_subtrees for that name type. Comments? Steve Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA29997 for <ietf-pkix@imc.org>; Fri, 4 May 2001 08:58:33 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id RAA13642; Fri, 4 May 2001 17:58:27 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id RAA09178; Fri, 4 May 2001 17:57:59 +0200 Message-ID: <3AF2D186.438853C5@bull.net> Date: Fri, 04 May 2001 17:57:58 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: "David A. Cooper" <david.cooper@nist.gov> CC: ietf-pkix@imc.org Subject: Re: delta-CRLs References: <4.2.2.20010503153844.00b0ae40@email.nist.gov> <4.2.2.20010504094916.00a61e10@email.nist.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit David, As I just said in the e-mail I sent to Tim, I would appreciate that you coordinate your responses with Tim. I cannot sustain any more so long e-mails. I believe that we have now a private conference call on next Wednesday on this topic. Please read carefully the e-mails sent to Tim. Regards, Denis > At 02:22 PM 5/4/01 +0200, Denis Pinkas wrote: > > > David, > > > > This thread is now taking me (too) much time for my processing power. > > :-( > > > > > At 06:05 PM 5/2/01 +0200, Denis Pinkas wrote: > > > > > > >> The current is wrong on two major aspects: > > > >> > > > >> a) the numbering of the delta CRLs > > > > > > > > > > Since you claim to want to support "traditional" delta-CRLs, I will > > quote > > > the text on delta-CRLs from section 12.6.3.3 of X.509 3rd edition > > (1997): > > > > > > a delta-CRL shall not be issued without a corresponding complete > > > CRL being issued at the same time. The value of the CRL number, > > > as conveyed in the CRL number extension field (if present), shall > > > be identical for both the delta-CRL and the corresponding complete CRL > > > > > > Similar text was included in one of the old proposed draft amendments > > to > > > the 1997 standard: > > > > > > At reset time, concurrent with publication of a new base CRL is > > > publication of the final delta-CRL for the old base CRL. Both CRLs > > > published concurrently (new base and final delta for old base) shall > > > contain identical values of the cRLNumber extension as well as > > > identical values of thisUpdate time. The values of nextUpdate time > > > will be different in each. > > > > > > Both texts are quite clear that when a complete CRL and a delta-CRL > > are > > > issued at the same time, and the two CRLs provide the same > > information, > > > they must have the same cRLnumber. This is because the are effectively > > two > > > instantiations of the same CRL. > > > > The ISO text has two major problems: > > > > 1) It makes a major assumption, ... which is wrong: once a CA has > > started to > > issue a base CRL (and hence it will issue delta-CRLs) then it must do it > > for > > ever. A CA can issue a base CRL and then delta CRLs but then simply > > issue > > complete CRL (i.e. full CRLs that do not support the delta mechanism) > > and > > later one can start to issue a base a delta CRLs again. > > I not sure why you think the text is making an assumption, but there seems > to be a misunderstanding here. There is nothing special about a base CRL. > There are no flags that are placed in a CRL to indicate that it is a base > CRL. A base CRL is simply "[a] CRL that is used as the foundation in the > generation of a dCRL" [X.509 4th ed.] Thus, any CRL that is referenced in > the BaseCRLNumber field of a delta-CRL is a base CRL. The > deltaCRLIndicator extension imposes a requirement that only CRLs that were > issued as complete for scope CRLs can be used as base CRLs, but this is > beside the point. One does not issue a "base CRL" to advertise that > delta-CRLs will be issued in the future. One issues full CRLs. If, at some > point in the future, a delta-CRL species a full CRL as its base, then that > full CRL is a base CRL. > > > 2) RFC 2459 in section 5.2.3 (CRL Number) says: > > > > The CRL number is a non-critical CRL extension which conveys a > > monotonically increasing sequence number for each CRL issued by a CA. > > > > Since two CRLs (whether they are base, delta, complete, whatever) cannot > > have the same number, this means that the following sentence extracted > > from > > the ISO text is wrong: "The value of the CRL number, as conveyed in the > > CRL > > number extension field (if present), shall be identical for both the > > delta-CRL and the corresponding complete CRL". > > > Again, you are misinterpreting this text. If a full CRL and a delta-CRL > cover the set of certificates and revocation reasons (i.e., scope) and are > issued at the same time, then they are effectively two instantiations of > the same CRL. They must then (as the standard requires) have the same > cRLNumber. > > > > Notice also that the requirement is that when a new base is issued, > > the > > > delta that is issued at the same time provides changes since the > > previous > > > base. > > > > This is wrong as well because there is not necessarilly this previous > > base > > (see the first major problem). > > > > > One does not issue an empty delta. If one did, then every relying > > > party would be forced to download every base CRL. > > > > This is the intent, otherwise delta CRLs would grow for ever. > > This is not true. I have constructed an example below (hopefully it is > well formatted so that it is readable). The example below shows the > "traditional" method of issuing delta-CRLs. In this example, full CRLs are > issued once every 3 hours and deltas are issued once an hour. As you have > stated, if one wishes to begin issuing deltas at the same time that the > very first full CRL, the delta must use the concurrently issued full CRL > as its base. After that, however, a delta can always use a previously > issued full CRL as its base. Notice that starting with cRLNumber 4, the > delta CRL issued at the same time as a full CRL uses the previously issued > full CRL as its base. However, the delta-CRLs never provide more than 3 > hours of history. They do not grow forever. > > current revoked > time certificates full CRL delta-CRL > ------------------------------------------------------------ > 12:00 {14} cRLNumber = 1 cRLNumber > = 1 > thisUpdate = 12:00 thisUpdate > = 12:00 > nextUpdate = 15:00 nextUpdate > = 13:00 > BaseCRLNumber > = 1 > CertificateList = > {14} CertificateList = {} > > 13:00 {14, 124} cRLNumber > = 2 > thisUpdate > = 13:00 > nextUpdate > = 14:00 > BaseCRLNumber > = 1 > CertificateList > = {124} > > 14:00 {14, 124} cRLNumber > = 3 > thisUpdate > = 14:00 > nextUpdate > = 15:00 > BaseCRLNumber > = 1 > CertificateList > = {124} > > 15:00 {14, 124, 39} cRLNumber = 4 cRLNumber > = 4 > thisUpdate = 15:00 thisUpdate > = 15:00 > nextUpdate = 18:00 nextUpdate > = 16:00 > BaseCRLNumber > = 1 > CertificateList = {14, 124, > 39} CertificateList = {124, 39} > > 16:00 {14, 124, 39, cRLNumber > = 5 > 67} thisUpdate > = 16:00 > nextUpdate > = 17:00 > BaseCRLNumber > = 4 > CertificateList > = {67} > > 17:00 {14, 124, 39, cRLNumber > = 6 > 67} thisUpdate > = 17:00 > nextUpdate > = 18:00 > BaseCRLNumber > = 4 > CertificateList > = {67} > > 18:00 {14, 124, 39, cRLNumber = 7 cRLNumber > = 7 > 67} thisUpdate = 18:00 thisUpdate > = 18:00 > nextUpdate = 21:00 nextUpdate > = 19:00 > BaseCRLNumber > = 4 > CertificateList = {14, 124, > 39, CertificateList = {67} > 21} > > 19:00 {14, 124, 39, cRLNumber > = 8 > 67} thisUpdate > = 19:00 > nextUpdate > = 20:00 > BaseCRLNumber > = 7 > CertificateList > = {} > > > > >> b) the lack of use of the fields thisUpdate and nextUpdate in the > > > >> delta-CRLs. > > > > > As I stated before, the thisUpdate field specifies the time at which > > the > > > CRL was issued. There is absolutely no reason to check that the > > current > > > time is after thisUpdate. > > > > There is no notion of current time. The evaluation is made at time T, > > which > > may be the current time or a time in the past. > > In the note to which I was responding, you had proposed the following > text: > > > > > > An application can construct a CRL that is the most current for > > > > > a given scope, at the current time, by retrieving the current > > > > > base CRL for that scope, and combining it with a delta-CRL which > > > > > contains a Delta CRL Indicator equal to the cRLNumber of the base > > > > > CRL and where the current date from that delta-CRL is between > > > > > thisUpdate and nextUpdate; > > In the proposed text, you specifically stated that the goal was to > construct a CRL that is most current *at the current time*. If the text is > changed to also describe how to determine the status of a certificate at > some point in the past, then the situation becomes more complicated. > > > > The nextUpdate field in a delta-CRL has the same meaning an in any > > other > > > type of CRL, so there is no reason to discuss it here. As I said > > before, > > > though, one can not say that any CRL whose nextUpdate time has not > > passed > > > is the most current. There may have been an "emergency" CRL issued > > since > > > that one was issued. If nextUpdate has passed, then you know the CRL > > is > > > not the most current. If nextUpdate has not passed, then the CRL MAY > > be > > > the most current, but there is no way to know for certain. > > > > See my response to Tim on that topic. > > I saw your response. X.509 states: "nextUpdate, if present, indicates the > date/time by which the next revocation list in this series will be issued. > The next revocation list could be issued before the indicated date, but it > will not be issued any later than the indicated time." While the term > "emergency CRL" is not in the text, it does state that a new CRL may be > issued before the date indicated in nextUpdate. Can you find anywhere in > the text that suggests that this does not apply to delta-CRLs? > > > > >> > They seem to depart from the traditional > > > >> > deltas in certain details, > > > >> > > > >> They certainly do not. > > > > > As I stated above, you state that whenever a base CRL is issued, an > > empty > > > delta-CRL should be issued at the same time, with the delta-CRL using > > the > > > concurrently issued base CRL as its base. This is not how traditional > > > delta-CRLs work. > > > > Think about it. To do that you have to take an example: a *first* base > > CRL > > is issued at midnight (no base CRL *ever* exists before). A delta is > > supposed to be issued every hour. Think first about the processing done > > by a > > relying party at 3:30 a.m. Then think about the processing that will be > > done > > at 0:30 a.m. You will then come to the same conclusion. Now if a base > > existed before, then the proposal would not be consistant with the > > definition of the construction of the updated CRL which is: > > > > An application can construct an updated CRL, for a specific time T, > > by retrieving the appropriate base CRL for that scope, and combining > > it with a delta CRL which contains a delta CRL indicator extension > > with the same CRL number as the base CRL. > > > > Futhermore, the size of the delta CRLs would grow for ever. > > Not true. See the example above. > > > > >> > but prevent use of sliding window deltas. > > > >> > > > >> Maybe. However, if you really want them to be part of this > > document, > > > >> then > > > >> they MUST *not* be mandatory. So the only way would be to add > > > >> additional > > > >> text that would explain how this can be done as an option. However > > I > > > >> got the > > > >> fealing that the traditional method may be in some way incompatible > > > >> with the > > > >> sliding window deltas, i.e. if the sliding method is chosen by the > > CRL > > > >> Issuer relying parties may have difficulties to use the traditional > > > >> method. > > > >> But, maybe, you have the right text just ready to explain how this > > can > > > >> be > > > >> done. :-) > > > > > When I referred to the "traditional" method in my paper, I was > > referring > > > to the way delta-CRLs are issued, not how they are processed by > > relying > > > parties. Notice, however, that the deltaCRLIndicator requires that > > "[t]he > > > base CRL referenced by a deltaCRLIndicator extension shall be a CRL > > that > > > is issued as complete for its scope (i.e. it is not itself a dCRL)." > > If by > > > "relying parties using the traditional method" you mean always > > applying > > > the delta-CRL to a full CRL whose cRLNumber is equal to the value in > > > BaseCRLNumber, this requirement on the deltaCRLIndicator extension > > ensures > > > that this can be done no matter how delta-CRLs are issued (traditional > > > method, sliding window, or other). I don't think that anyone ever > > intended > > > for this to be way that delta-CRLs are processed, but you can do it if > > you > > > want. > > > > I undersand clearly that you would like relying parties to take > > advantage of > > sliding windows, by the "algorithm" that you proposed, which is based on > > the > > ISO text, has flaws in it. See above. > > Your belief that there are flaws in the ISO text is based on a > misinterpretation of the cRLNumber field. Since this field is vital to the > efficient use of delta-CRLs, this misinterpretation may be the reason for > your confusion. > > > > Even if delta-CRLs are issued using the "traditional" method, relying > > > parties may choose to maintain a locally generated revocation list > > which > > > they update which each successive delta-CRL that they download. > > > > I have addressed that point in details in my response to Tim. I think we > > agree on this point. > > The text on delta-CRLs has two basic parts. One part, which is normative, > describes what information a CRL issuer needs to place in a delta-CRL. The > other part, which is informative, describes what information relying > parties need to make use of delta-CRLs. If we use your text (below), then > we are being less informative than we could be. > > An application can construct an updated CRL, for a specific time > T, > by retrieving the appropriate base CRL for that scope, and > combining > it with a delta CRL which contains a delta CRL indicator extension > > with the same CRL number as the base CRL. > > The text hides from implementers the fact that a delta-CRL may be used in > conjunction with a full CRL that was issued after the referenced base CRL > was issued. The follow-up text ("Conforming implementations of this > specification are not required to implement the above algorithm, but MUST > provide functionality equivalent to the external behavior resulting from > this procedure.") is only a source of confusion. The text above does not > describe an algorithm, it merely states what information is required to > construct an updated CRL using base CRLs and delta-CRLs. An algorithm > would state how to construct an updated CRL. > > > > >> > >[David] A delta-CRL is nearly the same as a full CRL. It has a > > > >> thisUpdate, > > > >> > >nextUpdate, cRLNumber, etc. just as a full CRL. It just has an > > > >> incomplete > > > >> > >list of revoked certificates. > > > >> > > > > > >> > >[Denis] Yes, but you have to explain detail how a relying party > > > >> will use > > > >> > >thisUpdate, nextUpdate for a base CRL and thisUpdate, nextUpdate > > > >> for a delta > > > >> > >to make sure that in both cases he got the freshest information. > > > > > > > > > There is no way, using CRLs, to ensure that you have the freshest > > > information. > > > > True. But if you are using both base CRLs and delta-CRLs then you have > > that > > guaranty up to the period of refresh of the delta-CRL (which is of > > course > > much better than the period of refresh from the base CRL). > > At time T, you know that the information in a CRL (any type of CRL) is no > older than T - thisUpdate. There is no guarantee that another CRL was not > issued after thisUpdate, even if T < nextUpdate (see above). > > > > >> > >[Denis] > > > >> > > > > > >> > >As said later, your paper provides the right answer (on page 1): > > "A > > > >> > >delta-CRL is a CRL that only provides information about > > certificates who > > > >> > >statuses have changed since the issuance of a specific, > > previously issued > > > >> > >CRL". The text says " *a* specific, previously issued CRL", it > > does NOT say > > > >> > >"or any, more recently, issued CRL". > > > > > You are misinterpreting the quote. The sentence states what > > information is > > > provided in a delta-CRL. It does not say anything about how the > > delta-CRL > > > can be used. A delta-CRL provides information about certificates whose > > > statuses have changed since the issuance of a specific, previously > > issued > > > CRL. The delta-CRL may, however, be applied to more recently issued > > CRLs. > > > > In the same spirit as you did, I could say that we would need a machine > > that > > allows people to travel in the future. However, delta-CRLs cannot be > > applied > > to more recently issued CRLs, unless you provide a clear example of how > > this > > can be done. > > OK. Here is an example. Suppose that you have a delta-CRL with a cRLNumber > of 8 and a BaseCRLNumber of 5. You also have a full CRL with a cRLNumber > of 6. The following algorithm can then be used to determine the status of > a certificate that is covered by the CRL at the time that the delta-CRL > was issued (assume the certificate in question has serial number 153): > > 1) If 153 is listed on full CRL number 6, but not the delta-CRL, then it > is revoked with the revocation reason stated in full CRL number 6. > > 2) If 153 is listed on the delta-CRL with a revocation reason of > removeFromCRL, then it would not be found on a full CRL issued at the time > the delta-CRL was issued. In this case it does not matter whether 153 was > listed on full CRL number 6. The reason that it would not be on the full > CRL (number 8) is unknown. It could either be that the certificate was > removed from hold or that the certificate expired. > > 3) If 153 is listed on the delta-CRL with a revocation reason other than > removeFromCRL, then it is revoked with the revocation reason stated in the > delta-CRL. Again, in this case, it does not matter whether 153 was listed > on full CRL number 6. > > 4) If 153 is not listed on either full CRL number 6 or the delta-CRL, then > it is not revoked (or it expired before CRL number 6 was issued). > > I created this algorithm on the fly, so it may not be perfect, but it > should be sufficiently close to correct to be understandable. Notice, > however, that the cRLNumber field is very important here. In order for > this algorithm to work you must ensure that cRLNumber of the full CRL you > use is greater than or equal to the BaseCRLNumber in the delta-CRL and > less than the cRLNumber in the delta-CRL. One must be able to compare the > CRL numbers in order to check that the delta-CRL and full CRL can be > combined. > > > > >> > > > >This paper is proposing a method for over-issuing the CRLs. > > It omits to take > > > >> > > > >into consideration that in PKIX-1 we mandate the CRL number > > extension > > > >> > > > >(section 5.2.3) so we need to advertise the nextUpdate. If > > you issue a CRL > > > >> > > > >before the next update you have no more way to know which > > base CRL is the > > > >> > > > >freshest CRL. I believe this is a major security weakness > > and for that > > > >> > > > >reason this mechanism should be deprecated. > > > > > Over-issuing is really out-of-scope for this discussion. However, > > > over-issuing is merely one way to distribute revocation information > > more > > > efficiently. If you issue CRLs once every 4 hours and I issue CRLs > > once an > > > hour, but with a nextUpdate time 4 hours in the future, the > > information > > > relying parties get from me will be no more stale than the information > > > they get from you. If there is any "security weakness" it is from the > > > delay in distributing revocation information, not from over-issuing. > > > > Over-issuing of full CRLs provides a guaranty up to (usually less than) > > the > > period of validity of the full CRL. A base CRL followed by delta-CRLs > > provides a guaranty up to the period of validity of the delta CRLs > > (which is > > indeed better). If mis-used, over-issuing of full CRLs provides could > > provide a guaranty *equal* to the period of validity of the full CRL > > (which > > is indeed worse). > > What guaranty are you talking about? You can compare the current time (or > some other time T) to the time in thisUpdate to determine how fresh the > revocation information is. What other guarantees do you think are > provided? > > > > You replace this with: > > > > > > CAs must ensure that application of a delta CRL to the referenced > > > base revocation information accurately reflects the current status of > > > revocation. If a CA supports the certificateHold revocation reason > > > the following rules must be applied when generating delta CRLs: > > > > > > (a) If a certificate was listed as revoked with revocation reason > > > certificateHold on a CRL (either a delta CRL or a CRL that is > > > complete for a given scope), and the hold is subsequently > > > released, the certificate must be listed with revocation reason > > > removeFromCRL until the next base CRL is issued. > > > > > > Note: Should the certificate be subsequently revoked again for > > > one of the revocation reasons covered by the delta CRL, > > > then the certificate must be listed with the revocation > > > reason appropriate for the subsequent revocation. > > > > > > (b) If the certificate was not removed from hold, but was > > > permanently revoked, then it must be listed as such on all > > subsequent delta CRLs until the next base CRL is issued . > > > > > > This text presents the biggest problems of all. The text describes > *what* > > > needs to be listed on *which* delta CRLs. By limiting this text to one > > > > very narrow scenario, you increase the likeliehood that delta CRL > issuers > > > that wish to do something efficient will get it wrong. That will > result > > > in bad information from the relying party. > > > > This text has be simply adapted to remove the semantics that existed on > the > > CRL number from delta-CRLs. It describes what a CA does, not what a > relying > > party does. I do not believe that there is the limitation as you > mention. If > > you really think that the text needs to be changed, please make a > proposal > > on it, but without adding any new seamntics to the CRL number. :-) > > It may have been your intention to simply re-word the text without > changing the semantics, but this was not the result. The new text > describes a different set of semantics and these new semantics prevent CRL > issuers from issuing delta-CRLs in any way except one very inefficient > manner. Without reference to CRL numbers, it is not possible to properly > describe the rules for constructing delta-CRLs. > > Dave Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA22787 for <ietf-pkix@imc.org>; Fri, 4 May 2001 08:29:10 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id RAA16168; Fri, 4 May 2001 17:28:59 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id RAA16940; Fri, 4 May 2001 17:28:31 +0200 Message-ID: <3AF2CA9F.32B27234@bull.net> Date: Fri, 04 May 2001 17:28:31 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Tim Polk <tim.polk@nist.gov> CC: "David A. Cooper" <david.cooper@nist.gov>, ietf-pkix@imc.org Subject: Re: delta-CRLs References: <4.2.2.20010503153844.00b0ae40@email.nist.gov> <4.2.0.58.20010504095234.01794f00@email.nist.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Tim, I would have no problem to continue the discussion with one of you and this would have the benefit to cut down the number of exchanges by a factor of two. I sent an e-mail to *you* and you answer to the e-mail sent to David. :-( I did answer the main point of your e-mail. I would appreciate your feeback. I will nevertheless answer to the two comments you made on the e-mail sent to David and delete the rest of the e-mail for readability for the moment. I guess you hit the "send" key too early since your third comment is incomplete. > >The ISO text has two major problems: > >1) It makes a major assumption, ... which is wrong: once a CA has started to > >issue a base CRL (and hence it will issue delta-CRLs) then it must do it for > >ever. A CA can issue a base CRL and then delta CRLs but then simply issue > >complete CRL (i.e. full CRLs that do not support the delta mechanism) and > >later one can start to issue a base a delta CRLs again. > I would agree that a CA is not required to issue deltas forever. A CA > could issue a complete CRL (call it CRL-1), a series of deltas fusing CRL-1 > as a base base, then a new complete CRL (CRL-2), then more deltas using > CRL-2 as a base. I do not believe the ISO text precludes this scenario. The ISO text is implicitly saying that using a base CRL issued on January 1, 2001, and by applying all issued delta CRLs since then, you can get the current CRL from May 4, 2001. The first problem is that base CRLs are not necessarilly continously issued. The second problem is that all delta CRLs would have to be obtained. The third problem is the way the cross the border: when the new base CRL is issued the delta shall refer to the new base CRL, not the previous base CRL (which does not necessarily exist). > >2) RFC 2459 in section 5.2.3 (CRL Number) says: > > The CRL number is a non-critical CRL extension which conveys a > > monotonically increasing sequence number for each CRL issued by a CA. > >Since two CRLs (whether they are base, delta, complete, whatever) cannot > >have the same number, this means that the following sentence extracted from > >the ISO text is wrong: "The value of the CRL number, as conveyed in the CRL > >number extension field (if present), shall be identical for both the > >delta-CRL and the corresponding complete CRL". > Denis, a delta CRL may only be used in combination with a base CRL, > right? Yes. More precisely *ONE* base CRL. Right ? > The CRL number in the delta is the CRL number of the *constructed* > CRL. No. The *constructed* CRL is local one, which has no number assigned by the CA. You can locally give it a reference, but this is a local matter. > When the delta and base combine to form *the same* CRL as a complete > CRL, the complete CRL will have the same CRL number. Do you mean that the complete CRL is issued by the CA or is it a locally reconstructed one ? Is, what you call, a "complete CRL", a new base CRL or the locally reconstructed one ? > Since the delta and *any legal base CRL* will combine to form > *the same* CRL, the complete CRL and the delta MUST have the same > CRL number. Certainly not. Either this would infringe the text from RFC 2459: The CRL number is a non-critical CRL extension which conveys a monotonically increasing sequence number for each CRL issued by a CA. or this numbering is a local matter, and thus that is a local implementation detail. > Note that this is *crucial* if we intend to use the constructed CRL as a > base CRL in the future. If you cannot assign a CRL number to the > constructed CRL you cannot use it as a base. Of course you can without using this numbering. You only need to know, as I already said, that this is the CRL consructed from the base CRL numbered XXXX, by adding the delta CRL which has the next update scheduled at YY:YY. Regards, Denis Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA21735 for <ietf-pkix@imc.org>; Fri, 4 May 2001 08:23:36 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id LAA11375; Fri, 4 May 2001 11:23:27 -0400 (EDT) Message-Id: <4.2.2.20010504094916.00a61e10@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Fri, 04 May 2001 11:23:02 -0400 To: Denis Pinkas <Denis.Pinkas@bull.net> From: "David A. Cooper" <david.cooper@nist.gov> Subject: Re: delta-CRLs Cc: ietf-pkix@imc.org In-Reply-To: <3AF29EEA.17062674@bull.net> References: <4.2.2.20010503153844.00b0ae40@email.nist.gov> Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" <html> <br> At 02:22 PM 5/4/01 +0200, Denis Pinkas wrote:<br> <blockquote type=cite cite>David,<br> <br> This thread is now taking me (too) much time for my processing power. :-(<br> <br> > At 06:05 PM 5/2/01 +0200, Denis Pinkas wrote:<br> > <br> > >> The current is wrong on two major aspects:<br> > >><br> > >> a) the numbering of the delta CRLs<br> > ><br> > <br> > Since you claim to want to support "traditional" delta-CRLs, I will quote<br> > the text on delta-CRLs from section 12.6.3.3 of X.509 3rd edition (1997):<br> > <br> > a delta-CRL shall not be issued without a corresponding complete<br> > CRL being issued at the same time. The value of the CRL number, <br> > as conveyed in the CRL number extension field (if present), shall <br> > be identical for both the delta-CRL and the corresponding complete CRL<br> > <br> > Similar text was included in one of the old proposed draft amendments to<br> > the 1997 standard:<br> > <br> > At reset time, concurrent with publication of a new base CRL is<br> > publication of the final delta-CRL for the old base CRL. Both CRLs <br> > published concurrently (new base and final delta for old base) shall <br> > contain identical values of the cRLNumber extension as well as<br> > identical values of thisUpdate time. The values of nextUpdate time<br> > will be different in each.<br> > <br> > Both texts are quite clear that when a complete CRL and a delta-CRL are<br> > issued at the same time, and the two CRLs provide the same information,<br> > they must have the same cRLnumber. This is because the are effectively two<br> > instantiations of the same CRL.<br> <br> The ISO text has two major problems:<br> <br> 1) It makes a major assumption, ... which is wrong: once a CA has started to<br> issue a base CRL (and hence it will issue delta-CRLs) then it must do it for<br> ever. A CA can issue a base CRL and then delta CRLs but then simply issue<br> complete CRL (i.e. full CRLs that do not support the delta mechanism) and<br> later one can start to issue a base a delta CRLs again.</blockquote><br> I not sure why you think the text is making an assumption, but there seems to be a misunderstanding here. There is nothing special about a base CRL. There are no flags that are placed in a CRL to indicate that it is a base CRL. A base CRL is simply "[a] CRL that is used as the foundation in the generation of a dCRL" [X.509 4th ed.] Thus, any CRL that is referenced in the BaseCRLNumber field of a delta-CRL is a base CRL. The deltaCRLIndicator extension imposes a requirement that only CRLs that were issued as complete for scope CRLs can be used as base CRLs, but this is beside the point. One does not issue a "base CRL" to advertise that delta-CRLs will be issued in the future. One issues full CRLs. If, at some point in the future, a delta-CRL species a full CRL as its base, then that full CRL is a base CRL.<br> <br> <blockquote type=cite cite>2) RFC 2459 in section 5.2.3 (CRL Number) says: <br> <br> The CRL number is a non-critical CRL extension which conveys a<br> monotonically increasing sequence number for each CRL issued by a CA.<br> <br> Since two CRLs (whether they are base, delta, complete, whatever) cannot<br> have the same number, this means that the following sentence extracted from<br> the ISO text is wrong: "The value of the CRL number, as conveyed in the CRL<br> number extension field (if present), shall be identical for both the<br> delta-CRL and the corresponding complete CRL". </blockquote> <br> Again, you are misinterpreting this text. If a full CRL and a delta-CRL cover the set of certificates and revocation reasons (i.e., scope) and are issued at the same time, then they are effectively two instantiations of the same CRL. They must then (as the standard requires) have the same cRLNumber. <br> <br> <blockquote type=cite cite>> Notice also that the requirement is that when a new base is issued, the<br> > delta that is issued at the same time provides changes since the previous<br> > base. <br> <br> This is wrong as well because there is not necessarilly this previous base<br> (see the first major problem).<br> <br> > One does not issue an empty delta. If one did, then every relying<br> > party would be forced to download every base CRL.<br> <br> This is the intent, otherwise delta CRLs would grow for ever.</blockquote><br> This is not true. I have constructed an example below (hopefully it is well formatted so that it is readable). The example below shows the "traditional" method of issuing delta-CRLs. In this example, full CRLs are issued once every 3 hours and deltas are issued once an hour. As you have stated, if one wishes to begin issuing deltas at the same time that the very first full CRL, the delta must use the concurrently issued full CRL as its base. After that, however, a delta can always use a previously issued full CRL as its base. Notice that starting with cRLNumber 4, the delta CRL issued at the same time as a full CRL uses the previously issued full CRL as its base. However, the delta-CRLs never provide more than 3 hours of history. They do not grow forever.<br> <br> <br> <tt>current revoked<br> time<x-tab> </x-tab> certificates<x-tab> </x-tab>full CRL<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>delta-CRL<br> ------------------------------------------------------------<br> </tt>12:00<x-tab> </x-tab><x-tab> </x-tab>{14}<x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 1<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 1<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 12:00<x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 12:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 15:00<x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 13:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 1<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {14}<x-tab> </x-tab><x-tab> </x-tab>CertificateList = {}<br> <br> <br> 13:00<x-tab> </x-tab><x-tab> </x-tab>{14, 124}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 2<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 13:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 14:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 1<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {124}<br> <br> <br> 14:00<x-tab> </x-tab><x-tab> </x-tab>{14, 124}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 3<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 14:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 15:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 1<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {124}<br> <br> <br> 15:00<x-tab> </x-tab><x-tab> </x-tab>{14, 124, 39}<x-tab> </x-tab>cRLNumber = 4<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 4<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 15:00<x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 15:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 18:00<x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 16:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 1<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {14, 124, 39}<x-tab> </x-tab>CertificateList = {124, 39}<br> <br> <br> 16:00<x-tab> </x-tab><x-tab> </x-tab>{14, 124, 39,<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 5<br> <x-tab> </x-tab><x-tab> </x-tab> 67}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 16:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 17:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 4<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {67}<br> <br> <br> 17:00<x-tab> </x-tab><x-tab> </x-tab>{14, 124, 39,<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 6<br> <x-tab> </x-tab><x-tab> </x-tab> 67}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 17:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 18:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 4<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {67}<br> <br> <br> 18:00<x-tab> </x-tab><x-tab> </x-tab>{14, 124, 39,<x-tab> </x-tab>cRLNumber = 7<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 7<br> <x-tab> </x-tab><x-tab> </x-tab> 67}<x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 18:00<x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 18:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 21:00<x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 19:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 4<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {14, 124, 39,<x-tab> </x-tab>CertificateList = {67}<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab> 21}<br> <br> <br> 19:00<x-tab> </x-tab><x-tab> </x-tab>{14, 124, 39,<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>cRLNumber = 8<br> <x-tab> </x-tab><x-tab> </x-tab> 67}<x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>thisUpdate = 19:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>nextUpdate = 20:00<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>BaseCRLNumber = 7<br> <x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab><x-tab> </x-tab>CertificateList = {}<br> <br> <br> <blockquote type=cite cite>> >> b) the lack of use of the fields thisUpdate and nextUpdate in the<br> > >> delta-CRLs.<br> <br> > As I stated before, the thisUpdate field specifies the time at which the<br> > CRL was issued. There is absolutely no reason to check that the current<br> > time is after thisUpdate. <br> <br> There is no notion of current time. The evaluation is made at time T, which<br> may be the current time or a time in the past.</blockquote><br> In the note to which I was responding, you had proposed the following text:<br> <br> > > > > An application can construct a CRL that is the most current for <br> > > > > a given scope, at the current time, by retrieving the current <br> > > > > base CRL for that scope, and combining it with a delta-CRL which <br> > > > > contains a Delta CRL Indicator equal to the cRLNumber of the base <br> > > > > CRL and where the current date from that delta-CRL is between <br> > > > > thisUpdate and nextUpdate;<br> <br> In the proposed text, you specifically stated that the goal was to construct a CRL that is most current *at the current time*. If the text is changed to also describe how to determine the status of a certificate at some point in the past, then the situation becomes more complicated.<br> <br> <blockquote type=cite cite>> The nextUpdate field in a delta-CRL has the same meaning an in any other<br> > type of CRL, so there is no reason to discuss it here. As I said before,<br> > though, one can not say that any CRL whose nextUpdate time has not passed<br> > is the most current. There may have been an "emergency" CRL issued since<br> > that one was issued. If nextUpdate has passed, then you know the CRL is<br> > not the most current. If nextUpdate has not passed, then the CRL MAY be<br> > the most current, but there is no way to know for certain.<br> <br> See my response to Tim on that topic.</blockquote><br> I saw your response. X.509 states: "<font size=2>nextUpdate</font>, if present, indicates the date/time by which the next revocation list in this series will be issued. The next revocation list could be issued before the indicated date, but it will not be issued any later than the indicated time." While the term "emergency CRL" is not in the text, it does state that a new CRL may be issued before the date indicated in nextUpdate. Can you find anywhere in the text that suggests that this does not apply to delta-CRLs?<br> <br> <br> <blockquote type=cite cite>> >> > They seem to depart from the traditional<br> > >> > deltas in certain details,<br> > >><br> > >> They certainly do not.<br> <br> > As I stated above, you state that whenever a base CRL is issued, an empty<br> > delta-CRL should be issued at the same time, with the delta-CRL using the<br> > concurrently issued base CRL as its base. This is not how traditional<br> > delta-CRLs work.<br> <br> Think about it. To do that you have to take an example: a *first* base CRL<br> is issued at midnight (no base CRL *ever* exists before). A delta is<br> supposed to be issued every hour. Think first about the processing done by a<br> relying party at 3:30 a.m. Then think about the processing that will be done<br> at 0:30 a.m. You will then come to the same conclusion. Now if a base<br> existed before, then the proposal would not be consistant with the<br> definition of the construction of the updated CRL which is: <br> <br> An application can construct an updated CRL, for a specific time T, <br> by retrieving the appropriate base CRL for that scope, and combining <br> it with a delta CRL which contains a delta CRL indicator extension <br> with the same CRL number as the base CRL.<br> <br> Futhermore, the size of the delta CRLs would grow for ever.</blockquote><br> Not true. See the example above.<br> <br> <blockquote type=cite cite>> >> > but prevent use of sliding window deltas.<br> > >><br> > >> Maybe. However, if you really want them to be part of this document,<br> > >> then<br> > >> they MUST *not* be mandatory. So the only way would be to add<br> > >> additional<br> > >> text that would explain how this can be done as an option. However I<br> > >> got the<br> > >> fealing that the traditional method may be in some way incompatible<br> > >> with the<br> > >> sliding window deltas, i.e. if the sliding method is chosen by the CRL<br> > >> Issuer relying parties may have difficulties to use the traditional<br> > >> method.<br> > >> But, maybe, you have the right text just ready to explain how this can<br> > >> be<br> > >> done. :-)<br> <br> > When I referred to the "traditional" method in my paper, I was referring<br> > to the way delta-CRLs are issued, not how they are processed by relying<br> > parties. Notice, however, that the deltaCRLIndicator requires that "[t]he<br> > base CRL referenced by a deltaCRLIndicator extension shall be a CRL that<br> > is issued as complete for its scope (i.e. it is not itself a dCRL)." If by<br> > "relying parties using the traditional method" you mean always applying<br> > the delta-CRL to a full CRL whose cRLNumber is equal to the value in<br> > BaseCRLNumber, this requirement on the deltaCRLIndicator extension ensures<br> > that this can be done no matter how delta-CRLs are issued (traditional<br> > method, sliding window, or other). I don't think that anyone ever intended<br> > for this to be way that delta-CRLs are processed, but you can do it if you<br> > want.<br> <br> I undersand clearly that you would like relying parties to take advantage of<br> sliding windows, by the "algorithm" that you proposed, which is based on the<br> ISO text, has flaws in it. See above.</blockquote><br> Your belief that there are flaws in the ISO text is based on a misinterpretation of the cRLNumber field. Since this field is vital to the efficient use of delta-CRLs, this misinterpretation may be the reason for your confusion.<br> <br> <blockquote type=cite cite>> Even if delta-CRLs are issued using the "traditional" method, relying<br> > parties may choose to maintain a locally generated revocation list which<br> > they update which each successive delta-CRL that they download. <br> <br> I have addressed that point in details in my response to Tim. I think we<br> agree on this point.</blockquote><br> The text on delta-CRLs has two basic parts. One part, which is normative, describes what information a CRL issuer needs to place in a delta-CRL. The other part, which is informative, describes what information relying parties need to make use of delta-CRLs. If we use your text (below), then we are being less informative than we could be.<br> <br> <x-tab> </x-tab>An application can construct an updated CRL, for a specific time T, <br> <x-tab> </x-tab>by retrieving the appropriate base CRL for that scope, and combining <br> <x-tab> </x-tab>it with a delta CRL which contains a delta CRL indicator extension <br> <x-tab> </x-tab>with the same CRL number as the base CRL. <br> <br> The text hides from implementers the fact that a delta-CRL may be used in conjunction with a full CRL that was issued after the referenced base CRL was issued. The follow-up text ("Conforming implementations of this specification are not required to implement the above algorithm, but MUST provide functionality equivalent to the external behavior resulting from this procedure.") is only a source of confusion. The text above does not describe an algorithm, it merely states what information is required to construct an updated CRL using base CRLs and delta-CRLs. An algorithm would state how to construct an updated CRL.<br> <br> <br> <blockquote type=cite cite>> >> > >[David] A delta-CRL is nearly the same as a full CRL. It has a<br> > >> thisUpdate,<br> > >> > >nextUpdate, cRLNumber, etc. just as a full CRL. It just has an<br> > >> incomplete<br> > >> > >list of revoked certificates.<br> > >> > ><br> > >> > >[Denis] Yes, but you have to explain detail how a relying party<br> > >> will use<br> > >> > >thisUpdate, nextUpdate for a base CRL and thisUpdate, nextUpdate<br> > >> for a delta<br> > >> > >to make sure that in both cases he got the freshest information.<br> > ><br> <br> > There is no way, using CRLs, to ensure that you have the freshest<br> > information. <br> <br> True. But if you are using both base CRLs and delta-CRLs then you have that<br> guaranty up to the period of refresh of the delta-CRL (which is of course<br> much better than the period of refresh from the base CRL).</blockquote><br> At time T, you know that the information in a CRL (any type of CRL) is no older than T - thisUpdate. There is no guarantee that another CRL was not issued after thisUpdate, even if T < nextUpdate (see above).<br> <br> <blockquote type=cite cite>> >> > >[Denis]<br> > >> > ><br> > >> > >As said later, your paper provides the right answer (on page 1): "A<br> > >> > >delta-CRL is a CRL that only provides information about certificates who<br> > >> > >statuses have changed since the issuance of a specific, previously issued<br> > >> > >CRL". The text says " *a* specific, previously issued CRL", it does NOT say<br> > >> > >"or any, more recently, issued CRL".<br> <br> > You are misinterpreting the quote. The sentence states what information is<br> > provided in a delta-CRL. It does not say anything about how the delta-CRL<br> > can be used. A delta-CRL provides information about certificates whose<br> > statuses have changed since the issuance of a specific, previously issued<br> > CRL. The delta-CRL may, however, be applied to more recently issued CRLs.<br> <br> In the same spirit as you did, I could say that we would need a machine that<br> allows people to travel in the future. However, delta-CRLs cannot be applied<br> to more recently issued CRLs, unless you provide a clear example of how this<br> can be done.</blockquote><br> OK. Here is an example. Suppose that you have a delta-CRL with a cRLNumber of 8 and a BaseCRLNumber of 5. You also have a full CRL with a cRLNumber of 6. The following algorithm can then be used to determine the status of a certificate that is covered by the CRL at the time that the delta-CRL was issued (assume the certificate in question has serial number 153):<br> <br> 1) If 153 is listed on full CRL number 6, but not the delta-CRL, then it is revoked with the revocation reason stated in full CRL number 6.<br> <br> 2) If 153 is listed on the delta-CRL with a revocation reason of removeFromCRL, then it would not be found on a full CRL issued at the time the delta-CRL was issued. In this case it does not matter whether 153 was listed on full CRL number 6. The reason that it would not be on the full CRL (number 8) is unknown. It could either be that the certificate was removed from hold or that the certificate expired.<br> <br> 3) If 153 is listed on the delta-CRL with a revocation reason other than removeFromCRL, then it is revoked with the revocation reason stated in the delta-CRL. Again, in this case, it does not matter whether 153 was listed on full CRL number 6.<br> <br> 4) If 153 is not listed on either full CRL number 6 or the delta-CRL, then it is not revoked (or it expired before CRL number 6 was issued).<br> <br> <br> I created this algorithm on the fly, so it may not be perfect, but it should be sufficiently close to correct to be understandable. Notice, however, that the cRLNumber field is very important here. In order for this algorithm to work you must ensure that cRLNumber of the full CRL you use is greater than or equal to the BaseCRLNumber in the delta-CRL and less than the cRLNumber in the delta-CRL. One must be able to compare the CRL numbers in order to check that the delta-CRL and full CRL can be combined. <br> <br> <blockquote type=cite cite>> >> > > > >This paper is proposing a method for over-issuing the CRLs. It omits to take<br> > >> > > > >into consideration that in PKIX-1 we mandate the CRL number extension<br> > >> > > > >(section 5.2.3) so we need to advertise the nextUpdate. If you issue a CRL<br> > >> > > > >before the next update you have no more way to know which base CRL is the<br> > >> > > > >freshest CRL. I believe this is a major security weakness and for that<br> > >> > > > >reason this mechanism should be deprecated.<br> <br> > Over-issuing is really out-of-scope for this discussion. However,<br> > over-issuing is merely one way to distribute revocation information more<br> > efficiently. If you issue CRLs once every 4 hours and I issue CRLs once an<br> > hour, but with a nextUpdate time 4 hours in the future, the information<br> > relying parties get from me will be no more stale than the information<br> > they get from you. If there is any "security weakness" it is from the<br> > delay in distributing revocation information, not from over-issuing.<br> <br> Over-issuing of full CRLs provides a guaranty up to (usually less than) the<br> period of validity of the full CRL. A base CRL followed by delta-CRLs<br> provides a guaranty up to the period of validity of the delta CRLs (which is<br> indeed better). If mis-used, over-issuing of full CRLs provides could<br> provide a guaranty *equal* to the period of validity of the full CRL (which<br> is indeed worse).</blockquote><br> What guaranty are you talking about? You can compare the current time (or some other time T) to the time in thisUpdate to determine how fresh the revocation information is. What other guarantees do you think are provided? <br> <br> <br> > > You replace this with: <br> > > <br> > > CAs must ensure that application of a delta CRL to the referenced <br> > > base revocation information accurately reflects the current status of <br> > > revocation. If a CA supports the certificateHold revocation reason <br> > > the following rules must be applied when generating delta CRLs: <br> > > <br> > > (a) If a certificate was listed as revoked with revocation reason <br> > > certificateHold on a CRL (either a delta CRL or a CRL that is <br> > > complete for a given scope), and the hold is subsequently <br> > > released, the certificate must be listed with revocation reason <br> > > removeFromCRL until the next base CRL is issued. <br> > > <br> > > Note: Should the certificate be subsequently revoked again for <br> > > one of the revocation reasons covered by the delta CRL, <br> > > then the certificate must be listed with the revocation <br> > > reason appropriate for the subsequent revocation. <br> > > <br> > > (b) If the certificate was not removed from hold, but was <br> > > permanently revoked, then it must be listed as such on all <br> > subsequent delta CRLs until the next base CRL is issued . <br> > > <br> > > This text presents the biggest problems of all. The text describes *what* <br> > > needs to be listed on *which* delta CRLs. By limiting this text to one <br> > > very narrow scenario, you increase the likeliehood that delta CRL issuers <br> > > that wish to do something efficient will get it wrong. That will result <br> > > in bad information from the relying party.<br> ><br> > This text has be simply adapted to remove the semantics that existed on the <br> > CRL number from delta-CRLs. It describes what a CA does, not what a relying <br> > party does. I do not believe that there is the limitation as you mention. If <br> > you really think that the text needs to be changed, please make a proposal <br> > on it, but without adding any new seamntics to the CRL number. :-)<br> <br> It may have been your intention to simply re-word the text without changing the semantics, but this was not the result. The new text describes a different set of semantics and these new semantics prevent CRL issuers from issuing delta-CRLs in any way except one very inefficient manner. Without reference to CRL numbers, it is not possible to properly describe the rules for constructing delta-CRLs.<br> <br> <br> Dave<br> </html> Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA19663 for <ietf-pkix@imc.org>; Fri, 4 May 2001 07:30:42 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id KAA03827 for <ietf-pkix@imc.org>; Fri, 4 May 2001 10:30:13 -0400 (EDT) Message-Id: <200105041430.KAA03823@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Fri, 04 May 2001 10:27:55 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Basic constraints, key usage, and LDAP schema References: <4.2.0.58.20010501160140.0202cb50@email.nist.gov> <4.2.0.58.20010503155218.01769720@email.nist.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Tim Polk wrote: > > However, I think that PKI clients need to be able to confirm that the CPS was > signed by a CA, not just some random certificate subject. They need to be > able to determine that the entity generating their key management key pair is > in fact the CA, not some random certificate subject. > > I don't know how we convey this information if we don't use the basic > constraints extension. Since we have key usage to refine the meaning of basic > constraints we should be able to say "the subject is a CA and the public key > may be used to [one or more of the following: validate signatures on > certificates; validate signatures on CRLs; key encipherment; etc. etc.]" The counter-argument is that you need to know that the entity generating the key management keypair is in fact the CA that will be signing your certificate, not some random CA. So checking the name and the signature chaining of the transaction certificate is necessary and sufficient, whereas checking the cA flag is neither necessary nor sufficient. The X.509 term "self-issued" covers the case of a CA issuing transaction, web server, and CRL-signing certificates to itself; the criterion for determining self-issued-ness is subject/issuer name equality, not key usage or basic constraints. > You are correct, it would be dangerous to assert cA=TRUE without specifying a > critical key usage extension. I guess the question is, what would a client do > if it encountered an intermediate certificate where basic constraints > indicated it was a CA certificate and the key usage extension appeared but > keyCertSign was not asserted? > > On the other hand, the subject is trusted to issue certificates or CRLs > anyway. If the subject wants to perform mischief, it can do so with the > appropriate key pair. Right? I'm more concerned about an adversary's mischief than the CA's. Certificate signing keys are the most powerful and should be the best protected. Web server and CRL signing private keys are more exposed, but compromising them causes less damage than compromise of a cert signing key. If an adversary has a compromised private key and a corresponding valid certificate with cA=true, then any application which would accept that certificate as part of a path would allow the adversary to escalate his privileges from impersonating a web server to creating bogus certificates. Setting the cA flag on non-certificate-signing certificates is not necessary. And it is potentially dangerous because even if we make a critical key usage extension a MUST in the profile, we can't guarantee that every CA in the world will be PKIX-compliant. I oppose re-defining the cA flag in this manner. I believe we should continue to treat the cA flag as having semantics identical to the keyCertSign bit. Dave Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA18120 for <ietf-pkix@imc.org>; Fri, 4 May 2001 07:14:47 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id KAA10263; Fri, 4 May 2001 10:14:44 -0400 (EDT) Message-Id: <4.2.0.58.20010504095234.01794f00@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Fri, 04 May 2001 10:12:40 -0400 To: Denis Pinkas <Denis.Pinkas@bull.net>, "David A. Cooper" <david.cooper@nist.gov> From: Tim Polk <tim.polk@nist.gov> Subject: Re: delta-CRLs Cc: ietf-pkix@imc.org In-Reply-To: <3AF29EEA.17062674@bull.net> References: <4.2.2.20010503153844.00b0ae40@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Denis, Yes, I would agree. This thread is consuming far too much time for all of us. As we have diametrically opposed views, that cannot be helped. I will try to be brief, though.... At 02:22 PM 5/4/01 +0200, Denis Pinkas wrote: >David, > >This thread is now taking me (too) much time for my processing power. :-( > > > At 06:05 PM 5/2/01 +0200, Denis Pinkas wrote: > > > > >> The current is wrong on two major aspects: > > >> > > >> a) the numbering of the delta CRLs > > > > > > > Since you claim to want to support "traditional" delta-CRLs, I will quote > > the text on delta-CRLs from section 12.6.3.3 of X.509 3rd edition (1997): > > > > a delta-CRL shall not be issued without a corresponding complete > > CRL being issued at the same time. The value of the CRL number, > > as conveyed in the CRL number extension field (if present), shall > > be identical for both the delta-CRL and the corresponding complete CRL > > > > Similar text was included in one of the old proposed draft amendments to > > the 1997 standard: > > > > At reset time, concurrent with publication of a new base CRL is > > publication of the final delta-CRL for the old base CRL. Both CRLs > > published concurrently (new base and final delta for old base) shall > > contain identical values of the cRLNumber extension as well as > > identical values of thisUpdate time. The values of nextUpdate time > > will be different in each. > > > > Both texts are quite clear that when a complete CRL and a delta-CRL are > > issued at the same time, and the two CRLs provide the same information, > > they must have the same cRLnumber. This is because the are effectively two > > instantiations of the same CRL. > >The ISO text has two major problems: > >1) It makes a major assumption, ... which is wrong: once a CA has started to >issue a base CRL (and hence it will issue delta-CRLs) then it must do it for >ever. A CA can issue a base CRL and then delta CRLs but then simply issue >complete CRL (i.e. full CRLs that do not support the delta mechanism) and >later one can start to issue a base a delta CRLs again. I would agree that a CA is not required to issue deltas forever. A CA could issue a complete CRL (call it CRL-1), a series of deltas fusing CRL-1 as a base base, then a new complete CRL (CRL-2), then more deltas using CRL-2 as a base. I do not believe the ISO text precludes this scenario. >2) RFC 2459 in section 5.2.3 (CRL Number) says: > > The CRL number is a non-critical CRL extension which conveys a > monotonically increasing sequence number for each CRL issued by a CA. > >Since two CRLs (whether they are base, delta, complete, whatever) cannot >have the same number, this means that the following sentence extracted from >the ISO text is wrong: "The value of the CRL number, as conveyed in the CRL >number extension field (if present), shall be identical for both the >delta-CRL and the corresponding complete CRL". Denis, a delta CRL may only be used in combination with a base CRL, right? The CRL number in the delta is the CRL number of the *constructed* CRL. When the delta and base combine to form *the same* CRL as a complete CRL, the complete CRL will have the same CRL number. Since the delta and *any legal base CRL* will combine to form *the same* CRL, the complete CRL and the delta MUST have the same CRL number. Note that this is *crucial* if we intend to use the constructed CRL as a base CRL in the future. If you cannot assign a CRL number to the constructed CRL you cannot use it as a base. > > Notice also that the requirement is that when a new base is issued, the > > delta that is issued at the same time provides changes since the previous > > base. > >This is wrong as well because there is not necessarilly this previous base >(see the first major problem). > > > One does not issue an empty delta. If one did, then every relying > > party would be forced to download every base CRL. > >This is the intent, otherwise delta CRLs would grow for ever. > > > >> b) the lack of use of the fields thisUpdate and nextUpdate in the > > >> delta-CRLs. > > > As I stated before, the thisUpdate field specifies the time at which the > > CRL was issued. There is absolutely no reason to check that the current > > time is after thisUpdate. > >There is no notion of current time. The evaluation is made at time T, which >may be the current time or a time in the past. > > > We can re-visit this issue, if necessary, once > > you have built a machine that allows people to travel back in time while > > simultaneously validating an X.509 certificate. Until then, we can assume > > that time increases monotonically and that the current time is always > > after thisUpdate. > >No need to invent such a machine, but I appreciate your sense of humor. >Please keep flames away. See the previous comment. > > > The nextUpdate field in a delta-CRL has the same meaning an in any other > > type of CRL, so there is no reason to discuss it here. As I said before, > > though, one can not say that any CRL whose nextUpdate time has not passed > > is the most current. There may have been an "emergency" CRL issued since > > that one was issued. If nextUpdate has passed, then you know the CRL is > > not the most current. If nextUpdate has not passed, then the CRL MAY be > > the most current, but there is no way to know for certain. > >See my response to Tim on that topic. > > > >> > They seem to depart from the traditional > > >> > deltas in certain details, > > >> > > >> They certainly do not. > > > As I stated above, you state that whenever a base CRL is issued, an empty > > delta-CRL should be issued at the same time, with the delta-CRL using the > > concurrently issued base CRL as its base. This is not how traditional > > delta-CRLs work. > >Think about it. To do that you have to take an example: a *first* base CRL >is issued at midnight (no base CRL *ever* exists before). A delta is >supposed to be issued every hour. Think first about the processing done by a >relying party at 3:30 a.m. Then think about the processing that will be done >at 0:30 a.m. You will then come to the same conclusion. Now if a base >existed before, then the proposal would not be consistant with the >definition of the construction of the updated CRL which is: > > An application can construct an updated CRL, for a specific time T, > by retrieving the appropriate base CRL for that scope, and combining > it with a delta CRL which contains a delta CRL indicator extension > with the same CRL number as the base CRL. > >Futhermore, the size of the delta CRLs would grow for ever. > If you issue one complete CRL and only issue deltas in the future, all of which refer to the one complete CRL as a base, the delta will grow forever. I am certain *no one* has suggested that scenario, though. It > > >> > but prevent use of sliding window deltas. > > >> > > >> Maybe. However, if you really want them to be part of this document, > > >> then > > >> they MUST *not* be mandatory. So the only way would be to add > > >> additional > > >> text that would explain how this can be done as an option. However I > > >> got the > > >> fealing that the traditional method may be in some way incompatible > > >> with the > > >> sliding window deltas, i.e. if the sliding method is chosen by the CRL > > >> Issuer relying parties may have difficulties to use the traditional > > >> method. > > >> But, maybe, you have the right text just ready to explain how this can > > >> be > > >> done. :-) > > > When I referred to the "traditional" method in my paper, I was referring > > to the way delta-CRLs are issued, not how they are processed by relying > > parties. Notice, however, that the deltaCRLIndicator requires that "[t]he > > base CRL referenced by a deltaCRLIndicator extension shall be a CRL that > > is issued as complete for its scope (i.e. it is not itself a dCRL)." If by > > "relying parties using the traditional method" you mean always applying > > the delta-CRL to a full CRL whose cRLNumber is equal to the value in > > BaseCRLNumber, this requirement on the deltaCRLIndicator extension ensures > > that this can be done no matter how delta-CRLs are issued (traditional > > method, sliding window, or other). I don't think that anyone ever intended > > for this to be way that delta-CRLs are processed, but you can do it if you > > want. > >I undersand clearly that you would like relying parties to take advantage of >sliding windows, by the "algorithm" that you proposed, which is based on the >ISO text, has flaws in it. See above. > > > Even if delta-CRLs are issued using the "traditional" method, relying > > parties may choose to maintain a locally generated revocation list which > > they update which each successive delta-CRL that they download. > >I have addressed that point in details in my response to Tim. I think we >agree on this point. > > > Remember that RFC 2459 stated: > > > > The use of delta-CRLs can significantly improve processing time > > for applications > > which store revocation information in a format other than the CRL > > structure. This > > allows changes to be added to the local database while ignoring > > unchanged information that is already in the local database. > > > > We should not write text that seems to preclude this option. > > > > The text that is in the document now was painstakingly crafted by the ISO > > Directory group and was carefully profiled by PKIX. The text does not > > mandate sliding window delta-CRLs, nor does it specify a particular way > > that relying parties must use delta-CRLs. It provides options to both CRL > > issuers and relying parties, but does not impose requirements on either. > > Please do not suggest that we change the text to preclude useful options > > when doing so would provide no benefits. > >The ISO text has problems, so the text based on it has problems too. > > > >> > >[David] A delta-CRL is nearly the same as a full CRL. It has a > > >> thisUpdate, > > >> > >nextUpdate, cRLNumber, etc. just as a full CRL. It just has an > > >> incomplete > > >> > >list of revoked certificates. > > >> > > > > >> > >[Denis] Yes, but you have to explain detail how a relying party > > >> will use > > >> > >thisUpdate, nextUpdate for a base CRL and thisUpdate, nextUpdate > > >> for a delta > > >> > >to make sure that in both cases he got the freshest information. > > > > > > There is no way, using CRLs, to ensure that you have the freshest > > information. > >True. But if you are using both base CRLs and delta-CRLs then you have that >guaranty up to the period of refresh of the delta-CRL (which is of course >much better than the period of refresh from the base CRL). > > If nextUpdate has passed, then you know that fresher > > information is available. If nextUpdate has not passed, then you do not > > know whether you have the freshest information or not. This is true for > > full CRLs, delta-CRLs, indirect CRLs, and any other type of CRL. If more > > text is needed to explain the use of the nextUpdate field then it should > > go in section 5.1.2.5 on the nextUpdate field, since it would apply to all > > CRLs, not just delta-CRLs. > > > > >> > >[Denis] > > >> > > > > >> > >As said later, your paper provides the right answer (on page 1): " > > >> A > > >> > >delta-CRL is a CRL that only provides information about > > >> certificates who > > >> > >statuses have changed since the issuance of a specific, previously > > >> issued > > >> > >CRL". The text says " *a* specific, previously issued CRL", it does > > >> NOT say > > >> > >"or any, more recently, issued CRL". > > > You are misinterpreting the quote. The sentence states what information is > > provided in a delta-CRL. It does not say anything about how the delta-CRL > > can be used. A delta-CRL provides information about certificates whose > > statuses have changed since the issuance of a specific, previously issued > > CRL. The delta-CRL may, however, be applied to more recently issued CRLs. > >In the same spirit as you did, I could say that we would need a machine that >allows people to travel in the future. However, delta-CRLs cannot be applied >to more recently issued CRLs, unless you provide a clear example of how this >can be done. > > > >> > > > >This paper is proposing a method for over-issuing the CRLs. It > > >> omits to take > > >> > > > >into consideration that in PKIX-1 we mandate the CRL number > > >> extension > > >> > > > >(section 5.2.3) so we need to advertise the nextUpdate. If you > > >> issue a CRL > > >> > > > >before the next update you have no more way to know which base > > >> CRL is the > > >> > > > >freshest CRL. I believe this is a major security weakness and > > >> for that > > >> > > > >reason this mechanism should be deprecated. > > > Over-issuing is really out-of-scope for this discussion. However, > > over-issuing is merely one way to distribute revocation information more > > efficiently. If you issue CRLs once every 4 hours and I issue CRLs once an > > hour, but with a nextUpdate time 4 hours in the future, the information > > relying parties get from me will be no more stale than the information > > they get from you. If there is any "security weakness" it is from the > > delay in distributing revocation information, not from over-issuing. > >Over-issuing of full CRLs provides a guaranty up to (usually less than) the >period of validity of the full CRL. A base CRL followed by delta-CRLs >provides a guaranty up to the period of validity of the delta CRLs (which is >indeed better). If mis-used, over-issuing of full CRLs provides could >provide a guaranty *equal* to the period of validity of the full CRL (which >is indeed worse). > > > >> > >[David] Finally, since a CRL issuer may issue "emergency" > > >> delta-CRLs, there > > >> > >is no guarantee that any delta-CRL whose nextUpdate time is later > > >> than the > > >> > >current time is the most current delta-CRL. > > >> > > > > >> > >[Denis] If you issue such "emergency" delta-CRLs then once again > > >> there is no > > >> > >guarantee that they will ever be seen. The "most recent delta-CRL" > > >> is any > > >> > >delta CRL which satisfies the following condition : > > >> > > > > >> > >" A delta-CRL which contains a Delta CRL Indicator equal to the > > >> cRLNumber of > > >> > >the base CRL and where the validation date (which may be the > > >> current time) > > >> > >is between thisUpdate and nextUpdate from that delta-CRL;" > > > This seems to be a semantic problem. There can only be one "most recent > > CRL". You seem to want to mandate that people always use the "most recent > > CRL", but there is no way guarantee that you have the most recent CRL. > >See the response above and my response to Tim. > > > >> > > > >Any other method would first need to be proven to be secure > > >> (over-issuing > > >> > > > >CRLs and sliding window delta-CRLs have security problems) > > >> > > >> > >[Denis] There ARE security problems with sliding window delta-CRLs. > > >> I have > > >> > >descibed at length what the problems are. However, this does not > > >> mean that > > >> > >this technique cannot be supported as an OPTIO and IF we indicate > > >> in the > > >> > >text what are their security problems. The current text places the > > >> two > > >> > >techniques at the same level. The traditional way offers a > > >> guarantee while > > >> > >the other does not. There is indedd added complexity for building > > >> the > > >> > >software from the relying party. > > > You have not described any security problems with sliding window > > delta-CRLs. You suggest that sliding window delta-CRLs should not be used > > until they have been proven secure. What type of proof are you looking > > for? Where are the proofs that CRLs of any type are secure? Where is the > > proof that X.509 certificates are secure? Once you provide me with the > > proofs that everything else in X.509 is secure, I'll try to find time to > > write a similar proof to show that sliding window delta-CRLs are secure. > > Until then, any suggestion that sliding window delta-CRLs need to be > > proven to be secure before they can be used is nothing but a red herring. > >No comment. > >Denis > > > Dave Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA17823 for <ietf-pkix@imc.org>; Fri, 4 May 2001 07:12:22 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id KAA104038; Fri, 4 May 2001 10:10:20 -0400 Received: from d02ml237.somers.hqregion.ibm.com (d02ml237.sby.ibm.com [9.45.4.171]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id KAA11170; Fri, 4 May 2001 10:06:41 -0400 Importance: Normal Subject: RE: Basic constraints, key usage, and LDAP schema To: Sharon Boeyen <sharon.boeyen@entrust.com> Cc: Santosh Chokhani <chokhani@cygnacom.com>, "'Tim Polk'" <tim.polk@nist.gov>, "'Denis Pinkas'" <Denis.Pinkas@bull.net>, "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: <OF79AAC907.B20AB276-ON85256A42.004DA084@somers.hqregion.ibm.com> From: "Tom Gindin" <tgindin@us.ibm.com> Date: Fri, 4 May 2001 10:11:40 -0400 X-MIMETrack: Serialize by Router on D02ML237/02/M/IBM(Release 5.0.7 |March 21, 2001) at 05/04/2001 10:11:50 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Just BTW, my reasoning is similar to Santosh's. I would like to mention that the reasons for issuing a distinct CMP certificate for a CA are even stronger than those for a distinct CRL certificate. However, it is not obvious whether this should be classed as a CA certificate since a certificate to be used with CMP looks more like a standard server certificate. Tom Gindin Sharon Boeyen <sharon.boeyen@entrust.com> on 05/03/2001 12:52:30 PM To: Santosh Chokhani <chokhani@cygnacom.com>, Tom Gindin/Watson/IBM@IBMUS cc: "'Tim Polk'" <tim.polk@nist.gov>, "'Denis Pinkas'" <Denis.Pinkas@bull.net>, "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: RE: Basic constraints, key usage, and LDAP schema Thanks, I understand now. -----Original Message----- From: Santosh Chokhani Sent: Thursday, May 03, 2001 12:32 PM To: Sharon Boeyen; 'Tom Gindin' Cc: 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org Subject: RE: Basic constraints, key usage, and LDAP schema Sharon: One reason a CA may issue itself a CRL signing certificate is the scenario as follows: 1. The CA is a trust anchor for some relying parties, and 2. The CA wants to use different key for CRL signing for operational security, and 3. The CA wants to only provide one trust anchor (i.e., the certificate signature verification public key). In that scenario, the CA will issue itself a certificate for the CRL signature verification public key. -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Thursday, May 03, 2001 10:35 AM To: 'Tom Gindin'; Sharon Boeyen Cc: 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org Subject: RE: Basic constraints, key usage, and LDAP schema I see your point - I was missing the point that they are self-issued and was thinking of the case where you are delegating authority to an indirect issuer. In the indirect case the cert would need to be in the cross-cert pairs attribute and may also appear in the caCerts attribute. On the self issued ones, why are they needed at all? Why would a CA issue a cert to itself indicating that it can sign CRLs? Why do we need that? Sharon > -----Original Message----- > From: Tom Gindin [mailto:tgindin@us.ibm.com] > Sent: Wednesday, May 02, 2001 5:43 PM > To: Sharon Boeyen > Cc: 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org > Subject: RE: Basic constraints, key usage, and LDAP schema > > > > In the current draft of X.509v4, "self-issued" means something > different than "self-signed". "self-issued" appears to be > the condition > "the certificate's subject name can be matched to its own issuer name, > which is that of a CA", while "self-signed" is that with the added > condition "the certificate signature is verifiable with the public key > contained in the message". Most of these CRL signing certificates are > "self-issued" in this sense, although not "self-signed". > One other reason why such CRL signing certificates would > legitimately > not go into the CC Pair attribute would be that there is no > other directory > entry where the CA certificate to verify the signature on > this certificate > could be found, unlike any other certificates in CC Pair. > Lastly, if a CRL signing certificate were issued by a CA > certificate > with the same DN, it would certainly belong in the same realm, if that > concept has any meaning at all. > > Tom Gindin > > (snip) Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA10273 for <ietf-pkix@imc.org>; Fri, 4 May 2001 05:22:38 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id OAA15502; Fri, 4 May 2001 14:22:27 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id OAA18700; Fri, 4 May 2001 14:21:59 +0200 Message-ID: <3AF29EEA.17062674@bull.net> Date: Fri, 04 May 2001 14:22:02 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: "David A. Cooper" <david.cooper@nist.gov> CC: ietf-pkix@imc.org Subject: Re: delta-CRLs References: <4.2.2.20010503153844.00b0ae40@email.nist.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit David, This thread is now taking me (too) much time for my processing power. :-( > At 06:05 PM 5/2/01 +0200, Denis Pinkas wrote: > > >> The current is wrong on two major aspects: > >> > >> a) the numbering of the delta CRLs > > > > Since you claim to want to support "traditional" delta-CRLs, I will quote > the text on delta-CRLs from section 12.6.3.3 of X.509 3rd edition (1997): > > a delta-CRL shall not be issued without a corresponding complete > CRL being issued at the same time. The value of the CRL number, > as conveyed in the CRL number extension field (if present), shall > be identical for both the delta-CRL and the corresponding complete CRL > > Similar text was included in one of the old proposed draft amendments to > the 1997 standard: > > At reset time, concurrent with publication of a new base CRL is > publication of the final delta-CRL for the old base CRL. Both CRLs > published concurrently (new base and final delta for old base) shall > contain identical values of the cRLNumber extension as well as > identical values of thisUpdate time. The values of nextUpdate time > will be different in each. > > Both texts are quite clear that when a complete CRL and a delta-CRL are > issued at the same time, and the two CRLs provide the same information, > they must have the same cRLnumber. This is because the are effectively two > instantiations of the same CRL. The ISO text has two major problems: 1) It makes a major assumption, ... which is wrong: once a CA has started to issue a base CRL (and hence it will issue delta-CRLs) then it must do it for ever. A CA can issue a base CRL and then delta CRLs but then simply issue complete CRL (i.e. full CRLs that do not support the delta mechanism) and later one can start to issue a base a delta CRLs again. 2) RFC 2459 in section 5.2.3 (CRL Number) says: The CRL number is a non-critical CRL extension which conveys a monotonically increasing sequence number for each CRL issued by a CA. Since two CRLs (whether they are base, delta, complete, whatever) cannot have the same number, this means that the following sentence extracted from the ISO text is wrong: "The value of the CRL number, as conveyed in the CRL number extension field (if present), shall be identical for both the delta-CRL and the corresponding complete CRL". > Notice also that the requirement is that when a new base is issued, the > delta that is issued at the same time provides changes since the previous > base. This is wrong as well because there is not necessarilly this previous base (see the first major problem). > One does not issue an empty delta. If one did, then every relying > party would be forced to download every base CRL. This is the intent, otherwise delta CRLs would grow for ever. > >> b) the lack of use of the fields thisUpdate and nextUpdate in the > >> delta-CRLs. > As I stated before, the thisUpdate field specifies the time at which the > CRL was issued. There is absolutely no reason to check that the current > time is after thisUpdate. There is no notion of current time. The evaluation is made at time T, which may be the current time or a time in the past. > We can re-visit this issue, if necessary, once > you have built a machine that allows people to travel back in time while > simultaneously validating an X.509 certificate. Until then, we can assume > that time increases monotonically and that the current time is always > after thisUpdate. No need to invent such a machine, but I appreciate your sense of humor. Please keep flames away. See the previous comment. > The nextUpdate field in a delta-CRL has the same meaning an in any other > type of CRL, so there is no reason to discuss it here. As I said before, > though, one can not say that any CRL whose nextUpdate time has not passed > is the most current. There may have been an "emergency" CRL issued since > that one was issued. If nextUpdate has passed, then you know the CRL is > not the most current. If nextUpdate has not passed, then the CRL MAY be > the most current, but there is no way to know for certain. See my response to Tim on that topic. > >> > They seem to depart from the traditional > >> > deltas in certain details, > >> > >> They certainly do not. > As I stated above, you state that whenever a base CRL is issued, an empty > delta-CRL should be issued at the same time, with the delta-CRL using the > concurrently issued base CRL as its base. This is not how traditional > delta-CRLs work. Think about it. To do that you have to take an example: a *first* base CRL is issued at midnight (no base CRL *ever* exists before). A delta is supposed to be issued every hour. Think first about the processing done by a relying party at 3:30 a.m. Then think about the processing that will be done at 0:30 a.m. You will then come to the same conclusion. Now if a base existed before, then the proposal would not be consistant with the definition of the construction of the updated CRL which is: An application can construct an updated CRL, for a specific time T, by retrieving the appropriate base CRL for that scope, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. Futhermore, the size of the delta CRLs would grow for ever. > >> > but prevent use of sliding window deltas. > >> > >> Maybe. However, if you really want them to be part of this document, > >> then > >> they MUST *not* be mandatory. So the only way would be to add > >> additional > >> text that would explain how this can be done as an option. However I > >> got the > >> fealing that the traditional method may be in some way incompatible > >> with the > >> sliding window deltas, i.e. if the sliding method is chosen by the CRL > >> Issuer relying parties may have difficulties to use the traditional > >> method. > >> But, maybe, you have the right text just ready to explain how this can > >> be > >> done. :-) > When I referred to the "traditional" method in my paper, I was referring > to the way delta-CRLs are issued, not how they are processed by relying > parties. Notice, however, that the deltaCRLIndicator requires that "[t]he > base CRL referenced by a deltaCRLIndicator extension shall be a CRL that > is issued as complete for its scope (i.e. it is not itself a dCRL)." If by > "relying parties using the traditional method" you mean always applying > the delta-CRL to a full CRL whose cRLNumber is equal to the value in > BaseCRLNumber, this requirement on the deltaCRLIndicator extension ensures > that this can be done no matter how delta-CRLs are issued (traditional > method, sliding window, or other). I don't think that anyone ever intended > for this to be way that delta-CRLs are processed, but you can do it if you > want. I undersand clearly that you would like relying parties to take advantage of sliding windows, by the "algorithm" that you proposed, which is based on the ISO text, has flaws in it. See above. > Even if delta-CRLs are issued using the "traditional" method, relying > parties may choose to maintain a locally generated revocation list which > they update which each successive delta-CRL that they download. I have addressed that point in details in my response to Tim. I think we agree on this point. > Remember that RFC 2459 stated: > > The use of delta-CRLs can significantly improve processing time > for applications > which store revocation information in a format other than the CRL > structure. This > allows changes to be added to the local database while ignoring > unchanged information that is already in the local database. > > We should not write text that seems to preclude this option. > > The text that is in the document now was painstakingly crafted by the ISO > Directory group and was carefully profiled by PKIX. The text does not > mandate sliding window delta-CRLs, nor does it specify a particular way > that relying parties must use delta-CRLs. It provides options to both CRL > issuers and relying parties, but does not impose requirements on either. > Please do not suggest that we change the text to preclude useful options > when doing so would provide no benefits. The ISO text has problems, so the text based on it has problems too. > >> > >[David] A delta-CRL is nearly the same as a full CRL. It has a > >> thisUpdate, > >> > >nextUpdate, cRLNumber, etc. just as a full CRL. It just has an > >> incomplete > >> > >list of revoked certificates. > >> > > > >> > >[Denis] Yes, but you have to explain detail how a relying party > >> will use > >> > >thisUpdate, nextUpdate for a base CRL and thisUpdate, nextUpdate > >> for a delta > >> > >to make sure that in both cases he got the freshest information. > > > There is no way, using CRLs, to ensure that you have the freshest > information. True. But if you are using both base CRLs and delta-CRLs then you have that guaranty up to the period of refresh of the delta-CRL (which is of course much better than the period of refresh from the base CRL). > If nextUpdate has passed, then you know that fresher > information is available. If nextUpdate has not passed, then you do not > know whether you have the freshest information or not. This is true for > full CRLs, delta-CRLs, indirect CRLs, and any other type of CRL. If more > text is needed to explain the use of the nextUpdate field then it should > go in section 5.1.2.5 on the nextUpdate field, since it would apply to all > CRLs, not just delta-CRLs. > > >> > >[Denis] > >> > > > >> > >As said later, your paper provides the right answer (on page 1): " > >> A > >> > >delta-CRL is a CRL that only provides information about > >> certificates who > >> > >statuses have changed since the issuance of a specific, previously > >> issued > >> > >CRL". The text says " *a* specific, previously issued CRL", it does > >> NOT say > >> > >"or any, more recently, issued CRL". > You are misinterpreting the quote. The sentence states what information is > provided in a delta-CRL. It does not say anything about how the delta-CRL > can be used. A delta-CRL provides information about certificates whose > statuses have changed since the issuance of a specific, previously issued > CRL. The delta-CRL may, however, be applied to more recently issued CRLs. In the same spirit as you did, I could say that we would need a machine that allows people to travel in the future. However, delta-CRLs cannot be applied to more recently issued CRLs, unless you provide a clear example of how this can be done. > >> > > > >This paper is proposing a method for over-issuing the CRLs. It > >> omits to take > >> > > > >into consideration that in PKIX-1 we mandate the CRL number > >> extension > >> > > > >(section 5.2.3) so we need to advertise the nextUpdate. If you > >> issue a CRL > >> > > > >before the next update you have no more way to know which base > >> CRL is the > >> > > > >freshest CRL. I believe this is a major security weakness and > >> for that > >> > > > >reason this mechanism should be deprecated. > Over-issuing is really out-of-scope for this discussion. However, > over-issuing is merely one way to distribute revocation information more > efficiently. If you issue CRLs once every 4 hours and I issue CRLs once an > hour, but with a nextUpdate time 4 hours in the future, the information > relying parties get from me will be no more stale than the information > they get from you. If there is any "security weakness" it is from the > delay in distributing revocation information, not from over-issuing. Over-issuing of full CRLs provides a guaranty up to (usually less than) the period of validity of the full CRL. A base CRL followed by delta-CRLs provides a guaranty up to the period of validity of the delta CRLs (which is indeed better). If mis-used, over-issuing of full CRLs provides could provide a guaranty *equal* to the period of validity of the full CRL (which is indeed worse). > >> > >[David] Finally, since a CRL issuer may issue "emergency" > >> delta-CRLs, there > >> > >is no guarantee that any delta-CRL whose nextUpdate time is later > >> than the > >> > >current time is the most current delta-CRL. > >> > > > >> > >[Denis] If you issue such "emergency" delta-CRLs then once again > >> there is no > >> > >guarantee that they will ever be seen. The "most recent delta-CRL" > >> is any > >> > >delta CRL which satisfies the following condition : > >> > > > >> > >" A delta-CRL which contains a Delta CRL Indicator equal to the > >> cRLNumber of > >> > >the base CRL and where the validation date (which may be the > >> current time) > >> > >is between thisUpdate and nextUpdate from that delta-CRL;" > This seems to be a semantic problem. There can only be one "most recent > CRL". You seem to want to mandate that people always use the "most recent > CRL", but there is no way guarantee that you have the most recent CRL. See the response above and my response to Tim. > >> > > > >Any other method would first need to be proven to be secure > >> (over-issuing > >> > > > >CRLs and sliding window delta-CRLs have security problems) > >> > >> > >[Denis] There ARE security problems with sliding window delta-CRLs. > >> I have > >> > >descibed at length what the problems are. However, this does not > >> mean that > >> > >this technique cannot be supported as an OPTIO and IF we indicate > >> in the > >> > >text what are their security problems. The current text places the > >> two > >> > >techniques at the same level. The traditional way offers a > >> guarantee while > >> > >the other does not. There is indedd added complexity for building > >> the > >> > >software from the relying party. > You have not described any security problems with sliding window > delta-CRLs. You suggest that sliding window delta-CRLs should not be used > until they have been proven secure. What type of proof are you looking > for? Where are the proofs that CRLs of any type are secure? Where is the > proof that X.509 certificates are secure? Once you provide me with the > proofs that everything else in X.509 is secure, I'll try to find time to > write a similar proof to show that sliding window delta-CRLs are secure. > Until then, any suggestion that sliding window delta-CRLs need to be > proven to be secure before they can be used is nothing but a red herring. No comment. Denis > Dave Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id FAA08791 for <ietf-pkix@imc.org>; Fri, 4 May 2001 05:01:50 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id OAA14588; Fri, 4 May 2001 14:01:42 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id OAA08798; Fri, 4 May 2001 14:01:13 +0200 Message-ID: <3AF29A0D.4FFA89B2@bull.net> Date: Fri, 04 May 2001 14:01:17 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Tim Polk <tim.polk@nist.gov> CC: "David A. Cooper" <david.cooper@nist.gov>, pkix <ietf-pkix@imc.org> Subject: Re: delta-CRLs References: <4.2.0.58.20010503134750.015d0f00@email.nist.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Tim, I think we can solve the main problem you mention rather easily. Several people, including Russ, had difficulties to understand the wording -and the reason- of the following paragraph: Conforming implementations of this specification are not required to implement the above algorithm, but MUST provide functionality equivalent to the external behavior resulting from this procedure. The reason of that paragraph was to say that if you have a different technique to reconstruct the CRL, but if you get the same result, this is equally acceptable. That paragraph was especially there to cover the case you mention. You get the same result if you use a previously locally reconstructed CRL. Now that you know the intent, I would propose to change that paragraph. Taking into account the last proposal from Russ, this would lead to the two following paragraphs: An application can construct an updated CRL, for a specific time T, by retrieving the appropriate base CRL for that scope, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. Applications that support delta CRLs MUST ensure that time T falls between thisUpdate and nextUpdate for both the base CRL and the delta CRL. Note: An application could also reconstruct an updated CRL, for a specific time T, by using a previously locally reconstructed CRL based on a given base CRL, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. I think this closes the issue. People not interrested in the details do not need to look any further down into this e-mail. However, I will nevertheless comment briefly for those interrested in the details the remaining of that e-mail. > Denis, > > You seem to be advocating one *extremely* limited scenario for the use of > delta CRLs. Under your text, deltas may only be used with a specifically > issued base CRLs. That is, the application of delta CRLs to constructed > CRLs seems to be forbidden. We believe this scenario is inefficient and > reduces or cancels completely the benefits of delta CRLs. See the response above. > Simple processing of the CRL number extension can support more efficient > delta CRL processing. These techniques permit an application to store > revocation information in more efficient formats (e.g., a local database) > and apply updates to that information. I do not understand the problems > you have with using the CRL number extension in deltas; the concepts in > son-of-2459 are aligned with the requirements stated in X.509. You have > also deleted important points in the processing of certificate hold, as > those points do not apply in your very limited scenario. > > The current text was very carefully crafted to be correct, complete, and > aligned with the X.509 standard. I believe that the current text is > correct, and should be maintained. I do *not* believe that the current text is correct, and thus it should *not* be maintained. > I will compare the two sets of text, and describe the rationale for the > original text. > > First paragraphs are nearly identical. You have replaced the second > sentence and deleted the last sentence. You replaced: > > Delta CRLs contain updates to revocation information previously > distributed, rather than all the information that would appear in a > complete CRL. > > with: > > A delta-CRL is a CRL that only provides information about > certificates who statuses have changed since the issuance of a > specific, previously issued CRL. > > That change is fine. However, you delete the final sentence: > > Applications which store revocation information in a format other > than the CRL structure can add new revocation information to the > local database without reprocessing information. > > I believe that is appropriate for your text, since the algorithm seems to > *require* reprocessing a base whenever a delta is processed. > Unfortunately, adding new revocation information without reprocessing > information is an important benefit of delta CRLs. I suspect that is why > we disagree so vehemently. We do not. See the explanations on top of this e-mail. > In the second paragraph, you again deleted the last sentence: > > The combination of a CRL containing the delta CRL indicator extension > plus the CRL referenced in the BaseCRLNumber component of this > extension is equivalent to a full CRL, for the applicable scope, at > the time of publication of the delta CRL. > > Why was this text deleted? By deleting this text, you impose unnecessary > limitations on the use of deltas. This seems to force the delta CRL user > to obtain new base CRLs rather than use constructed CRLs. Same. See the explanations on top of this e-mail. > The third paragraph needed to be revised anyway, since it incorporates the > old constraints that full CRLs and deltas be issued together. However, > you deleted all the information regarding the use of the CRL number > extension in delta CRLs. This is important information: > > Current text: > > When a conforming CA issues a delta CRL, the CA MUST also issue a CRL > that is complete for the given scope. Both the delta CRL and the > complete CRL MUST include the CRL number extension (see sec. 5.2.3). > The CRL number extension in the delta CRL and the complete CRL MUST > contain the same value. When a delta CRL is issued, it MUST cover > the same set of reasons and same set of certificates that were > covered by the base CRL it references. > > You deleted all but the last sentence. The CRL number extension is > required in delta CRLs so that future delta CRLs can be applied to the new > constructed base CRL. Certainly there is a CRL number extension in a delta CRL, but this is no need to use it in the "algorithm" to reconstruct the "full" CRL. So there is no need to add any *new* or additioal semantics to it. Your proposal would add such a new semantics. In other words, this new semantics is NOT required. > You have inserted a new paragraph four: > > When a conforming CA issues a delta CRL, the delta CRL MUST include > a critical delta CRL indicator extension. > > I am surprised we missed this one. We should keep this text. :-) > Current text for paragraphs four and five are: > > An application can construct a CRL that is complete for a given > scope, at the current time, in either of the following ways: > > (a) by retrieving the current delta CRL for that scope, and > combining it with an issued CRL that is complete for that scope > and that has a cRLNumber greater than or equal to the cRLNumber of > the base CRL referenced in the delta CRL; or > > (b) by retrieving the current delta CRL for that scope and > combining it with a locally constructed CRL whose cRLNumber is > greater than or equal to the cRLNumber of the base CRL referenced > in the current delta CRL. > > The constructed CRL has the CRL number specified in the CRL number > extension found in the delta CRL used in its construction. > > You've replaced this with: > > An application can construct a CRL that is the most current for > a given scope, for a specific date, by retrieving the appropriate > base CRL for that scope, and combining it with a delta-CRL which > contains a Delta CRL Indicator equal to the cRLNumber of the base > CRL and where the date for which the construction is being made is > between thisUpdate and nextUpdate as indicated the delta CRL. > > First, the CRL that is constructed (in either text) may be complete for a > given scope and time, but there is no way to demonstrate that the > constructed CRL is "the most current". We can never be sure that we > haven't missed an emergency CRL (or delta CRL.) We can only be sure that > we haven't reached the next scheduled CRL publication date. This is exactly where you missed the point. Remember the second sentence of the "algorithm": "Applications that support delta CRLs MUST ensure that time T falls between thisUpdate and nextUpdate for both the base CRL and the delta CRL." With this sentence you can be sure that either you have the latest or you missed it. I can give you further details. If the CA issues a base CRL then, it will issue delta CRLs. Every delta CRL will contain the most recent information. There is no concept of emergency delta CRL. So for relying parties taking advantage of delta CRLs they cannot miss something or they will discover that they indeed missed something. > In addition, you have deleted the semantics of the CRL number extension in > delta CRLs. Certainly. I explained that the right "algorithm" makes use of nextUpdate and thisUpdate and thus does need to care about the numbering of delta CRLs. So no extra semantics is needed. > Instead, you substitute text on nextUpdate and thisUpdate, > which are independent extensions and have been covered elsewhere. They were not covered at all. > You have inserted a new paragraph: > > Conforming implementations of this specification are not required > to implement the above algorithm, but MUST provide functionality > equivalent to the external behavior resulting from this procedure. > > First, I don't really see an algorithm. Second, as Russ has pointed out, > we don't require processing of deltas at all. See the explanations on top of this e-mail. > The current text closes with: > > CAs must ensure that application of a delta CRL to the referenced > base revocation information accurately reflects the current status of > revocation. If a CA supports the certificateHold revocation reason > the following rules must be applied when generating delta CRLs: > > (a) If a certificate was listed as revoked with revocation reason > certificateHold on a CRL (either a delta CRL or a CRL that is > complete for a given scope), whose cRLNumber is n, and the hold is > subsequently released, the certificate must be included in all > delta CRLs issued after the hold is released where the cRLNumber > of the referenced base CRL is less than or equal to n. The > certificate must be listed with revocation reason removeFromCRL > unless the certificate is subsequently revoked again for one of > the revocation reasons covered by the delta CRL, in which case the > certificate must be listed with the revocation reason appropriate > for the subsequent revocation. > > (b) If the certificate was not removed from hold, but was > permanently revoked, then it must be listed on all subsequent > delta CRLs where the cRLNumber of the referenced base CRL is less > than the cRLNumber of the CRL (either a delta CRL or a CRL that is > complete for the given scope) on which the permanent revocation > notice first appeared. > > You replace this with: > > CAs must ensure that application of a delta CRL to the referenced > base revocation information accurately reflects the current status of > revocation. If a CA supports the certificateHold revocation reason > the following rules must be applied when generating delta CRLs: > > (a) If a certificate was listed as revoked with revocation reason > certificateHold on a CRL (either a delta CRL or a CRL that is > complete for a given scope), and the hold is subsequently > released, the certificate must be listed with revocation reason > removeFromCRL until the next base CRL is issued. > > Note: Should the certificate be subsequently revoked again for > one of the revocation reasons covered by the delta CRL, > then the certificate must be listed with the revocation > reason appropriate for the subsequent revocation. > > (b) If the certificate was not removed from hold, but was > permanently revoked, then it must be listed as such on all > subsequent delta CRLs until the next base CRL is issued . > > This text presents the biggest problems of all. The text describes *what* > needs to be listed on *which* delta CRLs. By limiting this text to one > very narrow scenario, you increase the likeliehood that delta CRL issuers > that wish to do something efficient will get it wrong. That will result > in bad information from the relying party. This text has be simply adapted to remove the semantics that existed on the CRL number from delta-CRLs. It describes what a CA does, not what a relying party does. I do not believe that there is the limitation as you mention. If you really think that the text needs to be changed, please make a proposal on it, but without adding any new seamntics to the CRL number. :-) > The current text was very carefully crafted to ensure that it was > consistent with X.509 and supported the general case. I do not see the > need to hamstring delta CRL implementers by limiting support to one > narrowly defined scenario. The revised text has been very carefully crafted to ensure that no new semantics was introduced and that a simple scheme can be implemented so that interoperability can be easily obtained. Denis > Tim Polk Received: from localhost (213.237.12.37.adsl.ynoe.worldonline.dk [213.237.12.37]) by above.proper.com (8.9.3/8.9.3) with SMTP id DAA04405 for <ietf-pkix@imc.org>; Fri, 4 May 2001 03:52:21 -0700 (PDT) Message-Id: <200105041052.DAA04405@above.proper.com> Content-Type: text/html X-Source: web mail X-Form: AdrMsg.html From: Gridcomp <gi2india@icenet.net> To: ietf-pkix@imc.org Date: Fri, 14 Apr 2000 00:07:30 Subject: Reduce your Software Development Cost <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> </HEAD> <body topmargin="0" leftmargin="0" bgcolor="#DDDDDD"> <table border="0" cellPadding="0" cellSpacing="0" height="101" width="100%"> <tbody> <tr> <td bgColor="#dddddd" height="111" width="165"> <p align="center"><a href="http://www.gridcompintl.com"><img border="0" src="http://www.gridcompintl.com/logogrid.gif" width="163" height="101"></a></p> </td> <td bgColor="#dddddd" height="111" width="693"> <p align="right"> <p align="right"><a href="http://www.gridcompintl.com"><img border="0" src="http://www.gridcompintl.com/grid.gif" width="420" height="43"></a> <p align="center"> </p> </td> </tr> <tr> <td bgColor="#264a6f" height="810" vAlign="top" width="165"> <p align="center"> <p align="center"> </p> <p align="center"><br> </p> <p align="center"> </p> <p align="center"> </p> <table border="0" width="100%"> <tr> <td align="center"><b><a href="http://www.gridcompintl.com"><font color="#DDDDDD" face="Verdana" size="2">Is time running out for your software development project?</font> </a></b> <p> </td> </tr> <tr> <td width="100%" align="center"><b><a href="http://www.gridcompintl.com/offshore.htm"><font color="#DDDDDD" face="Verdana" size="2">Are you looking for Off shore project development?</font> </a></b> <p><span style="mso-color-alt: windowtext"><b><font color="#DDDDDD" face="Verdana" size="2"><o:p> </o:p> </font> </b></span></td> </tr> <tr> <td width="100%" align="center"> <p class="MsoCommentText"><b><a href="http://www.gridcompintl.com/offshore.htm"><font color="#DDDDDD" face="Verdana" size="2">Do you have to cut cost?</font></a></b></p> <p class="MsoCommentText"><b><span style="mso-spacerun: yes"><font color="#DDDDDD" face="Verdana" size="2"> </font></span><a href="http://www.gridcompintl.com/offshore.htm"><font color="#DDDDDD" face="Verdana" size="2">But you must continue innovating?</font></a><font color="#DDDDDD" face="Verdana" size="2"> </font></b></p> <p><span style="mso-fareast-font-family: Times New Roman; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"><b><a href="http://www.gridcompintl.com/offshore.htm"><font color="#DDDDDD" face="Verdana" size="2">Must design and develop new products?</font></a></b></span></p> <p> </td> </tr> <tr> <td width="100%" align="center"> </td> </tr> </table> </td> <td bgColor="#dddddd" borderColor="#264a6f" height="810" style="border-top-style: solid; border-bottom-style: solid" width="695"> <img border="0" src="http://www.gridcompintl.com/curve.gif" width="110" height="107"> <table border="0" width="100%"> <tr> <td width="18%"></td> <td width="82%" align="center"><b><font color="#000080" face="Verdana" size="2"><a href="http://www.gridcompintl.com/">Is time running out for your software development project?</a></font> </b></td> </tr> <tr> <td width="18%"></td> <td width="82%" align="center"><b><font color="#000080" face="Verdana" size="2"><a href="http://www.gridcompintl.com/offshore.htm">Are you looking for Off shore project development?</a></font> </b></td> </tr> <tr> <td width="18%"></td> <td width="82%" align="center"><font color="#000080"><b><font color="#000080" face="Verdana" size="2"><a href="http://www.gridcompintl.com/offshore.htm">Do you have to cut cost? </a></font></b></font></td> </tr> <tr> <td width="18%"></td> <td width="82%" align="center"><font color="#000080" face="Verdana" size="2"><b><a href="http://www.gridcompintl.com/offshore.htm">But you must continue innovating? </a></b></font></td> </tr> <tr> <td width="18%"></td> <td width="82%" align="center"><font color="#000080"><span style="mso-fareast-font-family: Times New Roman; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"><font color="#000080" face="Verdana" size="2"><b><a href="http://www.gridcompintl.com/offshore.htm">Must design and develop new products?</a></b></font></span></font></td> </tr> </table> <blockquote> <p style="text-align: justify; "><br> <font face="Verdana" size="2"><b>Gridcomp</b> is on-site consulting and offshore development company. We design, develop, implement and support E-Business Solutions. Practically right from the start of IT boom, software development companies from USA, have used off-shore development company resources from other countries. We created Gridcomp Inc. exactly for the companies interested in <a href="http://www.gridcompintl.com/offshore.htm"> offshore</a> development. We believe in providing high quality yet inexpensive offshore development services with qualified on-site consultants for deployment of technology solutions for our clients in USA, enhancing their competitiveness. </font></p> <p style="text-align: justify; "><font face="Verdana" size="2">Gridcomp is one of the fast growing software services and product Development Company specializing in leading technologies.</font></p> <hr> <p align="Left"><font face="Verdana" size="2"><b> <a href="http://www.gridcompintl.com">Gridcomp International, Inc.</a></b></font></p> <table border="0" width="100%"> <tr> <td width="6%" align="center"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="94%"><b><font face="Verdana" size="2">Enterprise Application Integration</font></b> </td> </tr> <tr> <td width="6%" align="center"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="94%"><font face="Verdana" size="2"><b>Distributed Business Computing </b></font> </td> </tr> <tr> <td width="6%" align="center"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="94%"><font face="Verdana" size="2"><b>Business Intelligence </b></font> </td> </tr> <tr> <td width="6%" align="center"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="94%"><font face="Verdana" size="2"><b>E-Commerce </b></font> </td> </tr> </table> <hr> <p><font face="Verdana" size="2">Why Gridcomp International Inc. is suitable for your software development requirement? </font></p> <p class="MsoNormal" align="justify"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt"> High reliability, High service level, Moderate prices, Wide range of services, Speedy project implementation, High degree of confidentiality, Very simple scheme for customer interaction, Constant working resource availability</span></font></p> <p class="MsoNormal"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt"> For more information visit our web page: <a href="http://www.gridcompintl.com/whyg2.htm"> Click here</a></span></font></p> <table border="0" width="80%"> <tr> <td width="6%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="94%" align="justify"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt"> Our distinctive competence lies in the focused range of services we provide.<o:p> </span></font></td> </tr> <tr> <td width="6%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="94%" align="justify"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt"> We believe that our thrust should be in specific areas where we can add significant value.<o:p> </span></font></td> </tr> <tr> <td width="6%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="94%" align="justify"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt"> We created Gridcomp Inc. exactly for the companies interested in offshore development.<o:p> </span></font></td> </tr> <tr> <td width="6%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="94%" align="justify"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt"> The Gridcomp business model adopts a true software factory approach.<o:p> </span></font></td> </tr> <tr> <td width="6%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="94%" align="justify"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt"> Our pool of on-site consultants is in turn backed by the offshore development center that executes offshore projects and also provides a 24/7 technical support desk. </span></font></td> </tr> <tr> <td width="6%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="94%" align="justify"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt">Our India Development Centers are located at Ahmedabad, India. Gridcomp plans to leverage the Software Park to provide dedicated development centers for clients worldwide. </span></font></td> </tr> </table> <hr> <p><font face="Verdana" size="2" color="#800000"><b><a href="http://www.gridcompintl.com/product.htm"> Our Services are divided into this areas</a></b></font></p> <table border="0" width="80%"> <tr> <td width="30" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="429" colspan="2"><font face="Verdana" size="2"><a href="http://www.gridcompintl.com/offshores.htm"> Off-Shore Software Development </a></font></td> </tr> <tr> <td width="30" align="center" valign="top"></td> <td width="12"> <p align="center"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="411"><font face="Verdana" size="2"><a href="http://www.gridcompintl.com/offshore.htm"> Why Offshore? </a></font></td> </tr> <tr> <td width="30" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="429" colspan="2"><font face="Verdana" size="2"><a href="http://www.gridcompintl.com/consulting.htm"> On-site consulting </a></font></td> </tr> <tr> <td width="30" align="center" valign="top"></td> <td width="12"> <p align="center"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="411"><font face="Verdana" size="2"><a href="http://www.gridcompintl.com/consulting.htm"> Why On-site? </a></font></td> </tr> <tr> <td width="30" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="429" colspan="2"><font face="Verdana" size="2"><a href="http://www.gridcompintl.com/technology.htm"> Technology Solutions</a></font></td> </tr> <tr> <td width="30" align="center" valign="top"></td> <td width="12" align="center"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="413"><font face="Verdana" size="2"> <span style="mso-bidi-font-size: 12.0pt">Enterprise Application Integration </span></font></td> </tr> <tr> <td width="30" align="center" valign="top"></td> <td width="12" align="center"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="413"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt">Mobile Integration Solutions </span></font></td> </tr> <tr> <td width="30" align="center" valign="top"></td> <td width="12" align="center"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="413"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt">CAD / CAM Engineering Solutions </span></font></td> </tr> <tr> <td width="30" align="center" valign="top"></td> <td width="12" align="center"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="413"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt">E-Commerce </span></font></td> </tr> <tr> <td width="30" align="center" valign="top"></td> <td width="12" align="center"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="413"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt">ASIC / FPGA design </span></font></td> </tr> <tr> <td width="30" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="427" colspan="2"><font face="Verdana" size="2"><a href="http://www.gridcompintl.com/technical.htm"> Technology Marketing</a> </font></td> </tr> <tr> <td width="30" align="center" valign="top"></td> <td width="12" align="center"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="413"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 10.0pt">Marketing Collateral Services </span> </font></td> </tr> <tr> <td width="30" align="center" valign="top"></td> <td width="12" align="center"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="413"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 10.0pt"> Preparing marketing presentations Preparing technical presentations</span></font></td> </tr> <tr> <td width="30" align="center" valign="top"></td> <td width="12" align="center"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="413"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt"> Technical Marketing Collateral </span><span style="mso-bidi-font-size: 10.0pt"> Product Training manuals </span> </font></td> </tr> <tr> <td width="30" align="center" valign="top"></td> <td width="12" align="center"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="413"><span style="mso-bidi-font-size: 10.0pt"><font face="Verdana" size="2"> Competitive analysis for products Design</font> </span></td> </tr> <tr> <td width="30" align="center" valign="top"></td> <td width="12" align="center"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="413"><span style="mso-bidi-font-size: 10.0pt"><font face="Verdana" size="2">Development of product demo (Hardware & Software) </font> </span></td> </tr> <tr> <td width="30" align="center" valign="top"></td> <td width="12" align="center"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="413"><span style="mso-bidi-font-size: 10.0pt"><font face="Verdana" size="2"> Technical support</font> </span></td> </tr> <tr> <td width="30" align="center" valign="top"></td> <td width="12" align="center"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="413"><span style="mso-bidi-font-size: 10.0pt"><font face="Verdana" size="2"> Analysis and summary data of customer inquiries</font></span></td> </tr> </table> <hr> <p class="MsoNormal"><b><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt"><font color="#800000"> Strategic advantages of software development in India</font></span></font></b></p> <table border="0" width="80%"> <tr> <td width="7%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="190%"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2">Significant reduction in costs </font> </span></font></td> </tr> <tr> <td width="7%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="190%"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2">Competitive rates for contracting charges that are less than 50% of USA rates! </font></span> </font></td> </tr> <tr> <td width="7%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="190%"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"> No overheads. </font> </span> </font></td> </tr> <tr> <td width="7%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="190%"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"> No general and administrative costs. </font> </span> </font></td> </tr> <tr> <td width="7%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="190%"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"> No space requirements. </font> </span> </font></td> </tr> <tr> <td width="7%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="190%"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"> No facilities costs (such as rent, utilities, maintenance) </font></span></font></td> </tr> <tr> <td width="7%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="190%"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"> No recruiting or human resources costs. </font> </span> </font></td> </tr> <tr> <td width="7%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="190%"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"> Availability of highly educated and skilled professionals </font></span></font></td> </tr> <tr> <td width="7%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="190%"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"> India has the second largest pool of English-speaking technical talent. </font></span> </font></td> </tr> <tr> <td width="7%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="190%"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"> Shortened development time frames. </font> </span> </font></td> </tr> <tr> <td width="7%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="190%"><span style="mso-bidi-font-size: 12.0pt"><font face="Verdana" size="2"> Strong work ethics.</font> </span></td> </tr> <tr> <td width="7%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="190%"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"> Scope for development to take place 24 hours a day because of the different time zones.</font></span></font></td> </tr> <tr> <td width="7%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="190%"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"> Full control over the project being developed in India by keeping in touch with the development team through high-speed communication links. </font></span> </font></td> </tr> <tr> <td width="7%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="190%"><span style="mso-bidi-font-size: 12.0pt"><font face="Verdana" size="2">Easier procedure for movement of hardware and software</font> </span></td> </tr> <tr> <td width="7%" align="center" valign="top"></td> <td width="190%"></td> </tr> </table> <p class="MsoNormal"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt"> For more details log on to our web page: <a href="http://www.gridcompintl.com/benefito.htm"> Click here</a></span></font></p> <hr> <p class="MsoNormal" align="Left"><span style="mso-bidi-font-size: 12.0pt"><b><span style="mso-bidi-font-size: 12.0pt; mso-tab-count: 1"><font face="Verdana" color="#800000" size="2"> Our interaction model are as follows</font></span></b></span></p> <table border="0" width="80%"> <tr> <td width="33%" align="center"><font size="2" face="Verdana"><b><a href="http://www.gridcompintl.com/product.htm#plan"> Via Local Manager </a> </b></font></td> <td width="8%" align="center" rowspan="2"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol"><</span></b></font></td> <td width="9%" align="center" rowspan="2"><font size="2" face="Verdana"><b><font color="#336600">Client</font></b></font></td> <td width="9%" align="center" rowspan="2"><font size="2" face="Verdana"><b><span style="font-size: 8pt; font-family: Symbol">></span></b></font></td> <td width="43%" align="center"><font size="2" face="Verdana"><b><a href="http://www.gridcompintl.com/product.htm#plan">Via Off-shore Manager </a></b></font></td> </tr> <tr> <td width="33%" align="center"><font size="2" face="Verdana"><b>(USA office)</b></font></td> <td width="43%" align="center"><font size="2" face="Verdana"><b> (India Development Center)</b></font></td> </tr> </table> <hr> <p class="MsoNormal" align="Left"><b><font face="Verdana" size="2" color="#800000"><span style="mso-bidi-font-size: 12.0pt"> Goals of our Company</span></font><u><span style="font-size: 8pt; "><o:p></o:p> </span></u></b></p> <p style="text-align: justify; "><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt"> One of the most important goals of our Company is to create the most comfortable conditions for customers. We have developed <a href="http://www.gridcompintl.com/product.htm#plan"> plans</a> that are most convenient for our clients (the details about the customized plans log on our <a href="http://www.gridcompintl.com/product.htm">web-page</a>.</span><span style="color: rgb(38,74,111); "> <br> </span></font></p> <p style="text-align: justify; "><font face="Verdana" size="2"><span style="color: black; ">We offer also a wide selection of planning and budgeting models for our services. The most widely used models are as follows: <a href="http://www.gridcompintl.com/product.htm#Project_based">Project-Based Plan</a> & <a href="http://www.gridcompintl.com/product.htm#Time_based">Time-Based Plan</a>.<o:p></o:p></span></font></p> <p class="MsoNormal" style="MsoNormaltext-align: justify; " align="justify"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt"> Nevertheless, if your company requires other operating rules, we would be glad to oblige.<o:p></o:p></span></font></p> <p class="MsoNormal" style="MsoNormaltext-align: justify; " align="justify"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt"> Our main goal is to make a client's life easier. We solve most of the technical problems internally within our Company, so a client is usually only informed that the project is implemented. When necessary, however, our specialists are ready to supply technical consulting of any depth concerning the project; this approach allows a client to be aware of as many project implementation details.<o:p> </span></font></p> <hr> <p class="MsoNormal" style="tab-stops: 115.0pt" align="Left"><b><font face="Verdana" size="2" color="#800000"><span style="mso-bidi-font-size: 12.0pt">Our Strengths</span></font></b></p> <p class="MsoNormal" style="tab-stops: 115.0pt" align="Left"><font face="Verdana" size="2">Our core competency is software / hardware engineers with these skills: </font></p> <table border="0" width="80%"> <tr> <td width="5%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="95%"><font face="Verdana" size="2">Software programming skills: Java, J2EE, <span style="font-size: 10.0pt; mso-fareast-font-family: Times New Roman; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">Java Beans, EJB, JSP, JINI, XML, WAP, WML, J2ME, UML-Rational Rose,<span style="mso-spacerun: yes"> </span></span>C, C++, VC++, C # and Visual basic.</font></td> </tr> <tr> <td width="5%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="95%"><font size="2" face="Verdana"><span style="mso-spacerun: yes; font-size: 10.0pt; mso-fareast-font-family: Times New Roman; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">Application Servers: </span><span style="font-size: 10.0pt; mso-fareast-font-family: Times New Roman; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"><span style="mso-spacerun: yes">BEA </span>Web Logic, IBM Web Sphere, Sun Java Web server, Apache, Oracle 9i Application Server.</span></font></td> </tr> <tr> <td width="5%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="95%"><font face="Verdana" size="2">Client / Server and Data Base technology CORBA, Oracle, Sybase, SQL server, Power Builder.</font></td> </tr> <tr> <td width="5%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="95%"><font face="Verdana" size="2">Web Based Technology Java, COM, DCOM, Perl, CGI, HTML, XML.</font></td> </tr> <tr> <td width="5%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="95%"><font face="Verdana" size="2">Operating system internals UNIX, Solaris, NT, Windows 95</font></td> </tr> <tr> <td width="5%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="95%"><font face="Verdana" size="2">Network management/administration SNMP, Routers, switches, bridges, DSL, Frame relay, ATM</font></td> </tr> <tr> <td width="5%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="95%"><font face="Verdana" size="2">System administration Unix, NT, Win 2000, Solaris, Linux</font></td> </tr> <tr> <td width="5%" align="center" valign="top"><font face="Verdana"><span style="mso-bidi-font-size: 12.0pt"><font size="2"><b>»</b> </font> </span></font></td> <td width="95%"><font face="Verdana" size="2">Networking / Telecommunication software TCP/IP protocol suite, ISDN, xDSL, ATM, Frame relay, SNMP, LAN, WAN protocols</font></td> </tr> </table> <hr> <p class="MsoNormal" style="tab-stops: 115.0pt" align="Left"><font face="Verdana" size="2"><span style="mso-bidi-font-size: 12.0pt"><font color="#800000"><b> For further information please contact at</b></font></span><span style="color: black; "><o:p> </o:p></span></font></p> <p class="MsoNormal" align="Center"><b><font face="Verdana" size="2" color="#283043"><span style="mso-bidi-font-size: 12.0pt"> </span><span style="color: black; ">706 Colorado Ave, Suite C11, Palo Alto, CA 94303, USA<br> Telephone: +01-650-494-0613 <br> Fax:+01-</span><span style="color: black; " class="emailstyle17">240-</span><span style="color: black; "> 371-0543<o:p></o:p></span></font></b></p> <p class="MsoNormal" align="left"><font face="Verdana" size="2" color="#283043"><b><span style="mso-bidi-font-size: 10.0pt">e-mail:</span><span style="color: black; "><a href="mailto:sales@gridcompintl.com"> sales@gridcompintl.com</a> <br> e-mail: <a href="mailto:support@gridcompintl.com"> support@gridcompintl.com</a></span></b></font></p> </blockquote> <p><img border="0" src="http://www.gridcompintl.com/curve2.gif" width="107" height="110"></p> </td> </tr> </tbody> </table> <p align="center"><b><font face="Verdana" size="2">This is not meant to be an unsolicited email.....<br> Under Bills 1618 Title III passed by the 105th US Congress this mail cannot be considered spam as long as <br> we include contact information and a method to be removed from our mailing list.</font></b></p> <p align="center"><b><font face="Verdana" size="2">If you like an email or list of email address(es) to be removed from the mailing list, <br> please reply to this e-mail with a subject REMOVE and list the email address(es) <br> in the body of your reply message. We will make sure that you do not receive further messages.<br> We sincerely apologize for any inconvenience caused to you.</font></b></p> </BODY> </HTML> Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA11164 for <ietf-pkix@imc.org>; Thu, 3 May 2001 14:39:25 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <KGKQ8LVQ>; Thu, 3 May 2001 17:38:57 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE665@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "Housley, Russ" <rhousley@rsasecurity.com> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Thu, 3 May 2001 17:29:52 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D418.30B6BDC0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D418.30B6BDC0 Content-Type: text/plain; charset="iso-8859-1" Russ: Please comments in-line >Russ: Please note minor word smithing for grammar and for technical >accuracy. The sentences should read as follows. > >"A delta CRL provides an update to a previously issued complete CRL. A >delta CRL only includes entries for certificates that have changed status >since the complete CRL referenced in the delta CRL extension was issued." No problem. [Santosh Says: Per other e-mails, also replace "complete" with "base") >Also a minor technical change to your other sentence: > >"An application can construct an updated CRL by retrieving the appropriate >base CRL for that scope, and combining it with a delta CRL which contains >a delta CRL indicator extension with the same CRL number or lower number >as the base CRL." The most recent X.509 says: the combination of a CRL containing the delta CRL indicator extension plus the CRL referenced in the BaseCRLNumber component of this extension is equivalent to a full CRL, for the applicable scope, at the time of publication of the dCRL. So, the appropriate thing to do seems to be dropping the phrase: An application can construct an updated CRL by combining a base CRL and a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. >Please note that the delta CRL can always be applied to a higher base than >the one referenced in the delta CRL extension. This will result in collisions. The later CRL and delta CRL may both contain the same additions. However, with on-hold, a certificate that was removeFromCRL could be put back on hold. [Santosh Says: The collisions are not a problem. You may need to apply a later CRL because other bases may have been issued and the referenced base may have been deleted from the directory. The basic approach is to apply a delta to a base only of the delta is issued to a base whose thisUpdate is prior to thisUpdate field of the delta. Thus, what you are suggesting regarding hold can never occur. All of these rules are spelled out in Annex B of the X.509] >I also agree with Russ that PKIX need not include the "hold" feature. Cool. Russ ------_=_NextPart_001_01C0D418.30B6BDC0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Russ:</FONT> </P> <P><FONT SIZE=3D2>Please comments in-line</FONT> </P> <BR> <P><FONT SIZE=3D2>>Russ: Please note minor word smithing for grammar = and for technical </FONT> <BR><FONT SIZE=3D2>>accuracy. The sentences should read as = follows.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>"A delta CRL provides an update to a = previously issued complete CRL. A </FONT> <BR><FONT SIZE=3D2>>delta CRL only includes entries for certificates = that have changed status </FONT> <BR><FONT SIZE=3D2>>since the complete CRL referenced in the delta = CRL extension was issued."</FONT> </P> <P><FONT SIZE=3D2>No problem.</FONT> </P> <P><FONT SIZE=3D2>[Santosh Says: Per other e-mails, also replace = "complete" with "base")</FONT> </P> <P><FONT SIZE=3D2>>Also a minor technical change to your other = sentence:</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>>"An application can construct an updated = CRL by retrieving the appropriate </FONT> <BR><FONT SIZE=3D2>>base CRL for that scope, and combining it with a = delta CRL which contains </FONT> <BR><FONT SIZE=3D2>>a delta CRL indicator extension with the same = CRL number or lower number </FONT> <BR><FONT SIZE=3D2>>as the base CRL."</FONT> </P> <P><FONT SIZE=3D2>The most recent X.509 says:</FONT> </P> <P><FONT SIZE=3D2> the combination of a CRL = containing the delta CRL indicator extension</FONT> <BR><FONT SIZE=3D2> plus the CRL referenced in the = BaseCRLNumber component of this</FONT> <BR><FONT SIZE=3D2> extension is equivalent to a full = CRL, for the applicable scope, at the</FONT> <BR><FONT SIZE=3D2> time of publication of the = dCRL.</FONT> </P> <P><FONT SIZE=3D2>So, the appropriate thing to do seems to be dropping = the phrase:</FONT> </P> <P><FONT SIZE=3D2> An application can construct an = updated CRL by combining a base CRL and</FONT> <BR><FONT SIZE=3D2> a delta CRL which contains a = delta CRL indicator extension with the same</FONT> <BR><FONT SIZE=3D2> CRL number as the base = CRL.</FONT> </P> <P><FONT SIZE=3D2>>Please note that the delta CRL can always be = applied to a higher base than </FONT> <BR><FONT SIZE=3D2>>the one referenced in the delta CRL = extension.</FONT> </P> <P><FONT SIZE=3D2>This will result in collisions. The later CRL = and delta CRL may both </FONT> <BR><FONT SIZE=3D2>contain the same additions. However, with = on-hold, a certificate that was </FONT> <BR><FONT SIZE=3D2>removeFromCRL could be put back on hold.</FONT> </P> <P><FONT SIZE=3D2>[Santosh Says: The collisions are not a = problem. You may need to apply a later CRL because other bases = may have been issued and the referenced base may have been deleted from = the directory. The basic approach is to apply a delta to a base = only of the delta is issued to a base whose thisUpdate is prior to = thisUpdate field of the delta. Thus, what you are suggesting = regarding hold can never occur. All of these rules are spelled = out in Annex B of the X.509]</FONT></P> <P><FONT SIZE=3D2>>I also agree with Russ that PKIX need not include = the "hold" feature.</FONT> </P> <P><FONT SIZE=3D2>Cool.</FONT> </P> <P><FONT SIZE=3D2>Russ</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D418.30B6BDC0-- Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA10778 for <ietf-pkix@imc.org>; Thu, 3 May 2001 14:37:27 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id J0AR5FQ7; Thu, 3 May 2001 14:32:08 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Tim Polk" <tim.polk@nist.gov>, "pkix" <ietf-pkix@imc.org> Subject: RE: delta-CRLs Date: Thu, 3 May 2001 14:38:12 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGMEDNCEAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0002_01C0D3DE.AE2DC710" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <4.2.0.58.20010503134750.015d0f00@email.nist.gov> This is a multi-part message in MIME format. ------=_NextPart_000_0002_01C0D3DE.AE2DC710 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Tim, Just to set the record straight, Russ Housley proposed the "new paragraph four" in an email on 4/26. See below. Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation ---------------------------------------------------------------------------- ------------------------------------- Carlin: I would prefer to leave the first sentence alone. I think that it is explanation of delta CRLs. However, I like your point, and suggest the addition of the following paragraph: When a conforming CA issues a delta CRL, the delta CRL MUST include a critical delta CRL indicator extension. Russ -----Original Message----- From: Tim Polk [mailto:tim.polk@nist.gov] Sent: Thursday, May 03, 2001 12:30 PM To: Denis Pinkas; David A. Cooper; pkix Subject: Re: delta-CRLs <snip> You have inserted a new paragraph four: When a conforming CA issues a delta CRL, the delta CRL MUST include a critical delta CRL indicator extension. I am surprised we missed this one. We should keep this text. <snip> ------=_NextPart_000_0002_01C0D3DE.AE2DC710 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content=3D"text/html; charset=3Dus-ascii" = http-equiv=3DContent-Type> <META content=3D"MSHTML 5.00.3103.1000" name=3DGENERATOR></HEAD> <BODY> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630353121-03052001>Tim,</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630353121-03052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D630353121-03052001>Just=20 to set the record straight, Russ Housley proposed the "new paragraph = four"=20 </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D630353121-03052001>in an=20 email on 4/26. See below.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630353121-03052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D630353121-03052001> <P><FONT=20 size=3D2>Regards,<BR><BR>Carlin<BR><BR>____________________________<BR><B= R>- =20 Carlin Covey<BR> Cylink Corporation = </FONT></P></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630353121-03052001></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630353121-03052001>----------------------------------------------= -------------------------------------------------------------------</SPAN= ></FONT><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630353121-03052001></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D630353121-03052001><FONT=20 size=3D2> <BLOCKQUOTE style=3D"MARGIN-RIGHT: 0px"> <BLOCKQUOTE style=3D"MARGIN-RIGHT: 0px"> <P>Carlin:</P> <P>I would prefer to leave the first sentence alone. I think that it = is </P> <P>explanation of delta CRLs. However, I like your point, and = suggest the=20 </P> <P>addition of the following paragraph:</P> <P>When a conforming CA issues a delta CRL, the delta CRL MUST = include a</P> <P>critical delta CRL indicator extension.</P> <P>Russ</P></BLOCKQUOTE></BLOCKQUOTE> <P> </P></FONT></SPAN></FONT></DIV> <BLOCKQUOTE> <DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT = face=3DTahoma><FONT=20 size=3D2>-----Original Message-----<BR><B>From:</B> Tim Polk=20 [mailto:tim.polk@nist.gov]<BR><B>Sent:</B> Thursday, May 03, 2001 = 12:30=20 PM<BR><B>To:</B> Denis Pinkas; David A. Cooper; = pkix<BR><B>Subject:</B> Re:=20 delta-CRLs<BR><BR></FONT></FONT></DIV></BLOCKQUOTE> <DIV><FONT color=3D#0000ff><SPAN class=3D630353121-03052001><FONT = face=3DArial=20 size=3D2> <FONT = face=3DTahoma><snip></FONT></FONT></SPAN></FONT></DIV> <DIV><SPAN class=3D630353121-03052001></SPAN> </DIV> <BLOCKQUOTE style=3D"MARGIN-RIGHT: 0px"> <DIV><SPAN class=3D630353121-03052001><FONT color=3D#0000ff = face=3DArial=20 size=3D2> </FONT></SPAN></DIV> <DIV><SPAN class=3D630353121-03052001> </SPAN>You have inserted a = new=20 paragraph four:<BR></DIV> <DL> <DD>When a conforming CA issues a delta CRL, the delta CRL MUST = include=20 <DD>a critical delta CRL indicator extension.<BR><BR></DD></DL> <DIV>I am surprised we missed this one. We should keep this=20 text.<BR><FONT size=3D2><FONT color=3D#0000ff><FONT face=3DArial><SPAN = = class=3D630353121-03052001> </SPAN></FONT></FONT></FONT></DIV></BLOC= KQUOTE> <DIV><FONT color=3D#0000ff><FONT size=3D2><FONT face=3DArial><SPAN=20 class=3D630353121-03052001> </SPAN><BR><SPAN=20 class=3D630353121-03052001> <snip> </SPAN></FONT></FONT><= /FONT></DIV></BODY></HTML> ------=_NextPart_000_0002_01C0D3DE.AE2DC710-- Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA09632 for <ietf-pkix@imc.org>; Thu, 3 May 2001 14:27:02 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id RAA14280; Thu, 3 May 2001 17:27:03 -0400 (EDT) Message-Id: <4.2.0.58.20010503155218.01769720@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 03 May 2001 17:24:51 -0400 To: "David P. Kemp" <dpkemp@missi.ncsc.mil>, ietf-pkix@imc.org From: Tim Polk <tim.polk@nist.gov> Subject: Re: Basic constraints, key usage, and LDAP schema In-Reply-To: <200105031840.OAA09699@stingray.missi.ncsc.mil> References: <4.2.0.58.20010501160140.0202cb50@email.nist.gov> Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" <html> Dave,<br> <br> My comments are in-line.<br> <br> At 02:37 PM 5/3/01 -0400, David P. Kemp wrote:<br> <blockquote type=cite cite>Tim,<br> <br> Does this mean that if a user wanted to send an S/MIME request<br> for information to a CA, the user agent should look for the CA's<br> email certificate in the cACertificate or crossCertficatePair<br> attribute? Similarly for a CMC certificate signing request<br> encrypted for the CA? And for the TLS server certificate for<br> the CA's web site? And for the signature certificate used to<br> validate the CA's published CPS?</blockquote><br> Yes, that is what it would mean. (Actually, I don't think the TLS server certificate would necessarily have the same name; in that case, it wouldn't be a CA certificate. I would consider that an RA. I'm splitting hairs, though.)<br> <br> When a client needs a CA's public key, it would be advantageous if the client could guess which attribute the certificate might be found in. However, a client has no way to guess the full range of uses for the key used to sign a CRL, or used to sign the published CPS. If the same private key is used to sign certs, the certificate will appear in either the caCertificate attribute, crossCertificatePair attribute, or both. [Note we are already checking two locations!] On the other hand, if this private key is not used to sign certificates the corresponding certificate would have to be stored in the userCertificate attribute. [That is three locations]<br> <br> The client doesn't want a user's public key. It wants a public key associated with a CA for some purpose other than validating a certificate. Why shouldn't it look for a cA certificate?<br> <br> <blockquote type=cite cite>I believe that the original intent of the cA flag in basicConstraints<br> was that it be an indicator that the certificate can be used in<br> path validation, not that it should be set in in every certificate<br> belonging to a CA. With this interpretation, the cA flag is synonymous<br> with, and MUST always have the same value as, the keyCertSign bit whenever<br> both basic constraints and key usage are present in a certificate.</blockquote><br> That may in fact have been the intent. X.509 states <dl> <dd>The <font size=2>cA</font> component indicates if the certified public key may be used to verify certificate signatures. </dl>I wasn't around in those meetings, so I am not sure if this was the *original* intent.<br> <br> However, I think that PKI clients need to be able to confirm that the CPS was signed by a CA, not just some random certificate subject. They need to be able to determine that the entity generating their key management key pair is in fact the CA, not some random certificate subject.<br> <br> I don't know how we convey this information if we don't use the basic constraints extension. Since we have key usage to refine the meaning of basic constraints we should be able to say "the subject is a CA and the public key may be used to [one or more of the following: validate signatures on certificates; validate signatures on CRLs; key encipherment; etc. etc.]"<br> <br> <blockquote type=cite cite>Mandating cA=keyCertSign is a much cleaner solution than expecting<br> clients to reject a path containing a CA's web server certificate<br> which has cA=true and key usage not present. Are you proposing that<br> PKIX-conforming CAs MUST populate a critical key usage extension in all<br> certificates used to sign certificates AND all end-entity certificates<br> belonging to a CA? And that all PKIX-conforming applications MUST reject<br> a path unless a critical key usage extension is present with keyCertSign<br> asserted in every certificate but the last?</blockquote><br> That's pretty much what I'm proposing, although the criticality is a requirement imposed on generation, not processing. PKIX conforming implementations require that basic constraints assert cA=TRUE *OR** the client must have out-of-band information that the subject is a CA for each intermediate certificate (6.1.4.step (k)). If key usage appears, it must assert keyCertSign. The path validation algorithm does not check the criticality of these extensions.<br> <br> <blockquote type=cite cite>I'd heartily agree with that generation requirement, but I don't think<br> the application requirement is practical. And without the application<br> requirement, it would be dangerous to assert the cA flag in CA<br> certificates not intended for use in validating signatures on<br> certificates.</blockquote><br> You are correct, it would be dangerous to assert cA=TRUE without specifying a critical key usage extension. I guess the question is, what would a client do if it encountered an intermediate certificate where basic constraints indicated it was a CA certificate and the key usage extension appeared but keyCertSign was not asserted? <br> <br> On the other hand, the subject is trusted to issue certificates or CRLs anyway. If the subject wants to perform mischief, it can do so with the appropriate key pair. Right?<br> <br> <blockquote type=cite cite>Regards,<br> Dave<br> <br> <br> <br> <br> Tim Polk wrote:<br> > <br> > Folks,<br> > <br> > I have been reading the email messages on the list about the relationships<br> > between basic constraints, key usage, and the schema. After mulling over<br> > the problem. I would like to propose a solution - the only solution, as<br> > far as I can tell...<br> > <br> > The solution is to simplify and separate the semantics of the basic<br> > constraints and key usage extension. This has positive implications for<br> > the PKIX LDAP schema as well.<br> > <br> > Basic Constraints<br> > <br> > As stated in the current text for Basic Constraints (in 2459): "The basic<br> > constraints extension identifies whether the subject of the certificate is<br> > a CA and how deep a certification path may exist through that CA."<br> > <br> > I believe this is the right semantics, and that basic constraints should be<br> > included and cA should be asserted in *any* certificate issued to a CA,<br> > regardless of the type or role associated with the public key in the<br> > certificate.<br> > <br> > Key Usage<br> > <br> > The issuer should use the Key Usage extension to disambiguate the subject's<br> > key pairs:<br> > (a) The issuer indicates this public key may be used to verify the<br> > signature on a public key certificate by asserting keyCertSign. (b) The<br> > issuer indicates this public key may be used to verify the signature on<br> > CRLs by asserting cRLSign. (c) The issuer indicates that this public key<br> > may be used to establish symmetric keys with the subject by asserting<br> > either keyEncipherment or keyAgreement. (d) The issuer indicates that this<br> > public key may be used to verify signatures on objects other than public<br> > key certificates and CRLs by asserting nonRerpuidation or digitalSignature.<br> > <br> > Of course, if a key pair is used for multiple purposes, multiple key usages<br> > may be asserted.<br> > <br> > In each of these cases, the basic constraints extension also appears in the<br> > certificate and asserts that the subject is a CA.<br> > <br> > LDAP Schema<br> > <br> > All certificates issued to CAs would be considered CA certificates since<br> > the basic constraints extension is present and asserts that the subject is<br> > a CA. As a result, each of these could appear in the cACertificate<br> > attribute or crossCertificatePair attribute. They would *not* appear in<br> > the userCertificate attribute. (That would include all types (a) through<br> > (d) above).<br> > <br> > ------------------<br> > <br> > The implications of this strategy are as follows: (1) when a client is<br> > searching for a CA certificate, they will not have to check the<br> > userCertificate attribute; (2) the issuer can indicate that the subject is<br> > a CA regardless of the key usage; and (3) minimal changes to the text (my<br> > favorite!).<br> > <br> > What do you think?<br> > <br> > Thanks,<br> > <br> > Tim Polk</blockquote></html> Received: from mail.funk.com (mail.funk.com [198.186.160.22]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA09568 for <ietf-pkix@imc.org>; Thu, 3 May 2001 14:26:09 -0700 (PDT) Received: by mail.funk.com with Internet Mail Service (5.5.2653.19) id <J9V08ZJQ>; Thu, 3 May 2001 17:27:52 -0400 Message-ID: <2D6D813F2AEBD411BC6C000103C42C9412AAEE@mail.funk.com> From: Aslam <aslam@funk.com> To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: How to get Base and Delta CRLs for a particular end entity certif icate... Date: Thu, 3 May 2001 17:27:43 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Hi, I'm working on CRL stuff, I have a question regarding Delta CRL, in following senario: I get a certificate from somewhere, whose validity I have to check against the CRL mechanism. For this I obtain the CRL Distribution Point extension from the cert and download the CRL from that location, then I check for extension and finds that its a base crl, so every thing work good. Now from where I should get the Delta CRL, if the answer is that these can be obtained fron the same CRL distribution point then if my first is a delta crl then how to get the base crl corresponding to a delta crl. Any help is much more appriciated.. Thanks Aslam Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA04439 for <ietf-pkix@imc.org>; Thu, 3 May 2001 13:27:01 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id QAA20388; Thu, 3 May 2001 16:27:00 -0400 (EDT) Message-Id: <4.2.2.20010503153844.00b0ae40@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Thu, 03 May 2001 16:26:35 -0400 To: Denis Pinkas <Denis.Pinkas@bull.net> From: "David A. Cooper" <david.cooper@nist.gov> Subject: Re: delta-CRLs Cc: ietf-pkix@imc.org In-Reply-To: <4.2.0.58.20010502130121.01755720@email.nist.gov> Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" <html> At 06:05 PM 5/2/01 +0200, Denis Pinkas wrote:<br> <blockquote type=cite cite><blockquote type=cite cite>The current is wrong on two major aspects:<br> <br> a) the numbering of the delta CRLs</blockquote></blockquote><br> Since you claim to want to support "traditional" delta-CRLs, I will quote the text on delta-CRLs from section 12.6.3.3 of X.509 3rd edition (1997):<br> <br> <x-tab> </x-tab>a delta-CRL shall not be issued without a corresponding complete CRL being issued<br> <x-tab> </x-tab>at the same time. The value of the CRL number, as conveyed in the CRL number extension<br> <x-tab> </x-tab>field (if present), shall be identical for both the delta-CRL and the corresponding complete CRL<br> <br> Similar text was included in one of the old proposed draft amendments to the 1997 standard:<br> <br> <x-tab> </x-tab>At reset time, concurrent with publication of a new base CRL is publication of the final<br> <x-tab> </x-tab>delta-CRL for the old base CRL. Both CRLs published concurrently (new base and final<br> <x-tab> </x-tab>delta for old base) shall contain identical values of the <font size=2>cRLNumber</font> extension as well as<br> <x-tab> </x-tab>identical values of <font size=2>thisUpdate</font> time. The values of <font size=2>nextUpdate</font> time will be different in each.<br> <br> Both texts are quite clear that when a complete CRL and a delta-CRL are issued at the same time, and the two CRLs provide the same information, they must have the same cRLnumber. This is because the are effectively two instantiations of the same CRL.<br> <br> Notice also that the requirement is that when a new base is issued, the delta that is issued at the same time provides changes since the previous base. One does not issue an empty delta. If one did, then every relying party would be forced to download every base CRL.<br> <br> <blockquote type=cite cite><blockquote type=cite cite>b) the lack of use of the fields thisUpdate and nextUpdate in the delta-CRLs.</blockquote></blockquote><br> As I stated before, the thisUpdate field specifies the time at which the CRL was issued. There is absolutely no reason to check that the current time is after thisUpdate. We can re-visit this issue, if necessary, once you have built a machine that allows people to travel back in time while simultaneously validating an X.509 certificate. Until then, we can assume that time increases monotonically and that the current time is always after thisUpdate.<br> <br> The nextUpdate field in a delta-CRL has the same meaning an in any other type of CRL, so there is no reason to discuss it here. As I said before, though, one can not say that any CRL whose nextUpdate time has not passed is the most current. There may have been an "emergency" CRL issued since that one was issued. If nextUpdate has passed, then you know the CRL is not the most current. If nextUpdate has not passed, then the CRL MAY be the most current, but there is no way to know for certain.<br> <br> <blockquote type=cite cite><blockquote type=cite cite>> They seem to depart from the traditional<br> > deltas in certain details,<br> <br> They certainly do not.</blockquote></blockquote><br> As I stated above, you state that whenever a base CRL is issued, an empty delta-CRL should be issued at the same time, with the delta-CRL using the concurrently issued base CRL as its base. This is not how traditional delta-CRLs work.<br> <br> <blockquote type=cite cite><blockquote type=cite cite>> but prevent use of sliding window deltas.<br> <br> Maybe. However, if you really want them to be part of this document, then<br> they MUST *not* be mandatory. So the only way would be to add additional<br> text that would explain how this can be done as an option. However I got the<br> fealing that the traditional method may be in some way incompatible with the<br> sliding window deltas, i.e. if the sliding method is chosen by the CRL<br> Issuer relying parties may have difficulties to use the traditional method.<br> But, maybe, you have the right text just ready to explain how this can be<br> done. :-)</blockquote></blockquote><br> When I referred to the "traditional" method in my paper, I was referring to the way delta-CRLs are issued, not how they are processed by relying parties. Notice, however, that the deltaCRLIndicator requires that "[t]he base CRL referenced by a <font size=2>deltaCRLIndicator</font> extension shall be a CRL that is issued as complete for its scope (i.e. it is not itself a dCRL)." If by "relying parties using the traditional method" you mean always applying the delta-CRL to a full CRL whose cRLNumber is equal to the value in BaseCRLNumber, this requirement on the deltaCRLIndicator extension ensures that this can be done no matter how delta-CRLs are issued (traditional method, sliding window, or other). I don't think that anyone ever intended for this to be way that delta-CRLs are processed, but you can do it if you want.<br> <br> Even if delta-CRLs are issued using the "traditional" method, relying parties may choose to maintain a locally generated revocation list which they update which each successive delta-CRL that they download. Remember that RFC 2459 stated:<br> <br> <x-tab> </x-tab>The use of delta-CRLs can significantly improve processing time for applications<br> <x-tab> </x-tab>which store revocation information in a format other than the CRL structure. This<br> <x-tab> </x-tab>allows changes to be added to the local database while ignoring unchanged<br> <x-tab> </x-tab>information that is already in the local database.<br> <br> We should not write text that seems to preclude this option.<br> <br> The text that is in the document now was painstakingly crafted by the ISO Directory group and was carefully profiled by PKIX. The text does not mandate sliding window delta-CRLs, nor does it specify a particular way that relying parties must use delta-CRLs. It provides options to both CRL issuers and relying parties, but does not impose requirements on either. Please do not suggest that we change the text to preclude useful options when doing so would provide no benefits.<br> <br> <blockquote type=cite cite><blockquote type=cite cite>> >[David] A delta-CRL is nearly the same as a full CRL. It has a thisUpdate,<br> > >nextUpdate, cRLNumber, etc. just as a full CRL. It just has an incomplete<br> > >list of revoked certificates.<br> > ><br> > >[Denis] Yes, but you have to explain detail how a relying party will use<br> > >thisUpdate, nextUpdate for a base CRL and thisUpdate, nextUpdate for a delta<br> > >to make sure that in both cases he got the freshest information.</blockquote></blockquote><br> There is no way, using CRLs, to ensure that you have the freshest information. If nextUpdate has passed, then you know that fresher information is available. If nextUpdate has not passed, then you do not know whether you have the freshest information or not. This is true for full CRLs, delta-CRLs, indirect CRLs, and any other type of CRL. If more text is needed to explain the use of the nextUpdate field then it should go in section 5.1.2.5 on the nextUpdate field, since it would apply to all CRLs, not just delta-CRLs.<br> <br> <blockquote type=cite cite><blockquote type=cite cite>> >[Denis]<br> > ><br> > >As said later, your paper provides the right answer (on page 1): " A<br> > >delta-CRL is a CRL that only provides information about certificates who<br> > >statuses have changed since the issuance of a specific, previously issued<br> > >CRL". The text says " *a* specific, previously issued CRL", it does NOT say<br> > >"or any, more recently, issued CRL".</blockquote></blockquote><br> You are misinterpreting the quote. The sentence states what information is provided in a delta-CRL. It does not say anything about how the delta-CRL can be used. A delta-CRL provides information about certificates whose statuses have changed since the issuance of a specific, previously issued CRL. The delta-CRL may, however, be applied to more recently issued CRLs. <br> <br> <br> <blockquote type=cite cite><blockquote type=cite cite>> > > >This paper is proposing a method for over-issuing the CRLs. It omits to take<br> > > > >into consideration that in PKIX-1 we mandate the CRL number extension<br> > > > >(section 5.2.3) so we need to advertise the nextUpdate. If you issue a CRL<br> > > > >before the next update you have no more way to know which base CRL is the<br> > > > >freshest CRL. I believe this is a major security weakness and for that<br> > > > >reason this mechanism should be deprecated.</blockquote></blockquote><br> Over-issuing is really out-of-scope for this discussion. However, over-issuing is merely one way to distribute revocation information more efficiently. If you issue CRLs once every 4 hours and I issue CRLs once an hour, but with a nextUpdate time 4 hours in the future, the information relying parties get from me will be no more stale than the information they get from you. If there is any "security weakness" it is from the delay in distributing revocation information, not from over-issuing.<br> <br> <blockquote type=cite cite><blockquote type=cite cite>> >[David] Finally, since a CRL issuer may issue "emergency" delta-CRLs, there<br> > >is no guarantee that any delta-CRL whose nextUpdate time is later than the<br> > >current time is the most current delta-CRL.<br> > ><br> > >[Denis] If you issue such "emergency" delta-CRLs then once again there is no<br> > >guarantee that they will ever be seen. The "most recent delta-CRL" is any<br> > >delta CRL which satisfies the following condition :<br> > ><br> > >" A delta-CRL which contains a Delta CRL Indicator equal to the cRLNumber of<br> > >the base CRL and where the validation date (which may be the current time)<br> > >is between thisUpdate and nextUpdate from that delta-CRL;"</blockquote></blockquote><br> This seems to be a semantic problem. There can only be one "most recent CRL". You seem to want to mandate that people always use the "most recent CRL", but there is no way guarantee that you have the most recent CRL.<br> <br> <blockquote type=cite cite><blockquote type=cite cite>> > > >Any other method would first need to be proven to be secure (over-issuing<br> > > > >CRLs and sliding window delta-CRLs have security problems) <br> <br> > >[Denis] There ARE security problems with sliding window delta-CRLs. I have<br> > >descibed at length what the problems are. However, this does not mean that<br> > >this technique cannot be supported as an OPTIO and IF we indicate in the<br> > >text what are their security problems. The current text places the two<br> > >techniques at the same level. The traditional way offers a guarantee while<br> > >the other does not. There is indedd added complexity for building the<br> > >software from the relying party.</blockquote></blockquote><br> You have not described any security problems with sliding window delta-CRLs. You suggest that sliding window delta-CRLs should not be used until they have been proven secure. What type of proof are you looking for? Where are the proofs that CRLs of any type are secure? Where is the proof that X.509 certificates are secure? Once you provide me with the proofs that everything else in X.509 is secure, I'll try to find time to write a similar proof to show that sliding window delta-CRLs are secure. Until then, any suggestion that sliding window delta-CRLs need to be proven to be secure before they can be used is nothing but a red herring.<br> <br> Dave<br> <br> <br> </html> Received: from mtiwmhc23.worldnet.att.net (mtiwmhc23.worldnet.att.net [204.127.131.48]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA03380 for <ietf-pkix@imc.org>; Thu, 3 May 2001 13:16:16 -0700 (PDT) From: todd.glassey@att.net Received: from webmail.worldnet.att.net ([204.127.135.41]) by mtiwmhc23.worldnet.att.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with SMTP id <20010503201551.NQTA1837.mtiwmhc23.worldnet.att.net@webmail.worldnet.att.net>; Thu, 3 May 2001 20:15:51 +0000 Received: from [161.215.27.211] by webmail.worldnet.att.net; Thu, 03 May 2001 20:15:50 +0000 To: "Carlin Covey" <ccovey@cylink.com> Cc: "Housley, Russ" <rhousley@rsasecurity.com>, "Denis Pinkas" <Denis.Pinkas@bull.net>, <ietf-pkix@imc.org> Subject: RE: Certificate Hold (was RE: delta CRLs) Date: Thu, 03 May 2001 20:15:50 +0000 X-Mailer: AT&T Message Center Version 1 (May 2 2001) Message-Id: <20010503201551.NQTA1837.mtiwmhc23.worldnet.att.net@webmail.worldnet.att.net> Here again is an instance where the protocol structure starts to invade the domain of the use model. As the hold-over CRL's anyone that wants to use a CRL should be prepared to query the CRL server and to find out when the last update was made. That's just common sense -- Also this should be left up to the App developer since it may change in any number of situations. -- Regards, Todd > Russ and Denis, > > I was somewhat confused about your positions on the "hold" feature. > Having read the email below, I am now REALLY confused. > > Based on context, I interpreted Denis' comment: > "So I am not advocating the addition of on hold now." > to mean > "I have not recently switched my position on 'hold'." > > Denis, is that correct? > > Russ, it appears from your comment: > "Fair reply. And, unless there is a ground swell of > support, I will drop it." > that you have interpreted Denis as meaning > "I have withdrawn my support for 'hold'." > > Russ, is that correct? > > And Russ, I am further confused by "... I will drop it." > > Did you mean that you will add text to prohibit compliant > CA's from issuing delta CRL's that include "hold" and > "removeFromCRL" reason codes or text that will prohibit > this for full CRL's as well as delta-CRLs, or did you > mean something else entirely? > > Regards, > > Carlin > > ____________________________ > > - Carlin Covey > Cylink Corporation > > -----Original Message----- > From: Housley, Russ [mailto:rhousley@rsasecurity.com] > Sent: Thursday, May 03, 2001 10:17 AM > To: Denis Pinkas > Cc: ietf-pkix@imc.org > Subject: Re: delta CRLs > > > Denis: > > > > >5.2.4 Delta CRL Indicator > > > > > > > > The delta CRL indicator is a critical CRL extension that identifies > > > > a CRL as being a delta CRL. A delta-CRL is a CRL that only provides > > > > information about certificates who statuses have changed since the > > > > issuance of a specific, previously issued CRL. The use of delta > > > > > > I do not like the second sentence any better than the original. How > about: > > > > > > A delta CRL provides an updates a previously issued complete CRL. > > > A delta CRL only includes entries for certificates that have changed > > > status since the complete CRL was issued. > > > >This sentence was nearly a copy and paste from a sentence written by David > >Cooper in his paper. I would have no problem to have two short sentences > >instead of a long one. I would however like to make an observation. I have > >been using the term "base CRL" when it is a CRL that is advertised to > >support delta CRLs. I have ben using the term "complete" CRL for a CRL that > >does NOT support delta CRLs. According to this convention, I would change > >"complete" into "base". This would lead to: > > > > A delta CRL provides an updates a previously issued base CRL. > > A delta CRL only includes entries for certificates that have changed > > status since the base CRL was issued. > > Fine. > > > > > CRLs can significantly reduce network load and processing time in > > > > some environments. Delta CRLs are generally much smaller than the > > > > CRLs they update, so applications that obtain delta CRLs consume > > > > less network bandwidth than applications that obtain the > > > > corresponding complete CRLs. > > Did you want to rephrase this to get rid of complete here too? > > > > > The delta CRL indicator extension contains a single value of type > > > > BaseCRLNumber. This value identifies the CRL number of the base > CRL > > > > that was used as the foundation in the generation of this delta > CRL. > > > > The referenced base CRL is a CRL that was explicitly issued as a > CRL > > > > that is complete for a given scope (e.g., a set of revocation > reasons > > > > or a particular distribution point.) The CRL containing the delta > CRL > > > > indicator extension contains all updates to the certificate > > > > revocation status for that same scope. > > > > > > > > When a delta CRL is issued, it MUST cover the same set of reasons > > > > and same set of certificates that were covered by the base CRL it > > > > references. > > > > > > > > When a conforming CA issues a delta CRL, the delta CRL MUST include > > > > a critical delta CRL indicator extension. > > > > > > > > An application can construct a CRL that is the most current for > > > > a given scope, for a specific date, by retrieving the appropriate > > > > base CRL for that scope, and combining it with a delta-CRL which > > > > contains a Delta CRL Indicator equal to the cRLNumber of the base > > > > CRL and where the date for which the construction is being made is > > > > between thisUpdate and nextUpdate as indicated the delta CRL. > > > > > Can we focus on the most common case? How about: > > > > > An application can construct an updated CRL by retrieving the > > > appropriate base CRL for that scope, and combining it with a delta > > > CRL which contains a delta CRL indicator extension with the same > > > CRL number as the base CRL. > > > >This does not work, since the sentence does not speak anymore about the > time > >and thus there is no guaranty that what you get is the "freshest". Remember > >that the extension for advertising delta is (mis-)named freshestCRL ! > >I would have no problem to have two short sentences instead of a long one. > >How about: > > > > An application can construct an updated CRL, for a specific time T, > > by retrieving the appropriate base CRL for that scope, and combining > > it with a delta CRL which contains a delta CRL indicator extension > > with the same CRL number as the base CRL. Time T MUST fall between > > thisUpdate and nextUpdate for both the base CRL and the delta CRL. > > Okay, however, we should say: Applications that support delta CRLs MUST > ensure that time T falls between thisUpdate and nextUpdate for both the > base CRL and the delta CRL. > > > > > Conforming implementations of this specification are not required > > > > to implement the above algorithm, but MUST provide functionality > > > > equivalent to the external behavior resulting from this procedure. > > > > > No. We do not presently require CRL implementation. The paragraph > would > > > seem to change that situation, and require CRL and delta CRL > > > implelmentation. I suggest that the previous paragraph be omitted. > > > >I understand what you mean, but this was not the intent. How about: > > > > Conforming implementations supporting delta-CRLs are not required > > to implement the above algorithm, but MUST provide functionality > > equivalent to the external behavior resulting from this procedure. > > Reading the previous paragraph, I do not think that we need to have this > paragraph at all. The previous paragraph does not actually include an > algorithm. > > > > > CAs must ensure that application of a delta CRL to the referenced > > > > > > Change "CAs must" to "Conforming CAs that support CRLs and delta CRLs > > MUST". > > > >Fine. > > > > > > base revocation information accurately reflects the current status > of > > > > revocation. If a CA supports the certificateHold revocation reason > > > > the following rules must be applied when generating delta CRLs: > > > > > I argued against the inclusion of support for certificate hold in RFC > > > 2459. Your text demonstrates the complexity of supporting this feature. > I > > > am quite concerned that this topic is being raised so late in the > > > process. We are in WG Last Call ... [Denis, you will recall that you > made > > > a similar response to a comment that I made regarding TSP.] > > > >The text was there, it has not been added now. I have only corrected the > >text. So I am not advocating the addition of on hold now. I could reverse > >the argument saying that I am surprised that in WG last call, *you* now > >would like certificate hold to be removed everywhere in the document. > > Fair reply. And, unless there is a ground swell of support, I will drop it. > > >Coming back to the technical arguments only, when "on hold" was introduced > >(many years ago) I originally believed that there could be some problems > >when being used in the context of a non repudiation service. I have not > >been able to find a single case where there would be a problem. > > When trying to determine if a certificate was valid at a particular time T > (in the significant past), an application must recreate the history of > on-hold/off-hold events near time T. > > > > I am still concerned about the significant complexity that certificate > hold > > > adds. It makes non-repudiation even more difficult. Further, I am not > > > convinced that there is really a constituency for this feature. > > > > > > I would be very happy if we changed the profile to say that conforming > CAs > > > MUST NOT use certificateHold. I would be happy if we changed the > profile > > > to say that conforming CAs SHOULD NOT use certificateHold. I would be > quite > > > upset if we require clients to support certificateHold in any manner > other > > > than simply revoked. (Note that section 5.3.2 provides the conformant > > > application the alternative of simply rejecting the certificate.) > > > >This is clearly a much wider topic, that is not solely directed to > >delta-CRLs. So I would request that people interresting to debate along > this > >topic change the title of the thread to someting like: "certificate hold". > > > >As far as I am concerned, until I will see an argument where the use of > hold > >creates more problems than its non-use, I see no reason why we should make > a > >change to the document. > > Fair request. > > Russ > Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA00923 for <ietf-pkix@imc.org>; Thu, 3 May 2001 12:32:03 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id PAA06664; Thu, 3 May 2001 15:32:03 -0400 (EDT) Message-Id: <4.2.0.58.20010503134750.015d0f00@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Thu, 03 May 2001 15:29:56 -0400 To: Denis Pinkas <Denis.Pinkas@bull.net>, "David A. Cooper" <david.cooper@nist.gov>, pkix <ietf-pkix@imc.org> From: Tim Polk <tim.polk@nist.gov> Subject: Re: delta-CRLs In-Reply-To: <3AF01CF6.78789733@bull.net> Mime-Version: 1.0 Content-Type: text/html; charset="us-ascii" <html> Denis,<br> <br> You seem to be advocating one *extremely* limited scenario for the use of delta CRLs. Under your text, deltas may only be used with a specifically issued base CRLs. That is, the application of delta CRLs to constructed CRLs seems to be forbidden. We believe this scenario is inefficient and reduces or cancels completely the benefits of delta CRLs.<br> <br> Simple processing of the CRL number extension can support more efficient delta CRL processing. These techniques permit an application to store revocation information in more efficient formats (e.g., a local database) and apply updates to that information. I do not understand the problems you have with using the CRL number extension in deltas; the concepts in son-of-2459 are aligned with the requirements stated in X.509. You have also deleted important points in the processing of certificate hold, as those points do not apply in your very limited scenario.<br> <br> The current text was very carefully crafted to be correct, complete, and aligned with the X.509 standard. I believe that the current text is correct, and should be maintained.<br> <br> I will compare the two sets of text, and describe the rationale for the original text.<br> <br> First paragraphs are nearly identical. You have replaced the second sentence and deleted the last sentence. You replaced:<br> <dl> <dd>Delta CRLs contain updates to revocation information previously distributed, rather than all the information that would appear in a complete CRL.<br> <br> </dl>with:<br> <dl> <dd>A delta-CRL is a CRL that only provides information about certificates who statuses have changed since the issuance of a specific, previously issued CRL.<br> <br> </dl>That change is fine. However, you delete the final sentence:<br> <dl> <dd>Applications which store revocation information in a format other than the CRL structure can add new revocation information to the local database without reprocessing information.<br> <br> </dl>I believe that is appropriate for your text, since the algorithm seems to *require* reprocessing a base whenever a delta is processed. Unfortunately, adding new revocation information without reprocessing information is an important benefit of delta CRLs. I suspect that is why we disagree so vehemently.<br> <br> In the second paragraph, you again deleted the last sentence:<br> <dl> <dd>The combination of a CRL containing the delta CRL indicator extension plus the CRL referenced in the BaseCRLNumber component of this extension is equivalent to a full CRL, for the applicable scope, at the time of publication of the delta CRL.<br> <br> </dl>Why was this text deleted? By deleting this text, you impose unnecessary limitations on the use of deltas. This seems to force the delta CRL user to obtain new base CRLs rather than use constructed CRLs.<br> <br> The third paragraph needed to be revised anyway, since it incorporates the old constraints that full CRLs and deltas be issued together. However, you deleted all the information regarding the use of the CRL number extension in delta CRLs. This is important information:<br> <br> Current text:<br> <br> When a conforming CA issues a delta CRL, the CA MUST also issue a CRL<br> that is complete for the given scope. Both the delta CRL and the<br> complete CRL MUST include the CRL number extension (see sec. 5.2.3).<br> The CRL number extension in the delta CRL and the complete CRL MUST<br> contain the same value. When a delta CRL is issued, it MUST cover<br> the same set of reasons and same set of certificates that were<br> covered by the base CRL it references.<br> <br> You deleted all but the last sentence. The CRL number extension is required in delta CRLs so that future delta CRLs can be applied to the new constructed base CRL. <br> <br> You have inserted a new paragraph four:<br> <dl> <dd>When a conforming CA issues a delta CRL, the delta CRL MUST include <dd>a critical delta CRL indicator extension.<br> <br> </dl>I am surprised we missed this one. We should keep this text.<br> <br> Current text for paragraphs four and five are:<br> <br> An application can construct a CRL that is complete for a given<br> scope, at the current time, in either of the following ways:<br> <br> (a) by retrieving the current delta CRL for that scope, and<br> combining it with an issued CRL that is complete for that scope<br> and that has a cRLNumber greater than or equal to the cRLNumber of<br> the base CRL referenced in the delta CRL; or<br> <br> (b) by retrieving the current delta CRL for that scope and<br> combining it with a locally constructed CRL whose cRLNumber is<br> greater than or equal to the cRLNumber of the base CRL referenced<br> in the current delta CRL.<br> <br> The constructed CRL has the CRL number specified in the CRL number<br> extension found in the delta CRL used in its construction.<br> <br> You've replaced this with:<br> <dl> <dd>An application can construct a CRL that is the most current for <dd>a given scope, for a specific date, by retrieving the appropriate <dd>base CRL for that scope, and combining it with a delta-CRL which <dd>contains a Delta CRL Indicator equal to the cRLNumber of the base <dd>CRL and where the date for which the construction is being made is <dd>between thisUpdate and nextUpdate as indicated the delta CRL.<br> <br> </dl>First, the CRL that is constructed (in either text) may be complete for a given scope and time, but there is no way to demonstrate that the constructed CRL is "the most current". We can never be sure that we haven't missed an emergency CRL (or delta CRL.) We can only be sure that we haven't reached the next scheduled CRL publication date.<br> <br> In addition, you have deleted the semantics of the CRL number extension in delta CRLs. Instead, you substitute text on nextUpdate and thisUpdate, which are independent extensions and have been covered elsewhere.<br> <br> You have inserted a new paragraph:<br> <br> Conforming implementations of this specification are not required <br> to implement the above algorithm, but MUST provide functionality <br> equivalent to the external behavior resulting from this procedure.<br> <br> First, I don't really see an algorithm. Second, as Russ has pointed out, we don't require processing of deltas at all.<br> <br> The current text closes with:<br> <br> CAs must ensure that application of a delta CRL to the referenced<br> base revocation information accurately reflects the current status of<br> revocation. If a CA supports the certificateHold revocation reason<br> the following rules must be applied when generating delta CRLs:<br> <br> (a) If a certificate was listed as revoked with revocation reason<br> certificateHold on a CRL (either a delta CRL or a CRL that is<br> complete for a given scope), whose cRLNumber is n, and the hold is<br> subsequently released, the certificate must be included in all<br> delta CRLs issued after the hold is released where the cRLNumber<br> of the referenced base CRL is less than or equal to n. The<br> certificate must be listed with revocation reason removeFromCRL<br> unless the certificate is subsequently revoked again for one of<br> the revocation reasons covered by the delta CRL, in which case the<br> certificate must be listed with the revocation reason appropriate<br> for the subsequent revocation.<br> <br> (b) If the certificate was not removed from hold, but was<br> permanently revoked, then it must be listed on all subsequent<br> delta CRLs where the cRLNumber of the referenced base CRL is less<br> than the cRLNumber of the CRL (either a delta CRL or a CRL that is<br> complete for the given scope) on which the permanent revocation<br> notice first appeared.<br> <br> You replace this with:<br> <br> CAs must ensure that application of a delta CRL to the referenced <br> base revocation information accurately reflects the current status of <br> revocation. If a CA supports the certificateHold revocation reason <br> the following rules must be applied when generating delta CRLs:<br> <dl> <dd>(a) If a certificate was listed as revoked with revocation reason <dd>certificateHold on a CRL (either a delta CRL or a CRL that is <dd>complete for a given scope), and the hold is subsequently <dd>released, the certificate must be listed with revocation reason <dd>removeFromCRL until the next base CRL is issued.<br> <br> <dd>Note: Should the certificate be subsequently revoked again for <dd>one of the revocation reasons covered by the delta CRL, <dd>then the certificate must be listed with the revocation <dd>reason appropriate for the subsequent revocation.<br> <br> <dd>(b) If the certificate was not removed from hold, but was <dd>permanently revoked, then it must be listed as such on all <dd>subsequent delta CRLs until the next base CRL is issued .<br> <br> </dl>This text presents the biggest problems of all. The text describes *what* needs to be listed on *which* delta CRLs. By limiting this text to one very narrow scenario, you increase the likeliehood that delta CRL issuers that wish to do something efficient will get it wrong. That will result in bad information fro the relying party.<br> <br> The current text was very carefully crafted to ensure that it was consistent with X.509 and supported the general case. I do not see the need to hamstring delta CRL implementers by limiting support to one narrowly defined scenario.<br> <br> Tim Polk<br> </html> Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA28932 for <ietf-pkix@imc.org>; Thu, 3 May 2001 11:40:35 -0700 (PDT) Received: from stingray.missi.ncsc.mil (root@localhost) by stingray.missi.ncsc.mil with ESMTP id OAA09703 for <ietf-pkix@imc.org>; Thu, 3 May 2001 14:40:07 -0400 (EDT) Message-Id: <200105031840.OAA09699@stingray.missi.ncsc.mil> Sender: dpkemp@stingray.missi.ncsc.mil Date: Thu, 03 May 2001 14:37:54 -0400 From: "David P. Kemp" <dpkemp@missi.ncsc.mil> X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.7 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: ietf-pkix@imc.org Subject: Re: Basic constraints, key usage, and LDAP schema References: <4.2.0.58.20010501160140.0202cb50@email.nist.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Tim, Does this mean that if a user wanted to send an S/MIME request for information to a CA, the user agent should look for the CA's email certificate in the cACertificate or crossCertficatePair attribute? Similarly for a CMC certificate signing request encrypted for the CA? And for the TLS server certificate for the CA's web site? And for the signature certificate used to validate the CA's published CPS? I believe that the original intent of the cA flag in basicConstraints was that it be an indicator that the certificate can be used in path validation, not that it should be set in in every certificate belonging to a CA. With this interpretation, the cA flag is synonymous with, and MUST always have the same value as, the keyCertSign bit whenever both basic constraints and key usage are present in a certificate. Mandating cA=keyCertSign is a much cleaner solution than expecting clients to reject a path containing a CA's web server certificate which has cA=true and key usage not present. Are you proposing that PKIX-conforming CAs MUST populate a critical key usage extension in all certificates used to sign certificates AND all end-entity certificates belonging to a CA? And that all PKIX-conforming applications MUST reject a path unless a critical key usage extension is present with keyCertSign asserted in every certificate but the last? I'd heartily agree with that generation requirement, but I don't think the application requirement is practical. And without the application requirement, it would be dangerous to assert the cA flag in CA certificates not intended for use in validating signatures on certificates. Regards, Dave Tim Polk wrote: > > Folks, > > I have been reading the email messages on the list about the relationships > between basic constraints, key usage, and the schema. After mulling over > the problem. I would like to propose a solution - the only solution, as > far as I can tell... > > The solution is to simplify and separate the semantics of the basic > constraints and key usage extension. This has positive implications for > the PKIX LDAP schema as well. > > Basic Constraints > > As stated in the current text for Basic Constraints (in 2459): "The basic > constraints extension identifies whether the subject of the certificate is > a CA and how deep a certification path may exist through that CA." > > I believe this is the right semantics, and that basic constraints should be > included and cA should be asserted in *any* certificate issued to a CA, > regardless of the type or role associated with the public key in the > certificate. > > Key Usage > > The issuer should use the Key Usage extension to disambiguate the subject's > key pairs: > (a) The issuer indicates this public key may be used to verify the > signature on a public key certificate by asserting keyCertSign. (b) The > issuer indicates this public key may be used to verify the signature on > CRLs by asserting cRLSign. (c) The issuer indicates that this public key > may be used to establish symmetric keys with the subject by asserting > either keyEncipherment or keyAgreement. (d) The issuer indicates that this > public key may be used to verify signatures on objects other than public > key certificates and CRLs by asserting nonRerpuidation or digitalSignature. > > Of course, if a key pair is used for multiple purposes, multiple key usages > may be asserted. > > In each of these cases, the basic constraints extension also appears in the > certificate and asserts that the subject is a CA. > > LDAP Schema > > All certificates issued to CAs would be considered CA certificates since > the basic constraints extension is present and asserts that the subject is > a CA. As a result, each of these could appear in the cACertificate > attribute or crossCertificatePair attribute. They would *not* appear in > the userCertificate attribute. (That would include all types (a) through > (d) above). > > ------------------ > > The implications of this strategy are as follows: (1) when a client is > searching for a CA certificate, they will not have to check the > userCertificate attribute; (2) the issuer can indicate that the subject is > a CA regardless of the key usage; and (3) minimal changes to the text (my > favorite!). > > What do you think? > > Thanks, > > Tim Polk Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id LAA28919 for <ietf-pkix@imc.org>; Thu, 3 May 2001 11:40:33 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 3 May 2001 18:40:23 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id OAA00659 for <ietf-pkix@imc.org>; Thu, 3 May 2001 14:40:35 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8N4G2B>; Thu, 3 May 2001 14:40:34 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (housley-lap.securitydynamics.com [10.100.142.235]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8N4GH9; Thu, 3 May 2001 14:40:30 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010503132613.01d00df0@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 03 May 2001 14:40:25 -0400 Subject: RE: delta CRLs In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE603@scygmxs01.cygnacom. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Santosh: >Russ: Please note minor word smithing for grammar and for technical >accuracy. The sentences should read as follows. > >"A delta CRL provides an update to a previously issued complete CRL. A >delta CRL only includes entries for certificates that have changed status >since the complete CRL referenced in the delta CRL extension was issued." No problem. >Also a minor technical change to your other sentence: > >"An application can construct an updated CRL by retrieving the appropriate >base CRL for that scope, and combining it with a delta CRL which contains >a delta CRL indicator extension with the same CRL number or lower number >as the base CRL." The most recent X.509 says: the combination of a CRL containing the delta CRL indicator extension plus the CRL referenced in the BaseCRLNumber component of this extension is equivalent to a full CRL, for the applicable scope, at the time of publication of the dCRL. So, the appropriate thing to do seems to be dropping the phrase: An application can construct an updated CRL by combining a base CRL and a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. >Please note that the delta CRL can always be applied to a higher base than >the one referenced in the delta CRL extension. This will result in collisions. The later CRL and delta CRL may both contain the same additions. However, with on-hold, a certificate that was removeFromCRL could be put back on hold. >I also agree with Russ that PKIX need not include the "hold" feature. Cool. Russ Received: from exchange.cylink.com (exchange.cylink.com [192.43.161.25]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA25623 for <ietf-pkix@imc.org>; Thu, 3 May 2001 10:44:56 -0700 (PDT) Received: from COVEY (cpe-24-221-22-222.az.sprintbbd.net [24.221.22.222]) by exchange.cylink.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id J0AR5145; Thu, 3 May 2001 10:39:05 -0700 From: "Carlin Covey" <ccovey@cylink.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, "Denis Pinkas" <Denis.Pinkas@bull.net> Cc: <ietf-pkix@imc.org> Subject: RE: Certificate Hold (was RE: delta CRLs) Date: Thu, 3 May 2001 10:44:10 -0700 Message-ID: <FLEELNBJKAIIGDJJKPDGIEDLCEAA.ccovey@cylink.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <5.0.1.4.2.20010503123633.01ca5338@exna07.securitydynamics.com> Russ and Denis, I was somewhat confused about your positions on the "hold" feature. Having read the email below, I am now REALLY confused. Based on context, I interpreted Denis' comment: "So I am not advocating the addition of on hold now." to mean "I have not recently switched my position on 'hold'." Denis, is that correct? Russ, it appears from your comment: "Fair reply. And, unless there is a ground swell of support, I will drop it." that you have interpreted Denis as meaning "I have withdrawn my support for 'hold'." Russ, is that correct? And Russ, I am further confused by "... I will drop it." Did you mean that you will add text to prohibit compliant CA's from issuing delta CRL's that include "hold" and "removeFromCRL" reason codes or text that will prohibit this for full CRL's as well as delta-CRLs, or did you mean something else entirely? Regards, Carlin ____________________________ - Carlin Covey Cylink Corporation -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Thursday, May 03, 2001 10:17 AM To: Denis Pinkas Cc: ietf-pkix@imc.org Subject: Re: delta CRLs Denis: > > >5.2.4 Delta CRL Indicator > > > > > > The delta CRL indicator is a critical CRL extension that identifies > > > a CRL as being a delta CRL. A delta-CRL is a CRL that only provides > > > information about certificates who statuses have changed since the > > > issuance of a specific, previously issued CRL. The use of delta > > > > I do not like the second sentence any better than the original. How about: > > > > A delta CRL provides an updates a previously issued complete CRL. > > A delta CRL only includes entries for certificates that have changed > > status since the complete CRL was issued. > >This sentence was nearly a copy and paste from a sentence written by David >Cooper in his paper. I would have no problem to have two short sentences >instead of a long one. I would however like to make an observation. I have >been using the term "base CRL" when it is a CRL that is advertised to >support delta CRLs. I have ben using the term "complete" CRL for a CRL that >does NOT support delta CRLs. According to this convention, I would change >"complete" into "base". This would lead to: > > A delta CRL provides an updates a previously issued base CRL. > A delta CRL only includes entries for certificates that have changed > status since the base CRL was issued. Fine. > > > CRLs can significantly reduce network load and processing time in > > > some environments. Delta CRLs are generally much smaller than the > > > CRLs they update, so applications that obtain delta CRLs consume > > > less network bandwidth than applications that obtain the > > > corresponding complete CRLs. Did you want to rephrase this to get rid of complete here too? > > > The delta CRL indicator extension contains a single value of type > > > BaseCRLNumber. This value identifies the CRL number of the base CRL > > > that was used as the foundation in the generation of this delta CRL. > > > The referenced base CRL is a CRL that was explicitly issued as a CRL > > > that is complete for a given scope (e.g., a set of revocation reasons > > > or a particular distribution point.) The CRL containing the delta CRL > > > indicator extension contains all updates to the certificate > > > revocation status for that same scope. > > > > > > When a delta CRL is issued, it MUST cover the same set of reasons > > > and same set of certificates that were covered by the base CRL it > > > references. > > > > > > When a conforming CA issues a delta CRL, the delta CRL MUST include > > > a critical delta CRL indicator extension. > > > > > > An application can construct a CRL that is the most current for > > > a given scope, for a specific date, by retrieving the appropriate > > > base CRL for that scope, and combining it with a delta-CRL which > > > contains a Delta CRL Indicator equal to the cRLNumber of the base > > > CRL and where the date for which the construction is being made is > > > between thisUpdate and nextUpdate as indicated the delta CRL. > > > Can we focus on the most common case? How about: > > > An application can construct an updated CRL by retrieving the > > appropriate base CRL for that scope, and combining it with a delta > > CRL which contains a delta CRL indicator extension with the same > > CRL number as the base CRL. > >This does not work, since the sentence does not speak anymore about the time >and thus there is no guaranty that what you get is the "freshest". Remember >that the extension for advertising delta is (mis-)named freshestCRL ! >I would have no problem to have two short sentences instead of a long one. >How about: > > An application can construct an updated CRL, for a specific time T, > by retrieving the appropriate base CRL for that scope, and combining > it with a delta CRL which contains a delta CRL indicator extension > with the same CRL number as the base CRL. Time T MUST fall between > thisUpdate and nextUpdate for both the base CRL and the delta CRL. Okay, however, we should say: Applications that support delta CRLs MUST ensure that time T falls between thisUpdate and nextUpdate for both the base CRL and the delta CRL. > > > Conforming implementations of this specification are not required > > > to implement the above algorithm, but MUST provide functionality > > > equivalent to the external behavior resulting from this procedure. > > > No. We do not presently require CRL implementation. The paragraph would > > seem to change that situation, and require CRL and delta CRL > > implelmentation. I suggest that the previous paragraph be omitted. > >I understand what you mean, but this was not the intent. How about: > > Conforming implementations supporting delta-CRLs are not required > to implement the above algorithm, but MUST provide functionality > equivalent to the external behavior resulting from this procedure. Reading the previous paragraph, I do not think that we need to have this paragraph at all. The previous paragraph does not actually include an algorithm. > > > CAs must ensure that application of a delta CRL to the referenced > > > > Change "CAs must" to "Conforming CAs that support CRLs and delta CRLs > MUST". > >Fine. > > > > base revocation information accurately reflects the current status of > > > revocation. If a CA supports the certificateHold revocation reason > > > the following rules must be applied when generating delta CRLs: > > > I argued against the inclusion of support for certificate hold in RFC > > 2459. Your text demonstrates the complexity of supporting this feature. I > > am quite concerned that this topic is being raised so late in the > > process. We are in WG Last Call ... [Denis, you will recall that you made > > a similar response to a comment that I made regarding TSP.] > >The text was there, it has not been added now. I have only corrected the >text. So I am not advocating the addition of on hold now. I could reverse >the argument saying that I am surprised that in WG last call, *you* now >would like certificate hold to be removed everywhere in the document. Fair reply. And, unless there is a ground swell of support, I will drop it. >Coming back to the technical arguments only, when "on hold" was introduced >(many years ago) I originally believed that there could be some problems >when being used in the context of a non repudiation service. I have not >been able to find a single case where there would be a problem. When trying to determine if a certificate was valid at a particular time T (in the significant past), an application must recreate the history of on-hold/off-hold events near time T. > > I am still concerned about the significant complexity that certificate hold > > adds. It makes non-repudiation even more difficult. Further, I am not > > convinced that there is really a constituency for this feature. > > > > I would be very happy if we changed the profile to say that conforming CAs > > MUST NOT use certificateHold. I would be happy if we changed the profile > > to say that conforming CAs SHOULD NOT use certificateHold. I would be quite > > upset if we require clients to support certificateHold in any manner other > > than simply revoked. (Note that section 5.3.2 provides the conformant > > application the alternative of simply rejecting the certificate.) > >This is clearly a much wider topic, that is not solely directed to >delta-CRLs. So I would request that people interresting to debate along this >topic change the title of the thread to someting like: "certificate hold". > >As far as I am concerned, until I will see an argument where the use of hold >creates more problems than its non-use, I see no reason why we should make a >change to the document. Fair request. Russ Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id KAA23390 for <ietf-pkix@imc.org>; Thu, 3 May 2001 10:17:25 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 3 May 2001 17:17:15 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id NAA23482 for <ietf-pkix@imc.org>; Thu, 3 May 2001 13:17:27 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8N41XP>; Thu, 3 May 2001 13:17:26 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (housley-lap.securitydynamics.com [10.100.142.235]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8N41X2; Thu, 3 May 2001 13:17:19 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Denis Pinkas <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010503123633.01ca5338@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Thu, 03 May 2001 13:17:08 -0400 Subject: Re: delta CRLs In-Reply-To: <3AF16202.AF399E78@bull.net> References: <5.0.1.4.2.20010502204050.00b1ced0@exna07.securitydynamics.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Denis: > > >5.2.4 Delta CRL Indicator > > > > > > The delta CRL indicator is a critical CRL extension that identifies > > > a CRL as being a delta CRL. A delta-CRL is a CRL that only provides > > > information about certificates who statuses have changed since the > > > issuance of a specific, previously issued CRL. The use of delta > > > > I do not like the second sentence any better than the original. How about: > > > > A delta CRL provides an updates a previously issued complete CRL. > > A delta CRL only includes entries for certificates that have changed > > status since the complete CRL was issued. > >This sentence was nearly a copy and paste from a sentence written by David >Cooper in his paper. I would have no problem to have two short sentences >instead of a long one. I would however like to make an observation. I have >been using the term "base CRL" when it is a CRL that is advertised to >support delta CRLs. I have ben using the term "complete" CRL for a CRL that >does NOT support delta CRLs. According to this convention, I would change >"complete" into "base". This would lead to: > > A delta CRL provides an updates a previously issued base CRL. > A delta CRL only includes entries for certificates that have changed > status since the base CRL was issued. Fine. > > > CRLs can significantly reduce network load and processing time in > > > some environments. Delta CRLs are generally much smaller than the > > > CRLs they update, so applications that obtain delta CRLs consume > > > less network bandwidth than applications that obtain the > > > corresponding complete CRLs. Did you want to rephrase this to get rid of complete here too? > > > The delta CRL indicator extension contains a single value of type > > > BaseCRLNumber. This value identifies the CRL number of the base CRL > > > that was used as the foundation in the generation of this delta CRL. > > > The referenced base CRL is a CRL that was explicitly issued as a CRL > > > that is complete for a given scope (e.g., a set of revocation reasons > > > or a particular distribution point.) The CRL containing the delta CRL > > > indicator extension contains all updates to the certificate > > > revocation status for that same scope. > > > > > > When a delta CRL is issued, it MUST cover the same set of reasons > > > and same set of certificates that were covered by the base CRL it > > > references. > > > > > > When a conforming CA issues a delta CRL, the delta CRL MUST include > > > a critical delta CRL indicator extension. > > > > > > An application can construct a CRL that is the most current for > > > a given scope, for a specific date, by retrieving the appropriate > > > base CRL for that scope, and combining it with a delta-CRL which > > > contains a Delta CRL Indicator equal to the cRLNumber of the base > > > CRL and where the date for which the construction is being made is > > > between thisUpdate and nextUpdate as indicated the delta CRL. > > > Can we focus on the most common case? How about: > > > An application can construct an updated CRL by retrieving the > > appropriate base CRL for that scope, and combining it with a delta > > CRL which contains a delta CRL indicator extension with the same > > CRL number as the base CRL. > >This does not work, since the sentence does not speak anymore about the time >and thus there is no guaranty that what you get is the "freshest". Remember >that the extension for advertising delta is (mis-)named freshestCRL ! >I would have no problem to have two short sentences instead of a long one. >How about: > > An application can construct an updated CRL, for a specific time T, > by retrieving the appropriate base CRL for that scope, and combining > it with a delta CRL which contains a delta CRL indicator extension > with the same CRL number as the base CRL. Time T MUST fall between > thisUpdate and nextUpdate for both the base CRL and the delta CRL. Okay, however, we should say: Applications that support delta CRLs MUST ensure that time T falls between thisUpdate and nextUpdate for both the base CRL and the delta CRL. > > > Conforming implementations of this specification are not required > > > to implement the above algorithm, but MUST provide functionality > > > equivalent to the external behavior resulting from this procedure. > > > No. We do not presently require CRL implementation. The paragraph would > > seem to change that situation, and require CRL and delta CRL > > implelmentation. I suggest that the previous paragraph be omitted. > >I understand what you mean, but this was not the intent. How about: > > Conforming implementations supporting delta-CRLs are not required > to implement the above algorithm, but MUST provide functionality > equivalent to the external behavior resulting from this procedure. Reading the previous paragraph, I do not think that we need to have this paragraph at all. The previous paragraph does not actually include an algorithm. > > > CAs must ensure that application of a delta CRL to the referenced > > > > Change "CAs must" to "Conforming CAs that support CRLs and delta CRLs > MUST". > >Fine. > > > > base revocation information accurately reflects the current status of > > > revocation. If a CA supports the certificateHold revocation reason > > > the following rules must be applied when generating delta CRLs: > > > I argued against the inclusion of support for certificate hold in RFC > > 2459. Your text demonstrates the complexity of supporting this feature. I > > am quite concerned that this topic is being raised so late in the > > process. We are in WG Last Call ... [Denis, you will recall that you made > > a similar response to a comment that I made regarding TSP.] > >The text was there, it has not been added now. I have only corrected the >text. So I am not advocating the addition of on hold now. I could reverse >the argument saying that I am surprised that in WG last call, *you* now >would like certificate hold to be removed everywhere in the document. Fair reply. And, unless there is a ground swell of support, I will drop it. >Coming back to the technical arguments only, when "on hold" was introduced >(many years ago) I originally believed that there could be some problems >when being used in the context of a non repudiation service. I have not >been able to find a single case where there would be a problem. When trying to determine if a certificate was valid at a particular time T (in the significant past), an application must recreate the history of on-hold/off-hold events near time T. > > I am still concerned about the significant complexity that certificate hold > > adds. It makes non-repudiation even more difficult. Further, I am not > > convinced that there is really a constituency for this feature. > > > > I would be very happy if we changed the profile to say that conforming CAs > > MUST NOT use certificateHold. I would be happy if we changed the profile > > to say that conforming CAs SHOULD NOT use certificateHold. I would be quite > > upset if we require clients to support certificateHold in any manner other > > than simply revoked. (Note that section 5.3.2 provides the conformant > > application the alternative of simply rejecting the certificate.) > >This is clearly a much wider topic, that is not solely directed to >delta-CRLs. So I would request that people interresting to debate along this >topic change the title of the thread to someting like: "certificate hold". > >As far as I am concerned, until I will see an argument where the use of hold >creates more problems than its non-use, I see no reason why we should make a >change to the document. Fair request. Russ Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA21754 for <ietf-pkix@imc.org>; Thu, 3 May 2001 09:59:23 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <KGKQ8G82>; Thu, 3 May 2001 12:58:51 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE630@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Denis Pinkas <Denis.Pinkas@bull.net>, Santosh Chokhani <chokhani@cygnacom.com> Cc: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: RE: delta CRLs Date: Thu, 3 May 2001 12:49:48 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D3F1.104FD3E0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D3F1.104FD3E0 Content-Type: text/plain; charset="iso-8859-1" Please see comments in-line. -----Original Message----- From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] Sent: Thursday, May 03, 2001 10:49 AM To: Santosh Chokhani Cc: Housley, Russ; ietf-pkix@imc.org Subject: Re: delta CRLs Santosh, Mails are crossing around, and are not necessarilly received in the same order. :-) You indicated "Also a minor technical change to your other sentence" in your response to Russ: "An application can construct an updated CRL by retrieving the appropriate base CRL for that scope, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number or lower number as the base CRL." What is a "delta CRL which contains a delta CRL indicator extension with (...) lower number as the base CRL." If you pick this delta CRL then it is missing some of the information. Unless you speak of the time T and compare it with thisUpdate and nextUpdate this does not work. [Santosh says: Denis, the language is a bit awkward. Let us take an example, a delta is issued reference base 20, i.e., delta CRL indicator = 20. Now, let us say base 21 and 22 are also issued prior to delta. You may be able to use any one of the three bases: 20, 21, and 22 in conjunction with the delta to create a "current" revocation picture at the relying party.] You also said: " Please note that the delta CRL can always be applied to a higher base than the one referenced in the delta CRL extension." You now say "higher" in that sentence. This is even more confusing. [Santosh Says: That is because in one case I am saying that you can use any base with a delta referencing lower base. In the other case I am saying that a delta or referenced or higher base together can be used. I WANTED TO MAKE LEAST AMOUNT TO CHANGES TO RUSS'S ORIGINAL SENTENCE.] Please take note that the intent is to describe what is necessary to support the "traditional scheme" and I got the feeling that you would like this sentence to support a different scheme. On April 19, David Cooper provided some explanations making some confusing between the numering of delta-CRLs and the numbering of base CRLs. Thay have no relationships besides that the numbers should always increase. If I just re-use the text from David, then you get the effect he wanted without the need to take advantage of any new sequential numbering. Here is the corrected text: " Suppose that delta-CRLs are issued once an hour. For example, suppose that a base CRL, CRL number 5, was issued at midnight and that every hour for the next 24 hours, delta-CRLs were issued with a BaseCRLNumber of 5. If a relying party performs its first validation at 3:10am, it would the base CRL issued at midnight and the delta-CRL issued at 3:00am (e.g. CRL number 28). It would combine these to construct the freshest CRL. A few hours later, at 6:30am, the relying party performs another validation. The relying party has, in its local cache, the CRL which it constructed at 3:10am. It wants to update the information in its local case to based on the newly available revocation information. So, it obtains the latest delta-CRL. This delta-CRL has a CRL number of 42 and a BaseCRLnumber of 5. Since it has a BaseCRLNumber of 5, the delta-CRL provides status information for all certificates whose status has changed since CRL number 5 was issued (midnight). So, clearly the delta-CRL provides status information for all certificates whose status has changed since 3:00am when CRL number 28 was issued. Thus, the relying party can combine the delta-CRL with its locally cached version of the CRL which it constructed at 3:10am to obtain the freshest CRL." So the addition you were proposing is not adequate. If we were going to support variations beyond the traditional scheme, this should be in a separate sentence. Regards, Denis ------_=_NextPart_001_01C0D3F1.104FD3E0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Please see comments in-line.</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Denis Pinkas [<A = HREF=3D"mailto:Denis.Pinkas@bull.net">mailto:Denis.Pinkas@bull.net</A>]<= /FONT> <BR><FONT SIZE=3D2>Sent: Thursday, May 03, 2001 10:49 AM</FONT> <BR><FONT SIZE=3D2>To: Santosh Chokhani</FONT> <BR><FONT SIZE=3D2>Cc: Housley, Russ; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Re: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>Santosh,</FONT> </P> <P><FONT SIZE=3D2>Mails are crossing around, and are not necessarilly = received in the same</FONT> <BR><FONT SIZE=3D2>order. :-)</FONT> </P> <P><FONT SIZE=3D2>You indicated "Also a minor technical change to = your other sentence" in your</FONT> <BR><FONT SIZE=3D2>response to Russ:</FONT> </P> <P><FONT SIZE=3D2> "An application can construct an updated = CRL by retrieving the appropriate</FONT> <BR><FONT SIZE=3D2> base CRL for that scope, and combining it with = a delta CRL which contains</FONT> <BR><FONT SIZE=3D2> a delta CRL indicator extension with the same = CRL number or lower number</FONT> <BR><FONT SIZE=3D2> as the base CRL."</FONT> </P> <P><FONT SIZE=3D2>What is a "delta CRL which contains a delta CRL = indicator extension with</FONT> <BR><FONT SIZE=3D2>(...) lower number as the base CRL." If you = pick this delta CRL then it is</FONT> <BR><FONT SIZE=3D2>missing some of the information. Unless you speak of = the time T and compare</FONT> <BR><FONT SIZE=3D2>it with thisUpdate and nextUpdate this does not = work.</FONT> </P> <P><FONT SIZE=3D2>[Santosh says: Denis, the language is a bit = awkward. Let us take an example, a delta is issued reference base = 20, i.e., delta CRL indicator =3D 20. Now, let us say base 21 and = 22 are also issued prior to delta. You may be able to use any one = of the three bases: 20, 21, and 22 in conjunction with the delta to = create a "current" revocation picture at the relying = party.]</FONT></P> <P><FONT SIZE=3D2>You also said: " Please note that the delta CRL = can always be applied to a</FONT> <BR><FONT SIZE=3D2>higher base than the one referenced in the delta CRL = extension."</FONT> </P> <P><FONT SIZE=3D2>You now say "higher" in that sentence. This = is even more confusing.</FONT> </P> <P><FONT SIZE=3D2>[Santosh Says: That is because in one case I am = saying that you can use any base with a delta referencing lower = base. In the other case I am saying that a delta or referenced or = higher base together can be used. I WANTED TO MAKE LEAST AMOUNT = TO CHANGES TO RUSS'S ORIGINAL SENTENCE.]</FONT></P> <P><FONT SIZE=3D2>Please take note that the intent is to describe what = is necessary to support</FONT> <BR><FONT SIZE=3D2>the "traditional scheme" and I got the = feeling that you would like this</FONT> <BR><FONT SIZE=3D2>sentence to support a different scheme. On April 19, = David Cooper provided</FONT> <BR><FONT SIZE=3D2>some explanations making some confusing between the = numering of delta-CRLs</FONT> <BR><FONT SIZE=3D2>and the numbering of base CRLs. Thay have no = relationships besides that the</FONT> <BR><FONT SIZE=3D2>numbers should always increase.</FONT> </P> <P><FONT SIZE=3D2>If I just re-use the text from David, then you get = the effect he wanted</FONT> <BR><FONT SIZE=3D2>without the need to take advantage of any new = sequential numbering. Here is</FONT> <BR><FONT SIZE=3D2>the corrected text:</FONT> </P> <P><FONT SIZE=3D2>" Suppose that delta-CRLs are issued once an = hour. For example, suppose that</FONT> <BR><FONT SIZE=3D2>a base CRL, CRL number 5, was issued at midnight and = that every hour for the</FONT> <BR><FONT SIZE=3D2>next 24 hours, delta-CRLs were issued with a = BaseCRLNumber of 5. If a</FONT> <BR><FONT SIZE=3D2>relying party performs its first validation at = 3:10am, it would the base CRL</FONT> <BR><FONT SIZE=3D2>issued at midnight and the delta-CRL issued at = 3:00am (e.g. CRL number 28).</FONT> <BR><FONT SIZE=3D2>It would combine these to construct the freshest = CRL.</FONT> </P> <P><FONT SIZE=3D2>A few hours later, at 6:30am, the relying party = performs another validation.</FONT> <BR><FONT SIZE=3D2>The relying party has, in its local cache, the CRL = which it constructed at</FONT> <BR><FONT SIZE=3D2>3:10am. It wants to update the information in its = local case to based on the</FONT> <BR><FONT SIZE=3D2>newly available revocation information. So, it = obtains the latest delta-CRL.</FONT> <BR><FONT SIZE=3D2>This delta-CRL has a CRL number of 42 and a = BaseCRLnumber of 5. Since</FONT> <BR><FONT SIZE=3D2>it has a BaseCRLNumber of 5, the delta-CRL provides = status information for</FONT> <BR><FONT SIZE=3D2>all certificates whose status has changed since CRL = number 5 was issued</FONT> <BR><FONT SIZE=3D2>(midnight). So, clearly the delta-CRL provides = status information for all</FONT> <BR><FONT SIZE=3D2>certificates whose status has changed since 3:00am = when CRL number 28 was</FONT> <BR><FONT SIZE=3D2>issued. Thus, the relying party can combine the = delta-CRL with its locally</FONT> <BR><FONT SIZE=3D2>cached version of the CRL which it constructed at = 3:10am to obtain the</FONT> <BR><FONT SIZE=3D2>freshest CRL."</FONT> </P> <P><FONT SIZE=3D2>So the addition you were proposing is not adequate. = If we were going to</FONT> <BR><FONT SIZE=3D2>support variations beyond the traditional scheme, = this should be in a</FONT> <BR><FONT SIZE=3D2>separate sentence.</FONT> </P> <P><FONT SIZE=3D2>Regards,</FONT> </P> <P><FONT SIZE=3D2>Denis</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D3F1.104FD3E0-- Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA21717 for <ietf-pkix@imc.org>; Thu, 3 May 2001 09:59:14 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <J432Y23T>; Thu, 3 May 2001 12:58:44 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA4021@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: Santosh Chokhani <chokhani@cygnacom.com>, "'Tom Gindin'" <tgindin@us.ibm.com> Cc: "'Tim Polk'" <tim.polk@nist.gov>, "'Denis Pinkas'" <Denis.Pinkas@bull.net>, "'ietf-pkix@imc.org'" <ietf-pkix@imc.org> Subject: RE: Basic constraints, key usage, and LDAP schema Date: Thu, 3 May 2001 12:52:30 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D3F1.710ED370" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D3F1.710ED370 Content-Type: text/plain; charset="iso-8859-1" Thanks, I understand now. -----Original Message----- From: Santosh Chokhani Sent: Thursday, May 03, 2001 12:32 PM To: Sharon Boeyen; 'Tom Gindin' Cc: 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org Subject: RE: Basic constraints, key usage, and LDAP schema Sharon: One reason a CA may issue itself a CRL signing certificate is the scenario as follows: 1. The CA is a trust anchor for some relying parties, and 2. The CA wants to use different key for CRL signing for operational security, and 3. The CA wants to only provide one trust anchor (i.e., the certificate signature verification public key). In that scenario, the CA will issue itself a certificate for the CRL signature verification public key. -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Thursday, May 03, 2001 10:35 AM To: 'Tom Gindin'; Sharon Boeyen Cc: 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org Subject: RE: Basic constraints, key usage, and LDAP schema I see your point - I was missing the point that they are self-issued and was thinking of the case where you are delegating authority to an indirect issuer. In the indirect case the cert would need to be in the cross-cert pairs attribute and may also appear in the caCerts attribute. On the self issued ones, why are they needed at all? Why would a CA issue a cert to itself indicating that it can sign CRLs? Why do we need that? Sharon > -----Original Message----- > From: Tom Gindin [ mailto:tgindin@us.ibm.com <mailto:tgindin@us.ibm.com> ] > Sent: Wednesday, May 02, 2001 5:43 PM > To: Sharon Boeyen > Cc: 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org > Subject: RE: Basic constraints, key usage, and LDAP schema > > > > In the current draft of X.509v4, "self-issued" means something > different than "self-signed". "self-issued" appears to be > the condition > "the certificate's subject name can be matched to its own issuer name, > which is that of a CA", while "self-signed" is that with the added > condition "the certificate signature is verifiable with the public key > contained in the message". Most of these CRL signing certificates are > "self-issued" in this sense, although not "self-signed". > One other reason why such CRL signing certificates would > legitimately > not go into the CC Pair attribute would be that there is no > other directory > entry where the CA certificate to verify the signature on > this certificate > could be found, unlike any other certificates in CC Pair. > Lastly, if a CRL signing certificate were issued by a CA > certificate > with the same DN, it would certainly belong in the same realm, if that > concept has any meaning at all. > > Tom Gindin > > > Sharon Boeyen <sharon.boeyen@entrust.com> on 05/02/2001 04:05:54 PM > > To: "'Tim Polk'" <tim.polk@nist.gov>, Denis Pinkas > <Denis.Pinkas@bull.net> > cc: ietf-pkix@imc.org > Subject: RE: Basic constraints, key usage, and LDAP schema > > > Hi Tim, > > > I just want to clarify the directory attributes. All certs > that are not > self issued must go in the cross certificates attribute. All > self issued > certs must go in the caCertificates attribute. A subset of > the certificates > in the cross certificate pairs attributes may also be present in the > caCertificates attribute (those issued within the same realm, > a term left > undefined). Lets not go back down that rathole :-) The two > attributes are > not interchangeable. Given that the certs you are talking > about are not > self issued then they must go in the cross certificate pairs > attribute and > may also be placed in the caCertificate attribute if issued > within the same > realm. > > > Sharon > > > > -----Original Message----- > > From: Tim Polk [ mailto:tim.polk@nist.gov <mailto:tim.polk@nist.gov> ] > > Sent: Wednesday, May 02, 2001 10:43 AM > > To: Denis Pinkas > > Cc: ietf-pkix@imc.org > > Subject: Re: Basic constraints, key usage, and LDAP schema > > > > > > Denis, > > > > These messages have been flying fast and furious under several topic > > lines. I don't believe I caught them all either! As they > > are all related, > > it is difficult to resolve the issues one-by-one. The > > separate solutions > > may combine to present new problems. That was the rationale > > for the single > > comprehensive posting. > > > > The real problems, in my opinion, are as follows: > > > > (1) Consider a PKIX client, searching for a certificate to > validate a > > particular CRL. Under 2459, the client cannot guess whether > > the basic > > constraints extension will be present with the CA bit asserted. > > > > If the key used to validate the CRL is also used to validate > > certificates, > > it will have basic constraints and assert cA is TRUE. In > > this case, the > > certificate should be in the ca certificate attribute (or > > perhaps the cross > > certificate pairs). > > > > If the key is not used to validate certificates, basic > > constraints will be > > omitted and the certificate will be stored in the user > > certificate attribute. > > > > (2) If a PKIX client wishes to communicate with a CA for certificate > > management purposes (e.g., to request a new certificate, request > > revocation, or perhaps centralized key generation for key > > escrow scenarios) > > the client will need to validate the CA's signature and > > perhaps make use of > > the CA's key management key. If the keys used for these > > transactions are > > also used to sign PKCs, the certs will be in the CA certificate > > attribute. If the keys used for these purposes are not used > > to sign PKCs, > > there will be no indication that this entity is a CA and the > > certs will be > > stored in the user certificate attribute. > > > > As above, the PKIX client does not know where to look for these > > certificates. Where they are not used to sign PKCs, there > will be no > > indication in the certificate that this entity is a CA at all. > > > > (3) The attribute certificate profile is very clear regarding > > AC issuers > > versus PKC issuers. Section 4.5 states "the AC issuer's PKC > > MUST NOT have a > > basicConstraints extension with the cA BOOLEAN set to TRUE." > > > > However, the combination of RFC 2459 and the attribute > > certificate profile > > does not permit an issuer to specify whether a subject can > issue CRLs > > for PKCs, ACs, or both. This would provide us with an > > analogous solution: > > if the CA bit is not asserted, but the cRLSign bit is set in > > key usage, the > > subject is only permitted to issue CRLs for ACs. > > > > To be honest, (3) is the least compelling problem. The CA > > must explicitly > > name an indirect CRL issuer in PKCs it issues *anyway*, so > > the CA bit isn't > > a big security issue. Still, I think it is nice to supply > > clients with > > this information. > > > > Anyway, I hope this clarifies things a bit. My goal was to > > resolve all > > three problems simultaneously and consistently. > > > > Thanks, > > > > Tim Polk > > > > At 03:14 PM 5/2/01 +0200, Denis Pinkas wrote: > > >Tim, > > > > > >I stayed silent on that topic and it is quite hard to catch > > all the e-mails > > >related to it. I certainly missed or skipped missed some of them. > > > > > > > Terry, > > > > > > > > I think it would be best if the client did not need to check the > > > > userCertificate attribute to validate CRLs. This adds > > complexity without > > > > any real benefit (in my opinion.) I have included some > > proposed text for > > > > the first paragraph of section 4.2.1.10 (basic > > constraints) that would > > > > clarify the issue. > > > > > > > > ----------------proposed text for first paragraph of > > > 4.2.1.10---------------- > > > > > > > > The basic constraints extension identifies whether the > > subject of the > > > > certificate is a CA and the maximum depth of valid > > certification paths that > > > > include this certificate. A subject is considered a CA > > if it issues public > > > > key certificates or CRLs that describe the revocation > > status of public key > > > > certificates. > > > > > > > > ----------------------end proposed text > > > > What do you think? > > > > > >RFC 2459 only said: > > > > > > The basic constraints extension identifies whether the > > subject of the > > > certificate is a CA and how deep a certification path may exist > > > through that CA. > > > > > >However, according to the new text a "CRL Issuer" is now > > also a "CA": " A > > >subject is considered a CA if it issues public key > > certificates or CRLs that > > >describe the revocation status of public key certificates." > > > > > >The current text of new-part1-06 also goes in the same direction. > > > > > > The cA bit indicates if the certified public key may be used to > > > verify signatures on other certificates. If the cA bit > > is asserted, > > > then either the keyCertSign bit or the cRLSign bit in > > the key usage > > > extension (see 4.2.1.3) MUST also be asserted. If the cA > > bit is not > > > asserted, then both the keyCertSign bit and the cRLSign > > in the key > > > usage extension MUST NOT be asserted. > > > > > >This seems quite strange. A CRL issuer is just one way to > > make available > > >revocation status information. OCSP is another way. RFC 2560 says: > > > > > > OCSP signing delegation SHALL be designated by the > > > inclusion of id-kp-OCSPSigning in an extendedKeyUsage > certificate > > > extension included in the OCSP response signer's > > certificate. This > > > certificate MUST be issued directly by the CA that issued the > > > certificate in question. > > > > > >If a "CRL issuer" is a "CA", why should an OCSP responder > > designated by a CA > > >not also be a "CA" ? > > > > > >As far as I remember, originally the cA boolean in the basic > > constraints > > >extension only allowed to make the difference between leaf > > certificates and > > >CA certificates. This boolean now seems to be be used with a > > different > > >meaning (and, maybe, we should change its meaning - not > the syntax). > > > > > >Could someone say again, why that change was requested and > > what are the real > > >benefits of that change ? > > > > > >In other words, could someone say again what the problem was ? :-) > > > > > >Thanks, > > > > > >Denis > > > > > > > Thanks, > > > > > > > > Tim Polk > > > > > > > > At 01:41 PM 5/1/01 -0700, Terry Hayes wrote: > > > > >Tim, > > > > > > > > > >I agree with your proposed solution. As you have said, > > it separates the > > > > >semantics of the two extensions, and simplifies the > > rules for the LDAP > > > schema. > > > > > > > > > >There is one remaining point to address, and I believe > > it may be the main > > > > >point of discussion in the current thread. > > > > > > > > > >When a CA uses the CRLDP extension to designate another > > entity to be the > > > > >source for revocation information about some of its > > certificates, should > > > > >that entity have a "CA" certificate (with appropriate > > basicConstraints > > > > >extension)? I'm *not* suggesting that a > > basicConstraints extension is > > > > >necessary for the entity to be authorized to sign the > > CRL. Instead, the > > > > >problem is that clients that are trying to locate the > > certificate will not > > > > >know whether they should look in the cACertificate > > attribute or the > > > > >userCertificate attribute to find the appropriate certificate. > > > > > > > > > >To solve this, we can suggest that cACertificate be > > searched first, > > > > >followed by userCertificate, or we can require that > > designated entities > > > > >must always be a "CA", and the client can safely skip > > the userCertificate > > > > >attribute. This is a question of searching the > > directory only, and does > > > > >not suggest changing your assertion that any set of bits > > may be set in the > > > > >keyUsage extension of "CA" certificates. > > > > > > > > > >Terry > > > > > > > > > >Tim Polk wrote: > > > > > > > > > >>Folks, > > > > >> > > > > >>I have been reading the email messages on the list about the > > > > >>relationships between basic constraints, key usage, and > > the schema. > > > > >>After mulling over the problem. I would like to > > propose a solution - the > > > > >>only solution, as far as I can tell... > > > > >> > > > > >>The solution is to simplify and separate the semantics > > of the basic > > > > >>constraints and key usage extension. This has positive > > implications for > > > > >>the PKIX LDAP schema as well. > > > > >> > > > > >>Basic Constraints > > > > >> > > > > >>As stated in the current text for Basic Constraints (in > > 2459): "The > > > > >>basic constraints extension identifies whether the > > subject of the > > > > >>certificate is a CA and how deep a certification path > > may exist through > > > > >>that CA." > > > > >> > > > > >>I believe this is the right semantics, and that basic > > constraints should > > > > >>be included and cA should be asserted in *any* > > certificate issued to a > > > > >>CA, regardless of the type or role associated with the > > public key in the > > > > >>certificate. > > > > >> > > > > >>Key Usage > > > > >> > > > > >>The issuer should use the Key Usage extension to > > disambiguate the > > > > >>subject's key pairs: > > > > >>(a) The issuer indicates this public key may be used to > > verify the > > > > >>signature on a public key certificate by asserting > > keyCertSign. (b) The > > > > >>issuer indicates this public key may be used to verify > > the signature on > > > > >>CRLs by asserting cRLSign. (c) The issuer indicates > > that this public key > > > > >>may be used to establish symmetric keys with the > > subject by asserting > > > > >>either keyEncipherment or keyAgreement. (d) The issuer > > indicates that > > > > >>this public key may be used to verify signatures on > > objects other than > > > > >>public key certificates and CRLs by asserting > nonRerpuidation or > > > > >>digitalSignature. > > > > >> > > > > >>Of course, if a key pair is used for multiple purposes, > > multiple key > > > > >>usages may be asserted. > > > > >> > > > > >>In each of these cases, the basic constraints extension > > also appears in > > > > >>the certificate and asserts that the subject is a CA. > > > > >> > > > > >>LDAP Schema > > > > >> > > > > >>All certificates issued to CAs would be considered CA > > certificates since > > > > >>the basic constraints extension is present and asserts > > that the subject > > > > >>is a CA. As a result, each of these could appear in > > the cACertificate > > > > >>attribute or crossCertificatePair attribute. They > > would *not* appear in > > > > >>the userCertificate attribute. (That would include all > > types (a) through > > > > >>(d) above). > > > > >> > > > > >>------------------ > > > > >> > > > > >>The implications of this strategy are as follows: (1) > > when a client is > > > > >>searching for a CA certificate, they will not have to > check the > > > > >>userCertificate attribute; (2) the issuer can indicate > > that the subject > > > > >>is a CA regardless of the key usage; and (3) minimal > > changes to the text > > > > >>(my favorite!). > > > > >> > > > > >>What do you think? > > > > >> > > > > >>Thanks, > > > > >> > > > > >>Tim Polk > > > > >> > > > > >> > > > > > > > > > > > > > > > ------_=_NextPart_001_01C0D3F1.710ED370 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>RE: Basic constraints, key usage, and LDAP schema</TITLE> <META content="MSHTML 5.50.4522.1800" name=GENERATOR></HEAD> <BODY> <DIV><SPAN class=784215816-03052001><FONT face=Arial color=#0000ff size=2>Thanks, I understand now.</FONT></SPAN></DIV> <BLOCKQUOTE dir=ltr style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"> <DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B> Santosh Chokhani <BR><B>Sent:</B> Thursday, May 03, 2001 12:32 PM<BR><B>To:</B> Sharon Boeyen; 'Tom Gindin'<BR><B>Cc:</B> 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org<BR><B>Subject:</B> RE: Basic constraints, key usage, and LDAP schema<BR><BR></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=485393616-03052001>Sharon:</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=485393616-03052001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=485393616-03052001>One reason a CA may issue itself a CRL signing certificate is the scenario as follows:</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=485393616-03052001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=485393616-03052001>1. The CA is a trust anchor for some relying parties, and</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=485393616-03052001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=485393616-03052001>2. The CA wants to use different key for CRL signing for operational security, and</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=485393616-03052001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=485393616-03052001>3. The CA wants to only provide one trust anchor (i.e., the certificate signature verification public key).</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=485393616-03052001></SPAN></FONT> </DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=485393616-03052001>In that scenario, the CA will issue itself a certificate for the CRL signature verification public key.</SPAN></FONT></DIV> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=485393616-03052001></SPAN></FONT> </DIV> <DIV class=OutlookMessageHeader><FONT face="Times New Roman" size=2>-----Original Message-----<BR><B>From:</B> Sharon Boeyen [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Thursday, May 03, 2001 10:35 AM<BR><B>To:</B> 'Tom Gindin'; Sharon Boeyen<BR><B>Cc:</B> 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org<BR><B>Subject:</B> RE: Basic constraints, key usage, and LDAP schema<BR><BR></FONT></DIV> <P><FONT size=2>I see your point - I was missing the point that they are self-issued and was </FONT><BR><FONT size=2>thinking of the case where you are delegating authority to an indirect </FONT><BR><FONT size=2>issuer. In the indirect case the cert would need to be in the cross-cert pairs</FONT> <BR><FONT size=2>attribute and may also appear in the caCerts attribute.</FONT> </P> <P><FONT size=2>On the self issued ones, why are they needed at all? Why would a CA issue </FONT><BR><FONT size=2>a cert to itself indicating that it can sign CRLs? Why do we need that?</FONT> </P> <P><FONT size=2>Sharon</FONT> </P> <P><FONT size=2>> -----Original Message-----</FONT> <BR><FONT size=2>> From: Tom Gindin [<A href="mailto:tgindin@us.ibm.com">mailto:tgindin@us.ibm.com</A>]</FONT> <BR><FONT size=2>> Sent: Wednesday, May 02, 2001 5:43 PM</FONT> <BR><FONT size=2>> To: Sharon Boeyen</FONT> <BR><FONT size=2>> Cc: 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org</FONT> <BR><FONT size=2>> Subject: RE: Basic constraints, key usage, and LDAP schema</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> In the current draft of X.509v4, "self-issued" means something</FONT> <BR><FONT size=2>> different than "self-signed". "self-issued" appears to be </FONT><BR><FONT size=2>> the condition</FONT> <BR><FONT size=2>> "the certificate's subject name can be matched to its own issuer name,</FONT> <BR><FONT size=2>> which is that of a CA", while "self-signed" is that with the added</FONT> <BR><FONT size=2>> condition "the certificate signature is verifiable with the public key</FONT> <BR><FONT size=2>> contained in the message". Most of these CRL signing certificates are</FONT> <BR><FONT size=2>> "self-issued" in this sense, although not "self-signed".</FONT> <BR><FONT size=2>> One other reason why such CRL signing certificates would </FONT><BR><FONT size=2>> legitimately</FONT> <BR><FONT size=2>> not go into the CC Pair attribute would be that there is no </FONT><BR><FONT size=2>> other directory</FONT> <BR><FONT size=2>> entry where the CA certificate to verify the signature on </FONT><BR><FONT size=2>> this certificate</FONT> <BR><FONT size=2>> could be found, unlike any other certificates in CC Pair.</FONT> <BR><FONT size=2>> Lastly, if a CRL signing certificate were issued by a CA </FONT><BR><FONT size=2>> certificate</FONT> <BR><FONT size=2>> with the same DN, it would certainly belong in the same realm, if that</FONT> <BR><FONT size=2>> concept has any meaning at all.</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> Tom Gindin</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> Sharon Boeyen <sharon.boeyen@entrust.com> on 05/02/2001 04:05:54 PM</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> To: "'Tim Polk'" <tim.polk@nist.gov>, Denis Pinkas</FONT> <BR><FONT size=2>> <Denis.Pinkas@bull.net></FONT> <BR><FONT size=2>> cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>> Subject: RE: Basic constraints, key usage, and LDAP schema</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> Hi Tim,</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> I just want to clarify the directory attributes. All certs </FONT><BR><FONT size=2>> that are not</FONT> <BR><FONT size=2>> self issued must go in the cross certificates attribute. All </FONT><BR><FONT size=2>> self issued</FONT> <BR><FONT size=2>> certs must go in the caCertificates attribute. A subset of </FONT><BR><FONT size=2>> the certificates</FONT> <BR><FONT size=2>> in the cross certificate pairs attributes may also be present in the</FONT> <BR><FONT size=2>> caCertificates attribute (those issued within the same realm, </FONT><BR><FONT size=2>> a term left</FONT> <BR><FONT size=2>> undefined). Lets not go back down that rathole :-) The two </FONT><BR><FONT size=2>> attributes are</FONT> <BR><FONT size=2>> not interchangeable. Given that the certs you are talking </FONT><BR><FONT size=2>> about are not</FONT> <BR><FONT size=2>> self issued then they must go in the cross certificate pairs </FONT><BR><FONT size=2>> attribute and</FONT> <BR><FONT size=2>> may also be placed in the caCertificate attribute if issued </FONT><BR><FONT size=2>> within the same</FONT> <BR><FONT size=2>> realm.</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> Sharon</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> > -----Original Message-----</FONT> <BR><FONT size=2>> > From: Tim Polk [<A href="mailto:tim.polk@nist.gov">mailto:tim.polk@nist.gov</A>]</FONT> <BR><FONT size=2>> > Sent: Wednesday, May 02, 2001 10:43 AM</FONT> <BR><FONT size=2>> > To: Denis Pinkas</FONT> <BR><FONT size=2>> > Cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>> > Subject: Re: Basic constraints, key usage, and LDAP schema</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > Denis,</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > These messages have been flying fast and furious under several topic</FONT> <BR><FONT size=2>> > lines. I don't believe I caught them all either! As they</FONT> <BR><FONT size=2>> > are all related,</FONT> <BR><FONT size=2>> > it is difficult to resolve the issues one-by-one. The</FONT> <BR><FONT size=2>> > separate solutions</FONT> <BR><FONT size=2>> > may combine to present new problems. That was the rationale</FONT> <BR><FONT size=2>> > for the single</FONT> <BR><FONT size=2>> > comprehensive posting.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > The real problems, in my opinion, are as follows:</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > (1) Consider a PKIX client, searching for a certificate to </FONT><BR><FONT size=2>> validate a</FONT> <BR><FONT size=2>> > particular CRL. Under 2459, the client cannot guess whether</FONT> <BR><FONT size=2>> > the basic</FONT> <BR><FONT size=2>> > constraints extension will be present with the CA bit asserted.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > If the key used to validate the CRL is also used to validate</FONT> <BR><FONT size=2>> > certificates,</FONT> <BR><FONT size=2>> > it will have basic constraints and assert cA is TRUE. In</FONT> <BR><FONT size=2>> > this case, the</FONT> <BR><FONT size=2>> > certificate should be in the ca certificate attribute (or</FONT> <BR><FONT size=2>> > perhaps the cross</FONT> <BR><FONT size=2>> > certificate pairs).</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > If the key is not used to validate certificates, basic</FONT> <BR><FONT size=2>> > constraints will be</FONT> <BR><FONT size=2>> > omitted and the certificate will be stored in the user</FONT> <BR><FONT size=2>> > certificate attribute.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > (2) If a PKIX client wishes to communicate with a CA for certificate</FONT> <BR><FONT size=2>> > management purposes (e.g., to request a new certificate, request</FONT> <BR><FONT size=2>> > revocation, or perhaps centralized key generation for key</FONT> <BR><FONT size=2>> > escrow scenarios)</FONT> <BR><FONT size=2>> > the client will need to validate the CA's signature and</FONT> <BR><FONT size=2>> > perhaps make use of</FONT> <BR><FONT size=2>> > the CA's key management key. If the keys used for these</FONT> <BR><FONT size=2>> > transactions are</FONT> <BR><FONT size=2>> > also used to sign PKCs, the certs will be in the CA certificate</FONT> <BR><FONT size=2>> > attribute. If the keys used for these purposes are not used</FONT> <BR><FONT size=2>> > to sign PKCs,</FONT> <BR><FONT size=2>> > there will be no indication that this entity is a CA and the</FONT> <BR><FONT size=2>> > certs will be</FONT> <BR><FONT size=2>> > stored in the user certificate attribute.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > As above, the PKIX client does not know where to look for these</FONT> <BR><FONT size=2>> > certificates. Where they are not used to sign PKCs, there </FONT><BR><FONT size=2>> will be no</FONT> <BR><FONT size=2>> > indication in the certificate that this entity is a CA at all.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > (3) The attribute certificate profile is very clear regarding</FONT> <BR><FONT size=2>> > AC issuers</FONT> <BR><FONT size=2>> > versus PKC issuers. Section 4.5 states "the AC issuer's PKC</FONT> <BR><FONT size=2>> > MUST NOT have a</FONT> <BR><FONT size=2>> > basicConstraints extension with the cA BOOLEAN set to TRUE."</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > However, the combination of RFC 2459 and the attribute</FONT> <BR><FONT size=2>> > certificate profile</FONT> <BR><FONT size=2>> > does not permit an issuer to specify whether a subject can </FONT><BR><FONT size=2>> issue CRLs</FONT> <BR><FONT size=2>> > for PKCs, ACs, or both. This would provide us with an</FONT> <BR><FONT size=2>> > analogous solution:</FONT> <BR><FONT size=2>> > if the CA bit is not asserted, but the cRLSign bit is set in</FONT> <BR><FONT size=2>> > key usage, the</FONT> <BR><FONT size=2>> > subject is only permitted to issue CRLs for ACs.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > To be honest, (3) is the least compelling problem. The CA</FONT> <BR><FONT size=2>> > must explicitly</FONT> <BR><FONT size=2>> > name an indirect CRL issuer in PKCs it issues *anyway*, so</FONT> <BR><FONT size=2>> > the CA bit isn't</FONT> <BR><FONT size=2>> > a big security issue. Still, I think it is nice to supply</FONT> <BR><FONT size=2>> > clients with</FONT> <BR><FONT size=2>> > this information.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > Anyway, I hope this clarifies things a bit. My goal was to</FONT> <BR><FONT size=2>> > resolve all</FONT> <BR><FONT size=2>> > three problems simultaneously and consistently.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > Thanks,</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > Tim Polk</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > At 03:14 PM 5/2/01 +0200, Denis Pinkas wrote:</FONT> <BR><FONT size=2>> > >Tim,</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >I stayed silent on that topic and it is quite hard to catch</FONT> <BR><FONT size=2>> > all the e-mails</FONT> <BR><FONT size=2>> > >related to it. I certainly missed or skipped missed some of them.</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > > > Terry,</FONT> <BR><FONT size=2>> > > ></FONT> <BR><FONT size=2>> > > > I think it would be best if the client did not need to check the</FONT> <BR><FONT size=2>> > > > userCertificate attribute to validate CRLs. This adds</FONT> <BR><FONT size=2>> > complexity without</FONT> <BR><FONT size=2>> > > > any real benefit (in my opinion.) I have included some</FONT> <BR><FONT size=2>> > proposed text for</FONT> <BR><FONT size=2>> > > > the first paragraph of section 4.2.1.10 (basic</FONT> <BR><FONT size=2>> > constraints) that would</FONT> <BR><FONT size=2>> > > > clarify the issue.</FONT> <BR><FONT size=2>> > > ></FONT> <BR><FONT size=2>> > > > ----------------proposed text for first paragraph of</FONT> <BR><FONT size=2>> > > 4.2.1.10----------------</FONT> <BR><FONT size=2>> > > ></FONT> <BR><FONT size=2>> > > > The basic constraints extension identifies whether the</FONT> <BR><FONT size=2>> > subject of the</FONT> <BR><FONT size=2>> > > > certificate is a CA and the maximum depth of valid</FONT> <BR><FONT size=2>> > certification paths that</FONT> <BR><FONT size=2>> > > > include this certificate. A subject is considered a CA</FONT> <BR><FONT size=2>> > if it issues public</FONT> <BR><FONT size=2>> > > > key certificates or CRLs that describe the revocation</FONT> <BR><FONT size=2>> > status of public key</FONT> <BR><FONT size=2>> > > > certificates.</FONT> <BR><FONT size=2>> > > ></FONT> <BR><FONT size=2>> > > > ----------------------end proposed text</FONT> <BR><FONT size=2>> > > > What do you think?</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >RFC 2459 only said:</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > > The basic constraints extension identifies whether the</FONT> <BR><FONT size=2>> > subject of the</FONT> <BR><FONT size=2>> > > certificate is a CA and how deep a certification path may exist</FONT> <BR><FONT size=2>> > > through that CA.</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >However, according to the new text a "CRL Issuer" is now</FONT> <BR><FONT size=2>> > also a "CA": " A</FONT> <BR><FONT size=2>> > >subject is considered a CA if it issues public key</FONT> <BR><FONT size=2>> > certificates or CRLs that</FONT> <BR><FONT size=2>> > >describe the revocation status of public key certificates."</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >The current text of new-part1-06 also goes in the same direction.</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > > The cA bit indicates if the certified public key may be used to</FONT> <BR><FONT size=2>> > > verify signatures on other certificates. If the cA bit</FONT> <BR><FONT size=2>> > is asserted,</FONT> <BR><FONT size=2>> > > then either the keyCertSign bit or the cRLSign bit in</FONT> <BR><FONT size=2>> > the key usage</FONT> <BR><FONT size=2>> > > extension (see 4.2.1.3) MUST also be asserted. If the cA</FONT> <BR><FONT size=2>> > bit is not</FONT> <BR><FONT size=2>> > > asserted, then both the keyCertSign bit and the cRLSign</FONT> <BR><FONT size=2>> > in the key</FONT> <BR><FONT size=2>> > > usage extension MUST NOT be asserted.</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >This seems quite strange. A CRL issuer is just one way to</FONT> <BR><FONT size=2>> > make available</FONT> <BR><FONT size=2>> > >revocation status information. OCSP is another way. RFC 2560 says:</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > > OCSP signing delegation SHALL be designated by the</FONT> <BR><FONT size=2>> > > inclusion of id-kp-OCSPSigning in an extendedKeyUsage </FONT><BR><FONT size=2>> certificate</FONT> <BR><FONT size=2>> > > extension included in the OCSP response signer's</FONT> <BR><FONT size=2>> > certificate. This</FONT> <BR><FONT size=2>> > > certificate MUST be issued directly by the CA that issued the</FONT> <BR><FONT size=2>> > > certificate in question.</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >If a "CRL issuer" is a "CA", why should an OCSP responder</FONT> <BR><FONT size=2>> > designated by a CA</FONT> <BR><FONT size=2>> > >not also be a "CA" ?</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >As far as I remember, originally the cA boolean in the basic</FONT> <BR><FONT size=2>> > constraints</FONT> <BR><FONT size=2>> > >extension only allowed to make the difference between leaf</FONT> <BR><FONT size=2>> > certificates and</FONT> <BR><FONT size=2>> > >CA certificates. This boolean now seems to be be used with a</FONT> <BR><FONT size=2>> > different</FONT> <BR><FONT size=2>> > >meaning (and, maybe, we should change its meaning - not </FONT><BR><FONT size=2>> the syntax).</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >Could someone say again, why that change was requested and</FONT> <BR><FONT size=2>> > what are the real</FONT> <BR><FONT size=2>> > >benefits of that change ?</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >In other words, could someone say again what the problem was ? :-)</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >Thanks,</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >Denis</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > > > Thanks,</FONT> <BR><FONT size=2>> > > ></FONT> <BR><FONT size=2>> > > > Tim Polk</FONT> <BR><FONT size=2>> > > ></FONT> <BR><FONT size=2>> > > > At 01:41 PM 5/1/01 -0700, Terry Hayes wrote:</FONT> <BR><FONT size=2>> > > > >Tim,</FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > >I agree with your proposed solution. As you have said,</FONT> <BR><FONT size=2>> > it separates the</FONT> <BR><FONT size=2>> > > > >semantics of the two extensions, and simplifies the</FONT> <BR><FONT size=2>> > rules for the LDAP</FONT> <BR><FONT size=2>> > > schema.</FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > >There is one remaining point to address, and I believe</FONT> <BR><FONT size=2>> > it may be the main</FONT> <BR><FONT size=2>> > > > >point of discussion in the current thread.</FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > >When a CA uses the CRLDP extension to designate another</FONT> <BR><FONT size=2>> > entity to be the</FONT> <BR><FONT size=2>> > > > >source for revocation information about some of its</FONT> <BR><FONT size=2>> > certificates, should</FONT> <BR><FONT size=2>> > > > >that entity have a "CA" certificate (with appropriate</FONT> <BR><FONT size=2>> > basicConstraints</FONT> <BR><FONT size=2>> > > > >extension)? I'm *not* suggesting that a</FONT> <BR><FONT size=2>> > basicConstraints extension is</FONT> <BR><FONT size=2>> > > > >necessary for the entity to be authorized to sign the</FONT> <BR><FONT size=2>> > CRL. Instead, the</FONT> <BR><FONT size=2>> > > > >problem is that clients that are trying to locate the</FONT> <BR><FONT size=2>> > certificate will not</FONT> <BR><FONT size=2>> > > > >know whether they should look in the cACertificate</FONT> <BR><FONT size=2>> > attribute or the</FONT> <BR><FONT size=2>> > > > >userCertificate attribute to find the appropriate certificate.</FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > >To solve this, we can suggest that cACertificate be</FONT> <BR><FONT size=2>> > searched first,</FONT> <BR><FONT size=2>> > > > >followed by userCertificate, or we can require that</FONT> <BR><FONT size=2>> > designated entities</FONT> <BR><FONT size=2>> > > > >must always be a "CA", and the client can safely skip</FONT> <BR><FONT size=2>> > the userCertificate</FONT> <BR><FONT size=2>> > > > >attribute. This is a question of searching the</FONT> <BR><FONT size=2>> > directory only, and does</FONT> <BR><FONT size=2>> > > > >not suggest changing your assertion that any set of bits</FONT> <BR><FONT size=2>> > may be set in the</FONT> <BR><FONT size=2>> > > > >keyUsage extension of "CA" certificates.</FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > >Terry</FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > >Tim Polk wrote:</FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > >>Folks,</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>I have been reading the email messages on the list about the</FONT> <BR><FONT size=2>> > > > >>relationships between basic constraints, key usage, and</FONT> <BR><FONT size=2>> > the schema.</FONT> <BR><FONT size=2>> > > > >>After mulling over the problem. I would like to</FONT> <BR><FONT size=2>> > propose a solution - the</FONT> <BR><FONT size=2>> > > > >>only solution, as far as I can tell...</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>The solution is to simplify and separate the semantics</FONT> <BR><FONT size=2>> > of the basic</FONT> <BR><FONT size=2>> > > > >>constraints and key usage extension. This has positive</FONT> <BR><FONT size=2>> > implications for</FONT> <BR><FONT size=2>> > > > >>the PKIX LDAP schema as well.</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>Basic Constraints</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>As stated in the current text for Basic Constraints (in</FONT> <BR><FONT size=2>> > 2459): "The</FONT> <BR><FONT size=2>> > > > >>basic constraints extension identifies whether the</FONT> <BR><FONT size=2>> > subject of the</FONT> <BR><FONT size=2>> > > > >>certificate is a CA and how deep a certification path</FONT> <BR><FONT size=2>> > may exist through</FONT> <BR><FONT size=2>> > > > >>that CA."</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>I believe this is the right semantics, and that basic</FONT> <BR><FONT size=2>> > constraints should</FONT> <BR><FONT size=2>> > > > >>be included and cA should be asserted in *any*</FONT> <BR><FONT size=2>> > certificate issued to a</FONT> <BR><FONT size=2>> > > > >>CA, regardless of the type or role associated with the</FONT> <BR><FONT size=2>> > public key in the</FONT> <BR><FONT size=2>> > > > >>certificate.</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>Key Usage</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>The issuer should use the Key Usage extension to</FONT> <BR><FONT size=2>> > disambiguate the</FONT> <BR><FONT size=2>> > > > >>subject's key pairs:</FONT> <BR><FONT size=2>> > > > >>(a) The issuer indicates this public key may be used to</FONT> <BR><FONT size=2>> > verify the</FONT> <BR><FONT size=2>> > > > >>signature on a public key certificate by asserting</FONT> <BR><FONT size=2>> > keyCertSign. (b) The</FONT> <BR><FONT size=2>> > > > >>issuer indicates this public key may be used to verify</FONT> <BR><FONT size=2>> > the signature on</FONT> <BR><FONT size=2>> > > > >>CRLs by asserting cRLSign. (c) The issuer indicates</FONT> <BR><FONT size=2>> > that this public key</FONT> <BR><FONT size=2>> > > > >>may be used to establish symmetric keys with the</FONT> <BR><FONT size=2>> > subject by asserting</FONT> <BR><FONT size=2>> > > > >>either keyEncipherment or keyAgreement. (d) The issuer</FONT> <BR><FONT size=2>> > indicates that</FONT> <BR><FONT size=2>> > > > >>this public key may be used to verify signatures on</FONT> <BR><FONT size=2>> > objects other than</FONT> <BR><FONT size=2>> > > > >>public key certificates and CRLs by asserting </FONT><BR><FONT size=2>> nonRerpuidation or</FONT> <BR><FONT size=2>> > > > >>digitalSignature.</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>Of course, if a key pair is used for multiple purposes,</FONT> <BR><FONT size=2>> > multiple key</FONT> <BR><FONT size=2>> > > > >>usages may be asserted.</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>In each of these cases, the basic constraints extension</FONT> <BR><FONT size=2>> > also appears in</FONT> <BR><FONT size=2>> > > > >>the certificate and asserts that the subject is a CA.</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>LDAP Schema</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>All certificates issued to CAs would be considered CA</FONT> <BR><FONT size=2>> > certificates since</FONT> <BR><FONT size=2>> > > > >>the basic constraints extension is present and asserts</FONT> <BR><FONT size=2>> > that the subject</FONT> <BR><FONT size=2>> > > > >>is a CA. As a result, each of these could appear in</FONT> <BR><FONT size=2>> > the cACertificate</FONT> <BR><FONT size=2>> > > > >>attribute or crossCertificatePair attribute. They</FONT> <BR><FONT size=2>> > would *not* appear in</FONT> <BR><FONT size=2>> > > > >>the userCertificate attribute. (That would include all</FONT> <BR><FONT size=2>> > types (a) through</FONT> <BR><FONT size=2>> > > > >>(d) above).</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>------------------</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>The implications of this strategy are as follows: (1)</FONT> <BR><FONT size=2>> > when a client is</FONT> <BR><FONT size=2>> > > > >>searching for a CA certificate, they will not have to </FONT><BR><FONT size=2>> check the</FONT> <BR><FONT size=2>> > > > >>userCertificate attribute; (2) the issuer can indicate</FONT> <BR><FONT size=2>> > that the subject</FONT> <BR><FONT size=2>> > > > >>is a CA regardless of the key usage; and (3) minimal</FONT> <BR><FONT size=2>> > changes to the text</FONT> <BR><FONT size=2>> > > > >>(my favorite!).</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>What do you think?</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>Thanks,</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>Tim Polk</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT></P></BLOCKQUOTE></BODY></HTML> ------_=_NextPart_001_01C0D3F1.710ED370-- Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA20469 for <ietf-pkix@imc.org>; Thu, 3 May 2001 09:42:04 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <KGKQ8GVK>; Thu, 3 May 2001 12:41:34 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE627@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Sharon Boeyen <sharon.boeyen@entrust.com>, "'Tom Gindin'" <tgindin@us.ibm.com> Cc: "'Tim Polk'" <tim.polk@nist.gov>, Denis Pinkas <Denis.Pinkas@bull.net>, ietf-pkix@imc.org Subject: RE: Basic constraints, key usage, and LDAP schema Date: Thu, 3 May 2001 12:32:29 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D3EE.A5514DA0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D3EE.A5514DA0 Content-Type: text/plain; charset="iso-8859-1" Sharon: One reason a CA may issue itself a CRL signing certificate is the scenario as follows: 1. The CA is a trust anchor for some relying parties, and 2. The CA wants to use different key for CRL signing for operational security, and 3. The CA wants to only provide one trust anchor (i.e., the certificate signature verification public key). In that scenario, the CA will issue itself a certificate for the CRL signature verification public key. -----Original Message----- From: Sharon Boeyen [mailto:sharon.boeyen@entrust.com] Sent: Thursday, May 03, 2001 10:35 AM To: 'Tom Gindin'; Sharon Boeyen Cc: 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org Subject: RE: Basic constraints, key usage, and LDAP schema I see your point - I was missing the point that they are self-issued and was thinking of the case where you are delegating authority to an indirect issuer. In the indirect case the cert would need to be in the cross-cert pairs attribute and may also appear in the caCerts attribute. On the self issued ones, why are they needed at all? Why would a CA issue a cert to itself indicating that it can sign CRLs? Why do we need that? Sharon > -----Original Message----- > From: Tom Gindin [ mailto:tgindin@us.ibm.com <mailto:tgindin@us.ibm.com> ] > Sent: Wednesday, May 02, 2001 5:43 PM > To: Sharon Boeyen > Cc: 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org > Subject: RE: Basic constraints, key usage, and LDAP schema > > > > In the current draft of X.509v4, "self-issued" means something > different than "self-signed". "self-issued" appears to be > the condition > "the certificate's subject name can be matched to its own issuer name, > which is that of a CA", while "self-signed" is that with the added > condition "the certificate signature is verifiable with the public key > contained in the message". Most of these CRL signing certificates are > "self-issued" in this sense, although not "self-signed". > One other reason why such CRL signing certificates would > legitimately > not go into the CC Pair attribute would be that there is no > other directory > entry where the CA certificate to verify the signature on > this certificate > could be found, unlike any other certificates in CC Pair. > Lastly, if a CRL signing certificate were issued by a CA > certificate > with the same DN, it would certainly belong in the same realm, if that > concept has any meaning at all. > > Tom Gindin > > > Sharon Boeyen <sharon.boeyen@entrust.com> on 05/02/2001 04:05:54 PM > > To: "'Tim Polk'" <tim.polk@nist.gov>, Denis Pinkas > <Denis.Pinkas@bull.net> > cc: ietf-pkix@imc.org > Subject: RE: Basic constraints, key usage, and LDAP schema > > > Hi Tim, > > > I just want to clarify the directory attributes. All certs > that are not > self issued must go in the cross certificates attribute. All > self issued > certs must go in the caCertificates attribute. A subset of > the certificates > in the cross certificate pairs attributes may also be present in the > caCertificates attribute (those issued within the same realm, > a term left > undefined). Lets not go back down that rathole :-) The two > attributes are > not interchangeable. Given that the certs you are talking > about are not > self issued then they must go in the cross certificate pairs > attribute and > may also be placed in the caCertificate attribute if issued > within the same > realm. > > > Sharon > > > > -----Original Message----- > > From: Tim Polk [ mailto:tim.polk@nist.gov <mailto:tim.polk@nist.gov> ] > > Sent: Wednesday, May 02, 2001 10:43 AM > > To: Denis Pinkas > > Cc: ietf-pkix@imc.org > > Subject: Re: Basic constraints, key usage, and LDAP schema > > > > > > Denis, > > > > These messages have been flying fast and furious under several topic > > lines. I don't believe I caught them all either! As they > > are all related, > > it is difficult to resolve the issues one-by-one. The > > separate solutions > > may combine to present new problems. That was the rationale > > for the single > > comprehensive posting. > > > > The real problems, in my opinion, are as follows: > > > > (1) Consider a PKIX client, searching for a certificate to > validate a > > particular CRL. Under 2459, the client cannot guess whether > > the basic > > constraints extension will be present with the CA bit asserted. > > > > If the key used to validate the CRL is also used to validate > > certificates, > > it will have basic constraints and assert cA is TRUE. In > > this case, the > > certificate should be in the ca certificate attribute (or > > perhaps the cross > > certificate pairs). > > > > If the key is not used to validate certificates, basic > > constraints will be > > omitted and the certificate will be stored in the user > > certificate attribute. > > > > (2) If a PKIX client wishes to communicate with a CA for certificate > > management purposes (e.g., to request a new certificate, request > > revocation, or perhaps centralized key generation for key > > escrow scenarios) > > the client will need to validate the CA's signature and > > perhaps make use of > > the CA's key management key. If the keys used for these > > transactions are > > also used to sign PKCs, the certs will be in the CA certificate > > attribute. If the keys used for these purposes are not used > > to sign PKCs, > > there will be no indication that this entity is a CA and the > > certs will be > > stored in the user certificate attribute. > > > > As above, the PKIX client does not know where to look for these > > certificates. Where they are not used to sign PKCs, there > will be no > > indication in the certificate that this entity is a CA at all. > > > > (3) The attribute certificate profile is very clear regarding > > AC issuers > > versus PKC issuers. Section 4.5 states "the AC issuer's PKC > > MUST NOT have a > > basicConstraints extension with the cA BOOLEAN set to TRUE." > > > > However, the combination of RFC 2459 and the attribute > > certificate profile > > does not permit an issuer to specify whether a subject can > issue CRLs > > for PKCs, ACs, or both. This would provide us with an > > analogous solution: > > if the CA bit is not asserted, but the cRLSign bit is set in > > key usage, the > > subject is only permitted to issue CRLs for ACs. > > > > To be honest, (3) is the least compelling problem. The CA > > must explicitly > > name an indirect CRL issuer in PKCs it issues *anyway*, so > > the CA bit isn't > > a big security issue. Still, I think it is nice to supply > > clients with > > this information. > > > > Anyway, I hope this clarifies things a bit. My goal was to > > resolve all > > three problems simultaneously and consistently. > > > > Thanks, > > > > Tim Polk > > > > At 03:14 PM 5/2/01 +0200, Denis Pinkas wrote: > > >Tim, > > > > > >I stayed silent on that topic and it is quite hard to catch > > all the e-mails > > >related to it. I certainly missed or skipped missed some of them. > > > > > > > Terry, > > > > > > > > I think it would be best if the client did not need to check the > > > > userCertificate attribute to validate CRLs. This adds > > complexity without > > > > any real benefit (in my opinion.) I have included some > > proposed text for > > > > the first paragraph of section 4.2.1.10 (basic > > constraints) that would > > > > clarify the issue. > > > > > > > > ----------------proposed text for first paragraph of > > > 4.2.1.10---------------- > > > > > > > > The basic constraints extension identifies whether the > > subject of the > > > > certificate is a CA and the maximum depth of valid > > certification paths that > > > > include this certificate. A subject is considered a CA > > if it issues public > > > > key certificates or CRLs that describe the revocation > > status of public key > > > > certificates. > > > > > > > > ----------------------end proposed text > > > > What do you think? > > > > > >RFC 2459 only said: > > > > > > The basic constraints extension identifies whether the > > subject of the > > > certificate is a CA and how deep a certification path may exist > > > through that CA. > > > > > >However, according to the new text a "CRL Issuer" is now > > also a "CA": " A > > >subject is considered a CA if it issues public key > > certificates or CRLs that > > >describe the revocation status of public key certificates." > > > > > >The current text of new-part1-06 also goes in the same direction. > > > > > > The cA bit indicates if the certified public key may be used to > > > verify signatures on other certificates. If the cA bit > > is asserted, > > > then either the keyCertSign bit or the cRLSign bit in > > the key usage > > > extension (see 4.2.1.3) MUST also be asserted. If the cA > > bit is not > > > asserted, then both the keyCertSign bit and the cRLSign > > in the key > > > usage extension MUST NOT be asserted. > > > > > >This seems quite strange. A CRL issuer is just one way to > > make available > > >revocation status information. OCSP is another way. RFC 2560 says: > > > > > > OCSP signing delegation SHALL be designated by the > > > inclusion of id-kp-OCSPSigning in an extendedKeyUsage > certificate > > > extension included in the OCSP response signer's > > certificate. This > > > certificate MUST be issued directly by the CA that issued the > > > certificate in question. > > > > > >If a "CRL issuer" is a "CA", why should an OCSP responder > > designated by a CA > > >not also be a "CA" ? > > > > > >As far as I remember, originally the cA boolean in the basic > > constraints > > >extension only allowed to make the difference between leaf > > certificates and > > >CA certificates. This boolean now seems to be be used with a > > different > > >meaning (and, maybe, we should change its meaning - not > the syntax). > > > > > >Could someone say again, why that change was requested and > > what are the real > > >benefits of that change ? > > > > > >In other words, could someone say again what the problem was ? :-) > > > > > >Thanks, > > > > > >Denis > > > > > > > Thanks, > > > > > > > > Tim Polk > > > > > > > > At 01:41 PM 5/1/01 -0700, Terry Hayes wrote: > > > > >Tim, > > > > > > > > > >I agree with your proposed solution. As you have said, > > it separates the > > > > >semantics of the two extensions, and simplifies the > > rules for the LDAP > > > schema. > > > > > > > > > >There is one remaining point to address, and I believe > > it may be the main > > > > >point of discussion in the current thread. > > > > > > > > > >When a CA uses the CRLDP extension to designate another > > entity to be the > > > > >source for revocation information about some of its > > certificates, should > > > > >that entity have a "CA" certificate (with appropriate > > basicConstraints > > > > >extension)? I'm *not* suggesting that a > > basicConstraints extension is > > > > >necessary for the entity to be authorized to sign the > > CRL. Instead, the > > > > >problem is that clients that are trying to locate the > > certificate will not > > > > >know whether they should look in the cACertificate > > attribute or the > > > > >userCertificate attribute to find the appropriate certificate. > > > > > > > > > >To solve this, we can suggest that cACertificate be > > searched first, > > > > >followed by userCertificate, or we can require that > > designated entities > > > > >must always be a "CA", and the client can safely skip > > the userCertificate > > > > >attribute. This is a question of searching the > > directory only, and does > > > > >not suggest changing your assertion that any set of bits > > may be set in the > > > > >keyUsage extension of "CA" certificates. > > > > > > > > > >Terry > > > > > > > > > >Tim Polk wrote: > > > > > > > > > >>Folks, > > > > >> > > > > >>I have been reading the email messages on the list about the > > > > >>relationships between basic constraints, key usage, and > > the schema. > > > > >>After mulling over the problem. I would like to > > propose a solution - the > > > > >>only solution, as far as I can tell... > > > > >> > > > > >>The solution is to simplify and separate the semantics > > of the basic > > > > >>constraints and key usage extension. This has positive > > implications for > > > > >>the PKIX LDAP schema as well. > > > > >> > > > > >>Basic Constraints > > > > >> > > > > >>As stated in the current text for Basic Constraints (in > > 2459): "The > > > > >>basic constraints extension identifies whether the > > subject of the > > > > >>certificate is a CA and how deep a certification path > > may exist through > > > > >>that CA." > > > > >> > > > > >>I believe this is the right semantics, and that basic > > constraints should > > > > >>be included and cA should be asserted in *any* > > certificate issued to a > > > > >>CA, regardless of the type or role associated with the > > public key in the > > > > >>certificate. > > > > >> > > > > >>Key Usage > > > > >> > > > > >>The issuer should use the Key Usage extension to > > disambiguate the > > > > >>subject's key pairs: > > > > >>(a) The issuer indicates this public key may be used to > > verify the > > > > >>signature on a public key certificate by asserting > > keyCertSign. (b) The > > > > >>issuer indicates this public key may be used to verify > > the signature on > > > > >>CRLs by asserting cRLSign. (c) The issuer indicates > > that this public key > > > > >>may be used to establish symmetric keys with the > > subject by asserting > > > > >>either keyEncipherment or keyAgreement. (d) The issuer > > indicates that > > > > >>this public key may be used to verify signatures on > > objects other than > > > > >>public key certificates and CRLs by asserting > nonRerpuidation or > > > > >>digitalSignature. > > > > >> > > > > >>Of course, if a key pair is used for multiple purposes, > > multiple key > > > > >>usages may be asserted. > > > > >> > > > > >>In each of these cases, the basic constraints extension > > also appears in > > > > >>the certificate and asserts that the subject is a CA. > > > > >> > > > > >>LDAP Schema > > > > >> > > > > >>All certificates issued to CAs would be considered CA > > certificates since > > > > >>the basic constraints extension is present and asserts > > that the subject > > > > >>is a CA. As a result, each of these could appear in > > the cACertificate > > > > >>attribute or crossCertificatePair attribute. They > > would *not* appear in > > > > >>the userCertificate attribute. (That would include all > > types (a) through > > > > >>(d) above). > > > > >> > > > > >>------------------ > > > > >> > > > > >>The implications of this strategy are as follows: (1) > > when a client is > > > > >>searching for a CA certificate, they will not have to > check the > > > > >>userCertificate attribute; (2) the issuer can indicate > > that the subject > > > > >>is a CA regardless of the key usage; and (3) minimal > > changes to the text > > > > >>(my favorite!). > > > > >> > > > > >>What do you think? > > > > >> > > > > >>Thanks, > > > > >> > > > > >>Tim Polk > > > > >> > > > > >> > > > > > > > > > > > > > > > ------_=_NextPart_001_01C0D3EE.A5514DA0 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <TITLE>RE: Basic constraints, key usage, and LDAP schema</TITLE> <META content="MSHTML 5.00.2014.210" name=GENERATOR></HEAD> <BODY> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=485393616-03052001>Sharon:</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=485393616-03052001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=485393616-03052001>One reason a CA may issue itself a CRL signing certificate is the scenario as follows:</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=485393616-03052001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=485393616-03052001>1. The CA is a trust anchor for some relying parties, and</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=485393616-03052001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=485393616-03052001>2. The CA wants to use different key for CRL signing for operational security, and</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=485393616-03052001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=485393616-03052001>3. The CA wants to only provide one trust anchor (i.e., the certificate signature verification public key).</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=485393616-03052001></SPAN></FONT> </DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=485393616-03052001>In that scenario, the CA will issue itself a certificate for the CRL signature verification public key.</SPAN></FONT></DIV> <DIV><FONT color=#0000ff face=Arial size=2><SPAN class=485393616-03052001></SPAN></FONT> </DIV> <DIV class=OutlookMessageHeader><FONT face="Times New Roman" size=2>-----Original Message-----<BR><B>From:</B> Sharon Boeyen [mailto:sharon.boeyen@entrust.com]<BR><B>Sent:</B> Thursday, May 03, 2001 10:35 AM<BR><B>To:</B> 'Tom Gindin'; Sharon Boeyen<BR><B>Cc:</B> 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org<BR><B>Subject:</B> RE: Basic constraints, key usage, and LDAP schema<BR><BR></FONT></DIV> <P><FONT size=2>I see your point - I was missing the point that they are self-issued and was </FONT><BR><FONT size=2>thinking of the case where you are delegating authority to an indirect </FONT><BR><FONT size=2>issuer. In the indirect case the cert would need to be in the cross-cert pairs</FONT> <BR><FONT size=2>attribute and may also appear in the caCerts attribute.</FONT> </P> <P><FONT size=2>On the self issued ones, why are they needed at all? Why would a CA issue </FONT><BR><FONT size=2>a cert to itself indicating that it can sign CRLs? Why do we need that?</FONT> </P> <P><FONT size=2>Sharon</FONT> </P> <P><FONT size=2>> -----Original Message-----</FONT> <BR><FONT size=2>> From: Tom Gindin [<A href="mailto:tgindin@us.ibm.com">mailto:tgindin@us.ibm.com</A>]</FONT> <BR><FONT size=2>> Sent: Wednesday, May 02, 2001 5:43 PM</FONT> <BR><FONT size=2>> To: Sharon Boeyen</FONT> <BR><FONT size=2>> Cc: 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org</FONT> <BR><FONT size=2>> Subject: RE: Basic constraints, key usage, and LDAP schema</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> In the current draft of X.509v4, "self-issued" means something</FONT> <BR><FONT size=2>> different than "self-signed". "self-issued" appears to be </FONT><BR><FONT size=2>> the condition</FONT> <BR><FONT size=2>> "the certificate's subject name can be matched to its own issuer name,</FONT> <BR><FONT size=2>> which is that of a CA", while "self-signed" is that with the added</FONT> <BR><FONT size=2>> condition "the certificate signature is verifiable with the public key</FONT> <BR><FONT size=2>> contained in the message". Most of these CRL signing certificates are</FONT> <BR><FONT size=2>> "self-issued" in this sense, although not "self-signed".</FONT> <BR><FONT size=2>> One other reason why such CRL signing certificates would </FONT><BR><FONT size=2>> legitimately</FONT> <BR><FONT size=2>> not go into the CC Pair attribute would be that there is no </FONT><BR><FONT size=2>> other directory</FONT> <BR><FONT size=2>> entry where the CA certificate to verify the signature on </FONT><BR><FONT size=2>> this certificate</FONT> <BR><FONT size=2>> could be found, unlike any other certificates in CC Pair.</FONT> <BR><FONT size=2>> Lastly, if a CRL signing certificate were issued by a CA </FONT><BR><FONT size=2>> certificate</FONT> <BR><FONT size=2>> with the same DN, it would certainly belong in the same realm, if that</FONT> <BR><FONT size=2>> concept has any meaning at all.</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> Tom Gindin</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> Sharon Boeyen <sharon.boeyen@entrust.com> on 05/02/2001 04:05:54 PM</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> To: "'Tim Polk'" <tim.polk@nist.gov>, Denis Pinkas</FONT> <BR><FONT size=2>> <Denis.Pinkas@bull.net></FONT> <BR><FONT size=2>> cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>> Subject: RE: Basic constraints, key usage, and LDAP schema</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> Hi Tim,</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> I just want to clarify the directory attributes. All certs </FONT><BR><FONT size=2>> that are not</FONT> <BR><FONT size=2>> self issued must go in the cross certificates attribute. All </FONT><BR><FONT size=2>> self issued</FONT> <BR><FONT size=2>> certs must go in the caCertificates attribute. A subset of </FONT><BR><FONT size=2>> the certificates</FONT> <BR><FONT size=2>> in the cross certificate pairs attributes may also be present in the</FONT> <BR><FONT size=2>> caCertificates attribute (those issued within the same realm, </FONT><BR><FONT size=2>> a term left</FONT> <BR><FONT size=2>> undefined). Lets not go back down that rathole :-) The two </FONT><BR><FONT size=2>> attributes are</FONT> <BR><FONT size=2>> not interchangeable. Given that the certs you are talking </FONT><BR><FONT size=2>> about are not</FONT> <BR><FONT size=2>> self issued then they must go in the cross certificate pairs </FONT><BR><FONT size=2>> attribute and</FONT> <BR><FONT size=2>> may also be placed in the caCertificate attribute if issued </FONT><BR><FONT size=2>> within the same</FONT> <BR><FONT size=2>> realm.</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> Sharon</FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> > -----Original Message-----</FONT> <BR><FONT size=2>> > From: Tim Polk [<A href="mailto:tim.polk@nist.gov">mailto:tim.polk@nist.gov</A>]</FONT> <BR><FONT size=2>> > Sent: Wednesday, May 02, 2001 10:43 AM</FONT> <BR><FONT size=2>> > To: Denis Pinkas</FONT> <BR><FONT size=2>> > Cc: ietf-pkix@imc.org</FONT> <BR><FONT size=2>> > Subject: Re: Basic constraints, key usage, and LDAP schema</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > Denis,</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > These messages have been flying fast and furious under several topic</FONT> <BR><FONT size=2>> > lines. I don't believe I caught them all either! As they</FONT> <BR><FONT size=2>> > are all related,</FONT> <BR><FONT size=2>> > it is difficult to resolve the issues one-by-one. The</FONT> <BR><FONT size=2>> > separate solutions</FONT> <BR><FONT size=2>> > may combine to present new problems. That was the rationale</FONT> <BR><FONT size=2>> > for the single</FONT> <BR><FONT size=2>> > comprehensive posting.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > The real problems, in my opinion, are as follows:</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > (1) Consider a PKIX client, searching for a certificate to </FONT><BR><FONT size=2>> validate a</FONT> <BR><FONT size=2>> > particular CRL. Under 2459, the client cannot guess whether</FONT> <BR><FONT size=2>> > the basic</FONT> <BR><FONT size=2>> > constraints extension will be present with the CA bit asserted.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > If the key used to validate the CRL is also used to validate</FONT> <BR><FONT size=2>> > certificates,</FONT> <BR><FONT size=2>> > it will have basic constraints and assert cA is TRUE. In</FONT> <BR><FONT size=2>> > this case, the</FONT> <BR><FONT size=2>> > certificate should be in the ca certificate attribute (or</FONT> <BR><FONT size=2>> > perhaps the cross</FONT> <BR><FONT size=2>> > certificate pairs).</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > If the key is not used to validate certificates, basic</FONT> <BR><FONT size=2>> > constraints will be</FONT> <BR><FONT size=2>> > omitted and the certificate will be stored in the user</FONT> <BR><FONT size=2>> > certificate attribute.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > (2) If a PKIX client wishes to communicate with a CA for certificate</FONT> <BR><FONT size=2>> > management purposes (e.g., to request a new certificate, request</FONT> <BR><FONT size=2>> > revocation, or perhaps centralized key generation for key</FONT> <BR><FONT size=2>> > escrow scenarios)</FONT> <BR><FONT size=2>> > the client will need to validate the CA's signature and</FONT> <BR><FONT size=2>> > perhaps make use of</FONT> <BR><FONT size=2>> > the CA's key management key. If the keys used for these</FONT> <BR><FONT size=2>> > transactions are</FONT> <BR><FONT size=2>> > also used to sign PKCs, the certs will be in the CA certificate</FONT> <BR><FONT size=2>> > attribute. If the keys used for these purposes are not used</FONT> <BR><FONT size=2>> > to sign PKCs,</FONT> <BR><FONT size=2>> > there will be no indication that this entity is a CA and the</FONT> <BR><FONT size=2>> > certs will be</FONT> <BR><FONT size=2>> > stored in the user certificate attribute.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > As above, the PKIX client does not know where to look for these</FONT> <BR><FONT size=2>> > certificates. Where they are not used to sign PKCs, there </FONT><BR><FONT size=2>> will be no</FONT> <BR><FONT size=2>> > indication in the certificate that this entity is a CA at all.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > (3) The attribute certificate profile is very clear regarding</FONT> <BR><FONT size=2>> > AC issuers</FONT> <BR><FONT size=2>> > versus PKC issuers. Section 4.5 states "the AC issuer's PKC</FONT> <BR><FONT size=2>> > MUST NOT have a</FONT> <BR><FONT size=2>> > basicConstraints extension with the cA BOOLEAN set to TRUE."</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > However, the combination of RFC 2459 and the attribute</FONT> <BR><FONT size=2>> > certificate profile</FONT> <BR><FONT size=2>> > does not permit an issuer to specify whether a subject can </FONT><BR><FONT size=2>> issue CRLs</FONT> <BR><FONT size=2>> > for PKCs, ACs, or both. This would provide us with an</FONT> <BR><FONT size=2>> > analogous solution:</FONT> <BR><FONT size=2>> > if the CA bit is not asserted, but the cRLSign bit is set in</FONT> <BR><FONT size=2>> > key usage, the</FONT> <BR><FONT size=2>> > subject is only permitted to issue CRLs for ACs.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > To be honest, (3) is the least compelling problem. The CA</FONT> <BR><FONT size=2>> > must explicitly</FONT> <BR><FONT size=2>> > name an indirect CRL issuer in PKCs it issues *anyway*, so</FONT> <BR><FONT size=2>> > the CA bit isn't</FONT> <BR><FONT size=2>> > a big security issue. Still, I think it is nice to supply</FONT> <BR><FONT size=2>> > clients with</FONT> <BR><FONT size=2>> > this information.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > Anyway, I hope this clarifies things a bit. My goal was to</FONT> <BR><FONT size=2>> > resolve all</FONT> <BR><FONT size=2>> > three problems simultaneously and consistently.</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > Thanks,</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > Tim Polk</FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> > At 03:14 PM 5/2/01 +0200, Denis Pinkas wrote:</FONT> <BR><FONT size=2>> > >Tim,</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >I stayed silent on that topic and it is quite hard to catch</FONT> <BR><FONT size=2>> > all the e-mails</FONT> <BR><FONT size=2>> > >related to it. I certainly missed or skipped missed some of them.</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > > > Terry,</FONT> <BR><FONT size=2>> > > ></FONT> <BR><FONT size=2>> > > > I think it would be best if the client did not need to check the</FONT> <BR><FONT size=2>> > > > userCertificate attribute to validate CRLs. This adds</FONT> <BR><FONT size=2>> > complexity without</FONT> <BR><FONT size=2>> > > > any real benefit (in my opinion.) I have included some</FONT> <BR><FONT size=2>> > proposed text for</FONT> <BR><FONT size=2>> > > > the first paragraph of section 4.2.1.10 (basic</FONT> <BR><FONT size=2>> > constraints) that would</FONT> <BR><FONT size=2>> > > > clarify the issue.</FONT> <BR><FONT size=2>> > > ></FONT> <BR><FONT size=2>> > > > ----------------proposed text for first paragraph of</FONT> <BR><FONT size=2>> > > 4.2.1.10----------------</FONT> <BR><FONT size=2>> > > ></FONT> <BR><FONT size=2>> > > > The basic constraints extension identifies whether the</FONT> <BR><FONT size=2>> > subject of the</FONT> <BR><FONT size=2>> > > > certificate is a CA and the maximum depth of valid</FONT> <BR><FONT size=2>> > certification paths that</FONT> <BR><FONT size=2>> > > > include this certificate. A subject is considered a CA</FONT> <BR><FONT size=2>> > if it issues public</FONT> <BR><FONT size=2>> > > > key certificates or CRLs that describe the revocation</FONT> <BR><FONT size=2>> > status of public key</FONT> <BR><FONT size=2>> > > > certificates.</FONT> <BR><FONT size=2>> > > ></FONT> <BR><FONT size=2>> > > > ----------------------end proposed text</FONT> <BR><FONT size=2>> > > > What do you think?</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >RFC 2459 only said:</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > > The basic constraints extension identifies whether the</FONT> <BR><FONT size=2>> > subject of the</FONT> <BR><FONT size=2>> > > certificate is a CA and how deep a certification path may exist</FONT> <BR><FONT size=2>> > > through that CA.</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >However, according to the new text a "CRL Issuer" is now</FONT> <BR><FONT size=2>> > also a "CA": " A</FONT> <BR><FONT size=2>> > >subject is considered a CA if it issues public key</FONT> <BR><FONT size=2>> > certificates or CRLs that</FONT> <BR><FONT size=2>> > >describe the revocation status of public key certificates."</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >The current text of new-part1-06 also goes in the same direction.</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > > The cA bit indicates if the certified public key may be used to</FONT> <BR><FONT size=2>> > > verify signatures on other certificates. If the cA bit</FONT> <BR><FONT size=2>> > is asserted,</FONT> <BR><FONT size=2>> > > then either the keyCertSign bit or the cRLSign bit in</FONT> <BR><FONT size=2>> > the key usage</FONT> <BR><FONT size=2>> > > extension (see 4.2.1.3) MUST also be asserted. If the cA</FONT> <BR><FONT size=2>> > bit is not</FONT> <BR><FONT size=2>> > > asserted, then both the keyCertSign bit and the cRLSign</FONT> <BR><FONT size=2>> > in the key</FONT> <BR><FONT size=2>> > > usage extension MUST NOT be asserted.</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >This seems quite strange. A CRL issuer is just one way to</FONT> <BR><FONT size=2>> > make available</FONT> <BR><FONT size=2>> > >revocation status information. OCSP is another way. RFC 2560 says:</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > > OCSP signing delegation SHALL be designated by the</FONT> <BR><FONT size=2>> > > inclusion of id-kp-OCSPSigning in an extendedKeyUsage </FONT><BR><FONT size=2>> certificate</FONT> <BR><FONT size=2>> > > extension included in the OCSP response signer's</FONT> <BR><FONT size=2>> > certificate. This</FONT> <BR><FONT size=2>> > > certificate MUST be issued directly by the CA that issued the</FONT> <BR><FONT size=2>> > > certificate in question.</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >If a "CRL issuer" is a "CA", why should an OCSP responder</FONT> <BR><FONT size=2>> > designated by a CA</FONT> <BR><FONT size=2>> > >not also be a "CA" ?</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >As far as I remember, originally the cA boolean in the basic</FONT> <BR><FONT size=2>> > constraints</FONT> <BR><FONT size=2>> > >extension only allowed to make the difference between leaf</FONT> <BR><FONT size=2>> > certificates and</FONT> <BR><FONT size=2>> > >CA certificates. This boolean now seems to be be used with a</FONT> <BR><FONT size=2>> > different</FONT> <BR><FONT size=2>> > >meaning (and, maybe, we should change its meaning - not </FONT><BR><FONT size=2>> the syntax).</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >Could someone say again, why that change was requested and</FONT> <BR><FONT size=2>> > what are the real</FONT> <BR><FONT size=2>> > >benefits of that change ?</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >In other words, could someone say again what the problem was ? :-)</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >Thanks,</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > >Denis</FONT> <BR><FONT size=2>> > ></FONT> <BR><FONT size=2>> > > > Thanks,</FONT> <BR><FONT size=2>> > > ></FONT> <BR><FONT size=2>> > > > Tim Polk</FONT> <BR><FONT size=2>> > > ></FONT> <BR><FONT size=2>> > > > At 01:41 PM 5/1/01 -0700, Terry Hayes wrote:</FONT> <BR><FONT size=2>> > > > >Tim,</FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > >I agree with your proposed solution. As you have said,</FONT> <BR><FONT size=2>> > it separates the</FONT> <BR><FONT size=2>> > > > >semantics of the two extensions, and simplifies the</FONT> <BR><FONT size=2>> > rules for the LDAP</FONT> <BR><FONT size=2>> > > schema.</FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > >There is one remaining point to address, and I believe</FONT> <BR><FONT size=2>> > it may be the main</FONT> <BR><FONT size=2>> > > > >point of discussion in the current thread.</FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > >When a CA uses the CRLDP extension to designate another</FONT> <BR><FONT size=2>> > entity to be the</FONT> <BR><FONT size=2>> > > > >source for revocation information about some of its</FONT> <BR><FONT size=2>> > certificates, should</FONT> <BR><FONT size=2>> > > > >that entity have a "CA" certificate (with appropriate</FONT> <BR><FONT size=2>> > basicConstraints</FONT> <BR><FONT size=2>> > > > >extension)? I'm *not* suggesting that a</FONT> <BR><FONT size=2>> > basicConstraints extension is</FONT> <BR><FONT size=2>> > > > >necessary for the entity to be authorized to sign the</FONT> <BR><FONT size=2>> > CRL. Instead, the</FONT> <BR><FONT size=2>> > > > >problem is that clients that are trying to locate the</FONT> <BR><FONT size=2>> > certificate will not</FONT> <BR><FONT size=2>> > > > >know whether they should look in the cACertificate</FONT> <BR><FONT size=2>> > attribute or the</FONT> <BR><FONT size=2>> > > > >userCertificate attribute to find the appropriate certificate.</FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > >To solve this, we can suggest that cACertificate be</FONT> <BR><FONT size=2>> > searched first,</FONT> <BR><FONT size=2>> > > > >followed by userCertificate, or we can require that</FONT> <BR><FONT size=2>> > designated entities</FONT> <BR><FONT size=2>> > > > >must always be a "CA", and the client can safely skip</FONT> <BR><FONT size=2>> > the userCertificate</FONT> <BR><FONT size=2>> > > > >attribute. This is a question of searching the</FONT> <BR><FONT size=2>> > directory only, and does</FONT> <BR><FONT size=2>> > > > >not suggest changing your assertion that any set of bits</FONT> <BR><FONT size=2>> > may be set in the</FONT> <BR><FONT size=2>> > > > >keyUsage extension of "CA" certificates.</FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > >Terry</FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > >Tim Polk wrote:</FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > >>Folks,</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>I have been reading the email messages on the list about the</FONT> <BR><FONT size=2>> > > > >>relationships between basic constraints, key usage, and</FONT> <BR><FONT size=2>> > the schema.</FONT> <BR><FONT size=2>> > > > >>After mulling over the problem. I would like to</FONT> <BR><FONT size=2>> > propose a solution - the</FONT> <BR><FONT size=2>> > > > >>only solution, as far as I can tell...</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>The solution is to simplify and separate the semantics</FONT> <BR><FONT size=2>> > of the basic</FONT> <BR><FONT size=2>> > > > >>constraints and key usage extension. This has positive</FONT> <BR><FONT size=2>> > implications for</FONT> <BR><FONT size=2>> > > > >>the PKIX LDAP schema as well.</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>Basic Constraints</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>As stated in the current text for Basic Constraints (in</FONT> <BR><FONT size=2>> > 2459): "The</FONT> <BR><FONT size=2>> > > > >>basic constraints extension identifies whether the</FONT> <BR><FONT size=2>> > subject of the</FONT> <BR><FONT size=2>> > > > >>certificate is a CA and how deep a certification path</FONT> <BR><FONT size=2>> > may exist through</FONT> <BR><FONT size=2>> > > > >>that CA."</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>I believe this is the right semantics, and that basic</FONT> <BR><FONT size=2>> > constraints should</FONT> <BR><FONT size=2>> > > > >>be included and cA should be asserted in *any*</FONT> <BR><FONT size=2>> > certificate issued to a</FONT> <BR><FONT size=2>> > > > >>CA, regardless of the type or role associated with the</FONT> <BR><FONT size=2>> > public key in the</FONT> <BR><FONT size=2>> > > > >>certificate.</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>Key Usage</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>The issuer should use the Key Usage extension to</FONT> <BR><FONT size=2>> > disambiguate the</FONT> <BR><FONT size=2>> > > > >>subject's key pairs:</FONT> <BR><FONT size=2>> > > > >>(a) The issuer indicates this public key may be used to</FONT> <BR><FONT size=2>> > verify the</FONT> <BR><FONT size=2>> > > > >>signature on a public key certificate by asserting</FONT> <BR><FONT size=2>> > keyCertSign. (b) The</FONT> <BR><FONT size=2>> > > > >>issuer indicates this public key may be used to verify</FONT> <BR><FONT size=2>> > the signature on</FONT> <BR><FONT size=2>> > > > >>CRLs by asserting cRLSign. (c) The issuer indicates</FONT> <BR><FONT size=2>> > that this public key</FONT> <BR><FONT size=2>> > > > >>may be used to establish symmetric keys with the</FONT> <BR><FONT size=2>> > subject by asserting</FONT> <BR><FONT size=2>> > > > >>either keyEncipherment or keyAgreement. (d) The issuer</FONT> <BR><FONT size=2>> > indicates that</FONT> <BR><FONT size=2>> > > > >>this public key may be used to verify signatures on</FONT> <BR><FONT size=2>> > objects other than</FONT> <BR><FONT size=2>> > > > >>public key certificates and CRLs by asserting </FONT><BR><FONT size=2>> nonRerpuidation or</FONT> <BR><FONT size=2>> > > > >>digitalSignature.</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>Of course, if a key pair is used for multiple purposes,</FONT> <BR><FONT size=2>> > multiple key</FONT> <BR><FONT size=2>> > > > >>usages may be asserted.</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>In each of these cases, the basic constraints extension</FONT> <BR><FONT size=2>> > also appears in</FONT> <BR><FONT size=2>> > > > >>the certificate and asserts that the subject is a CA.</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>LDAP Schema</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>All certificates issued to CAs would be considered CA</FONT> <BR><FONT size=2>> > certificates since</FONT> <BR><FONT size=2>> > > > >>the basic constraints extension is present and asserts</FONT> <BR><FONT size=2>> > that the subject</FONT> <BR><FONT size=2>> > > > >>is a CA. As a result, each of these could appear in</FONT> <BR><FONT size=2>> > the cACertificate</FONT> <BR><FONT size=2>> > > > >>attribute or crossCertificatePair attribute. They</FONT> <BR><FONT size=2>> > would *not* appear in</FONT> <BR><FONT size=2>> > > > >>the userCertificate attribute. (That would include all</FONT> <BR><FONT size=2>> > types (a) through</FONT> <BR><FONT size=2>> > > > >>(d) above).</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>------------------</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>The implications of this strategy are as follows: (1)</FONT> <BR><FONT size=2>> > when a client is</FONT> <BR><FONT size=2>> > > > >>searching for a CA certificate, they will not have to </FONT><BR><FONT size=2>> check the</FONT> <BR><FONT size=2>> > > > >>userCertificate attribute; (2) the issuer can indicate</FONT> <BR><FONT size=2>> > that the subject</FONT> <BR><FONT size=2>> > > > >>is a CA regardless of the key usage; and (3) minimal</FONT> <BR><FONT size=2>> > changes to the text</FONT> <BR><FONT size=2>> > > > >>(my favorite!).</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>What do you think?</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>Thanks,</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >>Tim Polk</FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > >></FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> > > > ></FONT> <BR><FONT size=2>> ></FONT> <BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT><BR><FONT size=2>> </FONT></P></BODY></HTML> ------_=_NextPart_001_01C0D3EE.A5514DA0-- Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA08847 for <ietf-pkix@imc.org>; Thu, 3 May 2001 07:49:39 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id QAA16986; Thu, 3 May 2001 16:49:28 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id QAA17254; Thu, 3 May 2001 16:49:01 +0200 Message-ID: <3AF16FE0.B987EBE1@bull.net> Date: Thu, 03 May 2001 16:49:04 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Santosh Chokhani <chokhani@cygnacom.com> CC: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: Re: delta CRLs References: <8D7EC1912E25D411A32100D0B76953977CE603@scygmxs01.cygnacom.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Santosh, Mails are crossing around, and are not necessarilly received in the same order. :-) You indicated "Also a minor technical change to your other sentence" in your response to Russ: "An application can construct an updated CRL by retrieving the appropriate base CRL for that scope, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number or lower number as the base CRL." What is a "delta CRL which contains a delta CRL indicator extension with (...) lower number as the base CRL." If you pick this delta CRL then it is missing some of the information. Unless you speak of the time T and compare it with thisUpdate and nextUpdate this does not work. You also said: " Please note that the delta CRL can always be applied to a higher base than the one referenced in the delta CRL extension." You now say "higher" in that sentence. This is even more confusing. Please take note that the intent is to describe what is necessary to support the "traditional scheme" and I got the feeling that you would like this sentence to support a different scheme. On April 19, David Cooper provided some explanations making some confusing between the numering of delta-CRLs and the numbering of base CRLs. Thay have no relationships besides that the numbers should always increase. If I just re-use the text from David, then you get the effect he wanted without the need to take advantage of any new sequential numbering. Here is the corrected text: " Suppose that delta-CRLs are issued once an hour. For example, suppose that a base CRL, CRL number 5, was issued at midnight and that every hour for the next 24 hours, delta-CRLs were issued with a BaseCRLNumber of 5. If a relying party performs its first validation at 3:10am, it would the base CRL issued at midnight and the delta-CRL issued at 3:00am (e.g. CRL number 28). It would combine these to construct the freshest CRL. A few hours later, at 6:30am, the relying party performs another validation. The relying party has, in its local cache, the CRL which it constructed at 3:10am. It wants to update the information in its local case to based on the newly available revocation information. So, it obtains the latest delta-CRL. This delta-CRL has a CRL number of 42 and a BaseCRLnumber of 5. Since it has a BaseCRLNumber of 5, the delta-CRL provides status information for all certificates whose status has changed since CRL number 5 was issued (midnight). So, clearly the delta-CRL provides status information for all certificates whose status has changed since 3:00am when CRL number 28 was issued. Thus, the relying party can combine the delta-CRL with its locally cached version of the CRL which it constructed at 3:10am to obtain the freshest CRL." So the addition you were proposing is not adequate. If we were going to support variations beyond the traditional scheme, this should be in a separate sentence. Regards, Denis Received: from sottmxs02.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA08342 for <ietf-pkix@imc.org>; Thu, 3 May 2001 07:41:28 -0700 (PDT) Received: by sottmxs02.entrust.com with Internet Mail Service (5.5.2650.21) id <J432Y2B4>; Thu, 3 May 2001 10:40:57 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA401D@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Tom Gindin'" <tgindin@us.ibm.com>, Sharon Boeyen <sharon.boeyen@entrust.com> Cc: "'Tim Polk'" <tim.polk@nist.gov>, Denis Pinkas <Denis.Pinkas@bull.net>, ietf-pkix@imc.org Subject: RE: Basic constraints, key usage, and LDAP schema Date: Thu, 3 May 2001 10:34:42 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D3DE.30CBFFD0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D3DE.30CBFFD0 Content-Type: text/plain I see your point - I was missing the point that they are self-issued and was thinking of the case where you are delegating authority to an indirect issuer. In the indirect case the cert would need to be in the cross-cert pairs attribute and may also appear in the caCerts attribute. On the self issued ones, why are they needed at all? Why would a CA issue a cert to itself indicating that it can sign CRLs? Why do we need that? Sharon > -----Original Message----- > From: Tom Gindin [mailto:tgindin@us.ibm.com] > Sent: Wednesday, May 02, 2001 5:43 PM > To: Sharon Boeyen > Cc: 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org > Subject: RE: Basic constraints, key usage, and LDAP schema > > > > In the current draft of X.509v4, "self-issued" means something > different than "self-signed". "self-issued" appears to be > the condition > "the certificate's subject name can be matched to its own issuer name, > which is that of a CA", while "self-signed" is that with the added > condition "the certificate signature is verifiable with the public key > contained in the message". Most of these CRL signing certificates are > "self-issued" in this sense, although not "self-signed". > One other reason why such CRL signing certificates would > legitimately > not go into the CC Pair attribute would be that there is no > other directory > entry where the CA certificate to verify the signature on > this certificate > could be found, unlike any other certificates in CC Pair. > Lastly, if a CRL signing certificate were issued by a CA > certificate > with the same DN, it would certainly belong in the same realm, if that > concept has any meaning at all. > > Tom Gindin > > > Sharon Boeyen <sharon.boeyen@entrust.com> on 05/02/2001 04:05:54 PM > > To: "'Tim Polk'" <tim.polk@nist.gov>, Denis Pinkas > <Denis.Pinkas@bull.net> > cc: ietf-pkix@imc.org > Subject: RE: Basic constraints, key usage, and LDAP schema > > > Hi Tim, > > > I just want to clarify the directory attributes. All certs > that are not > self issued must go in the cross certificates attribute. All > self issued > certs must go in the caCertificates attribute. A subset of > the certificates > in the cross certificate pairs attributes may also be present in the > caCertificates attribute (those issued within the same realm, > a term left > undefined). Lets not go back down that rathole :-) The two > attributes are > not interchangeable. Given that the certs you are talking > about are not > self issued then they must go in the cross certificate pairs > attribute and > may also be placed in the caCertificate attribute if issued > within the same > realm. > > > Sharon > > > > -----Original Message----- > > From: Tim Polk [mailto:tim.polk@nist.gov] > > Sent: Wednesday, May 02, 2001 10:43 AM > > To: Denis Pinkas > > Cc: ietf-pkix@imc.org > > Subject: Re: Basic constraints, key usage, and LDAP schema > > > > > > Denis, > > > > These messages have been flying fast and furious under several topic > > lines. I don't believe I caught them all either! As they > > are all related, > > it is difficult to resolve the issues one-by-one. The > > separate solutions > > may combine to present new problems. That was the rationale > > for the single > > comprehensive posting. > > > > The real problems, in my opinion, are as follows: > > > > (1) Consider a PKIX client, searching for a certificate to > validate a > > particular CRL. Under 2459, the client cannot guess whether > > the basic > > constraints extension will be present with the CA bit asserted. > > > > If the key used to validate the CRL is also used to validate > > certificates, > > it will have basic constraints and assert cA is TRUE. In > > this case, the > > certificate should be in the ca certificate attribute (or > > perhaps the cross > > certificate pairs). > > > > If the key is not used to validate certificates, basic > > constraints will be > > omitted and the certificate will be stored in the user > > certificate attribute. > > > > (2) If a PKIX client wishes to communicate with a CA for certificate > > management purposes (e.g., to request a new certificate, request > > revocation, or perhaps centralized key generation for key > > escrow scenarios) > > the client will need to validate the CA's signature and > > perhaps make use of > > the CA's key management key. If the keys used for these > > transactions are > > also used to sign PKCs, the certs will be in the CA certificate > > attribute. If the keys used for these purposes are not used > > to sign PKCs, > > there will be no indication that this entity is a CA and the > > certs will be > > stored in the user certificate attribute. > > > > As above, the PKIX client does not know where to look for these > > certificates. Where they are not used to sign PKCs, there > will be no > > indication in the certificate that this entity is a CA at all. > > > > (3) The attribute certificate profile is very clear regarding > > AC issuers > > versus PKC issuers. Section 4.5 states "the AC issuer's PKC > > MUST NOT have a > > basicConstraints extension with the cA BOOLEAN set to TRUE." > > > > However, the combination of RFC 2459 and the attribute > > certificate profile > > does not permit an issuer to specify whether a subject can > issue CRLs > > for PKCs, ACs, or both. This would provide us with an > > analogous solution: > > if the CA bit is not asserted, but the cRLSign bit is set in > > key usage, the > > subject is only permitted to issue CRLs for ACs. > > > > To be honest, (3) is the least compelling problem. The CA > > must explicitly > > name an indirect CRL issuer in PKCs it issues *anyway*, so > > the CA bit isn't > > a big security issue. Still, I think it is nice to supply > > clients with > > this information. > > > > Anyway, I hope this clarifies things a bit. My goal was to > > resolve all > > three problems simultaneously and consistently. > > > > Thanks, > > > > Tim Polk > > > > At 03:14 PM 5/2/01 +0200, Denis Pinkas wrote: > > >Tim, > > > > > >I stayed silent on that topic and it is quite hard to catch > > all the e-mails > > >related to it. I certainly missed or skipped missed some of them. > > > > > > > Terry, > > > > > > > > I think it would be best if the client did not need to check the > > > > userCertificate attribute to validate CRLs. This adds > > complexity without > > > > any real benefit (in my opinion.) I have included some > > proposed text for > > > > the first paragraph of section 4.2.1.10 (basic > > constraints) that would > > > > clarify the issue. > > > > > > > > ----------------proposed text for first paragraph of > > > 4.2.1.10---------------- > > > > > > > > The basic constraints extension identifies whether the > > subject of the > > > > certificate is a CA and the maximum depth of valid > > certification paths that > > > > include this certificate. A subject is considered a CA > > if it issues public > > > > key certificates or CRLs that describe the revocation > > status of public key > > > > certificates. > > > > > > > > ----------------------end proposed text > > > > What do you think? > > > > > >RFC 2459 only said: > > > > > > The basic constraints extension identifies whether the > > subject of the > > > certificate is a CA and how deep a certification path may exist > > > through that CA. > > > > > >However, according to the new text a "CRL Issuer" is now > > also a "CA": " A > > >subject is considered a CA if it issues public key > > certificates or CRLs that > > >describe the revocation status of public key certificates." > > > > > >The current text of new-part1-06 also goes in the same direction. > > > > > > The cA bit indicates if the certified public key may be used to > > > verify signatures on other certificates. If the cA bit > > is asserted, > > > then either the keyCertSign bit or the cRLSign bit in > > the key usage > > > extension (see 4.2.1.3) MUST also be asserted. If the cA > > bit is not > > > asserted, then both the keyCertSign bit and the cRLSign > > in the key > > > usage extension MUST NOT be asserted. > > > > > >This seems quite strange. A CRL issuer is just one way to > > make available > > >revocation status information. OCSP is another way. RFC 2560 says: > > > > > > OCSP signing delegation SHALL be designated by the > > > inclusion of id-kp-OCSPSigning in an extendedKeyUsage > certificate > > > extension included in the OCSP response signer's > > certificate. This > > > certificate MUST be issued directly by the CA that issued the > > > certificate in question. > > > > > >If a "CRL issuer" is a "CA", why should an OCSP responder > > designated by a CA > > >not also be a "CA" ? > > > > > >As far as I remember, originally the cA boolean in the basic > > constraints > > >extension only allowed to make the difference between leaf > > certificates and > > >CA certificates. This boolean now seems to be be used with a > > different > > >meaning (and, maybe, we should change its meaning - not > the syntax). > > > > > >Could someone say again, why that change was requested and > > what are the real > > >benefits of that change ? > > > > > >In other words, could someone say again what the problem was ? :-) > > > > > >Thanks, > > > > > >Denis > > > > > > > Thanks, > > > > > > > > Tim Polk > > > > > > > > At 01:41 PM 5/1/01 -0700, Terry Hayes wrote: > > > > >Tim, > > > > > > > > > >I agree with your proposed solution. As you have said, > > it separates the > > > > >semantics of the two extensions, and simplifies the > > rules for the LDAP > > > schema. > > > > > > > > > >There is one remaining point to address, and I believe > > it may be the main > > > > >point of discussion in the current thread. > > > > > > > > > >When a CA uses the CRLDP extension to designate another > > entity to be the > > > > >source for revocation information about some of its > > certificates, should > > > > >that entity have a "CA" certificate (with appropriate > > basicConstraints > > > > >extension)? I'm *not* suggesting that a > > basicConstraints extension is > > > > >necessary for the entity to be authorized to sign the > > CRL. Instead, the > > > > >problem is that clients that are trying to locate the > > certificate will not > > > > >know whether they should look in the cACertificate > > attribute or the > > > > >userCertificate attribute to find the appropriate certificate. > > > > > > > > > >To solve this, we can suggest that cACertificate be > > searched first, > > > > >followed by userCertificate, or we can require that > > designated entities > > > > >must always be a "CA", and the client can safely skip > > the userCertificate > > > > >attribute. This is a question of searching the > > directory only, and does > > > > >not suggest changing your assertion that any set of bits > > may be set in the > > > > >keyUsage extension of "CA" certificates. > > > > > > > > > >Terry > > > > > > > > > >Tim Polk wrote: > > > > > > > > > >>Folks, > > > > >> > > > > >>I have been reading the email messages on the list about the > > > > >>relationships between basic constraints, key usage, and > > the schema. > > > > >>After mulling over the problem. I would like to > > propose a solution - the > > > > >>only solution, as far as I can tell... > > > > >> > > > > >>The solution is to simplify and separate the semantics > > of the basic > > > > >>constraints and key usage extension. This has positive > > implications for > > > > >>the PKIX LDAP schema as well. > > > > >> > > > > >>Basic Constraints > > > > >> > > > > >>As stated in the current text for Basic Constraints (in > > 2459): "The > > > > >>basic constraints extension identifies whether the > > subject of the > > > > >>certificate is a CA and how deep a certification path > > may exist through > > > > >>that CA." > > > > >> > > > > >>I believe this is the right semantics, and that basic > > constraints should > > > > >>be included and cA should be asserted in *any* > > certificate issued to a > > > > >>CA, regardless of the type or role associated with the > > public key in the > > > > >>certificate. > > > > >> > > > > >>Key Usage > > > > >> > > > > >>The issuer should use the Key Usage extension to > > disambiguate the > > > > >>subject's key pairs: > > > > >>(a) The issuer indicates this public key may be used to > > verify the > > > > >>signature on a public key certificate by asserting > > keyCertSign. (b) The > > > > >>issuer indicates this public key may be used to verify > > the signature on > > > > >>CRLs by asserting cRLSign. (c) The issuer indicates > > that this public key > > > > >>may be used to establish symmetric keys with the > > subject by asserting > > > > >>either keyEncipherment or keyAgreement. (d) The issuer > > indicates that > > > > >>this public key may be used to verify signatures on > > objects other than > > > > >>public key certificates and CRLs by asserting > nonRerpuidation or > > > > >>digitalSignature. > > > > >> > > > > >>Of course, if a key pair is used for multiple purposes, > > multiple key > > > > >>usages may be asserted. > > > > >> > > > > >>In each of these cases, the basic constraints extension > > also appears in > > > > >>the certificate and asserts that the subject is a CA. > > > > >> > > > > >>LDAP Schema > > > > >> > > > > >>All certificates issued to CAs would be considered CA > > certificates since > > > > >>the basic constraints extension is present and asserts > > that the subject > > > > >>is a CA. As a result, each of these could appear in > > the cACertificate > > > > >>attribute or crossCertificatePair attribute. They > > would *not* appear in > > > > >>the userCertificate attribute. (That would include all > > types (a) through > > > > >>(d) above). > > > > >> > > > > >>------------------ > > > > >> > > > > >>The implications of this strategy are as follows: (1) > > when a client is > > > > >>searching for a CA certificate, they will not have to > check the > > > > >>userCertificate attribute; (2) the issuer can indicate > > that the subject > > > > >>is a CA regardless of the key usage; and (3) minimal > > changes to the text > > > > >>(my favorite!). > > > > >> > > > > >>What do you think? > > > > >> > > > > >>Thanks, > > > > >> > > > > >>Tim Polk > > > > >> > > > > >> > > > > > > > > > > > > > > > ------_=_NextPart_001_01C0D3DE.30CBFFD0 Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: Basic constraints, key usage, and LDAP schema</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>I see your point - I was missing the point that they are self-issued and was </FONT> <BR><FONT SIZE=2>thinking of the case where you are delegating authority to an indirect </FONT> <BR><FONT SIZE=2>issuer. In the indirect case the cert would need to be in the cross-cert pairs</FONT> <BR><FONT SIZE=2>attribute and may also appear in the caCerts attribute.</FONT> </P> <P><FONT SIZE=2>On the self issued ones, why are they needed at all? Why would a CA issue </FONT> <BR><FONT SIZE=2>a cert to itself indicating that it can sign CRLs? Why do we need that?</FONT> </P> <P><FONT SIZE=2>Sharon</FONT> </P> <P><FONT SIZE=2>> -----Original Message-----</FONT> <BR><FONT SIZE=2>> From: Tom Gindin [<A HREF="mailto:tgindin@us.ibm.com">mailto:tgindin@us.ibm.com</A>]</FONT> <BR><FONT SIZE=2>> Sent: Wednesday, May 02, 2001 5:43 PM</FONT> <BR><FONT SIZE=2>> To: Sharon Boeyen</FONT> <BR><FONT SIZE=2>> Cc: 'Tim Polk'; Denis Pinkas; ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>> Subject: RE: Basic constraints, key usage, and LDAP schema</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> In the current draft of X.509v4, "self-issued" means something</FONT> <BR><FONT SIZE=2>> different than "self-signed". "self-issued" appears to be </FONT> <BR><FONT SIZE=2>> the condition</FONT> <BR><FONT SIZE=2>> "the certificate's subject name can be matched to its own issuer name,</FONT> <BR><FONT SIZE=2>> which is that of a CA", while "self-signed" is that with the added</FONT> <BR><FONT SIZE=2>> condition "the certificate signature is verifiable with the public key</FONT> <BR><FONT SIZE=2>> contained in the message". Most of these CRL signing certificates are</FONT> <BR><FONT SIZE=2>> "self-issued" in this sense, although not "self-signed".</FONT> <BR><FONT SIZE=2>> One other reason why such CRL signing certificates would </FONT> <BR><FONT SIZE=2>> legitimately</FONT> <BR><FONT SIZE=2>> not go into the CC Pair attribute would be that there is no </FONT> <BR><FONT SIZE=2>> other directory</FONT> <BR><FONT SIZE=2>> entry where the CA certificate to verify the signature on </FONT> <BR><FONT SIZE=2>> this certificate</FONT> <BR><FONT SIZE=2>> could be found, unlike any other certificates in CC Pair.</FONT> <BR><FONT SIZE=2>> Lastly, if a CRL signing certificate were issued by a CA </FONT> <BR><FONT SIZE=2>> certificate</FONT> <BR><FONT SIZE=2>> with the same DN, it would certainly belong in the same realm, if that</FONT> <BR><FONT SIZE=2>> concept has any meaning at all.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Tom Gindin</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Sharon Boeyen <sharon.boeyen@entrust.com> on 05/02/2001 04:05:54 PM</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> To: "'Tim Polk'" <tim.polk@nist.gov>, Denis Pinkas</FONT> <BR><FONT SIZE=2>> <Denis.Pinkas@bull.net></FONT> <BR><FONT SIZE=2>> cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>> Subject: RE: Basic constraints, key usage, and LDAP schema</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Hi Tim,</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> I just want to clarify the directory attributes. All certs </FONT> <BR><FONT SIZE=2>> that are not</FONT> <BR><FONT SIZE=2>> self issued must go in the cross certificates attribute. All </FONT> <BR><FONT SIZE=2>> self issued</FONT> <BR><FONT SIZE=2>> certs must go in the caCertificates attribute. A subset of </FONT> <BR><FONT SIZE=2>> the certificates</FONT> <BR><FONT SIZE=2>> in the cross certificate pairs attributes may also be present in the</FONT> <BR><FONT SIZE=2>> caCertificates attribute (those issued within the same realm, </FONT> <BR><FONT SIZE=2>> a term left</FONT> <BR><FONT SIZE=2>> undefined). Lets not go back down that rathole :-) The two </FONT> <BR><FONT SIZE=2>> attributes are</FONT> <BR><FONT SIZE=2>> not interchangeable. Given that the certs you are talking </FONT> <BR><FONT SIZE=2>> about are not</FONT> <BR><FONT SIZE=2>> self issued then they must go in the cross certificate pairs </FONT> <BR><FONT SIZE=2>> attribute and</FONT> <BR><FONT SIZE=2>> may also be placed in the caCertificate attribute if issued </FONT> <BR><FONT SIZE=2>> within the same</FONT> <BR><FONT SIZE=2>> realm.</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> Sharon</FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> > -----Original Message-----</FONT> <BR><FONT SIZE=2>> > From: Tim Polk [<A HREF="mailto:tim.polk@nist.gov">mailto:tim.polk@nist.gov</A>]</FONT> <BR><FONT SIZE=2>> > Sent: Wednesday, May 02, 2001 10:43 AM</FONT> <BR><FONT SIZE=2>> > To: Denis Pinkas</FONT> <BR><FONT SIZE=2>> > Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>> > Subject: Re: Basic constraints, key usage, and LDAP schema</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > Denis,</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > These messages have been flying fast and furious under several topic</FONT> <BR><FONT SIZE=2>> > lines. I don't believe I caught them all either! As they</FONT> <BR><FONT SIZE=2>> > are all related,</FONT> <BR><FONT SIZE=2>> > it is difficult to resolve the issues one-by-one. The</FONT> <BR><FONT SIZE=2>> > separate solutions</FONT> <BR><FONT SIZE=2>> > may combine to present new problems. That was the rationale</FONT> <BR><FONT SIZE=2>> > for the single</FONT> <BR><FONT SIZE=2>> > comprehensive posting.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > The real problems, in my opinion, are as follows:</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > (1) Consider a PKIX client, searching for a certificate to </FONT> <BR><FONT SIZE=2>> validate a</FONT> <BR><FONT SIZE=2>> > particular CRL. Under 2459, the client cannot guess whether</FONT> <BR><FONT SIZE=2>> > the basic</FONT> <BR><FONT SIZE=2>> > constraints extension will be present with the CA bit asserted.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > If the key used to validate the CRL is also used to validate</FONT> <BR><FONT SIZE=2>> > certificates,</FONT> <BR><FONT SIZE=2>> > it will have basic constraints and assert cA is TRUE. In</FONT> <BR><FONT SIZE=2>> > this case, the</FONT> <BR><FONT SIZE=2>> > certificate should be in the ca certificate attribute (or</FONT> <BR><FONT SIZE=2>> > perhaps the cross</FONT> <BR><FONT SIZE=2>> > certificate pairs).</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > If the key is not used to validate certificates, basic</FONT> <BR><FONT SIZE=2>> > constraints will be</FONT> <BR><FONT SIZE=2>> > omitted and the certificate will be stored in the user</FONT> <BR><FONT SIZE=2>> > certificate attribute.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > (2) If a PKIX client wishes to communicate with a CA for certificate</FONT> <BR><FONT SIZE=2>> > management purposes (e.g., to request a new certificate, request</FONT> <BR><FONT SIZE=2>> > revocation, or perhaps centralized key generation for key</FONT> <BR><FONT SIZE=2>> > escrow scenarios)</FONT> <BR><FONT SIZE=2>> > the client will need to validate the CA's signature and</FONT> <BR><FONT SIZE=2>> > perhaps make use of</FONT> <BR><FONT SIZE=2>> > the CA's key management key. If the keys used for these</FONT> <BR><FONT SIZE=2>> > transactions are</FONT> <BR><FONT SIZE=2>> > also used to sign PKCs, the certs will be in the CA certificate</FONT> <BR><FONT SIZE=2>> > attribute. If the keys used for these purposes are not used</FONT> <BR><FONT SIZE=2>> > to sign PKCs,</FONT> <BR><FONT SIZE=2>> > there will be no indication that this entity is a CA and the</FONT> <BR><FONT SIZE=2>> > certs will be</FONT> <BR><FONT SIZE=2>> > stored in the user certificate attribute.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > As above, the PKIX client does not know where to look for these</FONT> <BR><FONT SIZE=2>> > certificates. Where they are not used to sign PKCs, there </FONT> <BR><FONT SIZE=2>> will be no</FONT> <BR><FONT SIZE=2>> > indication in the certificate that this entity is a CA at all.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > (3) The attribute certificate profile is very clear regarding</FONT> <BR><FONT SIZE=2>> > AC issuers</FONT> <BR><FONT SIZE=2>> > versus PKC issuers. Section 4.5 states "the AC issuer's PKC</FONT> <BR><FONT SIZE=2>> > MUST NOT have a</FONT> <BR><FONT SIZE=2>> > basicConstraints extension with the cA BOOLEAN set to TRUE."</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > However, the combination of RFC 2459 and the attribute</FONT> <BR><FONT SIZE=2>> > certificate profile</FONT> <BR><FONT SIZE=2>> > does not permit an issuer to specify whether a subject can </FONT> <BR><FONT SIZE=2>> issue CRLs</FONT> <BR><FONT SIZE=2>> > for PKCs, ACs, or both. This would provide us with an</FONT> <BR><FONT SIZE=2>> > analogous solution:</FONT> <BR><FONT SIZE=2>> > if the CA bit is not asserted, but the cRLSign bit is set in</FONT> <BR><FONT SIZE=2>> > key usage, the</FONT> <BR><FONT SIZE=2>> > subject is only permitted to issue CRLs for ACs.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > To be honest, (3) is the least compelling problem. The CA</FONT> <BR><FONT SIZE=2>> > must explicitly</FONT> <BR><FONT SIZE=2>> > name an indirect CRL issuer in PKCs it issues *anyway*, so</FONT> <BR><FONT SIZE=2>> > the CA bit isn't</FONT> <BR><FONT SIZE=2>> > a big security issue. Still, I think it is nice to supply</FONT> <BR><FONT SIZE=2>> > clients with</FONT> <BR><FONT SIZE=2>> > this information.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > Anyway, I hope this clarifies things a bit. My goal was to</FONT> <BR><FONT SIZE=2>> > resolve all</FONT> <BR><FONT SIZE=2>> > three problems simultaneously and consistently.</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > Thanks,</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > Tim Polk</FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> > At 03:14 PM 5/2/01 +0200, Denis Pinkas wrote:</FONT> <BR><FONT SIZE=2>> > >Tim,</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >I stayed silent on that topic and it is quite hard to catch</FONT> <BR><FONT SIZE=2>> > all the e-mails</FONT> <BR><FONT SIZE=2>> > >related to it. I certainly missed or skipped missed some of them.</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > > > Terry,</FONT> <BR><FONT SIZE=2>> > > ></FONT> <BR><FONT SIZE=2>> > > > I think it would be best if the client did not need to check the</FONT> <BR><FONT SIZE=2>> > > > userCertificate attribute to validate CRLs. This adds</FONT> <BR><FONT SIZE=2>> > complexity without</FONT> <BR><FONT SIZE=2>> > > > any real benefit (in my opinion.) I have included some</FONT> <BR><FONT SIZE=2>> > proposed text for</FONT> <BR><FONT SIZE=2>> > > > the first paragraph of section 4.2.1.10 (basic</FONT> <BR><FONT SIZE=2>> > constraints) that would</FONT> <BR><FONT SIZE=2>> > > > clarify the issue.</FONT> <BR><FONT SIZE=2>> > > ></FONT> <BR><FONT SIZE=2>> > > > ----------------proposed text for first paragraph of</FONT> <BR><FONT SIZE=2>> > > 4.2.1.10----------------</FONT> <BR><FONT SIZE=2>> > > ></FONT> <BR><FONT SIZE=2>> > > > The basic constraints extension identifies whether the</FONT> <BR><FONT SIZE=2>> > subject of the</FONT> <BR><FONT SIZE=2>> > > > certificate is a CA and the maximum depth of valid</FONT> <BR><FONT SIZE=2>> > certification paths that</FONT> <BR><FONT SIZE=2>> > > > include this certificate. A subject is considered a CA</FONT> <BR><FONT SIZE=2>> > if it issues public</FONT> <BR><FONT SIZE=2>> > > > key certificates or CRLs that describe the revocation</FONT> <BR><FONT SIZE=2>> > status of public key</FONT> <BR><FONT SIZE=2>> > > > certificates.</FONT> <BR><FONT SIZE=2>> > > ></FONT> <BR><FONT SIZE=2>> > > > ----------------------end proposed text</FONT> <BR><FONT SIZE=2>> > > > What do you think?</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >RFC 2459 only said:</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > > The basic constraints extension identifies whether the</FONT> <BR><FONT SIZE=2>> > subject of the</FONT> <BR><FONT SIZE=2>> > > certificate is a CA and how deep a certification path may exist</FONT> <BR><FONT SIZE=2>> > > through that CA.</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >However, according to the new text a "CRL Issuer" is now</FONT> <BR><FONT SIZE=2>> > also a "CA": " A</FONT> <BR><FONT SIZE=2>> > >subject is considered a CA if it issues public key</FONT> <BR><FONT SIZE=2>> > certificates or CRLs that</FONT> <BR><FONT SIZE=2>> > >describe the revocation status of public key certificates."</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >The current text of new-part1-06 also goes in the same direction.</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > > The cA bit indicates if the certified public key may be used to</FONT> <BR><FONT SIZE=2>> > > verify signatures on other certificates. If the cA bit</FONT> <BR><FONT SIZE=2>> > is asserted,</FONT> <BR><FONT SIZE=2>> > > then either the keyCertSign bit or the cRLSign bit in</FONT> <BR><FONT SIZE=2>> > the key usage</FONT> <BR><FONT SIZE=2>> > > extension (see 4.2.1.3) MUST also be asserted. If the cA</FONT> <BR><FONT SIZE=2>> > bit is not</FONT> <BR><FONT SIZE=2>> > > asserted, then both the keyCertSign bit and the cRLSign</FONT> <BR><FONT SIZE=2>> > in the key</FONT> <BR><FONT SIZE=2>> > > usage extension MUST NOT be asserted.</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >This seems quite strange. A CRL issuer is just one way to</FONT> <BR><FONT SIZE=2>> > make available</FONT> <BR><FONT SIZE=2>> > >revocation status information. OCSP is another way. RFC 2560 says:</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > > OCSP signing delegation SHALL be designated by the</FONT> <BR><FONT SIZE=2>> > > inclusion of id-kp-OCSPSigning in an extendedKeyUsage </FONT> <BR><FONT SIZE=2>> certificate</FONT> <BR><FONT SIZE=2>> > > extension included in the OCSP response signer's</FONT> <BR><FONT SIZE=2>> > certificate. This</FONT> <BR><FONT SIZE=2>> > > certificate MUST be issued directly by the CA that issued the</FONT> <BR><FONT SIZE=2>> > > certificate in question.</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >If a "CRL issuer" is a "CA", why should an OCSP responder</FONT> <BR><FONT SIZE=2>> > designated by a CA</FONT> <BR><FONT SIZE=2>> > >not also be a "CA" ?</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >As far as I remember, originally the cA boolean in the basic</FONT> <BR><FONT SIZE=2>> > constraints</FONT> <BR><FONT SIZE=2>> > >extension only allowed to make the difference between leaf</FONT> <BR><FONT SIZE=2>> > certificates and</FONT> <BR><FONT SIZE=2>> > >CA certificates. This boolean now seems to be be used with a</FONT> <BR><FONT SIZE=2>> > different</FONT> <BR><FONT SIZE=2>> > >meaning (and, maybe, we should change its meaning - not </FONT> <BR><FONT SIZE=2>> the syntax).</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >Could someone say again, why that change was requested and</FONT> <BR><FONT SIZE=2>> > what are the real</FONT> <BR><FONT SIZE=2>> > >benefits of that change ?</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >In other words, could someone say again what the problem was ? :-)</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >Thanks,</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > >Denis</FONT> <BR><FONT SIZE=2>> > ></FONT> <BR><FONT SIZE=2>> > > > Thanks,</FONT> <BR><FONT SIZE=2>> > > ></FONT> <BR><FONT SIZE=2>> > > > Tim Polk</FONT> <BR><FONT SIZE=2>> > > ></FONT> <BR><FONT SIZE=2>> > > > At 01:41 PM 5/1/01 -0700, Terry Hayes wrote:</FONT> <BR><FONT SIZE=2>> > > > >Tim,</FONT> <BR><FONT SIZE=2>> > > > ></FONT> <BR><FONT SIZE=2>> > > > >I agree with your proposed solution. As you have said,</FONT> <BR><FONT SIZE=2>> > it separates the</FONT> <BR><FONT SIZE=2>> > > > >semantics of the two extensions, and simplifies the</FONT> <BR><FONT SIZE=2>> > rules for the LDAP</FONT> <BR><FONT SIZE=2>> > > schema.</FONT> <BR><FONT SIZE=2>> > > > ></FONT> <BR><FONT SIZE=2>> > > > >There is one remaining point to address, and I believe</FONT> <BR><FONT SIZE=2>> > it may be the main</FONT> <BR><FONT SIZE=2>> > > > >point of discussion in the current thread.</FONT> <BR><FONT SIZE=2>> > > > ></FONT> <BR><FONT SIZE=2>> > > > >When a CA uses the CRLDP extension to designate another</FONT> <BR><FONT SIZE=2>> > entity to be the</FONT> <BR><FONT SIZE=2>> > > > >source for revocation information about some of its</FONT> <BR><FONT SIZE=2>> > certificates, should</FONT> <BR><FONT SIZE=2>> > > > >that entity have a "CA" certificate (with appropriate</FONT> <BR><FONT SIZE=2>> > basicConstraints</FONT> <BR><FONT SIZE=2>> > > > >extension)? I'm *not* suggesting that a</FONT> <BR><FONT SIZE=2>> > basicConstraints extension is</FONT> <BR><FONT SIZE=2>> > > > >necessary for the entity to be authorized to sign the</FONT> <BR><FONT SIZE=2>> > CRL. Instead, the</FONT> <BR><FONT SIZE=2>> > > > >problem is that clients that are trying to locate the</FONT> <BR><FONT SIZE=2>> > certificate will not</FONT> <BR><FONT SIZE=2>> > > > >know whether they should look in the cACertificate</FONT> <BR><FONT SIZE=2>> > attribute or the</FONT> <BR><FONT SIZE=2>> > > > >userCertificate attribute to find the appropriate certificate.</FONT> <BR><FONT SIZE=2>> > > > ></FONT> <BR><FONT SIZE=2>> > > > >To solve this, we can suggest that cACertificate be</FONT> <BR><FONT SIZE=2>> > searched first,</FONT> <BR><FONT SIZE=2>> > > > >followed by userCertificate, or we can require that</FONT> <BR><FONT SIZE=2>> > designated entities</FONT> <BR><FONT SIZE=2>> > > > >must always be a "CA", and the client can safely skip</FONT> <BR><FONT SIZE=2>> > the userCertificate</FONT> <BR><FONT SIZE=2>> > > > >attribute. This is a question of searching the</FONT> <BR><FONT SIZE=2>> > directory only, and does</FONT> <BR><FONT SIZE=2>> > > > >not suggest changing your assertion that any set of bits</FONT> <BR><FONT SIZE=2>> > may be set in the</FONT> <BR><FONT SIZE=2>> > > > >keyUsage extension of "CA" certificates.</FONT> <BR><FONT SIZE=2>> > > > ></FONT> <BR><FONT SIZE=2>> > > > >Terry</FONT> <BR><FONT SIZE=2>> > > > ></FONT> <BR><FONT SIZE=2>> > > > >Tim Polk wrote:</FONT> <BR><FONT SIZE=2>> > > > ></FONT> <BR><FONT SIZE=2>> > > > >>Folks,</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>I have been reading the email messages on the list about the</FONT> <BR><FONT SIZE=2>> > > > >>relationships between basic constraints, key usage, and</FONT> <BR><FONT SIZE=2>> > the schema.</FONT> <BR><FONT SIZE=2>> > > > >>After mulling over the problem. I would like to</FONT> <BR><FONT SIZE=2>> > propose a solution - the</FONT> <BR><FONT SIZE=2>> > > > >>only solution, as far as I can tell...</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>The solution is to simplify and separate the semantics</FONT> <BR><FONT SIZE=2>> > of the basic</FONT> <BR><FONT SIZE=2>> > > > >>constraints and key usage extension. This has positive</FONT> <BR><FONT SIZE=2>> > implications for</FONT> <BR><FONT SIZE=2>> > > > >>the PKIX LDAP schema as well.</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>Basic Constraints</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>As stated in the current text for Basic Constraints (in</FONT> <BR><FONT SIZE=2>> > 2459): "The</FONT> <BR><FONT SIZE=2>> > > > >>basic constraints extension identifies whether the</FONT> <BR><FONT SIZE=2>> > subject of the</FONT> <BR><FONT SIZE=2>> > > > >>certificate is a CA and how deep a certification path</FONT> <BR><FONT SIZE=2>> > may exist through</FONT> <BR><FONT SIZE=2>> > > > >>that CA."</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>I believe this is the right semantics, and that basic</FONT> <BR><FONT SIZE=2>> > constraints should</FONT> <BR><FONT SIZE=2>> > > > >>be included and cA should be asserted in *any*</FONT> <BR><FONT SIZE=2>> > certificate issued to a</FONT> <BR><FONT SIZE=2>> > > > >>CA, regardless of the type or role associated with the</FONT> <BR><FONT SIZE=2>> > public key in the</FONT> <BR><FONT SIZE=2>> > > > >>certificate.</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>Key Usage</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>The issuer should use the Key Usage extension to</FONT> <BR><FONT SIZE=2>> > disambiguate the</FONT> <BR><FONT SIZE=2>> > > > >>subject's key pairs:</FONT> <BR><FONT SIZE=2>> > > > >>(a) The issuer indicates this public key may be used to</FONT> <BR><FONT SIZE=2>> > verify the</FONT> <BR><FONT SIZE=2>> > > > >>signature on a public key certificate by asserting</FONT> <BR><FONT SIZE=2>> > keyCertSign. (b) The</FONT> <BR><FONT SIZE=2>> > > > >>issuer indicates this public key may be used to verify</FONT> <BR><FONT SIZE=2>> > the signature on</FONT> <BR><FONT SIZE=2>> > > > >>CRLs by asserting cRLSign. (c) The issuer indicates</FONT> <BR><FONT SIZE=2>> > that this public key</FONT> <BR><FONT SIZE=2>> > > > >>may be used to establish symmetric keys with the</FONT> <BR><FONT SIZE=2>> > subject by asserting</FONT> <BR><FONT SIZE=2>> > > > >>either keyEncipherment or keyAgreement. (d) The issuer</FONT> <BR><FONT SIZE=2>> > indicates that</FONT> <BR><FONT SIZE=2>> > > > >>this public key may be used to verify signatures on</FONT> <BR><FONT SIZE=2>> > objects other than</FONT> <BR><FONT SIZE=2>> > > > >>public key certificates and CRLs by asserting </FONT> <BR><FONT SIZE=2>> nonRerpuidation or</FONT> <BR><FONT SIZE=2>> > > > >>digitalSignature.</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>Of course, if a key pair is used for multiple purposes,</FONT> <BR><FONT SIZE=2>> > multiple key</FONT> <BR><FONT SIZE=2>> > > > >>usages may be asserted.</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>In each of these cases, the basic constraints extension</FONT> <BR><FONT SIZE=2>> > also appears in</FONT> <BR><FONT SIZE=2>> > > > >>the certificate and asserts that the subject is a CA.</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>LDAP Schema</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>All certificates issued to CAs would be considered CA</FONT> <BR><FONT SIZE=2>> > certificates since</FONT> <BR><FONT SIZE=2>> > > > >>the basic constraints extension is present and asserts</FONT> <BR><FONT SIZE=2>> > that the subject</FONT> <BR><FONT SIZE=2>> > > > >>is a CA. As a result, each of these could appear in</FONT> <BR><FONT SIZE=2>> > the cACertificate</FONT> <BR><FONT SIZE=2>> > > > >>attribute or crossCertificatePair attribute. They</FONT> <BR><FONT SIZE=2>> > would *not* appear in</FONT> <BR><FONT SIZE=2>> > > > >>the userCertificate attribute. (That would include all</FONT> <BR><FONT SIZE=2>> > types (a) through</FONT> <BR><FONT SIZE=2>> > > > >>(d) above).</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>------------------</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>The implications of this strategy are as follows: (1)</FONT> <BR><FONT SIZE=2>> > when a client is</FONT> <BR><FONT SIZE=2>> > > > >>searching for a CA certificate, they will not have to </FONT> <BR><FONT SIZE=2>> check the</FONT> <BR><FONT SIZE=2>> > > > >>userCertificate attribute; (2) the issuer can indicate</FONT> <BR><FONT SIZE=2>> > that the subject</FONT> <BR><FONT SIZE=2>> > > > >>is a CA regardless of the key usage; and (3) minimal</FONT> <BR><FONT SIZE=2>> > changes to the text</FONT> <BR><FONT SIZE=2>> > > > >>(my favorite!).</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>What do you think?</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>Thanks,</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >>Tim Polk</FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > >></FONT> <BR><FONT SIZE=2>> > > > ></FONT> <BR><FONT SIZE=2>> > > > ></FONT> <BR><FONT SIZE=2>> ></FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> <BR><FONT SIZE=2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D3DE.30CBFFD0-- Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA08016 for <ietf-pkix@imc.org>; Thu, 3 May 2001 07:38:56 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id KAA482634; Thu, 3 May 2001 10:36:37 -0400 Received: from d02ml237.somers.hqregion.ibm.com (d02ml237.sby.ibm.com [9.45.4.171]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id KAA81102; Thu, 3 May 2001 10:33:02 -0400 Importance: Normal Subject: RE: delta CRLs To: Santosh Chokhani <chokhani@cygnacom.com> Cc: "Housley, Russ" <rhousley@rsasecurity.com>, Denis Pinkas <Denis.Pinkas@bull.net>, ietf-pkix@imc.org X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: <OFAC53669D.E1175E4C-ON85256A41.004FABA4@somers.hqregion.ibm.com> From: "Tom Gindin" <tgindin@us.ibm.com> Date: Thu, 3 May 2001 10:33:39 -0400 X-MIMETrack: Serialize by Router on D02ML237/02/M/IBM(Release 5.0.7 |March 21, 2001) at 05/03/2001 10:38:06 AM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Why should PKIX drop the "hold" feature? The only feature which involves any extra work for the client is "removeFromCRL". We might want to make "removeFromCRL" optional to implement and suggest that CA's which issue delta CRL's SHOULD not use the certificateHold and removeFromCRL reason codes, but CA's which don't issue deltas aren't imposing any greater difficulties on the client by using "hold", are they? Tom Gindin Santosh Chokhani <chokhani@cygnacom.com> on 05/03/2001 09:23:56 AM To: "Housley, Russ" <rhousley@rsasecurity.com>, Denis Pinkas <Denis.Pinkas@bull.net> cc: ietf-pkix@imc.org Subject: RE: delta CRLs Russ: Please note minor word smithing for grammar and for technical accuracy. The sentences should read as follows. "A delta CRL provides an update to a previously issued complete CRL. A delta CRL only includes entries for certificates that have changed status since the complete CRL referenced in the delta CRL extension was issued." Also a minor technical change to your other sentence: "An application can construct an updated CRL by retrieving the appropriate base CRL for that scope, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number or lower number as the base CRL." Please note that the delta CRL can always be applied to a higher base than the one referenced in the delta CRL extension. I also agree with Russ that PKIX need not include the "hold" feature. -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Wednesday, May 02, 2001 9:20 PM To: Denis Pinkas Cc: ietf-pkix@imc.org Subject: Re: delta CRLs Denis: For the most part, the text that you provide is an improvement; however, I MUST object to a few things. >5.2.4 Delta CRL Indicator > > The delta CRL indicator is a critical CRL extension that identifies > a CRL as being a delta CRL. A delta-CRL is a CRL that only provides > information about certificates who statuses have changed since the > issuance of a specific, previously issued CRL. The use of delta I do not like the second sentence any better than the original. How about: A delta CRL provides an updates a previously issued complete CRL. A delta CRL only includes entries for certificates that have changed status since the complete CRL was issued. > CRLs can significantly reduce network load and processing time in > some environments. Delta CRLs are generally much smaller than the > CRLs they update, so applications that obtain delta CRLs consume > less network bandwidth than applications that obtain the > corresponding complete CRLs. > > The delta CRL indicator extension contains a single value of type > BaseCRLNumber. This value identifies the CRL number of the base CRL > that was used as the foundation in the generation of this delta CRL. > The referenced base CRL is a CRL that was explicitly issued as a CRL > that is complete for a given scope (e.g., a set of revocation reasons > or a particular distribution point.) The CRL containing the delta CRL > indicator extension contains all updates to the certificate > revocation status for that same scope. > > When a delta CRL is issued, it MUST cover the same set of reasons > and same set of certificates that were covered by the base CRL it > references. > > When a conforming CA issues a delta CRL, the delta CRL MUST include > a critical delta CRL indicator extension. > > An application can construct a CRL that is the most current for > a given scope, for a specific date, by retrieving the appropriate > base CRL for that scope, and combining it with a delta-CRL which > contains a Delta CRL Indicator equal to the cRLNumber of the base > CRL and where the date for which the construction is being made is > between thisUpdate and nextUpdate as indicated the delta CRL. Can we focus on the most common case? How about: An application can construct an updated CRL by retrieving the appropriate base CRL for that scope, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. > Conforming implementations of this specification are not required > to implement the above algorithm, but MUST provide functionality > equivalent to the external behavior resulting from this procedure. No. We do not presently require CRL implementation. The paragraph would seem to change that situation, and require CRL and delta CRL implelmentation. I suggest that the previous paragraph be omitted. > CAs must ensure that application of a delta CRL to the referenced Change "CAs must" to "Conforming CAs that support CRLs and delta CRLs MUST". > base revocation information accurately reflects the current status of > revocation. If a CA supports the certificateHold revocation reason > the following rules must be applied when generating delta CRLs: I argued against the inclusion of support for certificate hold in RFC 2459. Your text demonstrates the complexity of supporting this feature. I am quite concerned that this topic is being raised so late in the process. We are in WG Last Call ... [Denis, you will recall that you made a similar response to a comment that I made regarding TSP.] I am still concerned about the significant complexity that certificate hold adds. It makes non-repudiation even more difficult. Further, I am not convinced that there is really a constituency for this feature. I would be very happy if we changed the profile to say that conforming CAs MUST NOT use certificateHold. I would be happy if we changed the profile to say that conforming CAs SHOULD NOT use certificateHold. I would be quite upset if we require clients to support certificateHold in any manner other than simply revoked. (Note that section 5.3.2 provides the conformant application the alternative of simply rejecting the certificate.) What do others think? > (a) If a certificate was listed as revoked with revocation reason > certificateHold on a CRL (either a delta CRL or a CRL that is > complete for a given scope), and the hold is subsequently > released, the certificate must be listed with revocation reason > removeFromCRL until the next base CRL is issued. > > Note: Should the certificate be subsequently revoked again for > one of the revocation reasons covered by the delta CRL, > then the certificate must be listed with the revocation > reason appropriate for the subsequent revocation. > > (b) If the certificate was not removed from hold, but was > permanently revoked, then it must be listed as such on all > subsequent delta CRLs until the next base CRL is issued . > > id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } > > BaseCRLNumber ::= CRLNumber Russ Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA05435 for <ietf-pkix@imc.org>; Thu, 3 May 2001 06:59:35 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <KGKQ8DXF>; Thu, 3 May 2001 09:59:06 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE609@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: Stephen Kent <kent@bbn.com>, Santosh Chokhani <chokhani@cygnacom.com> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Thu, 3 May 2001 09:50:01 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D3D7.F3430920" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D3D7.F3430920 Content-Type: text/plain; charset="iso-8859-1" Agreed. Also, per Denis comment, the term "complete" should be replaced with "base". -----Original Message----- From: Stephen Kent [mailto:kent@bbn.com] Sent: Thursday, May 03, 2001 9:48 AM To: Santosh Chokhani Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Santosh, if we want the grammar to be correct, then the second sentence should read: "A delta CRL includes entries only for certificates that have changed status since the complete CRL referenced in the delta CRL extension was issued." Steve ------_=_NextPart_001_01C0D3D7.F3430920 Content-Type: text/html; charset="iso-8859-1" <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=2>Agreed. Also, per Denis comment, the term "complete" should be replaced with "base".</FONT> </P> <P><FONT SIZE=2>-----Original Message-----</FONT> <BR><FONT SIZE=2>From: Stephen Kent [<A HREF="mailto:kent@bbn.com">mailto:kent@bbn.com</A>]</FONT> <BR><FONT SIZE=2>Sent: Thursday, May 03, 2001 9:48 AM</FONT> <BR><FONT SIZE=2>To: Santosh Chokhani</FONT> <BR><FONT SIZE=2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=2>Subject: RE: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=2>Santosh,</FONT> </P> <P><FONT SIZE=2>if we want the grammar to be correct, then the second sentence should read:</FONT> </P> <P><FONT SIZE=2>"A delta CRL includes entries only for certificates that have changed </FONT> <BR><FONT SIZE=2>status since the complete CRL referenced in the delta CRL extension </FONT> <BR><FONT SIZE=2>was issued."</FONT> </P> <P><FONT SIZE=2>Steve</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D3D7.F3430920-- Received: from po1.bbn.com (PO1.BBN.COM [192.1.50.38]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA04263 for <ietf-pkix@imc.org>; Thu, 3 May 2001 06:52:15 -0700 (PDT) Received: from [128.33.4.39] (comsec.bbn.com [128.33.4.39]) by po1.bbn.com (8.9.1/8.9.1) with ESMTP id JAA20563; Thu, 3 May 2001 09:52:10 -0400 (EDT) Mime-Version: 1.0 X-Sender: kent@po1.bbn.com Message-Id: <p05010404b71711abe7a0@[128.33.4.39]> In-Reply-To: <8D7EC1912E25D411A32100D0B76953977CE603@scygmxs01.cygnacom.com> References: <8D7EC1912E25D411A32100D0B76953977CE603@scygmxs01.cygnacom.com> Date: Thu, 3 May 2001 09:48:19 -0400 To: Santosh Chokhani <chokhani@cygnacom.com> From: Stephen Kent <kent@bbn.com> Subject: RE: delta CRLs Cc: ietf-pkix@imc.org Content-Type: text/plain; charset="us-ascii" ; format="flowed" Santosh, if we want the grammar to be correct, then the second sentence should read: "A delta CRL includes entries only for certificates that have changed status since the complete CRL referenced in the delta CRL extension was issued." Steve Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA03939 for <ietf-pkix@imc.org>; Thu, 3 May 2001 06:50:26 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id PAA16946; Thu, 3 May 2001 15:50:17 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id PAA13212; Thu, 3 May 2001 15:49:51 +0200 Message-ID: <3AF16202.AF399E78@bull.net> Date: Thu, 03 May 2001 15:49:54 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: "Housley, Russ" <rhousley@rsasecurity.com> CC: ietf-pkix@imc.org Subject: Re: delta CRLs References: <5.0.1.4.2.20010502204050.00b1ced0@exna07.securitydynamics.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Russ, Thank you for your response. > Denis: > > For the most part, the text that you provide is an improvement; however, I > MUST object to a few things. :-) > >5.2.4 Delta CRL Indicator > > > > The delta CRL indicator is a critical CRL extension that identifies > > a CRL as being a delta CRL. A delta-CRL is a CRL that only provides > > information about certificates who statuses have changed since the > > issuance of a specific, previously issued CRL. The use of delta > > I do not like the second sentence any better than the original. How about: > > A delta CRL provides an updates a previously issued complete CRL. > A delta CRL only includes entries for certificates that have changed > status since the complete CRL was issued. This sentence was nearly a copy and paste from a sentence written by David Cooper in his paper. I would have no problem to have two short sentences instead of a long one. I would however like to make an observation. I have been using the term "base CRL" when it is a CRL that is advertised to support delta CRLs. I have ben using the term "complete" CRL for a CRL that does NOT support delta CRLs. According to this convention, I would change "complete" into "base". This would lead to: A delta CRL provides an updates a previously issued base CRL. A delta CRL only includes entries for certificates that have changed status since the base CRL was issued. > > CRLs can significantly reduce network load and processing time in > > some environments. Delta CRLs are generally much smaller than the > > CRLs they update, so applications that obtain delta CRLs consume > > less network bandwidth than applications that obtain the > > corresponding complete CRLs. > > > > The delta CRL indicator extension contains a single value of type > > BaseCRLNumber. This value identifies the CRL number of the base CRL > > that was used as the foundation in the generation of this delta CRL. > > The referenced base CRL is a CRL that was explicitly issued as a CRL > > that is complete for a given scope (e.g., a set of revocation reasons > > or a particular distribution point.) The CRL containing the delta CRL > > indicator extension contains all updates to the certificate > > revocation status for that same scope. > > > > When a delta CRL is issued, it MUST cover the same set of reasons > > and same set of certificates that were covered by the base CRL it > > references. > > > > When a conforming CA issues a delta CRL, the delta CRL MUST include > > a critical delta CRL indicator extension. > > > > An application can construct a CRL that is the most current for > > a given scope, for a specific date, by retrieving the appropriate > > base CRL for that scope, and combining it with a delta-CRL which > > contains a Delta CRL Indicator equal to the cRLNumber of the base > > CRL and where the date for which the construction is being made is > > between thisUpdate and nextUpdate as indicated the delta CRL. > Can we focus on the most common case? How about: > An application can construct an updated CRL by retrieving the > appropriate base CRL for that scope, and combining it with a delta > CRL which contains a delta CRL indicator extension with the same > CRL number as the base CRL. This does not work, since the sentence does not speak anymore about the time and thus there is no guaranty that what you get is the "freshest". Remember that the extension for advertising delta is (mis-)named freshestCRL ! I would have no problem to have two short sentences instead of a long one. How about: An application can construct an updated CRL, for a specific time T, by retrieving the appropriate base CRL for that scope, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. Time T MUST fall between thisUpdate and nextUpdate for both the base CRL and the delta CRL. > > Conforming implementations of this specification are not required > > to implement the above algorithm, but MUST provide functionality > > equivalent to the external behavior resulting from this procedure. > No. We do not presently require CRL implementation. The paragraph would > seem to change that situation, and require CRL and delta CRL > implelmentation. I suggest that the previous paragraph be omitted. I understand what you mean, but this was not the intent. How about: Conforming implementations supporting delta-CRLs are not required to implement the above algorithm, but MUST provide functionality equivalent to the external behavior resulting from this procedure. > > CAs must ensure that application of a delta CRL to the referenced > > Change "CAs must" to "Conforming CAs that support CRLs and delta CRLs MUST". Fine. > > base revocation information accurately reflects the current status of > > revocation. If a CA supports the certificateHold revocation reason > > the following rules must be applied when generating delta CRLs: > I argued against the inclusion of support for certificate hold in RFC > 2459. Your text demonstrates the complexity of supporting this feature. I > am quite concerned that this topic is being raised so late in the > process. We are in WG Last Call ... [Denis, you will recall that you made > a similar response to a comment that I made regarding TSP.] The text was there, it has not been added now. I have only corrected the text. So I am not advocating the addition of on hold now. I could reverse the argument saying that I am surprised that in WG last call, *you* now would like certificate hold to be removed everywhere in the document. Coming back to the technical arguments only, when "on hold" was introduced (many years ago) I originally believed that there could be some problems when being used in the context of a non repudiation service. I have not been able to find a single case where there would be a problem. > I am still concerned about the significant complexity that certificate hold > adds. It makes non-repudiation even more difficult. Further, I am not > convinced that there is really a constituency for this feature. > > I would be very happy if we changed the profile to say that conforming CAs > MUST NOT use certificateHold. I would be happy if we changed the profile > to say that conforming CAs SHOULD NOT use certificateHold. I would be quite > upset if we require clients to support certificateHold in any manner other > than simply revoked. (Note that section 5.3.2 provides the conformant > application the alternative of simply rejecting the certificate.) This is clearly a much wider topic, that is not solely directed to delta-CRLs. So I would request that people interresting to debate along this topic change the title of the thread to someting like: "certificate hold". As far as I am concerned, until I will see an argument where the use of hold creates more problems than its non-use, I see no reason why we should make a change to the document. Regards, Denis > > What do others think? > > > (a) If a certificate was listed as revoked with revocation reason > > certificateHold on a CRL (either a delta CRL or a CRL that is > > complete for a given scope), and the hold is subsequently > > released, the certificate must be listed with revocation reason > > removeFromCRL until the next base CRL is issued. > > > > Note: Should the certificate be subsequently revoked again for > > one of the revocation reasons covered by the delta CRL, > > then the certificate must be listed with the revocation > > reason appropriate for the subsequent revocation. > > > > (b) If the certificate was not removed from hold, but was > > permanently revoked, then it must be listed as such on all > > subsequent delta CRLs until the next base CRL is issued . > > > > id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } > > > > BaseCRLNumber ::= CRLNumber > > Russ Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA01412 for <ietf-pkix@imc.org>; Thu, 3 May 2001 06:33:30 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <KGKQ8DGM>; Thu, 3 May 2001 09:33:00 -0400 Message-ID: <8D7EC1912E25D411A32100D0B76953977CE603@scygmxs01.cygnacom.com> From: Santosh Chokhani <chokhani@cygnacom.com> To: "Housley, Russ" <rhousley@rsasecurity.com>, Denis Pinkas <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org Subject: RE: delta CRLs Date: Thu, 3 May 2001 09:23:56 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D3D4.4DEFC2E0" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D3D4.4DEFC2E0 Content-Type: text/plain; charset="iso-8859-1" Russ: Please note minor word smithing for grammar and for technical accuracy. The sentences should read as follows. "A delta CRL provides an update to a previously issued complete CRL. A delta CRL only includes entries for certificates that have changed status since the complete CRL referenced in the delta CRL extension was issued." Also a minor technical change to your other sentence: "An application can construct an updated CRL by retrieving the appropriate base CRL for that scope, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number or lower number as the base CRL." Please note that the delta CRL can always be applied to a higher base than the one referenced in the delta CRL extension. I also agree with Russ that PKIX need not include the "hold" feature. -----Original Message----- From: Housley, Russ [mailto:rhousley@rsasecurity.com] Sent: Wednesday, May 02, 2001 9:20 PM To: Denis Pinkas Cc: ietf-pkix@imc.org Subject: Re: delta CRLs Denis: For the most part, the text that you provide is an improvement; however, I MUST object to a few things. >5.2.4 Delta CRL Indicator > > The delta CRL indicator is a critical CRL extension that identifies > a CRL as being a delta CRL. A delta-CRL is a CRL that only provides > information about certificates who statuses have changed since the > issuance of a specific, previously issued CRL. The use of delta I do not like the second sentence any better than the original. How about: A delta CRL provides an updates a previously issued complete CRL. A delta CRL only includes entries for certificates that have changed status since the complete CRL was issued. > CRLs can significantly reduce network load and processing time in > some environments. Delta CRLs are generally much smaller than the > CRLs they update, so applications that obtain delta CRLs consume > less network bandwidth than applications that obtain the > corresponding complete CRLs. > > The delta CRL indicator extension contains a single value of type > BaseCRLNumber. This value identifies the CRL number of the base CRL > that was used as the foundation in the generation of this delta CRL. > The referenced base CRL is a CRL that was explicitly issued as a CRL > that is complete for a given scope (e.g., a set of revocation reasons > or a particular distribution point.) The CRL containing the delta CRL > indicator extension contains all updates to the certificate > revocation status for that same scope. > > When a delta CRL is issued, it MUST cover the same set of reasons > and same set of certificates that were covered by the base CRL it > references. > > When a conforming CA issues a delta CRL, the delta CRL MUST include > a critical delta CRL indicator extension. > > An application can construct a CRL that is the most current for > a given scope, for a specific date, by retrieving the appropriate > base CRL for that scope, and combining it with a delta-CRL which > contains a Delta CRL Indicator equal to the cRLNumber of the base > CRL and where the date for which the construction is being made is > between thisUpdate and nextUpdate as indicated the delta CRL. Can we focus on the most common case? How about: An application can construct an updated CRL by retrieving the appropriate base CRL for that scope, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. > Conforming implementations of this specification are not required > to implement the above algorithm, but MUST provide functionality > equivalent to the external behavior resulting from this procedure. No. We do not presently require CRL implementation. The paragraph would seem to change that situation, and require CRL and delta CRL implelmentation. I suggest that the previous paragraph be omitted. > CAs must ensure that application of a delta CRL to the referenced Change "CAs must" to "Conforming CAs that support CRLs and delta CRLs MUST". > base revocation information accurately reflects the current status of > revocation. If a CA supports the certificateHold revocation reason > the following rules must be applied when generating delta CRLs: I argued against the inclusion of support for certificate hold in RFC 2459. Your text demonstrates the complexity of supporting this feature. I am quite concerned that this topic is being raised so late in the process. We are in WG Last Call ... [Denis, you will recall that you made a similar response to a comment that I made regarding TSP.] I am still concerned about the significant complexity that certificate hold adds. It makes non-repudiation even more difficult. Further, I am not convinced that there is really a constituency for this feature. I would be very happy if we changed the profile to say that conforming CAs MUST NOT use certificateHold. I would be happy if we changed the profile to say that conforming CAs SHOULD NOT use certificateHold. I would be quite upset if we require clients to support certificateHold in any manner other than simply revoked. (Note that section 5.3.2 provides the conformant application the alternative of simply rejecting the certificate.) What do others think? > (a) If a certificate was listed as revoked with revocation reason > certificateHold on a CRL (either a delta CRL or a CRL that is > complete for a given scope), and the hold is subsequently > released, the certificate must be listed with revocation reason > removeFromCRL until the next base CRL is issued. > > Note: Should the certificate be subsequently revoked again for > one of the revocation reasons covered by the delta CRL, > then the certificate must be listed with the revocation > reason appropriate for the subsequent revocation. > > (b) If the certificate was not removed from hold, but was > permanently revoked, then it must be listed as such on all > subsequent delta CRLs until the next base CRL is issued . > > id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } > > BaseCRLNumber ::= CRLNumber Russ ------_=_NextPart_001_01C0D3D4.4DEFC2E0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: delta CRLs</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Russ: Please note minor word smithing for grammar and = for technical accuracy. The sentences should read as = follows.</FONT> </P> <P><FONT SIZE=3D2>"A delta CRL provides an update to a previously = issued complete CRL. A delta CRL only includes entries for = certificates that have changed status since the complete CRL referenced = in the delta CRL extension was issued."</FONT></P> <P><FONT SIZE=3D2>Also a minor technical change to your other = sentence:</FONT> </P> <P><FONT SIZE=3D2>"An application can construct an updated CRL by = retrieving the appropriate base CRL for that scope, and combining it = with a delta CRL which contains a delta CRL indicator extension with = the same CRL number or lower number as the base CRL."</FONT></P> <P><FONT SIZE=3D2>Please note that the delta CRL can always be applied = to a higher base than the one referenced in the delta CRL = extension.</FONT></P> <P><FONT SIZE=3D2>I also agree with Russ that PKIX need not include the = "hold" feature.</FONT> <BR><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Housley, Russ [<A = HREF=3D"mailto:rhousley@rsasecurity.com">mailto:rhousley@rsasecurity.com= </A>]</FONT> <BR><FONT SIZE=3D2>Sent: Wednesday, May 02, 2001 9:20 PM</FONT> <BR><FONT SIZE=3D2>To: Denis Pinkas</FONT> <BR><FONT SIZE=3D2>Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>Subject: Re: delta CRLs</FONT> </P> <BR> <P><FONT SIZE=3D2>Denis:</FONT> </P> <P><FONT SIZE=3D2>For the most part, the text that you provide is an = improvement; however, I </FONT> <BR><FONT SIZE=3D2>MUST object to a few things.</FONT> </P> <P><FONT SIZE=3D2>>5.2.4 Delta CRL Indicator</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> The delta CRL indicator is a = critical CRL extension that identifies</FONT> <BR><FONT SIZE=3D2>> a CRL as being a delta CRL. A = delta-CRL is a CRL that only provides</FONT> <BR><FONT SIZE=3D2>> information about = certificates who statuses have changed since the</FONT> <BR><FONT SIZE=3D2>> issuance of a specific, = previously issued CRL. The use of delta</FONT> </P> <P><FONT SIZE=3D2>I do not like the second sentence any better than the = original. How about:</FONT> </P> <P><FONT SIZE=3D2> A delta CRL provides an updates a = previously issued complete CRL.</FONT> <BR><FONT SIZE=3D2> A delta CRL only includes entries = for certificates that have changed</FONT> <BR><FONT SIZE=3D2> status since the complete CRL was = issued.</FONT> </P> <P><FONT SIZE=3D2>> CRLs can significantly reduce = network load and processing time in</FONT> <BR><FONT SIZE=3D2>> some environments. = Delta CRLs are generally much smaller than the</FONT> <BR><FONT SIZE=3D2>> CRLs they update, so = applications that obtain delta CRLs consume</FONT> <BR><FONT SIZE=3D2>> less network bandwidth than = applications that obtain the</FONT> <BR><FONT SIZE=3D2>> corresponding complete = CRLs.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> The delta CRL indicator = extension contains a single value of type</FONT> <BR><FONT SIZE=3D2>> BaseCRLNumber. This = value identifies the CRL number of the base CRL</FONT> <BR><FONT SIZE=3D2>> that was used as the = foundation in the generation of this delta CRL.</FONT> <BR><FONT SIZE=3D2>> The referenced base CRL is a = CRL that was explicitly issued as a CRL</FONT> <BR><FONT SIZE=3D2>> that is complete for a given = scope (e.g., a set of revocation reasons</FONT> <BR><FONT SIZE=3D2>> or a particular distribution = point.) The CRL containing the delta CRL</FONT> <BR><FONT SIZE=3D2>> indicator extension contains = all updates to the certificate</FONT> <BR><FONT SIZE=3D2>> revocation status for that = same scope.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> When a delta CRL is issued, = it MUST cover the same set of reasons</FONT> <BR><FONT SIZE=3D2>> and same set of certificates = that were covered by the base CRL it</FONT> <BR><FONT SIZE=3D2>> references.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> When a conforming CA issues a = delta CRL, the delta CRL MUST include</FONT> <BR><FONT SIZE=3D2>> a critical delta CRL = indicator extension.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> An application can construct = a CRL that is the most current for</FONT> <BR><FONT SIZE=3D2>> a given scope, for a specific = date, by retrieving the appropriate</FONT> <BR><FONT SIZE=3D2>> base CRL for that scope, and = combining it with a delta-CRL which</FONT> <BR><FONT SIZE=3D2>> contains a Delta CRL = Indicator equal to the cRLNumber of the base</FONT> <BR><FONT SIZE=3D2>> CRL and where the date for = which the construction is being made is</FONT> <BR><FONT SIZE=3D2>> between thisUpdate and = nextUpdate as indicated the delta CRL.</FONT> </P> <P><FONT SIZE=3D2>Can we focus on the most common case? How = about:</FONT> </P> <P><FONT SIZE=3D2> An application can construct an = updated CRL by retrieving the</FONT> <BR><FONT SIZE=3D2> appropriate base CRL for that = scope, and combining it with a delta</FONT> <BR><FONT SIZE=3D2> CRL which contains a delta CRL = indicator extension with the same</FONT> <BR><FONT SIZE=3D2> CRL number as the base = CRL.</FONT> </P> <BR> <P><FONT SIZE=3D2>> Conforming implementations of = this specification are not required</FONT> <BR><FONT SIZE=3D2>> to implement the above = algorithm, but MUST provide functionality</FONT> <BR><FONT SIZE=3D2>> equivalent to the external = behavior resulting from this procedure.</FONT> </P> <P><FONT SIZE=3D2>No. We do not presently require CRL = implementation. The paragraph would </FONT> <BR><FONT SIZE=3D2>seem to change that situation, and require CRL and = delta CRL </FONT> <BR><FONT SIZE=3D2>implelmentation. I suggest that the previous = paragraph be omitted.</FONT> </P> <BR> <P><FONT SIZE=3D2>> CAs must ensure that = application of a delta CRL to the referenced</FONT> </P> <P><FONT SIZE=3D2>Change "CAs must" to "Conforming CAs = that support CRLs and delta CRLs MUST".</FONT> </P> <P><FONT SIZE=3D2>> base revocation information = accurately reflects the current status of</FONT> <BR><FONT SIZE=3D2>> revocation. If a CA = supports the certificateHold revocation reason</FONT> <BR><FONT SIZE=3D2>> the following rules must be = applied when generating delta CRLs:</FONT> </P> <P><FONT SIZE=3D2>I argued against the inclusion of support for = certificate hold in RFC </FONT> <BR><FONT SIZE=3D2>2459. Your text demonstrates the complexity of = supporting this feature. I </FONT> <BR><FONT SIZE=3D2>am quite concerned that this topic is being raised = so late in the </FONT> <BR><FONT SIZE=3D2>process. We are in WG Last Call ... = [Denis, you will recall that you made </FONT> <BR><FONT SIZE=3D2>a similar response to a comment that I made = regarding TSP.]</FONT> </P> <P><FONT SIZE=3D2>I am still concerned about the significant complexity = that certificate hold </FONT> <BR><FONT SIZE=3D2>adds. It makes non-repudiation even more = difficult. Further, I am not </FONT> <BR><FONT SIZE=3D2>convinced that there is really a constituency for = this feature.</FONT> </P> <P><FONT SIZE=3D2>I would be very happy if we changed the profile to = say that conforming CAs </FONT> <BR><FONT SIZE=3D2>MUST NOT use certificateHold. I would be = happy if we changed the profile </FONT> <BR><FONT SIZE=3D2>to say that conforming CAs SHOULD NOT use = certificateHold. I would be quite </FONT> <BR><FONT SIZE=3D2>upset if we require clients to support = certificateHold in any manner other </FONT> <BR><FONT SIZE=3D2>than simply revoked. (Note that section 5.3.2 = provides the conformant </FONT> <BR><FONT SIZE=3D2>application the alternative of simply rejecting the = certificate.)</FONT> </P> <P><FONT SIZE=3D2>What do others think?</FONT> </P> <BR> <P><FONT SIZE=3D2>> (a) If a = certificate was listed as revoked with revocation reason</FONT> <BR><FONT SIZE=3D2>> = certificateHold on a CRL (either a delta CRL or a CRL that is</FONT> <BR><FONT SIZE=3D2>> complete = for a given scope), and the hold is subsequently</FONT> <BR><FONT SIZE=3D2>> released, = the certificate must be listed with revocation reason</FONT> <BR><FONT SIZE=3D2>> = removeFromCRL until the next base CRL is issued.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> Note: = Should the certificate be subsequently revoked again for</FONT> <BR><FONT = SIZE=3D2>>  = ; one of the revocation reasons covered by the delta = CRL,</FONT> <BR><FONT = SIZE=3D2>>  = ; then the certificate must be listed with the = revocation</FONT> <BR><FONT = SIZE=3D2>>  = ; reason appropriate for the subsequent revocation.</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> (b) If the = certificate was not removed from hold, but was</FONT> <BR><FONT SIZE=3D2>> permanently = revoked, then it must be listed as such on all</FONT> <BR><FONT SIZE=3D2>> subsequent = delta CRLs until the next base CRL is issued .</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> id-ce-deltaCRLIndicator = OBJECT IDENTIFIER ::=3D { id-ce 27 }</FONT> <BR><FONT SIZE=3D2>></FONT> <BR><FONT SIZE=3D2>> BaseCRLNumber ::=3D = CRLNumber</FONT> </P> <P><FONT SIZE=3D2>Russ</FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D3D4.4DEFC2E0-- Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id FAA27746 for <ietf-pkix@imc.org>; Thu, 3 May 2001 05:58:59 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 3 May 2001 12:58:48 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id IAA29797 for <ietf-pkix@imc.org>; Thu, 3 May 2001 08:58:59 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NT0YY>; Thu, 3 May 2001 08:58:59 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (housley-lap.securitydynamics.com [10.100.23.218]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NT0YT; Thu, 3 May 2001 08:58:58 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Denis Pinkas <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010502204050.00b1ced0@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Wed, 02 May 2001 21:20:13 -0400 Subject: Re: delta CRLs In-Reply-To: <3AF01CF6.78789733@bull.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Denis: For the most part, the text that you provide is an improvement; however, I MUST object to a few things. >5.2.4 Delta CRL Indicator > > The delta CRL indicator is a critical CRL extension that identifies > a CRL as being a delta CRL. A delta-CRL is a CRL that only provides > information about certificates who statuses have changed since the > issuance of a specific, previously issued CRL. The use of delta I do not like the second sentence any better than the original. How about: A delta CRL provides an updates a previously issued complete CRL. A delta CRL only includes entries for certificates that have changed status since the complete CRL was issued. > CRLs can significantly reduce network load and processing time in > some environments. Delta CRLs are generally much smaller than the > CRLs they update, so applications that obtain delta CRLs consume > less network bandwidth than applications that obtain the > corresponding complete CRLs. > > The delta CRL indicator extension contains a single value of type > BaseCRLNumber. This value identifies the CRL number of the base CRL > that was used as the foundation in the generation of this delta CRL. > The referenced base CRL is a CRL that was explicitly issued as a CRL > that is complete for a given scope (e.g., a set of revocation reasons > or a particular distribution point.) The CRL containing the delta CRL > indicator extension contains all updates to the certificate > revocation status for that same scope. > > When a delta CRL is issued, it MUST cover the same set of reasons > and same set of certificates that were covered by the base CRL it > references. > > When a conforming CA issues a delta CRL, the delta CRL MUST include > a critical delta CRL indicator extension. > > An application can construct a CRL that is the most current for > a given scope, for a specific date, by retrieving the appropriate > base CRL for that scope, and combining it with a delta-CRL which > contains a Delta CRL Indicator equal to the cRLNumber of the base > CRL and where the date for which the construction is being made is > between thisUpdate and nextUpdate as indicated the delta CRL. Can we focus on the most common case? How about: An application can construct an updated CRL by retrieving the appropriate base CRL for that scope, and combining it with a delta CRL which contains a delta CRL indicator extension with the same CRL number as the base CRL. > Conforming implementations of this specification are not required > to implement the above algorithm, but MUST provide functionality > equivalent to the external behavior resulting from this procedure. No. We do not presently require CRL implementation. The paragraph would seem to change that situation, and require CRL and delta CRL implelmentation. I suggest that the previous paragraph be omitted. > CAs must ensure that application of a delta CRL to the referenced Change "CAs must" to "Conforming CAs that support CRLs and delta CRLs MUST". > base revocation information accurately reflects the current status of > revocation. If a CA supports the certificateHold revocation reason > the following rules must be applied when generating delta CRLs: I argued against the inclusion of support for certificate hold in RFC 2459. Your text demonstrates the complexity of supporting this feature. I am quite concerned that this topic is being raised so late in the process. We are in WG Last Call ... [Denis, you will recall that you made a similar response to a comment that I made regarding TSP.] I am still concerned about the significant complexity that certificate hold adds. It makes non-repudiation even more difficult. Further, I am not convinced that there is really a constituency for this feature. I would be very happy if we changed the profile to say that conforming CAs MUST NOT use certificateHold. I would be happy if we changed the profile to say that conforming CAs SHOULD NOT use certificateHold. I would be quite upset if we require clients to support certificateHold in any manner other than simply revoked. (Note that section 5.3.2 provides the conformant application the alternative of simply rejecting the certificate.) What do others think? > (a) If a certificate was listed as revoked with revocation reason > certificateHold on a CRL (either a delta CRL or a CRL that is > complete for a given scope), and the hold is subsequently > released, the certificate must be listed with revocation reason > removeFromCRL until the next base CRL is issued. > > Note: Should the certificate be subsequently revoked again for > one of the revocation reasons covered by the delta CRL, > then the certificate must be listed with the revocation > reason appropriate for the subsequent revocation. > > (b) If the certificate was not removed from hold, but was > permanently revoked, then it must be listed as such on all > subsequent delta CRLs until the next base CRL is issued . > > id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } > > BaseCRLNumber ::= CRLNumber Russ Received: from server ([211.181.218.81]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA05956; Wed, 2 May 2001 16:55:32 -0700 (PDT) From: customercare217@fine-view.com Message-ID: <00002b9e68dc$00004044$00005579@fine-view.com> To: <Bizzops@salesgroupint.net> Subject: write back when you can 21881 Date: Wed, 02 May 2001 04:26:07 -0700 MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Priority: 3 X-MSMail-Priority: Normal <HTML><HEAD><TITLE>Take Control Of Your Conference Calls</TITLE> <META http-equiv=3DContent-Type content=3D"text/html; charset=3Dwindows-12= 52"> <META content=3D"MSHTML 5.50.4134.600" name=3DGENERATOR></HEAD> <BODY vLink=3D#c0c0c0 link=3D#c0c0c0 bgColor=3D#ffffff leftMargin=3D0><FON= T face=3Darial,helvetica> <P> <CENTER> <TABLE width=3D600 border=3D0> <TBODY> <TR> <TD align=3Dmiddle><B><FONT color=3D#000066 size=3D6>Long Distance Conferencing<BR>Only <U>18 Cents</U> Per Minute</B></FONT></TD></TR></TBODY></TABLE> <P><FONT color=3D#ff0000 size=3D5><B>Connects Up To 100 Participants!</B><= /FONT> <P> <TABLE width=3D350 border=3D0> <TBODY> <TR> <TD><FONT size=3D3><B> <LI>No setup fees <LI>No contracts or monthly fees <LI>Call anytime, from anywhere, to anywhere <LI>International Dial In 18 cents per minute <LI>Simplicity in set up and administration <LI>Operator Help available 24/7 </B></FONT></LI></TD></TR></TBODY><= /TABLE> <P> <TABLE width=3D500 border=3D0> <TBODY> <TR> <TD align=3Dmiddle><FONT color=3D#ff0000 size=3D60><B><FONT size=3D5>G= et the best quality, the easiest to use, and lowest rate in the industry.</B></FONT></FONT></TD></TR></TBODY></TABLE> <P> <TABLE width=3D400 border=3D0> <TBODY> <TR> <TD align=3Dmiddle><FONT color=3D#000066 size=3D4>If you like saving m= oney, fill out the form below and one of our consultants will contact you.</FONT></TD></TR></TBODY></TABLE> <P><FONT color=3D#000066 size=3D2>Required Input Field<FONT color=3D#ff000= 0 size=3D2>*</FONT></FONT> <P> <TABLE cellSpacing=3D0 borderColorDark=3D#333300 cellPadding=3D3 width=3D6= 00 borderColorLight=3D#ffffcc> <TBODY> <TR> <TD align=3Dmiddle> <FORM action=3Dmailto:inboxx8@excite.com?subject=3DConference_Inquir= y method=3Dpost encType=3Dtext/plain> <TABLE width=3D"100%"> <TBODY> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2>Name*</FONT></TD> <TD><INPUT name=3DNAME></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Web Address*</FONT></TD> <TD><INPUT value=3Dhttp:// name=3DURL></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Company Name*</FONT></TD> <TD><INPUT name=3DCOMPANY_NAME></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Web Address*</FONT></TD> <TD><INPUT size=3D2 name=3DSTATE></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Business Phone*</FONT></TD> <TD><INPUT name=3DBUS_PHONE></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Home Phone</FONT></TD> <TD><INPUT name=3DHOME_PHONE></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Email Address*</FONT></TD> <TD><INPUT name=3DEMAIL></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Type of Business</FONT></TD> <TD><INPUT name=3DTYPE_OF_BUSINESS></TD></TR></TBODY></TABLE> <P><INPUT type=3Dsubmit value=3D"Submit Information" name=3Dsubmit> </FORM></P></TD></TR></TBODY></TABLE> <P> <TABLE width=3D500> <TBODY> <TR> <TD align=3Dmiddle><FONT face=3D"Arial, Helvetica, sans-serif" color=3D= #000000 size=3D1>This email is to those persons that have contacted Conferen= ce Calls for Less regarding available services or product information. If thi= s email is reaching you in error and you feel that you have not contac= ted us, <FONT color=3D#666666><A href=3D"mailto:rem0ve424@excite.com?subject=3DRemove_Conferencing">C= lick here</A></FONT>. We will gladly remove you from our mailing list.</FONT><BR></TD></TR></TBODY></TABLE></P></CENTER></FONT></BODY= ></HTML> Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA28833 for <ietf-pkix@imc.org>; Wed, 2 May 2001 14:43:39 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id RAA236666; Wed, 2 May 2001 17:41:30 -0400 Received: from d02ml237.somers.hqregion.ibm.com (d02ml237.sby.ibm.com [9.45.4.171]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id RAA26638; Wed, 2 May 2001 17:37:56 -0400 Importance: Normal Subject: RE: Basic constraints, key usage, and LDAP schema To: Sharon Boeyen <sharon.boeyen@entrust.com> Cc: "'Tim Polk'" <tim.polk@nist.gov>, Denis Pinkas <Denis.Pinkas@bull.net>, ietf-pkix@imc.org X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: <OF16F66368.3DFD13E5-ON85256A40.00755FBC@somers.hqregion.ibm.com> From: "Tom Gindin" <tgindin@us.ibm.com> Date: Wed, 2 May 2001 17:43:04 -0400 X-MIMETrack: Serialize by Router on D02ML237/02/M/IBM(Release 5.0.7 |March 21, 2001) at 05/02/2001 05:42:59 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii In the current draft of X.509v4, "self-issued" means something different than "self-signed". "self-issued" appears to be the condition "the certificate's subject name can be matched to its own issuer name, which is that of a CA", while "self-signed" is that with the added condition "the certificate signature is verifiable with the public key contained in the message". Most of these CRL signing certificates are "self-issued" in this sense, although not "self-signed". One other reason why such CRL signing certificates would legitimately not go into the CC Pair attribute would be that there is no other directory entry where the CA certificate to verify the signature on this certificate could be found, unlike any other certificates in CC Pair. Lastly, if a CRL signing certificate were issued by a CA certificate with the same DN, it would certainly belong in the same realm, if that concept has any meaning at all. Tom Gindin Sharon Boeyen <sharon.boeyen@entrust.com> on 05/02/2001 04:05:54 PM To: "'Tim Polk'" <tim.polk@nist.gov>, Denis Pinkas <Denis.Pinkas@bull.net> cc: ietf-pkix@imc.org Subject: RE: Basic constraints, key usage, and LDAP schema Hi Tim, I just want to clarify the directory attributes. All certs that are not self issued must go in the cross certificates attribute. All self issued certs must go in the caCertificates attribute. A subset of the certificates in the cross certificate pairs attributes may also be present in the caCertificates attribute (those issued within the same realm, a term left undefined). Lets not go back down that rathole :-) The two attributes are not interchangeable. Given that the certs you are talking about are not self issued then they must go in the cross certificate pairs attribute and may also be placed in the caCertificate attribute if issued within the same realm. Sharon > -----Original Message----- > From: Tim Polk [mailto:tim.polk@nist.gov] > Sent: Wednesday, May 02, 2001 10:43 AM > To: Denis Pinkas > Cc: ietf-pkix@imc.org > Subject: Re: Basic constraints, key usage, and LDAP schema > > > Denis, > > These messages have been flying fast and furious under several topic > lines. I don't believe I caught them all either! As they > are all related, > it is difficult to resolve the issues one-by-one. The > separate solutions > may combine to present new problems. That was the rationale > for the single > comprehensive posting. > > The real problems, in my opinion, are as follows: > > (1) Consider a PKIX client, searching for a certificate to validate a > particular CRL. Under 2459, the client cannot guess whether > the basic > constraints extension will be present with the CA bit asserted. > > If the key used to validate the CRL is also used to validate > certificates, > it will have basic constraints and assert cA is TRUE. In > this case, the > certificate should be in the ca certificate attribute (or > perhaps the cross > certificate pairs). > > If the key is not used to validate certificates, basic > constraints will be > omitted and the certificate will be stored in the user > certificate attribute. > > (2) If a PKIX client wishes to communicate with a CA for certificate > management purposes (e.g., to request a new certificate, request > revocation, or perhaps centralized key generation for key > escrow scenarios) > the client will need to validate the CA's signature and > perhaps make use of > the CA's key management key. If the keys used for these > transactions are > also used to sign PKCs, the certs will be in the CA certificate > attribute. If the keys used for these purposes are not used > to sign PKCs, > there will be no indication that this entity is a CA and the > certs will be > stored in the user certificate attribute. > > As above, the PKIX client does not know where to look for these > certificates. Where they are not used to sign PKCs, there will be no > indication in the certificate that this entity is a CA at all. > > (3) The attribute certificate profile is very clear regarding > AC issuers > versus PKC issuers. Section 4.5 states "the AC issuer's PKC > MUST NOT have a > basicConstraints extension with the cA BOOLEAN set to TRUE." > > However, the combination of RFC 2459 and the attribute > certificate profile > does not permit an issuer to specify whether a subject can issue CRLs > for PKCs, ACs, or both. This would provide us with an > analogous solution: > if the CA bit is not asserted, but the cRLSign bit is set in > key usage, the > subject is only permitted to issue CRLs for ACs. > > To be honest, (3) is the least compelling problem. The CA > must explicitly > name an indirect CRL issuer in PKCs it issues *anyway*, so > the CA bit isn't > a big security issue. Still, I think it is nice to supply > clients with > this information. > > Anyway, I hope this clarifies things a bit. My goal was to > resolve all > three problems simultaneously and consistently. > > Thanks, > > Tim Polk > > At 03:14 PM 5/2/01 +0200, Denis Pinkas wrote: > >Tim, > > > >I stayed silent on that topic and it is quite hard to catch > all the e-mails > >related to it. I certainly missed or skipped missed some of them. > > > > > Terry, > > > > > > I think it would be best if the client did not need to check the > > > userCertificate attribute to validate CRLs. This adds > complexity without > > > any real benefit (in my opinion.) I have included some > proposed text for > > > the first paragraph of section 4.2.1.10 (basic > constraints) that would > > > clarify the issue. > > > > > > ----------------proposed text for first paragraph of > > 4.2.1.10---------------- > > > > > > The basic constraints extension identifies whether the > subject of the > > > certificate is a CA and the maximum depth of valid > certification paths that > > > include this certificate. A subject is considered a CA > if it issues public > > > key certificates or CRLs that describe the revocation > status of public key > > > certificates. > > > > > > ----------------------end proposed text > > > What do you think? > > > >RFC 2459 only said: > > > > The basic constraints extension identifies whether the > subject of the > > certificate is a CA and how deep a certification path may exist > > through that CA. > > > >However, according to the new text a "CRL Issuer" is now > also a "CA": " A > >subject is considered a CA if it issues public key > certificates or CRLs that > >describe the revocation status of public key certificates." > > > >The current text of new-part1-06 also goes in the same direction. > > > > The cA bit indicates if the certified public key may be used to > > verify signatures on other certificates. If the cA bit > is asserted, > > then either the keyCertSign bit or the cRLSign bit in > the key usage > > extension (see 4.2.1.3) MUST also be asserted. If the cA > bit is not > > asserted, then both the keyCertSign bit and the cRLSign > in the key > > usage extension MUST NOT be asserted. > > > >This seems quite strange. A CRL issuer is just one way to > make available > >revocation status information. OCSP is another way. RFC 2560 says: > > > > OCSP signing delegation SHALL be designated by the > > inclusion of id-kp-OCSPSigning in an extendedKeyUsage certificate > > extension included in the OCSP response signer's > certificate. This > > certificate MUST be issued directly by the CA that issued the > > certificate in question. > > > >If a "CRL issuer" is a "CA", why should an OCSP responder > designated by a CA > >not also be a "CA" ? > > > >As far as I remember, originally the cA boolean in the basic > constraints > >extension only allowed to make the difference between leaf > certificates and > >CA certificates. This boolean now seems to be be used with a > different > >meaning (and, maybe, we should change its meaning - not the syntax). > > > >Could someone say again, why that change was requested and > what are the real > >benefits of that change ? > > > >In other words, could someone say again what the problem was ? :-) > > > >Thanks, > > > >Denis > > > > > Thanks, > > > > > > Tim Polk > > > > > > At 01:41 PM 5/1/01 -0700, Terry Hayes wrote: > > > >Tim, > > > > > > > >I agree with your proposed solution. As you have said, > it separates the > > > >semantics of the two extensions, and simplifies the > rules for the LDAP > > schema. > > > > > > > >There is one remaining point to address, and I believe > it may be the main > > > >point of discussion in the current thread. > > > > > > > >When a CA uses the CRLDP extension to designate another > entity to be the > > > >source for revocation information about some of its > certificates, should > > > >that entity have a "CA" certificate (with appropriate > basicConstraints > > > >extension)? I'm *not* suggesting that a > basicConstraints extension is > > > >necessary for the entity to be authorized to sign the > CRL. Instead, the > > > >problem is that clients that are trying to locate the > certificate will not > > > >know whether they should look in the cACertificate > attribute or the > > > >userCertificate attribute to find the appropriate certificate. > > > > > > > >To solve this, we can suggest that cACertificate be > searched first, > > > >followed by userCertificate, or we can require that > designated entities > > > >must always be a "CA", and the client can safely skip > the userCertificate > > > >attribute. This is a question of searching the > directory only, and does > > > >not suggest changing your assertion that any set of bits > may be set in the > > > >keyUsage extension of "CA" certificates. > > > > > > > >Terry > > > > > > > >Tim Polk wrote: > > > > > > > >>Folks, > > > >> > > > >>I have been reading the email messages on the list about the > > > >>relationships between basic constraints, key usage, and > the schema. > > > >>After mulling over the problem. I would like to > propose a solution - the > > > >>only solution, as far as I can tell... > > > >> > > > >>The solution is to simplify and separate the semantics > of the basic > > > >>constraints and key usage extension. This has positive > implications for > > > >>the PKIX LDAP schema as well. > > > >> > > > >>Basic Constraints > > > >> > > > >>As stated in the current text for Basic Constraints (in > 2459): "The > > > >>basic constraints extension identifies whether the > subject of the > > > >>certificate is a CA and how deep a certification path > may exist through > > > >>that CA." > > > >> > > > >>I believe this is the right semantics, and that basic > constraints should > > > >>be included and cA should be asserted in *any* > certificate issued to a > > > >>CA, regardless of the type or role associated with the > public key in the > > > >>certificate. > > > >> > > > >>Key Usage > > > >> > > > >>The issuer should use the Key Usage extension to > disambiguate the > > > >>subject's key pairs: > > > >>(a) The issuer indicates this public key may be used to > verify the > > > >>signature on a public key certificate by asserting > keyCertSign. (b) The > > > >>issuer indicates this public key may be used to verify > the signature on > > > >>CRLs by asserting cRLSign. (c) The issuer indicates > that this public key > > > >>may be used to establish symmetric keys with the > subject by asserting > > > >>either keyEncipherment or keyAgreement. (d) The issuer > indicates that > > > >>this public key may be used to verify signatures on > objects other than > > > >>public key certificates and CRLs by asserting nonRerpuidation or > > > >>digitalSignature. > > > >> > > > >>Of course, if a key pair is used for multiple purposes, > multiple key > > > >>usages may be asserted. > > > >> > > > >>In each of these cases, the basic constraints extension > also appears in > > > >>the certificate and asserts that the subject is a CA. > > > >> > > > >>LDAP Schema > > > >> > > > >>All certificates issued to CAs would be considered CA > certificates since > > > >>the basic constraints extension is present and asserts > that the subject > > > >>is a CA. As a result, each of these could appear in > the cACertificate > > > >>attribute or crossCertificatePair attribute. They > would *not* appear in > > > >>the userCertificate attribute. (That would include all > types (a) through > > > >>(d) above). > > > >> > > > >>------------------ > > > >> > > > >>The implications of this strategy are as follows: (1) > when a client is > > > >>searching for a CA certificate, they will not have to check the > > > >>userCertificate attribute; (2) the issuer can indicate > that the subject > > > >>is a CA regardless of the key usage; and (3) minimal > changes to the text > > > >>(my favorite!). > > > >> > > > >>What do you think? > > > >> > > > >>Thanks, > > > >> > > > >>Tim Polk > > > >> > > > >> > > > > > > > > > Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id OAA27272 for <ietf-pkix@imc.org>; Wed, 2 May 2001 14:28:39 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 2 May 2001 21:28:30 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id RAA27330 for <ietf-pkix@imc.org>; Wed, 2 May 2001 17:28:41 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NT5QW>; Wed, 2 May 2001 17:28:41 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (housley-lap.securitydynamics.com [10.100.23.218]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NT5QS; Wed, 2 May 2001 17:28:36 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: Denis Pinkas <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010502115910.01d12240@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Wed, 02 May 2001 12:00:24 -0400 Subject: Re: keyCertSign and cRLSign Key Usage Bits In-Reply-To: <3AEFE3EA.93E672A4@bull.net> References: <5.0.1.4.2.20010424150514.01b30eb8@exna07.securitydynamics.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Denis: I know that you have been away and that you are trying to catch up on your mail. This approach is not longer being pursued. The issuingDistributionPoint text remains unchanged. Russ At 12:39 PM 5/2/2001 +0200, Denis Pinkas wrote: >Russ, > >In a reply to Santosh (April 24), you said: > > > The IDP syntax is: > > > > issuingDistributionPoint ::= SEQUENCE { > > distributionPoint [0] DistributionPointName OPTIONAL, > > onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, > > onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, > > onlySomeReasons [3] ReasonFlags OPTIONAL, > > indirectCRL [4] BOOLEAN DEFAULT FALSE } > > > > I was simply suggesting that this extension be present if the CRL is signed > > with a key other than the one used to sign the certificate. > >The current text says (in section 5.2.5): > >" 5.2.5 Issuing Distribution Point > > The issuing distribution point is a critical CRL extension that > identifies the CRL distribution point for a particular CRL, and it > indicates whether the CRL covers revocation for end entity > certificates only, CA certificates only, or a limited set of reason > codes. Although the extension is critical, conforming > implementations are not required to support this extension. > > The CRL is signed using the CA's private key." > >I would guess that the last sentence would thus need to be changed. So would >you have a text proposal to fix it ? > >Regards, > >Denis > > > > I would expect > > the distributionPoint field to be present (probably with a URL > > (ldap://...)). The boolean flags would be set based on the contents of the > > CRL (probably all FALSE). The reason codes would also be set based on the > > contents of the CRL (probably absent). > > > Russ Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA27228 for <ietf-pkix@imc.org>; Wed, 2 May 2001 14:28:24 -0700 (PDT) Received: from sunlabs.East.Sun.COM ([129.148.75.250]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id OAA25529; Wed, 2 May 2001 14:28:21 -0700 (PDT) Received: from sun.com (dhcp75-155 [129.148.75.155]) by sunlabs.East.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v2.1p1) with ESMTP id RAA01097; Wed, 2 May 2001 17:28:15 -0400 (EDT) Message-ID: <3AF07AEE.2D06C35D@sun.com> Date: Wed, 02 May 2001 17:23:58 -0400 From: Steve Hanna <steve.hanna@sun.com> Organization: Sun Microsystems, Inc. X-Mailer: Mozilla 4.75 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Denis Pinkas <Denis.Pinkas@bull.net> CC: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> <5.0.1.4.2.20010424092659.01af9748@exna07.securitydynamics.com> <3AF031FD.CD4034C9@bull.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit This is fine with me. -Steve Denis Pinkas wrote: > This is fine in general. I would however prefer to move the two first > sentences from 6.1 at the end of 6.1. This would lead to: > > The path validation process determines the set of certificate policies > that are valid for this path, based on the certificate policies > extension, policy mapping extension, policy constraints extension, > and inhibit any-policy extension. To achieve this, the path > validation algorithm constructs a valid policy tree. If the set of > certificate policies that are valid for this path is not empty, then > the result will be a valid policy tree of depth n, otherwise the > result will be a null valid policy tree. A particular certification > path may not, however, be appropriate for all applications. > Therefore, an application MAY augment this algorithm to further > limit the set of valid paths. > > Regards, > > Denis > > > Denis: > > > > I agree with Steve Hanna's observation. However, I think that we can > > include a bit of notice in section 6.1. I propose the following > > replacement paragraph: > > > > A particular certification path may not, however, be appropriate for > > all applications. Therefore, an application MAY augment this > > algorithm to further limit the set of valid paths. The path > > validation process also determines the set of certificate policies > > that are valid for this path, based on the certificate policies > > extension, policy mapping extension, policy constraints extension, > > and inhibit any-policy extension. To achieve this, the path > > validation algorithm constructs a valid policy tree. If the set of > > certificate policies that are valid for this path is not empty, then > > the result will be a valid policy tree of depth n, otherwise the > > result will be a null valid policy tree. > > > > I suggest that we replace the first paragraph of section 6.2. with: > > > > The path validation algorithm describes the process of validating a > > single certification path. While each certification path begins with > > a specific trust anchor, there is no requirement that all > > certification paths validated by a particular system share a single > > trust anchor. An implementation that supports multiple trust anchors > > MAY augment the algorithm presented in section 6.1 to further limit > > the set of valid certification paths which begin with a particular > > trust anchor. For example, an implementation MAY modify the > > algorithm to apply name constraints to a specific trust anchor during > > the initialization phase, or the application MAY require the presence > > of a particular alternative name form in the end entity certificate, > > or the application MAY impose requirements on application-specific > > extensions. Thus, the path validation algorithm presented in section > > 6.1 defines the minimum conditions for a path to be considered valid. > > > > Russ Received: from SOTTMXS01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA20993 for <ietf-pkix@imc.org>; Wed, 2 May 2001 13:12:34 -0700 (PDT) Received: by SOTTMXS01.entrust.com with Internet Mail Service (5.5.2650.21) id <K12TNTND>; Wed, 2 May 2001 16:12:05 -0400 Message-ID: <DD62792EA182FF4E99C2FBC07E3053BD01DA401B@sottmxs09.entrust.com> From: Sharon Boeyen <sharon.boeyen@entrust.com> To: "'Tim Polk'" <tim.polk@nist.gov>, Denis Pinkas <Denis.Pinkas@bull.net> Cc: ietf-pkix@imc.org Subject: RE: Basic constraints, key usage, and LDAP schema Date: Wed, 2 May 2001 16:05:54 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C0D343.4B288470" This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0D343.4B288470 Content-Type: text/plain Hi Tim, I just want to clarify the directory attributes. All certs that are not self issued must go in the cross certificates attribute. All self issued certs must go in the caCertificates attribute. A subset of the certificates in the cross certificate pairs attributes may also be present in the caCertificates attribute (those issued within the same realm, a term left undefined). Lets not go back down that rathole :-) The two attributes are not interchangeable. Given that the certs you are talking about are not self issued then they must go in the cross certificate pairs attribute and may also be placed in the caCertificate attribute if issued within the same realm. Sharon > -----Original Message----- > From: Tim Polk [mailto:tim.polk@nist.gov] > Sent: Wednesday, May 02, 2001 10:43 AM > To: Denis Pinkas > Cc: ietf-pkix@imc.org > Subject: Re: Basic constraints, key usage, and LDAP schema > > > Denis, > > These messages have been flying fast and furious under several topic > lines. I don't believe I caught them all either! As they > are all related, > it is difficult to resolve the issues one-by-one. The > separate solutions > may combine to present new problems. That was the rationale > for the single > comprehensive posting. > > The real problems, in my opinion, are as follows: > > (1) Consider a PKIX client, searching for a certificate to validate a > particular CRL. Under 2459, the client cannot guess whether > the basic > constraints extension will be present with the CA bit asserted. > > If the key used to validate the CRL is also used to validate > certificates, > it will have basic constraints and assert cA is TRUE. In > this case, the > certificate should be in the ca certificate attribute (or > perhaps the cross > certificate pairs). > > If the key is not used to validate certificates, basic > constraints will be > omitted and the certificate will be stored in the user > certificate attribute. > > (2) If a PKIX client wishes to communicate with a CA for certificate > management purposes (e.g., to request a new certificate, request > revocation, or perhaps centralized key generation for key > escrow scenarios) > the client will need to validate the CA's signature and > perhaps make use of > the CA's key management key. If the keys used for these > transactions are > also used to sign PKCs, the certs will be in the CA certificate > attribute. If the keys used for these purposes are not used > to sign PKCs, > there will be no indication that this entity is a CA and the > certs will be > stored in the user certificate attribute. > > As above, the PKIX client does not know where to look for these > certificates. Where they are not used to sign PKCs, there will be no > indication in the certificate that this entity is a CA at all. > > (3) The attribute certificate profile is very clear regarding > AC issuers > versus PKC issuers. Section 4.5 states "the AC issuer's PKC > MUST NOT have a > basicConstraints extension with the cA BOOLEAN set to TRUE." > > However, the combination of RFC 2459 and the attribute > certificate profile > does not permit an issuer to specify whether a subject can issue CRLs > for PKCs, ACs, or both. This would provide us with an > analogous solution: > if the CA bit is not asserted, but the cRLSign bit is set in > key usage, the > subject is only permitted to issue CRLs for ACs. > > To be honest, (3) is the least compelling problem. The CA > must explicitly > name an indirect CRL issuer in PKCs it issues *anyway*, so > the CA bit isn't > a big security issue. Still, I think it is nice to supply > clients with > this information. > > Anyway, I hope this clarifies things a bit. My goal was to > resolve all > three problems simultaneously and consistently. > > Thanks, > > Tim Polk > > At 03:14 PM 5/2/01 +0200, Denis Pinkas wrote: > >Tim, > > > >I stayed silent on that topic and it is quite hard to catch > all the e-mails > >related to it. I certainly missed or skipped missed some of them. > > > > > Terry, > > > > > > I think it would be best if the client did not need to check the > > > userCertificate attribute to validate CRLs. This adds > complexity without > > > any real benefit (in my opinion.) I have included some > proposed text for > > > the first paragraph of section 4.2.1.10 (basic > constraints) that would > > > clarify the issue. > > > > > > ----------------proposed text for first paragraph of > > 4.2.1.10---------------- > > > > > > The basic constraints extension identifies whether the > subject of the > > > certificate is a CA and the maximum depth of valid > certification paths that > > > include this certificate. A subject is considered a CA > if it issues public > > > key certificates or CRLs that describe the revocation > status of public key > > > certificates. > > > > > > ----------------------end proposed text > > > What do you think? > > > >RFC 2459 only said: > > > > The basic constraints extension identifies whether the > subject of the > > certificate is a CA and how deep a certification path may exist > > through that CA. > > > >However, according to the new text a "CRL Issuer" is now > also a "CA": " A > >subject is considered a CA if it issues public key > certificates or CRLs that > >describe the revocation status of public key certificates." > > > >The current text of new-part1-06 also goes in the same direction. > > > > The cA bit indicates if the certified public key may be used to > > verify signatures on other certificates. If the cA bit > is asserted, > > then either the keyCertSign bit or the cRLSign bit in > the key usage > > extension (see 4.2.1.3) MUST also be asserted. If the cA > bit is not > > asserted, then both the keyCertSign bit and the cRLSign > in the key > > usage extension MUST NOT be asserted. > > > >This seems quite strange. A CRL issuer is just one way to > make available > >revocation status information. OCSP is another way. RFC 2560 says: > > > > OCSP signing delegation SHALL be designated by the > > inclusion of id-kp-OCSPSigning in an extendedKeyUsage certificate > > extension included in the OCSP response signer's > certificate. This > > certificate MUST be issued directly by the CA that issued the > > certificate in question. > > > >If a "CRL issuer" is a "CA", why should an OCSP responder > designated by a CA > >not also be a "CA" ? > > > >As far as I remember, originally the cA boolean in the basic > constraints > >extension only allowed to make the difference between leaf > certificates and > >CA certificates. This boolean now seems to be be used with a > different > >meaning (and, maybe, we should change its meaning - not the syntax). > > > >Could someone say again, why that change was requested and > what are the real > >benefits of that change ? > > > >In other words, could someone say again what the problem was ? :-) > > > >Thanks, > > > >Denis > > > > > Thanks, > > > > > > Tim Polk > > > > > > At 01:41 PM 5/1/01 -0700, Terry Hayes wrote: > > > >Tim, > > > > > > > >I agree with your proposed solution. As you have said, > it separates the > > > >semantics of the two extensions, and simplifies the > rules for the LDAP > > schema. > > > > > > > >There is one remaining point to address, and I believe > it may be the main > > > >point of discussion in the current thread. > > > > > > > >When a CA uses the CRLDP extension to designate another > entity to be the > > > >source for revocation information about some of its > certificates, should > > > >that entity have a "CA" certificate (with appropriate > basicConstraints > > > >extension)? I'm *not* suggesting that a > basicConstraints extension is > > > >necessary for the entity to be authorized to sign the > CRL. Instead, the > > > >problem is that clients that are trying to locate the > certificate will not > > > >know whether they should look in the cACertificate > attribute or the > > > >userCertificate attribute to find the appropriate certificate. > > > > > > > >To solve this, we can suggest that cACertificate be > searched first, > > > >followed by userCertificate, or we can require that > designated entities > > > >must always be a "CA", and the client can safely skip > the userCertificate > > > >attribute. This is a question of searching the > directory only, and does > > > >not suggest changing your assertion that any set of bits > may be set in the > > > >keyUsage extension of "CA" certificates. > > > > > > > >Terry > > > > > > > >Tim Polk wrote: > > > > > > > >>Folks, > > > >> > > > >>I have been reading the email messages on the list about the > > > >>relationships between basic constraints, key usage, and > the schema. > > > >>After mulling over the problem. I would like to > propose a solution - the > > > >>only solution, as far as I can tell... > > > >> > > > >>The solution is to simplify and separate the semantics > of the basic > > > >>constraints and key usage extension. This has positive > implications for > > > >>the PKIX LDAP schema as well. > > > >> > > > >>Basic Constraints > > > >> > > > >>As stated in the current text for Basic Constraints (in > 2459): "The > > > >>basic constraints extension identifies whether the > subject of the > > > >>certificate is a CA and how deep a certification path > may exist through > > > >>that CA." > > > >> > > > >>I believe this is the right semantics, and that basic > constraints should > > > >>be included and cA should be asserted in *any* > certificate issued to a > > > >>CA, regardless of the type or role associated with the > public key in the > > > >>certificate. > > > >> > > > >>Key Usage > > > >> > > > >>The issuer should use the Key Usage extension to > disambiguate the > > > >>subject's key pairs: > > > >>(a) The issuer indicates this public key may be used to > verify the > > > >>signature on a public key certificate by asserting > keyCertSign. (b) The > > > >>issuer indicates this public key may be used to verify > the signature on > > > >>CRLs by asserting cRLSign. (c) The issuer indicates > that this public key > > > >>may be used to establish symmetric keys with the > subject by asserting > > > >>either keyEncipherment or keyAgreement. (d) The issuer > indicates that > > > >>this public key may be used to verify signatures on > objects other than > > > >>public key certificates and CRLs by asserting nonRerpuidation or > > > >>digitalSignature. > > > >> > > > >>Of course, if a key pair is used for multiple purposes, > multiple key > > > >>usages may be asserted. > > > >> > > > >>In each of these cases, the basic constraints extension > also appears in > > > >>the certificate and asserts that the subject is a CA. > > > >> > > > >>LDAP Schema > > > >> > > > >>All certificates issued to CAs would be considered CA > certificates since > > > >>the basic constraints extension is present and asserts > that the subject > > > >>is a CA. As a result, each of these could appear in > the cACertificate > > > >>attribute or crossCertificatePair attribute. They > would *not* appear in > > > >>the userCertificate attribute. (That would include all > types (a) through > > > >>(d) above). > > > >> > > > >>------------------ > > > >> > > > >>The implications of this strategy are as follows: (1) > when a client is > > > >>searching for a CA certificate, they will not have to check the > > > >>userCertificate attribute; (2) the issuer can indicate > that the subject > > > >>is a CA regardless of the key usage; and (3) minimal > changes to the text > > > >>(my favorite!). > > > >> > > > >>What do you think? > > > >> > > > >>Thanks, > > > >> > > > >>Tim Polk > > > >> > > > >> > > > > > > > > > ------_=_NextPart_001_01C0D343.4B288470 Content-Type: text/html Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2652.35"> <TITLE>RE: Basic constraints, key usage, and LDAP schema</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>Hi Tim,</FONT> </P> <P><FONT SIZE=3D2>I just want to clarify the directory attributes. All = certs that are not self issued must go in the cross certificates = attribute. All self issued certs must go in the caCertificates = attribute. A subset of the certificates in the cross certificate pairs = attributes may also be present in the caCertificates attribute (those = issued within the same realm, a term left undefined). Lets not go back = down that rathole :-) The two attributes are not interchangeable. Given = that the certs you are talking about are not self issued then they must = go in the cross certificate pairs attribute and may also be placed in = the caCertificate attribute if issued within the same realm.</FONT></P> <P><FONT SIZE=3D2>Sharon</FONT> </P> <P><FONT SIZE=3D2>> -----Original Message-----</FONT> <BR><FONT SIZE=3D2>> From: Tim Polk [<A = HREF=3D"mailto:tim.polk@nist.gov">mailto:tim.polk@nist.gov</A>]</FONT> <BR><FONT SIZE=3D2>> Sent: Wednesday, May 02, 2001 10:43 AM</FONT> <BR><FONT SIZE=3D2>> To: Denis Pinkas</FONT> <BR><FONT SIZE=3D2>> Cc: ietf-pkix@imc.org</FONT> <BR><FONT SIZE=3D2>> Subject: Re: Basic constraints, key usage, and = LDAP schema</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Denis,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> These messages have been flying fast and = furious under several topic </FONT> <BR><FONT SIZE=3D2>> lines. I don't believe I caught them all = either! As they </FONT> <BR><FONT SIZE=3D2>> are all related, </FONT> <BR><FONT SIZE=3D2>> it is difficult to resolve the issues = one-by-one. The </FONT> <BR><FONT SIZE=3D2>> separate solutions </FONT> <BR><FONT SIZE=3D2>> may combine to present new problems. That = was the rationale </FONT> <BR><FONT SIZE=3D2>> for the single </FONT> <BR><FONT SIZE=3D2>> comprehensive posting.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> The real problems, in my opinion, are as = follows:</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> (1) Consider a PKIX client, searching for a = certificate to validate a </FONT> <BR><FONT SIZE=3D2>> particular CRL. Under 2459, the client = cannot guess whether </FONT> <BR><FONT SIZE=3D2>> the basic </FONT> <BR><FONT SIZE=3D2>> constraints extension will be present with the = CA bit asserted.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> If the key used to validate the CRL is also = used to validate </FONT> <BR><FONT SIZE=3D2>> certificates, </FONT> <BR><FONT SIZE=3D2>> it will have basic constraints and assert cA is = TRUE. In </FONT> <BR><FONT SIZE=3D2>> this case, the </FONT> <BR><FONT SIZE=3D2>> certificate should be in the ca certificate = attribute (or </FONT> <BR><FONT SIZE=3D2>> perhaps the cross </FONT> <BR><FONT SIZE=3D2>> certificate pairs).</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> If the key is not used to validate = certificates, basic </FONT> <BR><FONT SIZE=3D2>> constraints will be </FONT> <BR><FONT SIZE=3D2>> omitted and the certificate will be stored in = the user </FONT> <BR><FONT SIZE=3D2>> certificate attribute.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> (2) If a PKIX client wishes to communicate with = a CA for certificate </FONT> <BR><FONT SIZE=3D2>> management purposes (e.g., to request a new = certificate, request </FONT> <BR><FONT SIZE=3D2>> revocation, or perhaps centralized key = generation for key </FONT> <BR><FONT SIZE=3D2>> escrow scenarios) </FONT> <BR><FONT SIZE=3D2>> the client will need to validate the CA's = signature and </FONT> <BR><FONT SIZE=3D2>> perhaps make use of </FONT> <BR><FONT SIZE=3D2>> the CA's key management key. If the keys = used for these </FONT> <BR><FONT SIZE=3D2>> transactions are </FONT> <BR><FONT SIZE=3D2>> also used to sign PKCs, the certs will be in = the CA certificate </FONT> <BR><FONT SIZE=3D2>> attribute. If the keys used for these = purposes are not used </FONT> <BR><FONT SIZE=3D2>> to sign PKCs, </FONT> <BR><FONT SIZE=3D2>> there will be no indication that this entity is = a CA and the </FONT> <BR><FONT SIZE=3D2>> certs will be </FONT> <BR><FONT SIZE=3D2>> stored in the user certificate = attribute.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> As above, the PKIX client does not know where = to look for these </FONT> <BR><FONT SIZE=3D2>> certificates. Where they are not used to = sign PKCs, there will be no </FONT> <BR><FONT SIZE=3D2>> indication in the certificate that this entity = is a CA at all.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> (3) The attribute certificate profile is very = clear regarding </FONT> <BR><FONT SIZE=3D2>> AC issuers </FONT> <BR><FONT SIZE=3D2>> versus PKC issuers. Section 4.5 states = "the AC issuer's PKC </FONT> <BR><FONT SIZE=3D2>> MUST NOT have a </FONT> <BR><FONT SIZE=3D2>> basicConstraints extension with the cA BOOLEAN = set to TRUE."</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> However, the combination of RFC 2459 and the = attribute </FONT> <BR><FONT SIZE=3D2>> certificate profile </FONT> <BR><FONT SIZE=3D2>> does not permit an issuer to specify whether a = subject can issue CRLs </FONT> <BR><FONT SIZE=3D2>> for PKCs, ACs, or both. This would = provide us with an </FONT> <BR><FONT SIZE=3D2>> analogous solution: </FONT> <BR><FONT SIZE=3D2>> if the CA bit is not asserted, but the cRLSign = bit is set in </FONT> <BR><FONT SIZE=3D2>> key usage, the </FONT> <BR><FONT SIZE=3D2>> subject is only permitted to issue CRLs for = ACs.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> To be honest, (3) is the least compelling = problem. The CA </FONT> <BR><FONT SIZE=3D2>> must explicitly </FONT> <BR><FONT SIZE=3D2>> name an indirect CRL issuer in PKCs it issues = *anyway*, so </FONT> <BR><FONT SIZE=3D2>> the CA bit isn't </FONT> <BR><FONT SIZE=3D2>> a big security issue. Still, I think it = is nice to supply </FONT> <BR><FONT SIZE=3D2>> clients with </FONT> <BR><FONT SIZE=3D2>> this information.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Anyway, I hope this clarifies things a = bit. My goal was to </FONT> <BR><FONT SIZE=3D2>> resolve all </FONT> <BR><FONT SIZE=3D2>> three problems simultaneously and = consistently.</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Thanks,</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> Tim Polk</FONT> <BR><FONT SIZE=3D2>> </FONT> <BR><FONT SIZE=3D2>> At 03:14 PM 5/2/01 +0200, Denis Pinkas = wrote:</FONT> <BR><FONT SIZE=3D2>> >Tim,</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >I stayed silent on that topic and it is = quite hard to catch </FONT> <BR><FONT SIZE=3D2>> all the e-mails</FONT> <BR><FONT SIZE=3D2>> >related to it. I certainly missed or = skipped missed some of them.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > > Terry,</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > > I think it would be best if the = client did not need to check the</FONT> <BR><FONT SIZE=3D2>> > > userCertificate attribute to validate = CRLs. This adds </FONT> <BR><FONT SIZE=3D2>> complexity without</FONT> <BR><FONT SIZE=3D2>> > > any real benefit (in my = opinion.) I have included some </FONT> <BR><FONT SIZE=3D2>> proposed text for</FONT> <BR><FONT SIZE=3D2>> > > the first paragraph of section = 4.2.1.10 (basic </FONT> <BR><FONT SIZE=3D2>> constraints) that would</FONT> <BR><FONT SIZE=3D2>> > > clarify the issue.</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > > ----------------proposed text for = first paragraph of </FONT> <BR><FONT SIZE=3D2>> > 4.2.1.10----------------</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > > The basic constraints extension = identifies whether the </FONT> <BR><FONT SIZE=3D2>> subject of the</FONT> <BR><FONT SIZE=3D2>> > > certificate is a CA and the maximum = depth of valid </FONT> <BR><FONT SIZE=3D2>> certification paths that</FONT> <BR><FONT SIZE=3D2>> > > include this certificate. A = subject is considered a CA </FONT> <BR><FONT SIZE=3D2>> if it issues public</FONT> <BR><FONT SIZE=3D2>> > > key certificates or CRLs that = describe the revocation </FONT> <BR><FONT SIZE=3D2>> status of public key</FONT> <BR><FONT SIZE=3D2>> > > certificates.</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > > ----------------------end proposed = text</FONT> <BR><FONT SIZE=3D2>> > > What do you think?</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >RFC 2459 only said:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > The basic constraints = extension identifies whether the </FONT> <BR><FONT SIZE=3D2>> subject of the</FONT> <BR><FONT SIZE=3D2>> > certificate is a CA and = how deep a certification path may exist</FONT> <BR><FONT SIZE=3D2>> > through that CA.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >However, according to the new text a = "CRL Issuer" is now </FONT> <BR><FONT SIZE=3D2>> also a "CA": " A</FONT> <BR><FONT SIZE=3D2>> >subject is considered a CA if it issues = public key </FONT> <BR><FONT SIZE=3D2>> certificates or CRLs that</FONT> <BR><FONT SIZE=3D2>> >describe the revocation status of public = key certificates."</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >The current text of new-part1-06 also goes = in the same direction.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > The cA bit indicates if = the certified public key may be used to</FONT> <BR><FONT SIZE=3D2>> > verify signatures on = other certificates. If the cA bit </FONT> <BR><FONT SIZE=3D2>> is asserted,</FONT> <BR><FONT SIZE=3D2>> > then either the = keyCertSign bit or the cRLSign bit in </FONT> <BR><FONT SIZE=3D2>> the key usage</FONT> <BR><FONT SIZE=3D2>> > extension (see 4.2.1.3) = MUST also be asserted. If the cA </FONT> <BR><FONT SIZE=3D2>> bit is not</FONT> <BR><FONT SIZE=3D2>> > asserted, then both the = keyCertSign bit and the cRLSign </FONT> <BR><FONT SIZE=3D2>> in the key</FONT> <BR><FONT SIZE=3D2>> > usage extension MUST NOT = be asserted.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >This seems quite strange. A CRL issuer is = just one way to </FONT> <BR><FONT SIZE=3D2>> make available</FONT> <BR><FONT SIZE=3D2>> >revocation status information. OCSP is = another way. RFC 2560 says:</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > OCSP signing delegation = SHALL be designated by the</FONT> <BR><FONT SIZE=3D2>> > inclusion of = id-kp-OCSPSigning in an extendedKeyUsage certificate</FONT> <BR><FONT SIZE=3D2>> > extension included in = the OCSP response signer's </FONT> <BR><FONT SIZE=3D2>> certificate. This</FONT> <BR><FONT SIZE=3D2>> > certificate MUST be = issued directly by the CA that issued the</FONT> <BR><FONT SIZE=3D2>> > certificate in = question.</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >If a "CRL issuer" is a = "CA", why should an OCSP responder </FONT> <BR><FONT SIZE=3D2>> designated by a CA</FONT> <BR><FONT SIZE=3D2>> >not also be a "CA" ?</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >As far as I remember, originally the cA = boolean in the basic </FONT> <BR><FONT SIZE=3D2>> constraints</FONT> <BR><FONT SIZE=3D2>> >extension only allowed to make the = difference between leaf </FONT> <BR><FONT SIZE=3D2>> certificates and</FONT> <BR><FONT SIZE=3D2>> >CA certificates. This boolean now seems to = be be used with a </FONT> <BR><FONT SIZE=3D2>> different</FONT> <BR><FONT SIZE=3D2>> >meaning (and, maybe, we should change its = meaning - not the syntax).</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Could someone say again, why that change = was requested and </FONT> <BR><FONT SIZE=3D2>> what are the real</FONT> <BR><FONT SIZE=3D2>> >benefits of that change ?</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >In other words, could someone say again = what the problem was ? :-)</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Thanks,</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> >Denis</FONT> <BR><FONT SIZE=3D2>> ></FONT> <BR><FONT SIZE=3D2>> > > Thanks,</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > > Tim Polk</FONT> <BR><FONT SIZE=3D2>> > ></FONT> <BR><FONT SIZE=3D2>> > > At 01:41 PM 5/1/01 -0700, Terry Hayes = wrote:</FONT> <BR><FONT SIZE=3D2>> > > >Tim,</FONT> <BR><FONT SIZE=3D2>> > > ></FONT> <BR><FONT SIZE=3D2>> > > >I agree with your proposed = solution. As you have said, </FONT> <BR><FONT SIZE=3D2>> it separates the</FONT> <BR><FONT SIZE=3D2>> > > >semantics of the two extensions, = and simplifies the </FONT> <BR><FONT SIZE=3D2>> rules for the LDAP </FONT> <BR><FONT SIZE=3D2>> > schema.</FONT> <BR><FONT SIZE=3D2>> > > ></FONT> <BR><FONT SIZE=3D2>> > > >There is one remaining point to = address, and I believe </FONT> <BR><FONT SIZE=3D2>> it may be the main</FONT> <BR><FONT SIZE=3D2>> > > >point of discussion in the = current thread.</FONT> <BR><FONT SIZE=3D2>> > > ></FONT> <BR><FONT SIZE=3D2>> > > >When a CA uses the CRLDP = extension to designate another </FONT> <BR><FONT SIZE=3D2>> entity to be the</FONT> <BR><FONT SIZE=3D2>> > > >source for revocation information = about some of its </FONT> <BR><FONT SIZE=3D2>> certificates, should</FONT> <BR><FONT SIZE=3D2>> > > >that entity have a = "CA" certificate (with appropriate </FONT> <BR><FONT SIZE=3D2>> basicConstraints</FONT> <BR><FONT SIZE=3D2>> > > >extension)? I'm *not* = suggesting that a </FONT> <BR><FONT SIZE=3D2>> basicConstraints extension is</FONT> <BR><FONT SIZE=3D2>> > > >necessary for the entity to be = authorized to sign the </FONT> <BR><FONT SIZE=3D2>> CRL. Instead, the</FONT> <BR><FONT SIZE=3D2>> > > >problem is that clients that are = trying to locate the </FONT> <BR><FONT SIZE=3D2>> certificate will not</FONT> <BR><FONT SIZE=3D2>> > > >know whether they should look in = the cACertificate </FONT> <BR><FONT SIZE=3D2>> attribute or the</FONT> <BR><FONT SIZE=3D2>> > > >userCertificate attribute to find = the appropriate certificate.</FONT> <BR><FONT SIZE=3D2>> > > ></FONT> <BR><FONT SIZE=3D2>> > > >To solve this, we can suggest = that cACertificate be </FONT> <BR><FONT SIZE=3D2>> searched first,</FONT> <BR><FONT SIZE=3D2>> > > >followed by userCertificate, or = we can require that </FONT> <BR><FONT SIZE=3D2>> designated entities</FONT> <BR><FONT SIZE=3D2>> > > >must always be a "CA", = and the client can safely skip </FONT> <BR><FONT SIZE=3D2>> the userCertificate</FONT> <BR><FONT SIZE=3D2>> > > >attribute. This is a = question of searching the </FONT> <BR><FONT SIZE=3D2>> directory only, and does</FONT> <BR><FONT SIZE=3D2>> > > >not suggest changing your = assertion that any set of bits </FONT> <BR><FONT SIZE=3D2>> may be set in the</FONT> <BR><FONT SIZE=3D2>> > > >keyUsage extension of = "CA" certificates.</FONT> <BR><FONT SIZE=3D2>> > > ></FONT> <BR><FONT SIZE=3D2>> > > >Terry</FONT> <BR><FONT SIZE=3D2>> > > ></FONT> <BR><FONT SIZE=3D2>> > > >Tim Polk wrote:</FONT> <BR><FONT SIZE=3D2>> > > ></FONT> <BR><FONT SIZE=3D2>> > > >>Folks,</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>I have been reading the email = messages on the list about the</FONT> <BR><FONT SIZE=3D2>> > > >>relationships between basic = constraints, key usage, and </FONT> <BR><FONT SIZE=3D2>> the schema.</FONT> <BR><FONT SIZE=3D2>> > > >>After mulling over the = problem. I would like to </FONT> <BR><FONT SIZE=3D2>> propose a solution - the</FONT> <BR><FONT SIZE=3D2>> > > >>only solution, as far as I = can tell...</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>The solution is to simplify = and separate the semantics </FONT> <BR><FONT SIZE=3D2>> of the basic</FONT> <BR><FONT SIZE=3D2>> > > >>constraints and key usage = extension. This has positive </FONT> <BR><FONT SIZE=3D2>> implications for</FONT> <BR><FONT SIZE=3D2>> > > >>the PKIX LDAP schema as = well.</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>Basic Constraints</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>As stated in the current text = for Basic Constraints (in </FONT> <BR><FONT SIZE=3D2>> 2459): "The</FONT> <BR><FONT SIZE=3D2>> > > >>basic constraints extension = identifies whether the </FONT> <BR><FONT SIZE=3D2>> subject of the</FONT> <BR><FONT SIZE=3D2>> > > >>certificate is a CA and how = deep a certification path </FONT> <BR><FONT SIZE=3D2>> may exist through</FONT> <BR><FONT SIZE=3D2>> > > >>that CA."</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>I believe this is the right = semantics, and that basic </FONT> <BR><FONT SIZE=3D2>> constraints should</FONT> <BR><FONT SIZE=3D2>> > > >>be included and cA should be = asserted in *any* </FONT> <BR><FONT SIZE=3D2>> certificate issued to a</FONT> <BR><FONT SIZE=3D2>> > > >>CA, regardless of the type or = role associated with the </FONT> <BR><FONT SIZE=3D2>> public key in the</FONT> <BR><FONT SIZE=3D2>> > > >>certificate.</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>Key Usage</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>The issuer should use the Key = Usage extension to </FONT> <BR><FONT SIZE=3D2>> disambiguate the</FONT> <BR><FONT SIZE=3D2>> > > >>subject's key pairs:</FONT> <BR><FONT SIZE=3D2>> > > >>(a) The issuer indicates this = public key may be used to </FONT> <BR><FONT SIZE=3D2>> verify the</FONT> <BR><FONT SIZE=3D2>> > > >>signature on a public key = certificate by asserting </FONT> <BR><FONT SIZE=3D2>> keyCertSign. (b) The</FONT> <BR><FONT SIZE=3D2>> > > >>issuer indicates this public = key may be used to verify </FONT> <BR><FONT SIZE=3D2>> the signature on</FONT> <BR><FONT SIZE=3D2>> > > >>CRLs by asserting = cRLSign. (c) The issuer indicates </FONT> <BR><FONT SIZE=3D2>> that this public key</FONT> <BR><FONT SIZE=3D2>> > > >>may be used to establish = symmetric keys with the </FONT> <BR><FONT SIZE=3D2>> subject by asserting</FONT> <BR><FONT SIZE=3D2>> > > >>either keyEncipherment or = keyAgreement. (d) The issuer </FONT> <BR><FONT SIZE=3D2>> indicates that</FONT> <BR><FONT SIZE=3D2>> > > >>this public key may be used = to verify signatures on </FONT> <BR><FONT SIZE=3D2>> objects other than</FONT> <BR><FONT SIZE=3D2>> > > >>public key certificates and = CRLs by asserting nonRerpuidation or</FONT> <BR><FONT SIZE=3D2>> > > >>digitalSignature.</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>Of course, if a key pair is = used for multiple purposes, </FONT> <BR><FONT SIZE=3D2>> multiple key</FONT> <BR><FONT SIZE=3D2>> > > >>usages may be = asserted.</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>In each of these cases, the = basic constraints extension </FONT> <BR><FONT SIZE=3D2>> also appears in</FONT> <BR><FONT SIZE=3D2>> > > >>the certificate and asserts = that the subject is a CA.</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>LDAP Schema</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>All certificates issued to = CAs would be considered CA </FONT> <BR><FONT SIZE=3D2>> certificates since</FONT> <BR><FONT SIZE=3D2>> > > >>the basic constraints = extension is present and asserts </FONT> <BR><FONT SIZE=3D2>> that the subject</FONT> <BR><FONT SIZE=3D2>> > > >>is a CA. As a result, = each of these could appear in </FONT> <BR><FONT SIZE=3D2>> the cACertificate</FONT> <BR><FONT SIZE=3D2>> > > >>attribute or = crossCertificatePair attribute. They </FONT> <BR><FONT SIZE=3D2>> would *not* appear in</FONT> <BR><FONT SIZE=3D2>> > > >>the userCertificate = attribute. (That would include all </FONT> <BR><FONT SIZE=3D2>> types (a) through</FONT> <BR><FONT SIZE=3D2>> > > >>(d) above).</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>------------------</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>The implications of this = strategy are as follows: (1) </FONT> <BR><FONT SIZE=3D2>> when a client is</FONT> <BR><FONT SIZE=3D2>> > > >>searching for a CA = certificate, they will not have to check the</FONT> <BR><FONT SIZE=3D2>> > > >>userCertificate attribute; = (2) the issuer can indicate </FONT> <BR><FONT SIZE=3D2>> that the subject</FONT> <BR><FONT SIZE=3D2>> > > >>is a CA regardless of the key = usage; and (3) minimal </FONT> <BR><FONT SIZE=3D2>> changes to the text</FONT> <BR><FONT SIZE=3D2>> > > >>(my favorite!).</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>What do you think?</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>Thanks,</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >>Tim Polk</FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > >></FONT> <BR><FONT SIZE=3D2>> > > ></FONT> <BR><FONT SIZE=3D2>> > > ></FONT> <BR><FONT SIZE=3D2>> </FONT> </P> </BODY> </HTML> ------_=_NextPart_001_01C0D343.4B288470-- Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id MAA18157 for <ietf-pkix@imc.org>; Wed, 2 May 2001 12:20:43 -0700 (PDT) Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GCQ00I0132UFX@ext-mail.valicert.com> for ietf-pkix@imc.org; Wed, 2 May 2001 12:20:55 -0700 (PDT) Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GCQ00HKX32UQC@ext-mail.valicert.com> for ietf-pkix@imc.org; Wed, 02 May 2001 12:20:54 -0700 (PDT) Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HR26Q50L>; Wed, 02 May 2001 12:19:13 -0700 Content-return: allowed Date: Wed, 02 May 2001 12:19:11 -0700 From: Peter Williams <peterw@valicert.com> Subject: RE: CPS Pointer To: ietf-pkix@imc.org Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E182C81@exchange.valicert.com> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" The CPS pointer and the user notice policy qualifiers are each an input to the PMI *control model*, acting as an environmental variable. Env vars have a defined function for both NR and access control in conforming authorization and privilege management schemes. The semantics of CPS pointer and user notices are properly dealt with not in the sense of UI issues of the Netscape/Microsoft browser era of PKI, but in the PMI modules that enforce policy *control*. CPS pointers and user notices are control devices. The issue has moved tangentially away, somewhat, from choice of URI form, into the factors that motivate the choice(s) of URI form, for the CPS pointer. You might decide based on what forms make best sense for technical interoperability between CA chain processing and PMI control policy enforcement modules. -----Original Message----- From: Trevor Freeman [mailto:trevorf@windows.microsoft.com] Sent: Wednesday, May 02, 2001 10:23 AM To: Paul Hoffman / IMC; Housley, Russ; ietf-pkix@imc.org Subject: RE: CPS Pointer Paul, This can occur in any certificate, and if we want a client to have this option, then lets be realistic over what is possible. Te client being on or offline has no relevance to the types of URI. If we are going to include this in the profile, then it should have a chance to work. Trevor -----Original Message----- From: Paul Hoffman / IMC [mailto:phoffman@imc.org] Sent: Monday, April 30, 2001 3:40 PM To: Housley, Russ; ietf-pkix@imc.org Subject: Re: CPS Pointer At 2:32 PM -0400 4/30/01, Housley, Russ wrote: >Trevor Freeman noticed we don't have any guidelines for what forms >of URI are supported with the CPS Pointer. Presently, we say: > > The CPS Pointer qualifier contains a pointer to a Certification > Practice Statement (CPS) published by the CA. The pointer is in the > form of a URI. Processing requirements for this qualifier are a > local matter. No action is mandated by this specification regardless > of the criticality value asserted for the extension. > >So, we are not mandating any behavior on the client. Nor should we. The "client" might be offline, such as a mail user agent that uses S/MIME. The "client" might have no user interface for certificates, such as an IPsec box. Let's be realistic: will the end user reading the CPS affect the actions in more that 0.000001% of PKI transactions? If a user has already loaded a root cert, there is essentially no chance that they will read a CPS after the fact. I propose that you don't change anything. --Paul Hoffman, Director --Internet Mail Consortium Received: from mail3.microsoft.com (mail3.microsoft.com [131.107.3.123]) by above.proper.com (8.9.3/8.9.3) with SMTP id KAA13601 for <ietf-pkix@imc.org>; Wed, 2 May 2001 10:39:54 -0700 (PDT) Received: from 157.54.9.104 by mail3.microsoft.com (InterScan E-Mail VirusWall NT); Wed, 02 May 2001 10:21:13 -0700 (Pacific Daylight Time) Received: from red-imc-01.redmond.corp.microsoft.com ([157.54.9.102]) by inet-imc-02.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Wed, 2 May 2001 10:23:18 -0700 Received: from win-imc-02.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.82]) by red-imc-01.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2883); Wed, 2 May 2001 10:23:18 -0700 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-02.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(5.0.2195.1600); Wed, 2 May 2001 10:23:10 -0700 X-MimeOLE: Produced By Microsoft Exchange V6.0.4418.65 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: CPS Pointer Date: Wed, 2 May 2001 10:23:10 -0700 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD631B43@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: CPS Pointer Thread-Index: AcDR3JgUAmZbchQuSFybXTkc2Wn1+wBT5EaQ From: "Trevor Freeman" <trevorf@windows.microsoft.com> To: "Paul Hoffman / IMC" <phoffman@imc.org>, "Housley, Russ" <rhousley@rsasecurity.com>, <ietf-pkix@imc.org> X-OriginalArrivalTime: 02 May 2001 17:23:10.0824 (UTC) FILETIME=[8FA34E80:01C0D32C] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id KAA13602 Paul, This can occur in any certificate, and if we want a client to have this option, then lets be realistic over what is possible. Te client being on or offline has no relevance to the types of URI. If we are going to include this in the profile, then it should have a chance to work. Trevor -----Original Message----- From: Paul Hoffman / IMC [mailto:phoffman@imc.org] Sent: Monday, April 30, 2001 3:40 PM To: Housley, Russ; ietf-pkix@imc.org Subject: Re: CPS Pointer At 2:32 PM -0400 4/30/01, Housley, Russ wrote: >Trevor Freeman noticed we don't have any guidelines for what forms >of URI are supported with the CPS Pointer. Presently, we say: > > The CPS Pointer qualifier contains a pointer to a Certification > Practice Statement (CPS) published by the CA. The pointer is in the > form of a URI. Processing requirements for this qualifier are a > local matter. No action is mandated by this specification regardless > of the criticality value asserted for the extension. > >So, we are not mandating any behavior on the client. Nor should we. The "client" might be offline, such as a mail user agent that uses S/MIME. The "client" might have no user interface for certificates, such as an IPsec box. Let's be realistic: will the end user reading the CPS affect the actions in more that 0.000001% of PKI transactions? If a user has already loaded a root cert, there is essentially no chance that they will read a CPS after the fact. I propose that you don't change anything. --Paul Hoffman, Director --Internet Mail Consortium Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA12166 for <ietf-pkix@imc.org>; Wed, 2 May 2001 10:18:45 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id TAA20266; Wed, 2 May 2001 19:18:36 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id TAA06062; Wed, 2 May 2001 19:18:13 +0200 Message-ID: <3AF04157.413C93ED@bull.net> Date: Wed, 02 May 2001 19:18:15 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Jeff Jacoby <jjacoby@rsasecurity.com> CC: pkix <ietf-pkix@imc.org> Subject: Re: delta-CRLs References: <3AF01CF6.78789733@bull.net> <3AF03E1A.40122743@rsasecurity.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Jeff, > Greetings, > > I would like to suggest one minor addition (though perhaps painfully > obvious to most) ... > > Denis Pinkas wrote: > > > > David, > > > > On monday 23 April, I sent you the following long e-mail, and since I > > got no > > reply to it I would guess that you agree with it. So it is now the right > > time to fix the text. What follows is a full replacement proposal for > > section 5.2.4. It simplifies the current text making it easier to read > > and, > > when delta CRLs are supported, only mandate the support of what you call > > "the traditional method". > > > > 5.2.4 Delta CRL Indicator > > > > The delta CRL indicator is a critical CRL extension that identifies > > a CRL as being a delta CRL. A delta-CRL is a CRL that only provides > > information about certificates who statuses have changed since the > > issuance of a specific, previously issued CRL. The use of delta > > It's not obvious to me if this "previously issued CRL" is supposed to be > the base CRL or if it's a prior delta CRL. Would it be worthwhile to > specifically say: > > "issuance of a specific, previously issued base CRL." This is the correct answer. :-) Denis > Or if it can be either base CRL or delta CRL then perhaps the text > should > specifically say that. > > [I have been unable to follow this thread is closely as I would like and > so I apologize if this issue was clearly covered elsewhere/elsewhen.] > > > CRLs can significantly reduce network load and processing time in > > some environments. Delta CRLs are generally much smaller than the > > CRLs they update, so applications that obtain delta CRLs consume > > less network bandwidth than applications that obtain the > > corresponding complete CRLs. > > [great big snip] > > Jeff > > -- > Jeff Jacoby, Sr. Programmer > RSA Security Inc., SMDC > > 2755 Campus Dr., Ste. 300 jjacoby@rsasecurity.com > San Mateo, CA 94493 (650) 295-7569 Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id KAA10759 for <ietf-pkix@imc.org>; Wed, 2 May 2001 10:05:05 -0700 (PDT) Received: from sdtihq24.securid.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 2 May 2001 17:04:56 UT Received: from tuna.rsa.com (tuna.rsa.com [10.80.211.153]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id NAA05370 for <ietf-pkix@imc.org>; Wed, 2 May 2001 13:05:06 -0400 (EDT) Received: from rsasecurity.com ([10.81.217.242]) by tuna.rsa.com (8.8.8+Sun/8.8.8) with ESMTP id KAA18979 for <ietf-pkix@imc.org>; Wed, 2 May 2001 10:05:36 -0700 (PDT) Message-ID: <3AF03E1A.40122743@rsasecurity.com> Date: Wed, 02 May 2001 10:04:26 -0700 From: Jeff Jacoby <jjacoby@rsasecurity.com> Organization: RSA Security, Inc. X-Mailer: Mozilla 4.75 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: pkix <ietf-pkix@imc.org> Subject: Re: delta-CRLs References: <3AF01CF6.78789733@bull.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Greetings, I would like to suggest one minor addition (though perhaps painfully obvious to most) ... Denis Pinkas wrote: > > David, > > On monday 23 April, I sent you the following long e-mail, and since I > got no > reply to it I would guess that you agree with it. So it is now the right > time to fix the text. What follows is a full replacement proposal for > section 5.2.4. It simplifies the current text making it easier to read > and, > when delta CRLs are supported, only mandate the support of what you call > "the traditional method". > > 5.2.4 Delta CRL Indicator > > The delta CRL indicator is a critical CRL extension that identifies > a CRL as being a delta CRL. A delta-CRL is a CRL that only provides > information about certificates who statuses have changed since the > issuance of a specific, previously issued CRL. The use of delta It's not obvious to me if this "previously issued CRL" is supposed to be the base CRL or if it's a prior delta CRL. Would it be worthwhile to specifically say: "issuance of a specific, previously issued base CRL." Or if it can be either base CRL or delta CRL then perhaps the text should specifically say that. [I have been unable to follow this thread is closely as I would like and so I apologize if this issue was clearly covered elsewhere/elsewhen.] > CRLs can significantly reduce network load and processing time in > some environments. Delta CRLs are generally much smaller than the > CRLs they update, so applications that obtain delta CRLs consume > less network bandwidth than applications that obtain the > corresponding complete CRLs. [great big snip] Jeff -- Jeff Jacoby, Sr. Programmer RSA Security Inc., SMDC 2755 Campus Dr., Ste. 300 jjacoby@rsasecurity.com San Mateo, CA 94493 (650) 295-7569 Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA05943 for <ietf-pkix@imc.org>; Wed, 2 May 2001 09:13:16 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id SAA46520; Wed, 2 May 2001 18:13:06 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id SAA18736; Wed, 2 May 2001 18:12:42 +0200 Message-ID: <3AF031FD.CD4034C9@bull.net> Date: Wed, 02 May 2001 18:12:45 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: "Housley, Russ" <rhousley@rsasecurity.com> CC: ietf-pkix@imc.org Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments References: <DD62792EA182FF4E99C2FBC07E3053BD01DA3F98@sottmxs09.entrust.com> <5.0.1.4.2.20010424092659.01af9748@exna07.securitydynamics.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Russ, This is fine in general. I would however prefer to move the two first sentences from 6.1 at the end of 6.1. This would lead to: The path validation process determines the set of certificate policies that are valid for this path, based on the certificate policies extension, policy mapping extension, policy constraints extension, and inhibit any-policy extension. To achieve this, the path validation algorithm constructs a valid policy tree. If the set of certificate policies that are valid for this path is not empty, then the result will be a valid policy tree of depth n, otherwise the result will be a null valid policy tree. A particular certification path may not, however, be appropriate for all applications. Therefore, an application MAY augment this algorithm to further limit the set of valid paths. Regards, Denis > Denis: > > I agree with Steve Hanna's observation. However, I think that we can > include a bit of notice in section 6.1. I propose the following > replacement paragraph: > > A particular certification path may not, however, be appropriate for > all applications. Therefore, an application MAY augment this > algorithm to further limit the set of valid paths. The path > validation process also determines the set of certificate policies > that are valid for this path, based on the certificate policies > extension, policy mapping extension, policy constraints extension, > and inhibit any-policy extension. To achieve this, the path > validation algorithm constructs a valid policy tree. If the set of > certificate policies that are valid for this path is not empty, then > the result will be a valid policy tree of depth n, otherwise the > result will be a null valid policy tree. > > I suggest that we replace the first paragraph of section 6.2. with: > > The path validation algorithm describes the process of validating a > single certification path. While each certification path begins with > a specific trust anchor, there is no requirement that all > certification paths validated by a particular system share a single > trust anchor. An implementation that supports multiple trust anchors > MAY augment the algorithm presented in section 6.1 to further limit > the set of valid certification paths which begin with a particular > trust anchor. For example, an implementation MAY modify the > algorithm to apply name constraints to a specific trust anchor during > the initialization phase, or the application MAY require the presence > of a particular alternative name form in the end entity certificate, > or the application MAY impose requirements on application-specific > extensions. Thus, the path validation algorithm presented in section > 6.1 defines the minimum conditions for a path to be considered valid. > > Russ Received: from tholian.securitydynamics.com (mail.rsasecurity.com [204.167.112.129]) by above.proper.com (8.9.3/8.9.3) with SMTP id IAA03635 for <ietf-pkix@imc.org>; Wed, 2 May 2001 08:57:58 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.imc.org [208.184.76.43]) with SMTP; 2 May 2001 15:57:49 UT Received: from exna00.securitydynamics.com (ebola.securid.com [192.168.7.4]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id LAA29606 for <ietf-pkix@imc.org>; Wed, 2 May 2001 11:57:54 -0400 (EDT) Received: by exna00.securitydynamics.com with Internet Mail Service (5.5.2653.19) id <JY8NT4WB>; Wed, 2 May 2001 11:57:53 -0400 Received: from HOUSLEY-LAP.rsasecurity.com (housley-lap.securitydynamics.com [10.100.23.218]) by exna00.securitydynamics.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id JY8NT4V8; Wed, 2 May 2001 11:57:51 -0400 From: "Housley, Russ" <rhousley@rsasecurity.com> To: thayes@netscape.com Cc: ietf-pkix@imc.org Message-Id: <5.0.1.4.2.20010502113645.01d04a38@exna07.securitydynamics.com> X-Sender: rhousley@exna07.securitydynamics.com X-Mailer: QUALCOMM Windows Eudora Version 5.0.1 Date: Wed, 02 May 2001 11:39:41 -0400 Subject: Re: Basic constraints, key usage, and LDAP schema In-Reply-To: <3AEF1F80.8090502@netscape.com> References: <4.2.0.58.20010501160140.0202cb50@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Terry: In my view, certificates that contain public keys used to verify signatures on public key certificates or CRLs that contain revocation status information about public key certificates are CA certificates. As such, the basic constraints extension should assert the cA bit, and they should be fetched from the cACertificate directory attribute. Russ At 01:41 PM 5/1/2001 -0700, Terry Hayes wrote: >Tim, > >I agree with your proposed solution. As you have said, it separates the >semantics of the two extensions, and simplifies the rules for the LDAP schema. > >There is one remaining point to address, and I believe it may be the main >point of discussion in the current thread. > >When a CA uses the CRLDP extension to designate another entity to be the >source for revocation information about some of its certificates, should >that entity have a "CA" certificate (with appropriate basicConstraints >extension)? I'm *not* suggesting that a basicConstraints extension is >necessary for the entity to be authorized to sign the CRL. Instead, the >problem is that clients that are trying to locate the certificate will not >know whether they should look in the cACertificate attribute or the >userCertificate attribute to find the appropriate certificate. > >To solve this, we can suggest that cACertificate be searched first, >followed by userCertificate, or we can require that designated entities >must always be a "CA", and the client can safely skip the userCertificate >attribute. This is a question of searching the directory only, and does >not suggest changing your assertion that any set of bits may be set in the >keyUsage extension of "CA" certificates. > >Terry > >Tim Polk wrote: > >>Folks, >> >>I have been reading the email messages on the list about the >>relationships between basic constraints, key usage, and the schema. >>After mulling over the problem. I would like to propose a solution - the >>only solution, as far as I can tell... >> >>The solution is to simplify and separate the semantics of the basic >>constraints and key usage extension. This has positive implications for >>the PKIX LDAP schema as well. >> >>Basic Constraints >> >>As stated in the current text for Basic Constraints (in 2459): "The >>basic constraints extension identifies whether the subject of the >>certificate is a CA and how deep a certification path may exist through >>that CA." >> >>I believe this is the right semantics, and that basic constraints should >>be included and cA should be asserted in *any* certificate issued to a >>CA, regardless of the type or role associated with the public key in the >>certificate. >> >>Key Usage >> >>The issuer should use the Key Usage extension to disambiguate the >>subject's key pairs: >>(a) The issuer indicates this public key may be used to verify the >>signature on a public key certificate by asserting keyCertSign. (b) The >>issuer indicates this public key may be used to verify the signature on >>CRLs by asserting cRLSign. (c) The issuer indicates that this public key >>may be used to establish symmetric keys with the subject by asserting >>either keyEncipherment or keyAgreement. (d) The issuer indicates that >>this public key may be used to verify signatures on objects other than >>public key certificates and CRLs by asserting nonRerpuidation or >>digitalSignature. >> >>Of course, if a key pair is used for multiple purposes, multiple key >>usages may be asserted. >> >>In each of these cases, the basic constraints extension also appears in >>the certificate and asserts that the subject is a CA. >> >>LDAP Schema >> >>All certificates issued to CAs would be considered CA certificates since >>the basic constraints extension is present and asserts that the subject >>is a CA. As a result, each of these could appear in the cACertificate >>attribute or crossCertificatePair attribute. They would *not* appear in >>the userCertificate attribute. (That would include all types (a) through >>(d) above). >> >>------------------ >> >>The implications of this strategy are as follows: (1) when a client is >>searching for a CA certificate, they will not have to check the >>userCertificate attribute; (2) the issuer can indicate that the subject >>is a CA regardless of the key usage; and (3) minimal changes to the text >>(my favorite!). >> >>What do you think? >> >>Thanks, >> >>Tim Polk >> >> Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA01852 for <ietf-pkix@imc.org>; Wed, 2 May 2001 08:42:43 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id LAA27269; Wed, 2 May 2001 11:42:40 -0400 (EDT) Message-Id: <4.2.0.58.20010502114027.017593c0@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Wed, 02 May 2001 11:40:34 -0400 To: Denis Pinkas <Denis.Pinkas@bull.net>, "David A. Cooper" <david.cooper@nist.gov>, pkix <ietf-pkix@imc.org> From: Tim Polk <tim.polk@nist.gov> Subject: Re: delta-CRLs In-Reply-To: <3AF01CF6.78789733@bull.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Denis, Sorry about the silence from NIST. I was supposed to write the reply. Since you were out last week, I delayed writing the response to deal with other, more immediate, crises... Anyway, the list has agreed that we should remove the requirement for issuing full CRLs with every delta. Since we don't even require issuing CRLs at all, it would be inappropriate for us to be heavily prescriptive regarding *how* deltas must be implemented. Basically, I believe the modifications you propose are out of scope. I also should note that we (David Cooper & I) disagree with the requirements you have stated. They seem to depart from the traditional deltas in certain details, but prevent use of sliding window deltas. We can continue to discuss effective delta CRL strategies off-line, but I believe that no additional changes are required or appropriate in son-of-2459. (I do accept that we should remove the requirement for full CRLs with each delta. I believe that reflects the consensus of the list as well.) Thanks, Tim Polk At 04:43 PM 5/2/01 +0200, Denis Pinkas wrote: >David, > >On monday 23 April, I sent you the following long e-mail, and since I got no >reply to it I would guess that you agree with it. So it is now the right >time to fix the text. What follows is a full replacement proposal for >section 5.2.4. It simplifies the current text making it easier to read and, >when delta CRLs are supported, only mandate the support of what you call >"the traditional method". > >5.2.4 Delta CRL Indicator > > The delta CRL indicator is a critical CRL extension that identifies > a CRL as being a delta CRL. A delta-CRL is a CRL that only provides > information about certificates who statuses have changed since the > issuance of a specific, previously issued CRL. The use of delta > CRLs can significantly reduce network load and processing time in > some environments. Delta CRLs are generally much smaller than the > CRLs they update, so applications that obtain delta CRLs consume > less network bandwidth than applications that obtain the > corresponding complete CRLs. > > The delta CRL indicator extension contains a single value of type > BaseCRLNumber. This value identifies the CRL number of the base CRL > that was used as the foundation in the generation of this delta CRL. > The referenced base CRL is a CRL that was explicitly issued as a CRL > that is complete for a given scope (e.g., a set of revocation reasons > or a particular distribution point.) The CRL containing the delta CRL > indicator extension contains all updates to the certificate > revocation status for that same scope. > > When a delta CRL is issued, it MUST cover the same set of reasons > and same set of certificates that were covered by the base CRL it > references. > > When a conforming CA issues a delta CRL, the delta CRL MUST include > a critical delta CRL indicator extension. > > An application can construct a CRL that is the most current for > a given scope, for a specific date, by retrieving the appropriate > base CRL for that scope, and combining it with a delta-CRL which > contains a Delta CRL Indicator equal to the cRLNumber of the base > CRL and where the date for which the construction is being made is > between thisUpdate and nextUpdate as indicated the delta CRL. > > Conforming implementations of this specification are not required > to implement the above algorithm, but MUST provide functionality > equivalent to the external behavior resulting from this procedure. > > CAs must ensure that application of a delta CRL to the referenced > base revocation information accurately reflects the current status of > revocation. If a CA supports the certificateHold revocation reason > the following rules must be applied when generating delta CRLs: > > (a) If a certificate was listed as revoked with revocation reason > certificateHold on a CRL (either a delta CRL or a CRL that is > complete for a given scope), and the hold is subsequently > released, the certificate must be listed with revocation reason > removeFromCRL until the next base CRL is issued. > > Note: Should the certificate be subsequently revoked again for > one of the revocation reasons covered by the delta CRL, > then the certificate must be listed with the revocation > reason appropriate for the subsequent revocation. > > (b) If the certificate was not removed from hold, but was > permanently revoked, then it must be listed as such on all > subsequent delta CRLs until the next base CRL is issued . > > id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } > > BaseCRLNumber ::= CRLNumber > > >Regards, > >Denis > >========================================================================== > >This is a LONG e-mail and a last e-mail to you, before leaving for a trip >that will keep me away from my e-mails during a week. So, don't think I am >giving up if you do not receive a reply soon. > > > Denis, > > > > My comments are in line. > > > > At 06:50 PM 4/20/01 +0200, Denis Pinkas wrote: > > >[Denis] This is the case I had in mind. However I would disagree to > say that > > >the locally contructed CRL is equal to the full CRL number 8, because > there > > >is no need to issue such CRL (see the first comment). It is simply the > > >"freshest CRL constructed from the base CRL number 5 for 3:10 am". This > > >locally contructed CRL bears no number, or if you assign one, this is a > > >local matter and is not part of the standard. This also avoids the later > > >confusing between CRL numbers. > >[David] This is simply not true. > >[Denis] The sentence above is technically correct: "It is simply the >freshest CRL constructed from the base CRL number 5 for 3:10 am". > >[David] A delta-CRL can (will) contain the cRLNumber extension just as a >full CRL will. > >[Denis] The cRLNumber extension is simply an identifier that allows you to >uniquely identify it and to know whether it is earlier or later another CRL >issued by the same CRL issuer. > >[David] If a full CRL and a delta-CRL are issued at the same time, the >combination of the delta-CRL and an appropriate base CRL must be equivalent >to the full CRL, and both the delta-CRL and the full CRL must have the same >cRLNumber. > >[Denis] This is where we do not agree. The delta-CRL and the full CRL MUST >NOT have the same cRLNumber because this would violate the definition of >what is a CRLnumber. RFC 2459 says: > >5.2.3 CRL Number > > The CRL number is a non-critical CRL extension which conveys a > monotonically increasing sequence number for each CRL issued by a CA. > This extension allows users to easily determine when a particular CRL > supersedes another CRL. CAs conforming to this profile MUST include > this extension in all CRLs. > >Maybe you are making some confusion with the deltaCRLindicator. > >The construction you mention is not acceptable and is no even part of the >ISO X509 document. > >[David] If a delta-CRL is issued, and no corresponding full CRL issued, then >the combination of the delta-CRL and an appropriate base CRL should be >equivalent to the full CRL that would have been issued at that time, if a >full CRL had been issued. > >[Denis] Here is the problem ! Let us take an example: A base CRL >is issued at midnight. thisUpdate is set to midnight while nextUpdate is >midnight for the next day. This means that there is no guarantee at all that >any other base/full CRL will necessarily be seen within the next 24 hours. >Certainly a base can be issued before, but once again there is no guarantee >that it will ever be seen. If someone is now using the CRL as a proof to be >presented later on that the certificate was not revoked, a relying party >is perfectly right to use the base from midnight (if allowed by the >validation policy) or the base plus a delta (if mandated by the validation >policy). > >Now if you issue a full CRL (I did not say a base CRL) every hour at the >same time you issue a delta, the problem becomes worse because at 11:30 p.m. >you have now 23 full CRLs, and you cannot know which one is the right one to >use (if someone purposely is blocking the transmission of the latest full >CRLs), unless precisely you introduce he statement that is the cause of all >this trouble: > > When a conforming CA issues a delta CRL, the CA MUST also issue a CRL > that is complete for the given scope. > >Now understand better the problem: this is a stone fundation of the whole >edifice. If we take it away, the whole edifice collapses. > >Anyway, the intention has never been that relying parties will necessarilly >get the same level of information when using only base CRLs and when using >base CRLs plus deltas. > >The question which arises now is what are the implications if a full CRL is >issued at the same time a delta is issued and when we apply the modified >sentence: > > When a conforming CA issues a delta CRL, the CA MAY also issue a full CRL > that is complete for the given scope. > >In this case the relying pary is using the delta (*in the way I have >described it*), i.e. testing thisUpdate and nextUpdate from the delta CRL, >it will get a GUARANTEE to obtain either the freshest revocation >information or it will know that the freshest revocation information is not >available. > >In the case the relying pary is using not using the delta, he will have no >GUARANTEE that the information he got is the freshest. > >[David] The delta-CRL should have the same cRLNumber as would have been >assigned to a full CRL issued at the same time. > >[Denis] Once again, I disagree, since this would violate the definition of >CRL Number given in section 5.2.3. > >[David] A delta-CRL is nearly the same as a full CRL. It has a thisUpdate, >nextUpdate, cRLNumber, etc. just as a full CRL. It just has an incomplete >list of revoked certificates. > >[Denis] Yes, but you have to explain detail how a relying party will use >thisUpdate, nextUpdate for a base CRL and thisUpdate, nextUpdate for a delta >to make sure that in both cases he got the freshest information. > >Remember that RFC 2459 says: > > The behavior of clients processing CRLs which > omit nextUpdate is not specified by this profile. > >So, in order to be PKIX compliant, you cannot escape a sentence which tells >what use is made of that field. > > > > > A few hours later, at 6:30am, the relying party performs another > validation. The relying party has, in its local >cache, the contents of CRL number 8 (which it constructed at 3:10am). It >wants to update the information in its local case >to based on the newly available revocation information. So, it obtains the >latest delta-CRL. This delta-CRL has a CRL >number of 11 and a BaseCRLnumber of 5. Since it has a BaseCRLNumber of 5, >the delta-CRL provides status information for all >certificates whose status has changed since CRL number 5 was issued. >(midnight). So, clearly the delta-CRL provides status >information for all certificates whose status has changed since 3:00am when >CRL number 8 was issued. Thus, the relying >party can combine the delta-CRL with its locally cached version of full CRL >number 8 to obtain the contents of CRL number >11. This is a case where the CRL number of the complete CRL used is greater >than the BaseCRLNumber specified in the >delta-CRL. > > > >[Denis] This is a local matter and I would not mandate this in the > document > > >since there is another and simpler way to do it: you keep in the cache the > > >base CRL (instead of the previously recontructed full CRL). This has the > > >same end result, except that the method your recommend is not optimum: it > > >will include many duplicates and deleting the duplicates is more painfull > > >than making a simple addition. > >[David] I'm not sure what you are saying is a local matter. The contents of >the delta-CRL is not a local matter and must be mandated in the certificate >and CRL profile. If you prefer to always apply the delta-CRLs to the >referenced base CRL instead of to a locally generated, more recent CRL, that >is your choice. The document states that the delta-CRL may be combined with >the referenced base CRL or a more recently issued full CRL. > >[Denis] > >As said later, your paper provides the right answer (on page 1): " A >delta-CRL is a CRL that only provides information about certificates who >statuses have changed since the issuance of a specific, previously issued >CRL". The text says " *a* specific, previously issued CRL", it does NOT say >"or any, more recently, issued CRL". Now I understand that you may get the >same final result (in a less efficient way), if such a CRL has been issued >and if it could have been seen by the relying party. I would propose that we >describe in the text, the basic rule. I would have no problem to mention in >a note that the same result COULD also be obtained, IF a full CRL were >issued >after the base. > > > >The basic algorithm is to take the base CRL and to add the delta. This is > > >the standard. As soon as you get the same end result this is fine. This is > > >the approach we have taken for path validation. Other ways do not need > to be > > >mentionned. > > > > > > > There are other reasons why the two numbers may not match, but I > will not go into them. If you are interested, you >can read my paper. > > > > > >[Denis] I read it (and skipped the mathematical formulas) > > > > > >This paper is proposing a method for over-issuing the CRLs. It omits > to take > > >into consideration that in PKIX-1 we mandate the CRL number extension > > >(section 5.2.3) so we need to advertise the nextUpdate. If you issue a CRL > > >before the next update you have no more way to know which base CRL is the > > >freshest CRL. I believe this is a major security weakness and for that > > >reason this mechanism should be deprecated. > >[David] The paper does discuss over-issuing of CRLs, but there is plenty of >information about using delta-CRLs efficiently without over-issuing. Bear in >mind, however, that the nextUpdate field only specifies the time by which a >new CRL will be issued. Many people intend to issue a new CRL whenever a >revocation occurs (or a revocation for key compromise) without waiting until >the regularly scheduled time. > >[Denis] As said earlier, without any guarantee that the fullCRL issued >before nextUpdate will be seen until the validation time has passed >nextUpdate. > > > >BTW, the same security problem would occur as soon as a base would be used > > >for every delta. Hence another good reason to delete the sentence which > > >originally triggered all this discussion. > > > > I don't understand this at all. > > > > >BTW, I noticed that you have precisely deleted from my previous e-mail all > > >the text dealing with this nextUpdate. :-( > > > > > >So I am still insisting on the major text change to make to that section: > > > > > > An application can construct a CRL that is the most current for > > > a given scope, at the current time, by retrieving the current > > > base CRL for that scope, and combining it with a delta-CRL which > > > contains a Delta CRL Indicator equal to the cRLNumber of the base > > > CRL and where the current date from that delta-CRL is between > > > thisUpdate and nextUpdate; > > > > > >It is important to notice that the algorithm does NOT use the > individual CRL > > >numbers assigned to the delta-CRLs, but uses instead thisUpdate and > > >nextUpdate. This is *very* important. > >[David] I thought I did respond to this. First, one should expect that >delta-CRLs will always be at least as recent as base CRLs. So the first step >should be to obtain the current delta-CRL. Next, one obtains a base CRL that >can be used in combination with that delta-CRL. You may choose to only use >the full CRL whose cRLNumber is equal to the BaseCRLNumber specified in the >delta-CRL, however, any full CRL with a cRLNumber greater than or equal to >the BaseCRLNumber is acceptable. > >[Denis] Your algorithm is looking at the CRL Numbers only. My algorithm is >looking at thisUpdate and nextUpdate only. This is a major difference. In >particular you do not say how "to obtain the current delta-CRL". > >[David] Since the cRLNumber of the base can be greater than the specified >BaseCRLNumber, the document should say so. > >[Denis] This can be mentionned in a note (see earlier). > >[David] There is no need to state that the current time must be after the >thisUpdate time in the delta-CRL as this will always be true by >construction. > >[Denis] There is definitively a need to state this because the end result of >the two algorithms will not be identical as soon as someone will block some >of the information coming from the repository where the full/base CRLs are >stored or where the delta CRLs are stored. > >[David] Finally, since a CRL issuer may issue "emergency" delta-CRLs, there >is no guarantee that any delta-CRL whose nextUpdate time is later than the >current time is the most current delta-CRL. > >[Denis] If you issue such "emergency" delta-CRLs then once again there is no >guarantee that they will ever be seen. The "most recent delta-CRL" is any >delta CRL which satisfies the following condition : > >" A delta-CRL which contains a Delta CRL Indicator equal to the cRLNumber of >the base CRL and where the validation date (which may be the current time) >is between thisUpdate and nextUpdate from that delta-CRL;" > > > > > >Finally we should explain what happens at the boundaries, i.e. > when a CA > > > > >decides to generate a (new) base CRL. Here is a text proposal: > > > > > > > > > > When issuing a base CRL that supports a delta-CRL mechanism > then the > > > > > CRL Issuer MUST at the same time issue a delta CRL that points > to that > > > > > base CRL. This first delta CRL will usually be empty (or will > include > > > > > last-minute additions to the base CRL). > > > > > This is not acceptable. The rule is that when a base CRL is issued > a delta-CRL must be issued that has the same >cRLNumber. The base CRL referenced by the delta must either be the >previously issued base CRL or a base CRL issued before >that one. Since the new base and the delta must have the same cRLNumber, >there can be no differences as a result of >"last-minute additions to the base CRL". > > > >[Denis] This does not work. Let me explain it differently. Suppose that > > >during the week you do not generate delta-CRLs but for the week-end you > > >decide to do it (e.g. more risk, more transactions done by citizens). > So you > > >issue a CRL with the freshest CRLindicator. You say that the delta > points to > > >the previous base CRL. The one from yesterday or the one from last week ? > > >In either case this simply does not work. > >[David] Why? A delta-CRL must include a BaseCRLNumber that corresponds to a >CRL that was issued at some time in the past. > >[Denis] A delta-CRL must include a BaseCRLNumber that corresponds to a CRL >that was issued at some time in the past *or to the current time*. The above >example demonstrates that the rule does not work the first time you use it >since there is no such past base CRL or an ambiguity about which one is the >right one. Since it is not possible to answer the question I raised (i.e. >does the first delta points to one from yesterday or the one from last >week ?) this is one way to demonstrate that there is a problem. > > > >The rule you mention, i.e. "The rule is that when a base CRL is issued a > > >delta-CRL must be issued that has the same cRLNumber" is also wrong. The > > >notion of a base CRL that would have the same number as a delta does not > > >exist. > > > > > >Suppose we issue a base CRL every midnight. The question is whether we > > > > >should issue a delta and, if yes, does this delta refer to the > previous > > > > >base or to the new one ? > > > > > The delta must refer either to the previous base or a base issued > before the previous base. > > > >[Denis] Certainly not. Your paper however provides the right answer > > >(on page 1): " A delta-CRL is a CRL that only provides information about > > >certificates who statuses have changed since the issuance of a specific, > > >previously issued CRL". > >[David] Where is the difference? A CRL that is referenced in the >BaseCRLNumber of a delta-CRL is by definition a base CRL. > >[Denis] The difference lies in the fact that the sentence is using the >wording "*a* specific, previously issued CRL". If it is *a* (i.e. one) >specific CRL, it cannot be more than one. > > > > > >Suppose it refers to the previous one. According to the current > sentence: > > > > >"The constructed CRL has the CRL number specified in the CRL number > > > > >extension found in the delta CRL used in its construction.", it is > > > > >impossible. If that was the case the delta CRL would have a CRL > number equal > > > > >to the base CRL and it is not allowed for two CRLs to have the > same CRL > > > > >number. > > > > > > > I think you are confusing two different extensions. The > deltaCRLIndicator extension contains a BaseCRLNumber which is >used to determine against which base CRLs the delta-CRL can be applied. The >cRLNumber extension specifies the CRL number of >the full CRL that will be generated by applying the delta-CRL to a base CRL. >The sentence above states that the CRL number >of the constructed CRL is taken from the cRLNumber extension, not the >BaseCRLNumber of the deltaCRLIndicator extension. > > > > > >[Denis] I do not think I make a confusion. The confusion comes from the > > >numbering you introduce (see my earlier comment). > > > > > >Let me conclude: > > > > > >1) I do not have the time to spend hours of discussions on that topic. > > >However the current text needs to be corrected and I have provided text > > >for this. Please take again a look at it in the light of the following. > > > > > >2) In your paper you advertise the "traditional delta-CRLs". Let us > stay in > > >the tradition and let us mandate the implementation of the "tradition" if > > >someone wans to support the delta-CRL mechanism. > > > > > >Any other method would first need to be proven to be secure (over-issuing > > >CRLs and sliding window delta-CRLs have security problems) and should > > >*anyway* fall in the MAY category, so that noone needs to implement to > claim > > >conformance with the delta CRL mechanism. Standard track documents need to > > >make choices among multiple methods, otherwise two different > implementations > > >will never interoperate. > >[David] you say that you want to stick with "traditional" delta-CRLs, >however you are proposing changes to the text that would not result in >"traditional" delta-CRLs but would result in broken implementations. > >[Denis] You have provided no evidence of what you say just above. Tell me >precisely what is wrong in the text I propose that would not allow the >support of the "traditional" delta-CRLs. If something is wrong, we can fix >it. > >[David] We do not prevent people from implementing "traditional" delta-CRLs, >but we should not force them to either. > >[Denis] We disagree here. Standards are there to support at least one >(simple) method that all implementations have to support( if they support >delta). In addition, implementations may support additional methods and it >will be up to the final customer to decide which one to use. We MAY describe >these additional methods, but MUST clearly indicate the difference. > >[David] There are no security problems with sliding window delta-CRLs and >they do not add any complexity for those who choose not to >implement them. > >[Denis] There ARE security problems with sliding window delta-CRLs. I have >descibed at length what the problems are. However, this does not mean that >this technique cannot be supported as an OPTIO and IF we indicate in the >text what are their security problems. The current text places the two >techniques at the same level. The traditional way offers a guarantee while >the other does not. There is indedd added complexity for building the >software from the relying party. > >[David] I want to be sure that the delta-CRL text is correct just as you >do, > >[Denis] At least one point on which we both agree. :-) > >[David] ... but I still feel that many of your comments are based on a >misunderstanding and are not based on actual problems in the text. > >[Denis] I do hope that after this response you will think differently. > >Regards, > >Denis > > > Dave Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA26724 for <ietf-pkix@imc.org>; Wed, 2 May 2001 07:44:37 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id KAA08401; Wed, 2 May 2001 10:44:35 -0400 (EDT) Message-Id: <4.2.0.58.20010502100305.017554d0@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Wed, 02 May 2001 10:42:30 -0400 To: Denis Pinkas <Denis.Pinkas@bull.net> From: Tim Polk <tim.polk@nist.gov> Subject: Re: Basic constraints, key usage, and LDAP schema Cc: ietf-pkix@imc.org In-Reply-To: <3AF0081C.1227BAC1@bull.net> References: <4.2.0.58.20010501160140.0202cb50@email.nist.gov> <4.2.0.58.20010501170030.01fa3230@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Denis, These messages have been flying fast and furious under several topic lines. I don't believe I caught them all either! As they are all related, it is difficult to resolve the issues one-by-one. The separate solutions may combine to present new problems. That was the rationale for the single comprehensive posting. The real problems, in my opinion, are as follows: (1) Consider a PKIX client, searching for a certificate to validate a particular CRL. Under 2459, the client cannot guess whether the basic constraints extension will be present with the CA bit asserted. If the key used to validate the CRL is also used to validate certificates, it will have basic constraints and assert cA is TRUE. In this case, the certificate should be in the ca certificate attribute (or perhaps the cross certificate pairs). If the key is not used to validate certificates, basic constraints will be omitted and the certificate will be stored in the user certificate attribute. (2) If a PKIX client wishes to communicate with a CA for certificate management purposes (e.g., to request a new certificate, request revocation, or perhaps centralized key generation for key escrow scenarios) the client will need to validate the CA's signature and perhaps make use of the CA's key management key. If the keys used for these transactions are also used to sign PKCs, the certs will be in the CA certificate attribute. If the keys used for these purposes are not used to sign PKCs, there will be no indication that this entity is a CA and the certs will be stored in the user certificate attribute. As above, the PKIX client does not know where to look for these certificates. Where they are not used to sign PKCs, there will be no indication in the certificate that this entity is a CA at all. (3) The attribute certificate profile is very clear regarding AC issuers versus PKC issuers. Section 4.5 states "the AC issuer's PKC MUST NOT have a basicConstraints extension with the cA BOOLEAN set to TRUE." However, the combination of RFC 2459 and the attribute certificate profile does not permit an issuer to specify whether a subject can issue CRLs for PKCs, ACs, or both. This would provide us with an analogous solution: if the CA bit is not asserted, but the cRLSign bit is set in key usage, the subject is only permitted to issue CRLs for ACs. To be honest, (3) is the least compelling problem. The CA must explicitly name an indirect CRL issuer in PKCs it issues *anyway*, so the CA bit isn't a big security issue. Still, I think it is nice to supply clients with this information. Anyway, I hope this clarifies things a bit. My goal was to resolve all three problems simultaneously and consistently. Thanks, Tim Polk At 03:14 PM 5/2/01 +0200, Denis Pinkas wrote: >Tim, > >I stayed silent on that topic and it is quite hard to catch all the e-mails >related to it. I certainly missed or skipped missed some of them. > > > Terry, > > > > I think it would be best if the client did not need to check the > > userCertificate attribute to validate CRLs. This adds complexity without > > any real benefit (in my opinion.) I have included some proposed text for > > the first paragraph of section 4.2.1.10 (basic constraints) that would > > clarify the issue. > > > > ----------------proposed text for first paragraph of > 4.2.1.10---------------- > > > > The basic constraints extension identifies whether the subject of the > > certificate is a CA and the maximum depth of valid certification paths that > > include this certificate. A subject is considered a CA if it issues public > > key certificates or CRLs that describe the revocation status of public key > > certificates. > > > > ----------------------end proposed text > > What do you think? > >RFC 2459 only said: > > The basic constraints extension identifies whether the subject of the > certificate is a CA and how deep a certification path may exist > through that CA. > >However, according to the new text a "CRL Issuer" is now also a "CA": " A >subject is considered a CA if it issues public key certificates or CRLs that >describe the revocation status of public key certificates." > >The current text of new-part1-06 also goes in the same direction. > > The cA bit indicates if the certified public key may be used to > verify signatures on other certificates. If the cA bit is asserted, > then either the keyCertSign bit or the cRLSign bit in the key usage > extension (see 4.2.1.3) MUST also be asserted. If the cA bit is not > asserted, then both the keyCertSign bit and the cRLSign in the key > usage extension MUST NOT be asserted. > >This seems quite strange. A CRL issuer is just one way to make available >revocation status information. OCSP is another way. RFC 2560 says: > > OCSP signing delegation SHALL be designated by the > inclusion of id-kp-OCSPSigning in an extendedKeyUsage certificate > extension included in the OCSP response signer's certificate. This > certificate MUST be issued directly by the CA that issued the > certificate in question. > >If a "CRL issuer" is a "CA", why should an OCSP responder designated by a CA >not also be a "CA" ? > >As far as I remember, originally the cA boolean in the basic constraints >extension only allowed to make the difference between leaf certificates and >CA certificates. This boolean now seems to be be used with a different >meaning (and, maybe, we should change its meaning - not the syntax). > >Could someone say again, why that change was requested and what are the real >benefits of that change ? > >In other words, could someone say again what the problem was ? :-) > >Thanks, > >Denis > > > Thanks, > > > > Tim Polk > > > > At 01:41 PM 5/1/01 -0700, Terry Hayes wrote: > > >Tim, > > > > > >I agree with your proposed solution. As you have said, it separates the > > >semantics of the two extensions, and simplifies the rules for the LDAP > schema. > > > > > >There is one remaining point to address, and I believe it may be the main > > >point of discussion in the current thread. > > > > > >When a CA uses the CRLDP extension to designate another entity to be the > > >source for revocation information about some of its certificates, should > > >that entity have a "CA" certificate (with appropriate basicConstraints > > >extension)? I'm *not* suggesting that a basicConstraints extension is > > >necessary for the entity to be authorized to sign the CRL. Instead, the > > >problem is that clients that are trying to locate the certificate will not > > >know whether they should look in the cACertificate attribute or the > > >userCertificate attribute to find the appropriate certificate. > > > > > >To solve this, we can suggest that cACertificate be searched first, > > >followed by userCertificate, or we can require that designated entities > > >must always be a "CA", and the client can safely skip the userCertificate > > >attribute. This is a question of searching the directory only, and does > > >not suggest changing your assertion that any set of bits may be set in the > > >keyUsage extension of "CA" certificates. > > > > > >Terry > > > > > >Tim Polk wrote: > > > > > >>Folks, > > >> > > >>I have been reading the email messages on the list about the > > >>relationships between basic constraints, key usage, and the schema. > > >>After mulling over the problem. I would like to propose a solution - the > > >>only solution, as far as I can tell... > > >> > > >>The solution is to simplify and separate the semantics of the basic > > >>constraints and key usage extension. This has positive implications for > > >>the PKIX LDAP schema as well. > > >> > > >>Basic Constraints > > >> > > >>As stated in the current text for Basic Constraints (in 2459): "The > > >>basic constraints extension identifies whether the subject of the > > >>certificate is a CA and how deep a certification path may exist through > > >>that CA." > > >> > > >>I believe this is the right semantics, and that basic constraints should > > >>be included and cA should be asserted in *any* certificate issued to a > > >>CA, regardless of the type or role associated with the public key in the > > >>certificate. > > >> > > >>Key Usage > > >> > > >>The issuer should use the Key Usage extension to disambiguate the > > >>subject's key pairs: > > >>(a) The issuer indicates this public key may be used to verify the > > >>signature on a public key certificate by asserting keyCertSign. (b) The > > >>issuer indicates this public key may be used to verify the signature on > > >>CRLs by asserting cRLSign. (c) The issuer indicates that this public key > > >>may be used to establish symmetric keys with the subject by asserting > > >>either keyEncipherment or keyAgreement. (d) The issuer indicates that > > >>this public key may be used to verify signatures on objects other than > > >>public key certificates and CRLs by asserting nonRerpuidation or > > >>digitalSignature. > > >> > > >>Of course, if a key pair is used for multiple purposes, multiple key > > >>usages may be asserted. > > >> > > >>In each of these cases, the basic constraints extension also appears in > > >>the certificate and asserts that the subject is a CA. > > >> > > >>LDAP Schema > > >> > > >>All certificates issued to CAs would be considered CA certificates since > > >>the basic constraints extension is present and asserts that the subject > > >>is a CA. As a result, each of these could appear in the cACertificate > > >>attribute or crossCertificatePair attribute. They would *not* appear in > > >>the userCertificate attribute. (That would include all types (a) through > > >>(d) above). > > >> > > >>------------------ > > >> > > >>The implications of this strategy are as follows: (1) when a client is > > >>searching for a CA certificate, they will not have to check the > > >>userCertificate attribute; (2) the issuer can indicate that the subject > > >>is a CA regardless of the key usage; and (3) minimal changes to the text > > >>(my favorite!). > > >> > > >>What do you think? > > >> > > >>Thanks, > > >> > > >>Tim Polk > > >> > > >> > > > > > > Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id HAA26616 for <ietf-pkix@imc.org>; Wed, 2 May 2001 07:43:35 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id QAA41588; Wed, 2 May 2001 16:43:24 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id QAA09692; Wed, 2 May 2001 16:43:00 +0200 Message-ID: <3AF01CF6.78789733@bull.net> Date: Wed, 02 May 2001 16:43:02 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: "David A. Cooper" <david.cooper@nist.gov>, pkix <ietf-pkix@imc.org> Subject: Re: delta-CRLs Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit David, On monday 23 April, I sent you the following long e-mail, and since I got no reply to it I would guess that you agree with it. So it is now the right time to fix the text. What follows is a full replacement proposal for section 5.2.4. It simplifies the current text making it easier to read and, when delta CRLs are supported, only mandate the support of what you call "the traditional method". 5.2.4 Delta CRL Indicator The delta CRL indicator is a critical CRL extension that identifies a CRL as being a delta CRL. A delta-CRL is a CRL that only provides information about certificates who statuses have changed since the issuance of a specific, previously issued CRL. The use of delta CRLs can significantly reduce network load and processing time in some environments. Delta CRLs are generally much smaller than the CRLs they update, so applications that obtain delta CRLs consume less network bandwidth than applications that obtain the corresponding complete CRLs. The delta CRL indicator extension contains a single value of type BaseCRLNumber. This value identifies the CRL number of the base CRL that was used as the foundation in the generation of this delta CRL. The referenced base CRL is a CRL that was explicitly issued as a CRL that is complete for a given scope (e.g., a set of revocation reasons or a particular distribution point.) The CRL containing the delta CRL indicator extension contains all updates to the certificate revocation status for that same scope. When a delta CRL is issued, it MUST cover the same set of reasons and same set of certificates that were covered by the base CRL it references. When a conforming CA issues a delta CRL, the delta CRL MUST include a critical delta CRL indicator extension. An application can construct a CRL that is the most current for a given scope, for a specific date, by retrieving the appropriate base CRL for that scope, and combining it with a delta-CRL which contains a Delta CRL Indicator equal to the cRLNumber of the base CRL and where the date for which the construction is being made is between thisUpdate and nextUpdate as indicated the delta CRL. Conforming implementations of this specification are not required to implement the above algorithm, but MUST provide functionality equivalent to the external behavior resulting from this procedure. CAs must ensure that application of a delta CRL to the referenced base revocation information accurately reflects the current status of revocation. If a CA supports the certificateHold revocation reason the following rules must be applied when generating delta CRLs: (a) If a certificate was listed as revoked with revocation reason certificateHold on a CRL (either a delta CRL or a CRL that is complete for a given scope), and the hold is subsequently released, the certificate must be listed with revocation reason removeFromCRL until the next base CRL is issued. Note: Should the certificate be subsequently revoked again for one of the revocation reasons covered by the delta CRL, then the certificate must be listed with the revocation reason appropriate for the subsequent revocation. (b) If the certificate was not removed from hold, but was permanently revoked, then it must be listed as such on all subsequent delta CRLs until the next base CRL is issued . id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } BaseCRLNumber ::= CRLNumber Regards, Denis ========================================================================== This is a LONG e-mail and a last e-mail to you, before leaving for a trip that will keep me away from my e-mails during a week. So, don't think I am giving up if you do not receive a reply soon. > Denis, > > My comments are in line. > > At 06:50 PM 4/20/01 +0200, Denis Pinkas wrote: > >[Denis] This is the case I had in mind. However I would disagree to say that > >the locally contructed CRL is equal to the full CRL number 8, because there > >is no need to issue such CRL (see the first comment). It is simply the > >"freshest CRL constructed from the base CRL number 5 for 3:10 am". This > >locally contructed CRL bears no number, or if you assign one, this is a > >local matter and is not part of the standard. This also avoids the later > >confusing between CRL numbers. [David] This is simply not true. [Denis] The sentence above is technically correct: "It is simply the freshest CRL constructed from the base CRL number 5 for 3:10 am". [David] A delta-CRL can (will) contain the cRLNumber extension just as a full CRL will. [Denis] The cRLNumber extension is simply an identifier that allows you to uniquely identify it and to know whether it is earlier or later another CRL issued by the same CRL issuer. [David] If a full CRL and a delta-CRL are issued at the same time, the combination of the delta-CRL and an appropriate base CRL must be equivalent to the full CRL, and both the delta-CRL and the full CRL must have the same cRLNumber. [Denis] This is where we do not agree. The delta-CRL and the full CRL MUST NOT have the same cRLNumber because this would violate the definition of what is a CRLnumber. RFC 2459 says: 5.2.3 CRL Number The CRL number is a non-critical CRL extension which conveys a monotonically increasing sequence number for each CRL issued by a CA. This extension allows users to easily determine when a particular CRL supersedes another CRL. CAs conforming to this profile MUST include this extension in all CRLs. Maybe you are making some confusion with the deltaCRLindicator. The construction you mention is not acceptable and is no even part of the ISO X509 document. [David] If a delta-CRL is issued, and no corresponding full CRL issued, then the combination of the delta-CRL and an appropriate base CRL should be equivalent to the full CRL that would have been issued at that time, if a full CRL had been issued. [Denis] Here is the problem ! Let us take an example: A base CRL is issued at midnight. thisUpdate is set to midnight while nextUpdate is midnight for the next day. This means that there is no guarantee at all that any other base/full CRL will necessarily be seen within the next 24 hours. Certainly a base can be issued before, but once again there is no guarantee that it will ever be seen. If someone is now using the CRL as a proof to be presented later on that the certificate was not revoked, a relying party is perfectly right to use the base from midnight (if allowed by the validation policy) or the base plus a delta (if mandated by the validation policy). Now if you issue a full CRL (I did not say a base CRL) every hour at the same time you issue a delta, the problem becomes worse because at 11:30 p.m. you have now 23 full CRLs, and you cannot know which one is the right one to use (if someone purposely is blocking the transmission of the latest full CRLs), unless precisely you introduce he statement that is the cause of all this trouble: When a conforming CA issues a delta CRL, the CA MUST also issue a CRL that is complete for the given scope. Now understand better the problem: this is a stone fundation of the whole edifice. If we take it away, the whole edifice collapses. Anyway, the intention has never been that relying parties will necessarilly get the same level of information when using only base CRLs and when using base CRLs plus deltas. The question which arises now is what are the implications if a full CRL is issued at the same time a delta is issued and when we apply the modified sentence: When a conforming CA issues a delta CRL, the CA MAY also issue a full CRL that is complete for the given scope. In this case the relying pary is using the delta (*in the way I have described it*), i.e. testing thisUpdate and nextUpdate from the delta CRL, it will get a GUARANTEE to obtain either the freshest revocation information or it will know that the freshest revocation information is not available. In the case the relying pary is using not using the delta, he will have no GUARANTEE that the information he got is the freshest. [David] The delta-CRL should have the same cRLNumber as would have been assigned to a full CRL issued at the same time. [Denis] Once again, I disagree, since this would violate the definition of CRL Number given in section 5.2.3. [David] A delta-CRL is nearly the same as a full CRL. It has a thisUpdate, nextUpdate, cRLNumber, etc. just as a full CRL. It just has an incomplete list of revoked certificates. [Denis] Yes, but you have to explain detail how a relying party will use thisUpdate, nextUpdate for a base CRL and thisUpdate, nextUpdate for a delta to make sure that in both cases he got the freshest information. Remember that RFC 2459 says: The behavior of clients processing CRLs which omit nextUpdate is not specified by this profile. So, in order to be PKIX compliant, you cannot escape a sentence which tells what use is made of that field. > > > A few hours later, at 6:30am, the relying party performs another validation. The relying party has, in its local cache, the contents of CRL number 8 (which it constructed at 3:10am). It wants to update the information in its local case to based on the newly available revocation information. So, it obtains the latest delta-CRL. This delta-CRL has a CRL number of 11 and a BaseCRLnumber of 5. Since it has a BaseCRLNumber of 5, the delta-CRL provides status information for all certificates whose status has changed since CRL number 5 was issued. (midnight). So, clearly the delta-CRL provides status information for all certificates whose status has changed since 3:00am when CRL number 8 was issued. Thus, the relying party can combine the delta-CRL with its locally cached version of full CRL number 8 to obtain the contents of CRL number 11. This is a case where the CRL number of the complete CRL used is greater than the BaseCRLNumber specified in the delta-CRL. > >[Denis] This is a local matter and I would not mandate this in the document > >since there is another and simpler way to do it: you keep in the cache the > >base CRL (instead of the previously recontructed full CRL). This has the > >same end result, except that the method your recommend is not optimum: it > >will include many duplicates and deleting the duplicates is more painfull > >than making a simple addition. [David] I'm not sure what you are saying is a local matter. The contents of the delta-CRL is not a local matter and must be mandated in the certificate and CRL profile. If you prefer to always apply the delta-CRLs to the referenced base CRL instead of to a locally generated, more recent CRL, that is your choice. The document states that the delta-CRL may be combined with the referenced base CRL or a more recently issued full CRL. [Denis] As said later, your paper provides the right answer (on page 1): " A delta-CRL is a CRL that only provides information about certificates who statuses have changed since the issuance of a specific, previously issued CRL". The text says " *a* specific, previously issued CRL", it does NOT say "or any, more recently, issued CRL". Now I understand that you may get the same final result (in a less efficient way), if such a CRL has been issued and if it could have been seen by the relying party. I would propose that we describe in the text, the basic rule. I would have no problem to mention in a note that the same result COULD also be obtained, IF a full CRL were issued after the base. > >The basic algorithm is to take the base CRL and to add the delta. This is > >the standard. As soon as you get the same end result this is fine. This is > >the approach we have taken for path validation. Other ways do not need to be > >mentionned. > > > > > There are other reasons why the two numbers may not match, but I will not go into them. If you are interested, you can read my paper. > > > >[Denis] I read it (and skipped the mathematical formulas) > > > >This paper is proposing a method for over-issuing the CRLs. It omits to take > >into consideration that in PKIX-1 we mandate the CRL number extension > >(section 5.2.3) so we need to advertise the nextUpdate. If you issue a CRL > >before the next update you have no more way to know which base CRL is the > >freshest CRL. I believe this is a major security weakness and for that > >reason this mechanism should be deprecated. [David] The paper does discuss over-issuing of CRLs, but there is plenty of information about using delta-CRLs efficiently without over-issuing. Bear in mind, however, that the nextUpdate field only specifies the time by which a new CRL will be issued. Many people intend to issue a new CRL whenever a revocation occurs (or a revocation for key compromise) without waiting until the regularly scheduled time. [Denis] As said earlier, without any guarantee that the fullCRL issued before nextUpdate will be seen until the validation time has passed nextUpdate. > >BTW, the same security problem would occur as soon as a base would be used > >for every delta. Hence another good reason to delete the sentence which > >originally triggered all this discussion. > > I don't understand this at all. > > >BTW, I noticed that you have precisely deleted from my previous e-mail all > >the text dealing with this nextUpdate. :-( > > > >So I am still insisting on the major text change to make to that section: > > > > An application can construct a CRL that is the most current for > > a given scope, at the current time, by retrieving the current > > base CRL for that scope, and combining it with a delta-CRL which > > contains a Delta CRL Indicator equal to the cRLNumber of the base > > CRL and where the current date from that delta-CRL is between > > thisUpdate and nextUpdate; > > > >It is important to notice that the algorithm does NOT use the individual CRL > >numbers assigned to the delta-CRLs, but uses instead thisUpdate and > >nextUpdate. This is *very* important. [David] I thought I did respond to this. First, one should expect that delta-CRLs will always be at least as recent as base CRLs. So the first step should be to obtain the current delta-CRL. Next, one obtains a base CRL that can be used in combination with that delta-CRL. You may choose to only use the full CRL whose cRLNumber is equal to the BaseCRLNumber specified in the delta-CRL, however, any full CRL with a cRLNumber greater than or equal to the BaseCRLNumber is acceptable. [Denis] Your algorithm is looking at the CRL Numbers only. My algorithm is looking at thisUpdate and nextUpdate only. This is a major difference. In particular you do not say how "to obtain the current delta-CRL". [David] Since the cRLNumber of the base can be greater than the specified BaseCRLNumber, the document should say so. [Denis] This can be mentionned in a note (see earlier). [David] There is no need to state that the current time must be after the thisUpdate time in the delta-CRL as this will always be true by construction. [Denis] There is definitively a need to state this because the end result of the two algorithms will not be identical as soon as someone will block some of the information coming from the repository where the full/base CRLs are stored or where the delta CRLs are stored. [David] Finally, since a CRL issuer may issue "emergency" delta-CRLs, there is no guarantee that any delta-CRL whose nextUpdate time is later than the current time is the most current delta-CRL. [Denis] If you issue such "emergency" delta-CRLs then once again there is no guarantee that they will ever be seen. The "most recent delta-CRL" is any delta CRL which satisfies the following condition : " A delta-CRL which contains a Delta CRL Indicator equal to the cRLNumber of the base CRL and where the validation date (which may be the current time) is between thisUpdate and nextUpdate from that delta-CRL;" > > > >Finally we should explain what happens at the boundaries, i.e. when a CA > > > >decides to generate a (new) base CRL. Here is a text proposal: > > > > > > > > When issuing a base CRL that supports a delta-CRL mechanism then the > > > > CRL Issuer MUST at the same time issue a delta CRL that points to that > > > > base CRL. This first delta CRL will usually be empty (or will include > > > > last-minute additions to the base CRL). > > > This is not acceptable. The rule is that when a base CRL is issued a delta-CRL must be issued that has the same cRLNumber. The base CRL referenced by the delta must either be the previously issued base CRL or a base CRL issued before that one. Since the new base and the delta must have the same cRLNumber, there can be no differences as a result of "last-minute additions to the base CRL". > >[Denis] This does not work. Let me explain it differently. Suppose that > >during the week you do not generate delta-CRLs but for the week-end you > >decide to do it (e.g. more risk, more transactions done by citizens). So you > >issue a CRL with the freshest CRLindicator. You say that the delta points to > >the previous base CRL. The one from yesterday or the one from last week ? > >In either case this simply does not work. [David] Why? A delta-CRL must include a BaseCRLNumber that corresponds to a CRL that was issued at some time in the past. [Denis] A delta-CRL must include a BaseCRLNumber that corresponds to a CRL that was issued at some time in the past *or to the current time*. The above example demonstrates that the rule does not work the first time you use it since there is no such past base CRL or an ambiguity about which one is the right one. Since it is not possible to answer the question I raised (i.e. does the first delta points to one from yesterday or the one from last week ?) this is one way to demonstrate that there is a problem. > >The rule you mention, i.e. "The rule is that when a base CRL is issued a > >delta-CRL must be issued that has the same cRLNumber" is also wrong. The > >notion of a base CRL that would have the same number as a delta does not > >exist. > > > >Suppose we issue a base CRL every midnight. The question is whether we > > > >should issue a delta and, if yes, does this delta refer to the previous > > > >base or to the new one ? > > > The delta must refer either to the previous base or a base issued before the previous base. > >[Denis] Certainly not. Your paper however provides the right answer > >(on page 1): " A delta-CRL is a CRL that only provides information about > >certificates who statuses have changed since the issuance of a specific, > >previously issued CRL". [David] Where is the difference? A CRL that is referenced in the BaseCRLNumber of a delta-CRL is by definition a base CRL. [Denis] The difference lies in the fact that the sentence is using the wording "*a* specific, previously issued CRL". If it is *a* (i.e. one) specific CRL, it cannot be more than one. > > > >Suppose it refers to the previous one. According to the current sentence: > > > >"The constructed CRL has the CRL number specified in the CRL number > > > >extension found in the delta CRL used in its construction.", it is > > > >impossible. If that was the case the delta CRL would have a CRL number equal > > > >to the base CRL and it is not allowed for two CRLs to have the same CRL > > > >number. > > > > > I think you are confusing two different extensions. The deltaCRLIndicator extension contains a BaseCRLNumber which is used to determine against which base CRLs the delta-CRL can be applied. The cRLNumber extension specifies the CRL number of the full CRL that will be generated by applying the delta-CRL to a base CRL. The sentence above states that the CRL number of the constructed CRL is taken from the cRLNumber extension, not the BaseCRLNumber of the deltaCRLIndicator extension. > > > >[Denis] I do not think I make a confusion. The confusion comes from the > >numbering you introduce (see my earlier comment). > > > >Let me conclude: > > > >1) I do not have the time to spend hours of discussions on that topic. > >However the current text needs to be corrected and I have provided text > >for this. Please take again a look at it in the light of the following. > > > >2) In your paper you advertise the "traditional delta-CRLs". Let us stay in > >the tradition and let us mandate the implementation of the "tradition" if > >someone wans to support the delta-CRL mechanism. > > > >Any other method would first need to be proven to be secure (over-issuing > >CRLs and sliding window delta-CRLs have security problems) and should > >*anyway* fall in the MAY category, so that noone needs to implement to claim > >conformance with the delta CRL mechanism. Standard track documents need to > >make choices among multiple methods, otherwise two different implementations > >will never interoperate. [David] you say that you want to stick with "traditional" delta-CRLs, however you are proposing changes to the text that would not result in "traditional" delta-CRLs but would result in broken implementations. [Denis] You have provided no evidence of what you say just above. Tell me precisely what is wrong in the text I propose that would not allow the support of the "traditional" delta-CRLs. If something is wrong, we can fix it. [David] We do not prevent people from implementing "traditional" delta-CRLs, but we should not force them to either. [Denis] We disagree here. Standards are there to support at least one (simple) method that all implementations have to support( if they support delta). In addition, implementations may support additional methods and it will be up to the final customer to decide which one to use. We MAY describe these additional methods, but MUST clearly indicate the difference. [David] There are no security problems with sliding window delta-CRLs and they do not add any complexity for those who choose not to implement them. [Denis] There ARE security problems with sliding window delta-CRLs. I have descibed at length what the problems are. However, this does not mean that this technique cannot be supported as an OPTIO and IF we indicate in the text what are their security problems. The current text places the two techniques at the same level. The traditional way offers a guarantee while the other does not. There is indedd added complexity for building the software from the relying party. [David] I want to be sure that the delta-CRL text is correct just as you do, [Denis] At least one point on which we both agree. :-) [David] ... but I still feel that many of your comments are based on a misunderstanding and are not based on actual problems in the text. [Denis] I do hope that after this response you will think differently. Regards, Denis > Dave Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id GAA20037 for <ietf-pkix@imc.org>; Wed, 2 May 2001 06:14:06 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id PAA31132; Wed, 2 May 2001 15:13:56 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id PAA18634; Wed, 2 May 2001 15:13:33 +0200 Message-ID: <3AF0081C.1227BAC1@bull.net> Date: Wed, 02 May 2001 15:14:04 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: Tim Polk <tim.polk@nist.gov> CC: ietf-pkix@imc.org Subject: Re: Basic constraints, key usage, and LDAP schema References: <4.2.0.58.20010501160140.0202cb50@email.nist.gov> <4.2.0.58.20010501170030.01fa3230@email.nist.gov> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Tim, I stayed silent on that topic and it is quite hard to catch all the e-mails related to it. I certainly missed or skipped missed some of them. > Terry, > > I think it would be best if the client did not need to check the > userCertificate attribute to validate CRLs. This adds complexity without > any real benefit (in my opinion.) I have included some proposed text for > the first paragraph of section 4.2.1.10 (basic constraints) that would > clarify the issue. > > ----------------proposed text for first paragraph of 4.2.1.10---------------- > > The basic constraints extension identifies whether the subject of the > certificate is a CA and the maximum depth of valid certification paths that > include this certificate. A subject is considered a CA if it issues public > key certificates or CRLs that describe the revocation status of public key > certificates. > > ----------------------end proposed text > What do you think? RFC 2459 only said: The basic constraints extension identifies whether the subject of the certificate is a CA and how deep a certification path may exist through that CA. However, according to the new text a "CRL Issuer" is now also a "CA": " A subject is considered a CA if it issues public key certificates or CRLs that describe the revocation status of public key certificates." The current text of new-part1-06 also goes in the same direction. The cA bit indicates if the certified public key may be used to verify signatures on other certificates. If the cA bit is asserted, then either the keyCertSign bit or the cRLSign bit in the key usage extension (see 4.2.1.3) MUST also be asserted. If the cA bit is not asserted, then both the keyCertSign bit and the cRLSign in the key usage extension MUST NOT be asserted. This seems quite strange. A CRL issuer is just one way to make available revocation status information. OCSP is another way. RFC 2560 says: OCSP signing delegation SHALL be designated by the inclusion of id-kp-OCSPSigning in an extendedKeyUsage certificate extension included in the OCSP response signer's certificate. This certificate MUST be issued directly by the CA that issued the certificate in question. If a "CRL issuer" is a "CA", why should an OCSP responder designated by a CA not also be a "CA" ? As far as I remember, originally the cA boolean in the basic constraints extension only allowed to make the difference between leaf certificates and CA certificates. This boolean now seems to be be used with a different meaning (and, maybe, we should change its meaning - not the syntax). Could someone say again, why that change was requested and what are the real benefits of that change ? In other words, could someone say again what the problem was ? :-) Thanks, Denis > Thanks, > > Tim Polk > > At 01:41 PM 5/1/01 -0700, Terry Hayes wrote: > >Tim, > > > >I agree with your proposed solution. As you have said, it separates the > >semantics of the two extensions, and simplifies the rules for the LDAP schema. > > > >There is one remaining point to address, and I believe it may be the main > >point of discussion in the current thread. > > > >When a CA uses the CRLDP extension to designate another entity to be the > >source for revocation information about some of its certificates, should > >that entity have a "CA" certificate (with appropriate basicConstraints > >extension)? I'm *not* suggesting that a basicConstraints extension is > >necessary for the entity to be authorized to sign the CRL. Instead, the > >problem is that clients that are trying to locate the certificate will not > >know whether they should look in the cACertificate attribute or the > >userCertificate attribute to find the appropriate certificate. > > > >To solve this, we can suggest that cACertificate be searched first, > >followed by userCertificate, or we can require that designated entities > >must always be a "CA", and the client can safely skip the userCertificate > >attribute. This is a question of searching the directory only, and does > >not suggest changing your assertion that any set of bits may be set in the > >keyUsage extension of "CA" certificates. > > > >Terry > > > >Tim Polk wrote: > > > >>Folks, > >> > >>I have been reading the email messages on the list about the > >>relationships between basic constraints, key usage, and the schema. > >>After mulling over the problem. I would like to propose a solution - the > >>only solution, as far as I can tell... > >> > >>The solution is to simplify and separate the semantics of the basic > >>constraints and key usage extension. This has positive implications for > >>the PKIX LDAP schema as well. > >> > >>Basic Constraints > >> > >>As stated in the current text for Basic Constraints (in 2459): "The > >>basic constraints extension identifies whether the subject of the > >>certificate is a CA and how deep a certification path may exist through > >>that CA." > >> > >>I believe this is the right semantics, and that basic constraints should > >>be included and cA should be asserted in *any* certificate issued to a > >>CA, regardless of the type or role associated with the public key in the > >>certificate. > >> > >>Key Usage > >> > >>The issuer should use the Key Usage extension to disambiguate the > >>subject's key pairs: > >>(a) The issuer indicates this public key may be used to verify the > >>signature on a public key certificate by asserting keyCertSign. (b) The > >>issuer indicates this public key may be used to verify the signature on > >>CRLs by asserting cRLSign. (c) The issuer indicates that this public key > >>may be used to establish symmetric keys with the subject by asserting > >>either keyEncipherment or keyAgreement. (d) The issuer indicates that > >>this public key may be used to verify signatures on objects other than > >>public key certificates and CRLs by asserting nonRerpuidation or > >>digitalSignature. > >> > >>Of course, if a key pair is used for multiple purposes, multiple key > >>usages may be asserted. > >> > >>In each of these cases, the basic constraints extension also appears in > >>the certificate and asserts that the subject is a CA. > >> > >>LDAP Schema > >> > >>All certificates issued to CAs would be considered CA certificates since > >>the basic constraints extension is present and asserts that the subject > >>is a CA. As a result, each of these could appear in the cACertificate > >>attribute or crossCertificatePair attribute. They would *not* appear in > >>the userCertificate attribute. (That would include all types (a) through > >>(d) above). > >> > >>------------------ > >> > >>The implications of this strategy are as follows: (1) when a client is > >>searching for a CA certificate, they will not have to check the > >>userCertificate attribute; (2) the issuer can indicate that the subject > >>is a CA regardless of the key usage; and (3) minimal changes to the text > >>(my favorite!). > >> > >>What do you think? > >> > >>Thanks, > >> > >>Tim Polk > >> > >> > > > > Received: from firewall ([211.205.65.125]) by above.proper.com (8.9.3/8.9.3) with SMTP id EAA12406 for <ietf-pkix@imc.org>; Wed, 2 May 2001 04:23:42 -0700 (PDT) From: customercare217@fine-view.com Message-ID: <00002b9e68dc$00004044$00005579@fine-view.com> To: <Bizzops@salesgroupint.net> Subject: write back when you can 21881 Date: Wed, 02 May 2001 04:25:39 -0700 MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Priority: 3 X-MSMail-Priority: Normal <HTML><HEAD><TITLE>Take Control Of Your Conference Calls</TITLE> <META http-equiv=3DContent-Type content=3D"text/html; charset=3Dwindows-12= 52"> <META content=3D"MSHTML 5.50.4134.600" name=3DGENERATOR></HEAD> <BODY vLink=3D#c0c0c0 link=3D#c0c0c0 bgColor=3D#ffffff leftMargin=3D0><FON= T face=3Darial,helvetica> <P> <CENTER> <TABLE width=3D600 border=3D0> <TBODY> <TR> <TD align=3Dmiddle><B><FONT color=3D#000066 size=3D6>Long Distance Conferencing<BR>Only <U>18 Cents</U> Per Minute</B></FONT></TD></TR></TBODY></TABLE> <P><FONT color=3D#ff0000 size=3D5><B>Connects Up To 100 Participants!</B><= /FONT> <P> <TABLE width=3D350 border=3D0> <TBODY> <TR> <TD><FONT size=3D3><B> <LI>No setup fees <LI>No contracts or monthly fees <LI>Call anytime, from anywhere, to anywhere <LI>International Dial In 18 cents per minute <LI>Simplicity in set up and administration <LI>Operator Help available 24/7 </B></FONT></LI></TD></TR></TBODY><= /TABLE> <P> <TABLE width=3D500 border=3D0> <TBODY> <TR> <TD align=3Dmiddle><FONT color=3D#ff0000 size=3D60><B><FONT size=3D5>G= et the best quality, the easiest to use, and lowest rate in the industry.</B></FONT></FONT></TD></TR></TBODY></TABLE> <P> <TABLE width=3D400 border=3D0> <TBODY> <TR> <TD align=3Dmiddle><FONT color=3D#000066 size=3D4>If you like saving m= oney, fill out the form below and one of our consultants will contact you.</FONT></TD></TR></TBODY></TABLE> <P><FONT color=3D#000066 size=3D2>Required Input Field<FONT color=3D#ff000= 0 size=3D2>*</FONT></FONT> <P> <TABLE cellSpacing=3D0 borderColorDark=3D#333300 cellPadding=3D3 width=3D6= 00 borderColorLight=3D#ffffcc> <TBODY> <TR> <TD align=3Dmiddle> <FORM action=3Dmailto:inboxx8@excite.com?subject=3DConference_Inquir= y method=3Dpost encType=3Dtext/plain> <TABLE width=3D"100%"> <TBODY> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2>Name*</FONT></TD> <TD><INPUT name=3DNAME></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Web Address*</FONT></TD> <TD><INPUT value=3Dhttp:// name=3DURL></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Company Name*</FONT></TD> <TD><INPUT name=3DCOMPANY_NAME></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Web Address*</FONT></TD> <TD><INPUT size=3D2 name=3DSTATE></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Business Phone*</FONT></TD> <TD><INPUT name=3DBUS_PHONE></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Home Phone</FONT></TD> <TD><INPUT name=3DHOME_PHONE></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Email Address*</FONT></TD> <TD><INPUT name=3DEMAIL></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Type of Business</FONT></TD> <TD><INPUT name=3DTYPE_OF_BUSINESS></TD></TR></TBODY></TABLE> <P><INPUT type=3Dsubmit value=3D"Submit Information" name=3Dsubmit> </FORM></P></TD></TR></TBODY></TABLE> <P> <TABLE width=3D500> <TBODY> <TR> <TD align=3Dmiddle><FONT face=3D"Arial, Helvetica, sans-serif" color=3D= #000000 size=3D1>This email is to those persons that have contacted Conferen= ce Calls for Less regarding available services or product information. If thi= s email is reaching you in error and you feel that you have not contac= ted us, <FONT color=3D#666666><A href=3D"mailto:rem0ve424@excite.com?subject=3DRemove_Conferencing">C= lick here</A></FONT>. We will gladly remove you from our mailing list.</FONT><BR></TD></TR></TBODY></TABLE></P></CENTER></FONT></BODY= ></HTML> Received: from firewall ([211.205.65.125]) by above.proper.com (8.9.3/8.9.3) with SMTP id EAA12154 for <ietf-pkix@imc.org>; Wed, 2 May 2001 04:22:30 -0700 (PDT) From: customercare217@fine-view.com Message-ID: <00002b9e68dc$00004044$00005579@fine-view.com> To: <Bizzops@salesgroupint.net> Subject: write back when you can 21881 Date: Wed, 02 May 2001 04:24:27 -0700 MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Priority: 3 X-MSMail-Priority: Normal <HTML><HEAD><TITLE>Take Control Of Your Conference Calls</TITLE> <META http-equiv=3DContent-Type content=3D"text/html; charset=3Dwindows-12= 52"> <META content=3D"MSHTML 5.50.4134.600" name=3DGENERATOR></HEAD> <BODY vLink=3D#c0c0c0 link=3D#c0c0c0 bgColor=3D#ffffff leftMargin=3D0><FON= T face=3Darial,helvetica> <P> <CENTER> <TABLE width=3D600 border=3D0> <TBODY> <TR> <TD align=3Dmiddle><B><FONT color=3D#000066 size=3D6>Long Distance Conferencing<BR>Only <U>18 Cents</U> Per Minute</B></FONT></TD></TR></TBODY></TABLE> <P><FONT color=3D#ff0000 size=3D5><B>Connects Up To 100 Participants!</B><= /FONT> <P> <TABLE width=3D350 border=3D0> <TBODY> <TR> <TD><FONT size=3D3><B> <LI>No setup fees <LI>No contracts or monthly fees <LI>Call anytime, from anywhere, to anywhere <LI>International Dial In 18 cents per minute <LI>Simplicity in set up and administration <LI>Operator Help available 24/7 </B></FONT></LI></TD></TR></TBODY><= /TABLE> <P> <TABLE width=3D500 border=3D0> <TBODY> <TR> <TD align=3Dmiddle><FONT color=3D#ff0000 size=3D60><B><FONT size=3D5>G= et the best quality, the easiest to use, and lowest rate in the industry.</B></FONT></FONT></TD></TR></TBODY></TABLE> <P> <TABLE width=3D400 border=3D0> <TBODY> <TR> <TD align=3Dmiddle><FONT color=3D#000066 size=3D4>If you like saving m= oney, fill out the form below and one of our consultants will contact you.</FONT></TD></TR></TBODY></TABLE> <P><FONT color=3D#000066 size=3D2>Required Input Field<FONT color=3D#ff000= 0 size=3D2>*</FONT></FONT> <P> <TABLE cellSpacing=3D0 borderColorDark=3D#333300 cellPadding=3D3 width=3D6= 00 borderColorLight=3D#ffffcc> <TBODY> <TR> <TD align=3Dmiddle> <FORM action=3Dmailto:inboxx8@excite.com?subject=3DConference_Inquir= y method=3Dpost encType=3Dtext/plain> <TABLE width=3D"100%"> <TBODY> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2>Name*</FONT></TD> <TD><INPUT name=3DNAME></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Web Address*</FONT></TD> <TD><INPUT value=3Dhttp:// name=3DURL></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Company Name*</FONT></TD> <TD><INPUT name=3DCOMPANY_NAME></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Web Address*</FONT></TD> <TD><INPUT size=3D2 name=3DSTATE></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Business Phone*</FONT></TD> <TD><INPUT name=3DBUS_PHONE></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Home Phone</FONT></TD> <TD><INPUT name=3DHOME_PHONE></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Email Address*</FONT></TD> <TD><INPUT name=3DEMAIL></TD></TR> <TR> <TD align=3Dright width=3D"50%"><FONT face=3D"Arial, Helvetica, sans-serif" color=3D#ff0000 size=3D2= >Type of Business</FONT></TD> <TD><INPUT name=3DTYPE_OF_BUSINESS></TD></TR></TBODY></TABLE> <P><INPUT type=3Dsubmit value=3D"Submit Information" name=3Dsubmit> </FORM></P></TD></TR></TBODY></TABLE> <P> <TABLE width=3D500> <TBODY> <TR> <TD align=3Dmiddle><FONT face=3D"Arial, Helvetica, sans-serif" color=3D= #000000 size=3D1>This email is to those persons that have contacted Conferen= ce Calls for Less regarding available services or product information. If thi= s email is reaching you in error and you feel that you have not contac= ted us, <FONT color=3D#666666><A href=3D"mailto:rem0ve424@excite.com?subject=3DRemove_Conferencing">C= lick here</A></FONT>. We will gladly remove you from our mailing list.</FONT><BR></TD></TR></TBODY></TABLE></P></CENTER></FONT></BODY= ></HTML> Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA09368 for <ietf-pkix@imc.org>; Wed, 2 May 2001 03:39:41 -0700 (PDT) Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id MAA57898; Wed, 2 May 2001 12:39:31 +0200 Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id MAA16538; Wed, 2 May 2001 12:39:07 +0200 Message-ID: <3AEFE3EA.93E672A4@bull.net> Date: Wed, 02 May 2001 12:39:38 +0200 From: Denis Pinkas <Denis.Pinkas@bull.net> Organization: Bull X-Mailer: Mozilla 4.7 [fr] (Win98; I) X-Accept-Language: fr MIME-Version: 1.0 To: "Housley, Russ" <rhousley@rsasecurity.com> CC: ietf-pkix@imc.org Subject: Re: keyCertSign and cRLSign Key Usage Bits References: <5.0.1.4.2.20010424150514.01b30eb8@exna07.securitydynamics.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Russ, In a reply to Santosh (April 24), you said: > The IDP syntax is: > > issuingDistributionPoint ::= SEQUENCE { > distributionPoint [0] DistributionPointName OPTIONAL, > onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, > onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, > onlySomeReasons [3] ReasonFlags OPTIONAL, > indirectCRL [4] BOOLEAN DEFAULT FALSE } > > I was simply suggesting that this extension be present if the CRL is signed > with a key other than the one used to sign the certificate. The current text says (in section 5.2.5): " 5.2.5 Issuing Distribution Point The issuing distribution point is a critical CRL extension that identifies the CRL distribution point for a particular CRL, and it indicates whether the CRL covers revocation for end entity certificates only, CA certificates only, or a limited set of reason codes. Although the extension is critical, conforming implementations are not required to support this extension. The CRL is signed using the CA's private key." I would guess that the last sentence would thus need to be changed. So would you have a text proposal to fix it ? Regards, Denis > I would expect > the distributionPoint field to be present (probably with a URL > (ldap://...)). The boolean flags would be set based on the contents of the > CRL (probably all FALSE). The reason codes would also be set based on the > contents of the CRL (probably absent). > Russ Received: from david.siemens.it (david.siemens.it [192.109.0.136]) by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA09292 for <ietf-pkix@imc.org>; Wed, 2 May 2001 03:39:31 -0700 (PDT) X-Envelope-Sender-Is: fabio.mazzocchi@sni.it (at relayer david.siemens.it) Received: from milano-b-qfe1.netz.sbs.de (milano-b.netz.sbs.de [192.109.0.135]) by david.siemens.it (8.11.0/8.11.0) with SMTP id f42AdUt15682 for <ietf-pkix@imc.org>; Wed, 2 May 2001 12:39:30 +0200 (MET DST) Received: from mail.siemens.it ([194.138.237.200]) by milano-b-qfe1.netz.sbs.de via smtpd (for david.siemens.it [192.109.0.136]) with SMTP; 2 May 2001 10:39:30 UT Received: from mir ([141.29.240.232]) by mail.siemens.it (8.11.0/8.11.0) with SMTP id f42AdUm13299 for <ietf-pkix@imc.org>; Wed, 2 May 2001 12:39:30 +0200 (MET DST) Message-ID: <006101c0d2f4$86527d20$e8f01d8d@quinto.elemento.it> Reply-To: "Fabio Mazzocchi" <fabio.mazzocchi@sni.it> From: "Fabio Mazzocchi" <fabio.mazzocchi@sni.it> To: <ietf-pkix@imc.org> Subject: About Key Usages... Date: Wed, 2 May 2001 12:37:13 +0200 Organization: Siemens Informatica MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_005E_01C0D304.9CED6F30" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 This is a multi-part message in MIME format. ------=_NextPart_000_005E_01C0D304.9CED6F30 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi all, I have a little question for you. I need to know if there is at least = one combination of KeyUsage, Extended Key Usage, and Netscape CertType = which let me use two certificate with Microsoft products as well as = Netscape ones. I need a certificate to use with mail clients (Outlook = and Messenger) and a certificate to work with browsers for SSL = connections. My idea was to generate the mail certificate with : KU -> Digital Signature, Key Enciphrment EKU -> EMail (1.3.6.1.5.5.7.3.4) NetscapeExtension -> S/Mime in the SSL certificate the extensions are : KU -> Digital Signature EKU -> EMail (1.3.6.1.5.5.7.3.2) NetscapeExtension -> SSL Client Authentication (none of the above extensions is critical) With IE and Outlook, the certificates work fine, because Microsoft = products mind just the EKU. With Netscape (4.76) and Messenger, I can = just use SSL certificate. How can I force the use of the mail certificate? Why Netscape doesn't = mind the S/Mime extension? Till now, the only solution I have found, is to force the usage of my = mail certificate setting the KU extension as critical, but I don't think = it is the best one. Have someone a best solution? Thanks in advance. Fabio. ------=_NextPart_000_005E_01C0D304.9CED6F30 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=3DContent-Type content=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 5.50.4522.1800" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D2> <DIV><FONT face=3DArial size=3D2>Hi all,</FONT></DIV> <DIV><FONT face=3DArial size=3D2>I have a little question for you. I = need to know if=20 there is at least one combination of KeyUsage, Extended Key Usage, and = Netscape=20 CertType which let me use two certificate with Microsoft products as = well as=20 Netscape ones. I need a certificate to use with mail clients = (Outlook and=20 Messenger) and a certificate to work with browsers for SSL=20 connections.</FONT></DIV> <DIV><FONT face=3DArial size=3D2>My idea was to generate the mail = certificate with=20 :</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>KU -> Digital Signature, Key=20 Enciphrment</FONT></DIV> <DIV><FONT face=3DArial size=3D2>EKU -> EMail = (1.3.6.1.5.5.7.3.4)</FONT></DIV> <DIV><FONT face=3DArial size=3D2>NetscapeExtension -> = S/Mime</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>in the SSL certificate the = extensions are=20 :</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV> <DIV><FONT face=3DArial size=3D2>KU -> Digital Signature</FONT></DIV> <DIV><FONT face=3DArial size=3D2>EKU -> EMail = (1.3.6.1.5.5.7.3.2)</FONT></DIV> <DIV><FONT face=3DArial size=3D2>NetscapeExtension -> SSL Client=20 Authentication</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>(none of the above extensions is=20 critical)</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>With IE and Outlook, the certificates = work fine,=20 because Microsoft products mind just the EKU. With Netscape (4.76) and=20 Messenger, I can just use SSL certificate.</FONT></DIV> <DIV><FONT face=3DArial size=3D2>How can I force the use of the mail = certificate?=20 Why Netscape doesn't mind the S/Mime extension?</FONT></DIV> <DIV><FONT face=3DArial size=3D2>Till now, the only solution I have = found, is to=20 force the usage of my mail certificate setting the KU extension as = critical, but=20 I don't think it is the best one. Have someone a best = solution?</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial size=3D2>Thanks in advance.</FONT></DIV> <DIV><FONT face=3DArial size=3D2></FONT> </DIV> <DIV><FONT face=3DArial=20 size=3D2>Fabio.</FONT></DIV></DIV></FONT></DIV></BODY></HTML> ------=_NextPart_000_005E_01C0D304.9CED6F30-- Received: from brot.celocom.de (brot.celocom.de [212.78.104.200]) by above.proper.com (8.9.3/8.9.3) with ESMTP id DAA08017 for <ietf-pkix@imc.org>; Wed, 2 May 2001 03:18:08 -0700 (PDT) Received: from frolic.celocom.de (frolic.celocom.de [212.78.104.90]) by brot.celocom.de (Postfix) with ESMTP id EB4502FD2 for <ietf-pkix@imc.org>; Wed, 02 May 2001 12:17:54 +0200 (CEST) Received: from gemplus.com (bernd.celocom.de [212.78.104.41]) by frolic.celocom.de (Postfix) with ESMTP id B0ED0108054 for <ietf-pkix@imc.org>; Wed, 2 May 2001 12:17:54 +0200 (CEST) Message-ID: <3AEFDECE.C500CC29@gemplus.com> Date: Wed, 02 May 2001 12:17:50 +0200 From: Bernd Matthes <bernd.matthes@gemplus.com> Organization: Celo Communications -- a Gemplus Company X-Mailer: Mozilla 4.75 [en] (WinNT; U) X-Accept-Language: de,en MIME-Version: 1.0 To: ietf pkix <ietf-pkix@imc.org> Subject: TimeStamp: Needs clarification Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------msDDCF07E0D2BD0C914A494DBC" This is a cryptographically signed message in MIME format. --------------msDDCF07E0D2BD0C914A494DBC Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hi to all! I need clarification about messageImprint of TimeStampToken. In <draft-ietf-pkix-time-stamp-14.txt>, Appendix A is written: "The value of messageImprint field within TimeStampToken shall be a hash of the value of signature field within SignerInfo for the signedData being timestamped." In my opinion is the messageImprint the hash value of the encryptedDigest in the SignerInfo (according to RFC2315) or is the messageImprint the hash value over the message identical to the messageDigest in the authenticatedAttributes within the SignerInfo? Thanks in advance. -- Mors certa, hora incerta. In dubio pro mille. -------------------------------------------------------------------- Bernd Matthes Celo Communications GmbH Senior Software Engineer - a Gemplus Company Dipl.-Ing.(FH) mailto:bernd.matthes@gemplus.com -------------------------------------------------------------------- Every information is sensitive information, and sensitive informations should be protected from being spied. ergo: because you read this mail you're probably a spy. --------------msDDCF07E0D2BD0C914A494DBC Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIH6gYJKoZIhvcNAQcCoIIH2zCCB9cCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC Bb0wggKMMIIB9aADAgECAgMEZkswDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlpBMRUw EwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhh d3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwg RnJlZW1haWwgUlNBIDIwMDAuOC4zMDAeFw0wMTAzMTYxNDA0MzJaFw0wMjAzMTYxNDA0MzJa MEsxHzAdBgNVBAMTFlRoYXd0ZSBGcmVlbWFpbCBNZW1iZXIxKDAmBgkqhkiG9w0BCQEWGWJl cm5kLm1hdHRoZXNAZ2VtcGx1cy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANAA w8BVu1sFXcFZ0RiaI1E7cQGzD/ilmkCBs2shzSy/ORqzS5XCQvXat5tbDgWQg1qKKvh4gvly pgwvJtnyOyqUBJ6/L+BiFHYsSgFZZ8dWCSnJFPWbYtvrAzvN3IhkRgkOiit/jo6mIOFDjQKm ZbxC2sQzcuf3eUJVL5zXvjmnAgMBAAGjNjA0MCQGA1UdEQQdMBuBGWJlcm5kLm1hdHRoZXNA Z2VtcGx1cy5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOBgQBy4Avl5Chdn6uQ MnVuQd14NYuqtWZaAPL84JN0P6mEfrSxjvb/XsQNXBnfFeBe9dC28ENTWQqboh2EYlhM1LjD +BmyyORFcEbJWqQce76vBXu7HAQXo+3GlesUKy3bW34z/bMdbiovChqBxTCbSxe1qCzxdFS3 WDxx+LaaIFJUGDCCAykwggKSoAMCAQICAQwwDQYJKoZIhvcNAQEEBQAwgdExCzAJBgNVBAYT AlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UE ChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMg RGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqG SIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMDA4MzAwMDAwMDBa Fw0wMjA4MjkyMzU5NTlaMIGSMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBl MRIwEAYDVQQHEwlDYXBlIFRvd24xDzANBgNVBAoTBlRoYXd0ZTEdMBsGA1UECxMUQ2VydGlm aWNhdGUgU2VydmljZXMxKDAmBgNVBAMTH1BlcnNvbmFsIEZyZWVtYWlsIFJTQSAyMDAwLjgu MzAwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN4zMqZjxwklRT7SbngnZ4HF2ogZgpcO 40QpimM1Km1wPPrcrvfudG8wvDOQf/k0caCjbZjxw0+iZdsN+kvx1t1hpfmFzVWaNRqdknWo J67Ycvm6AvbXsJHeHOmr4BgDqHxDQlBRh4M88Dm0m1SKE4f/s5udSWYALQmJ7JRr6aFpAgMB AAGjTjBMMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFQcml2YXRlTGFiZWwxLTI5NzASBgNV HRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQQFAAOBgQBzG28mZYv/ FTRLWWKK7US+ScfoDbuPuQ1qJipihB+4h2N0HG23zxpTkUvhzeY42e1Q9DpsNJKs5pKcbsEj AcIJp+9LrnLdBmf1UG8uWLi2C8FQV7XsHNfvF7bViJu3ooga7TlbOX00/LaWGCVNavSdxcOR L6mWuAU8Uvzd6WIDSDGCAfUwggHxAgEBMIGaMIGSMQswCQYDVQQGEwJaQTEVMBMGA1UECBMM V2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xDzANBgNVBAoTBlRoYXd0ZTEdMBsG A1UECxMUQ2VydGlmaWNhdGUgU2VydmljZXMxKDAmBgNVBAMTH1BlcnNvbmFsIEZyZWVtYWls IFJTQSAyMDAwLjguMzACAwRmSzAJBgUrDgMCGgUAoIGxMBgGCSqGSIb3DQEJAzELBgkqhkiG 9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTAxMDUwMjEwMTc1M1owIwYJKoZIhvcNAQkEMRYEFCSz hl82sIa88R2P7KanedhObSoqMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZI hvcNAwICAgCAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgFAMA0GCCqGSIb3DQMCAgEoMA0GCSqG SIb3DQEBAQUABIGAmamEkJxZhOyDC7WHBwRyYJsYfOrv7pFjY9rY03kQFowXGf09Socm24zG zhwBZLAVeKm5PkkwZG/Xxej34mIE6cNqey4d7wZTT07CAtBXg7KdKUVx2/g95q/de99c3dXF LseZNfWBgPjhOwc0gagNwUhTKYyiVH44/L/WUwoCoBs= --------------msDDCF07E0D2BD0C914A494DBC-- Received: from ntsiaexch.office (exchange.sia.it [192.106.192.201]) by above.proper.com (8.9.3/8.9.3) with ESMTP id CAA04048 for <ietf-pkix@imc.org>; Wed, 2 May 2001 02:51:14 -0700 (PDT) Received: by ntsiaexch.office with Internet Mail Service (5.5.2653.19) id <KDKW0F46>; Wed, 2 May 2001 11:50:43 +0200 Message-ID: <8160937F4F4CD111A93E00805FC1752904AA273A@ntsiaexch.office> From: Santoni Adriano <adriano.santoni@sia.it> To: "'thayes@netscape.com'" <thayes@netscape.com>, Housley Russ <rhousley@rsasecurity.com> Cc: ietf-pkix@imc.org Subject: R: CPS Pointer Date: Wed, 2 May 2001 11:50:42 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id CAA04055 I think that we should also explicitly provide for HTTPS, if that is not obvious enough from the text and context. Some CAs publish their CPS on an SSL-protected web site, so the user can verify it comes from a trusted source (this is good practice, IMO). Adriano -----Messaggio originale----- Da: thayes@netscape.com [mailto:thayes@netscape.com] Inviato: martedì 1 maggio 2001 19.01 A: Housley Russ Cc: ietf-pkix@imc.org Oggetto: Re: CPS Pointer I think the current text is fine. I don't think there is any benefit in requiring or suggesting that CAs use particular forms of URIs. This should be left as "a local matter". Terry Hayes Housley, Russ wrote: > Trevor Freeman noticed we don't have any guidelines for what forms of > URI are supported with the CPS Pointer. Presently, we say: > > The CPS Pointer qualifier contains a pointer to a Certification > Practice Statement (CPS) published by the CA. The pointer is in the > form of a URI. Processing requirements for this qualifier are a > local matter. No action is mandated by this specification regardless > of the criticality value asserted for the extension. > > So, we are not mandating any behavior on the client. Perhaps we > should say something about the CA. Trevor suggests that HTTP and FTP > forms of URI are sufficient. Does anyone see any reason to support > other protocols for CPS fetching? > > Russ *******************Internet Email Confidentiality Footer******************* Qualsiasi utilizzo non autorizzato del presente messaggio nonche' dei suoi allegati e' vietato e potrebbe costituire reato. Se lei ha ricevuto erroneamente il presente messaggio, Le saremmo grati se, via e-mail, ce ne comunicasse la ricezione e provvedesse alla distruzione del messaggio stesso e dei suoi eventuali allegati. Le dichiarazioni contenute nel presente messaggio nonche' nei suoi eventuali allegati devono essere attribuite esclusivamente al mittente e non possono essere considerate come trasmesse o autorizzate da SIA S.p.A.; le medesime dichiarazioni non impegnano SIA S.p.A. nei confronti del destinatario o di terzi. SIA S.p.A. non si assume alcuna responsabilita' per eventuali intercettazioni, modifiche o danneggiamenti del presente messaggio e-mail. Any unauthorized use of this e-mail or any of its attachments is prohibited and could constitute an offence. If you are not the intended addressee please advise immediately the sender by using the reply facility in your e-mail software and destroy the message and its attachments. The statements and opinions expressed in this e-mail message are those of the author of the message and do not necessarily represent those of SIA. Besides, The contents of this message shall be understood as neither given nor endorsed by SIA S.p.A.. SIA S.p.A. does not accept liability for corruption, interception or amendment, if any, or the consequences thereof. Received: from samurai.mirai.hu (mirai.hu [195.70.36.2]) by above.proper.com (8.9.3/8.9.3) with ESMTP id SAA21376; Tue, 1 May 2001 18:44:40 -0700 (PDT) From: specials@computerimagingsupply.com Received: from [216.206.146.34] (helo=cis) by samurai.mirai.hu with smtp (Exim 3.12 #1 (Debian)) id 14ulg6-0007vZ-00; Wed, 02 May 2001 03:43:42 +0200 To: Printing supply consumers<> Subject: Save big on printer supplies! Date: Tue, 01 May 2001 18:43:28 -0700 X-Sender: specials@computerimagingsupply.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Content-Type: text/html; charset="iso-8859-1" X-Priority: 3 X-MSMail-Priority: Normal Message-Id: <E14ulg6-0007vZ-00@samurai.mirai.hu> <html> <head> <title>Save $$$$ with Computer Imaging Supply Inc.!!!!!</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <!-- You are seeing this message because your email reading software cannot properly read HTML formatted email. This message is formatted in HTML. To view all of Computer Imaging Supply's great deals, simply click on the following link and start enjoying the savings. http://www.computerimagingsupply.com ------------------------------------------------------- Save $$$$ with Computer Imaging Supply Inc.!!!!! ------------------------------------------------------- Sincerely, Team Staff http://www.ComputerImagingSupply.com --> <meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"> <meta content="MSHTML 6.00.2462.0" name=GENERATOR> <style></style> </head> <body bgcolor="#ffffff"> <div> </div> <div align=center><a href="http://www.computerimagingsupply.com/CDindex.html"><img height=74 src="http://www.computerimagingsupplies.com/Email/LG/CIS-logo-bevel.gif" width=447 border=0></a><font color=#ff0000><b><font face="Verdana, Arial, Helvetica, sans-serif" color=#0033cc size=-1><br> </font><font color=#0033cc><b><font face="Verdana, Arial, Helvetica, sans-serif">THE MOST EXPENSIVE PART OF A PRINTER IS THE SUPPLIES!</font></b></font></b></font></div> <div align=center><font face="Verdana, Arial, Helvetica, sans-serif"><b><font size=-1>Get more value for your money with <a href="http://www.ComputerImagingSupply.com">http://www.ComputerImagingSupply.com</a>.</font></b></font><br> </div> <div align=center> <table height=67 width=418 border=0> <tbody> <tr> <td width=153 bgcolor=#ff9999 height=150> <div align=center><font face="Verdana, Arial, Helvetica, sans-serif" size=-1><b><br> We have</b><br> <font color=#0000cc><i><b><font color=#0000ff>LOWER</font></b></i></font> <font color=#0000ff><i><b>PRICES</b></i></font><br> <font size=-2><b><font color=#330066 size=-1>than the office supply superstores on OEM Inkjet/Laser cartridges, FAX supplies & Printer Ribbons!</font> </b></font></font></div> </td> <td width=125 bgcolor=#6699ff height=150> <div align=center> <p><font face="Verdana, Arial, Helvetica, sans-serif" size=-1><b><font color=black><br> FREE SHIPPING</font></b><br> <i>on all orders!<br> </i><b><font color=black>NO SALES TAX!</font></b><i><br> (except CA)<br> </i><font color=black><b>100% MONEY BACK<br> GURANTEE!</b></font><i><br> <font color=#003333>=No Risk To You!</font></i></font> </p> </div> </td> <td width=118 bgcolor=#66ff66 height=150> <p align=center><font face="Verdana, Arial, Helvetica, sans-serif" size=-1><b>Check out our</b></font> <i><br> <b><font face="Verdana, Arial, Helvetica, sans-serif" color=#006666>LOW PRICES!</font></b></i></p> <form> <select onChange="OpenCIS('http://computerimagingsupply.com')" name="printer Model"> <option selected>Printer Model</option> <option>Canon</option> <option>Epson</option> <option>Hewlett Packard</option> <option>Lexmark</option> <option>Xerox</option> </select> </form> <p align=center><i><b><font face="Verdana, Arial, Helvetica, sans-serif" color=#006666><a href="http://www.computerimagingsupply.com/CDindex.html">Click Here!</a> </font></b></i></p> </td> </tr> </tbody> </table> <table width=480 border=0> <tbody> <tr> <td width=71 height=67><img height=81 src="http://www.computerimagingsupplies.com/Email/LG/cart1.gif" width=70></td> <td width=336 height=67> <div align=center><i><font face="Verdana, Arial, Helvetica, sans-serif" color=#0000cc><b><font size=-1>Plus, we carry a full line of OEM quality replacement products and our </font>CIS XL line<font size=-1>. These unique long life products cost less than OEM & they give you <br> </font></b></font></i><font face="Verdana, Arial, Helvetica, sans-serif" color=#0000cc><b><font color=#ff0000>25% or more prints!</font></b></font></div> </td> <td width=10 height=67><img height=81 src="http://www.computerimagingsupplies.com/Email/LG/toner1.gif" width=70></td> </tr> </tbody> </table> <table width=552 bgcolor=#ffff00 border=0> <tbody> <tr> <td height=72> <div align=center><font face="Verdana, Arial, Helvetica, sans-serif"><b><i><font color=#000099>Example</font></i></b></font><font face="Verdana, Arial, Helvetica, sans-serif" size=-1><b>: Your printer needs a <font color=#0000ff>Hewlett Packard</font> Series 2 Black Cartridge.<br> </b></font><b><font face="Verdana, Arial, Helvetica, sans-serif" size=-1>Purchase our XL product and you save money & the cartridge has a longer life of up to </font><font face="Verdana, Arial, Helvetica, sans-serif" color=#0000ff>25%</font><font face="Verdana, Arial, Helvetica, sans-serif" size=-1> </font><font face="Verdana, Arial, Helvetica, sans-serif" color=#0000ff>or more!</font><font face="Verdana, Arial, Helvetica, sans-serif" size=-1> <br> <i><font color=#006666>It's that simple.</font></i></font></b></div> </td> </tr> </tbody> </table> <table height=88 width=595 border=0> <tbody> <tr> <td width=391 height=136> <div align=center><font size=-2><b><font face="Verdana, Arial, Helvetica, sans-serif" color=#000066 size=-1>Computer Imaging Supply is ready <br> to serve you<font size=-2> with our world class customer service <br> featuring<font size=-1> LIVE</font> onsite chat. Also, check out our<br> featured <font color=#3333ff><i><font size=-1>FREE GIFT </font></i></font><font size=-1><i><font color=#0000ff>PREMIUMS</font></i></font>. Visit our secure<br> and easy to use website today & you'll receive a<br> <i><font color=#cc0000 size=-1>FREE CLEANING KIT</font></i> with your first order ... <br> no minimum required!</font></font></b></font></div> </td> <td width=239 height=136><a href="http://www.computerimagingsupply.com/CDindex.html"><img height=115 src="http://www.computerimagingsupplies.com/Email/LG/hdquarters.gif" width=254 border=0></a></td> </tr> </tbody> </table> <table width=496 border=0> <tbody> <tr> <td width=311 bgcolor=#66ff66> <div align=center><b><font face="Verdana, Arial, Helvetica, sans-serif" color=#000033 size=-1><br> START SAVING $$$ NOW AT:<br> </font><font face="Verdana, Arial, Helvetica, sans-serif" color=#000033><a href="http://www.computerimagingsupply.com/CDindex.html"><font size=-1>http://www.ComputerImagingSupply.com</font></a></font></b></div> </td> <td width=169 bgcolor=#ff9999> <div align=center><font face="Verdana, Arial, Helvetica, sans-serif" size=-1><font color=#0000ff><b><font color=#003333>Questions? Call our toll free direct <br> customer service:<br> 1-888-289-4624 </font></b></font></font></div> </td> </tr> </tbody> </table> <table height=80 width=596 border=0> <tbody> <tr> <td height=90> <p align=center><font face="Verdana, Arial, Helvetica, sans-serif" size=-1><font color=#000099>If you are not responsible for printer supply purchasing,<br> please forward this e-mail to appropriate persons.</font> <br> <font size=-2><br> To be removed form this list, please reply to this e-mail and type "Remove" in the subject field. <br> You can also remove your email address by clicking on the following link and hitting send: <br> <b>mailto:</b><a href="mailto:remove@computerimagingsupply.com?subject=Remove ">remove@computerimagingsupply.com?subject=Remove</a></font></font><font face="Verdana, Arial, Helvetica, sans-serif" size=-1><font size=-2> Free shipping offer good to continental U.S. only. <br> Gift premiums awarded at specific purchase levels. No tax available outside CA only. <br> Free cleaning kits available while supplies last. </font></font></p> </td> </tr> </tbody> </table> </div> </body> </html> Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA07710 for <ietf-pkix@imc.org>; Tue, 1 May 2001 14:46:53 -0700 (PDT) Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id RAA65662; Tue, 1 May 2001 17:44:39 -0400 Received: from d02ml237.somers.hqregion.ibm.com ([9.45.4.171]) by northrelay02.pok.ibm.com (8.8.8m3/NCO v4.96) with ESMTP id RAA35356; Tue, 1 May 2001 17:40:57 -0400 Importance: Normal Subject: Re: Basic constraints, key usage, and LDAP schema To: thayes@netscape.com (Terry Hayes) Cc: Tim Polk <tim.polk@nist.gov>, ietf-pkix@imc.org X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: <OF17A7DCB3.1B625A01-ON85256A3F.0076487A@somers.hqregion.ibm.com> From: "Tom Gindin" <tgindin@us.ibm.com> Date: Tue, 1 May 2001 17:46:04 -0400 X-MIMETrack: Serialize by Router on D02ML237/02/M/IBM(Release 5.0.7 |March 21, 2001) at 05/01/2001 05:46:08 PM MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Tim's idea looks good to me too. I have no strong opinions as to whether an entity delegated to sign PK CRL's which does not have the same DN as any signer of PK Certificates should have basicConstraints indicating that it is a CA and be published in caCertificate, or whether it should be published in userCertificate with no basicConstraints extension in the certificate. However, an entity which signs AC CRL's but not PK CRL's is not a CA (it may be an AA, but not a CA). First, do we need an Key Purpose ID to designate such certificates? I would think that we do. Second, what attribute does the CRL signing certificate go into? It can't go into the aACertificate attribute which contains AC's rather than PKC's. Tom Gindin thayes@netscape.com (Terry Hayes) on 05/01/2001 04:41:36 PM To: Tim Polk <tim.polk@nist.gov> cc: ietf-pkix@imc.org Subject: Re: Basic constraints, key usage, and LDAP schema Tim, I agree with your proposed solution. As you have said, it separates the semantics of the two extensions, and simplifies the rules for the LDAP schema. There is one remaining point to address, and I believe it may be the main point of discussion in the current thread. When a CA uses the CRLDP extension to designate another entity to be the source for revocation information about some of its certificates, should that entity have a "CA" certificate (with appropriate basicConstraints extension)? I'm *not* suggesting that a basicConstraints extension is necessary for the entity to be authorized to sign the CRL. Instead, the problem is that clients that are trying to locate the certificate will not know whether they should look in the cACertificate attribute or the userCertificate attribute to find the appropriate certificate. To solve this, we can suggest that cACertificate be searched first, followed by userCertificate, or we can require that designated entities must always be a "CA", and the client can safely skip the userCertificate attribute. This is a question of searching the directory only, and does not suggest changing your assertion that any set of bits may be set in the keyUsage extension of "CA" certificates. Terry Tim Polk wrote: > Folks, > > I have been reading the email messages on the list about the > relationships between basic constraints, key usage, and the schema. > After mulling over the problem. I would like to propose a solution - > the only solution, as far as I can tell... > > The solution is to simplify and separate the semantics of the basic > constraints and key usage extension. This has positive implications > for the PKIX LDAP schema as well. > > Basic Constraints > > As stated in the current text for Basic Constraints (in 2459): "The > basic constraints extension identifies whether the subject of the > certificate is a CA and how deep a certification path may exist > through that CA." > > I believe this is the right semantics, and that basic constraints > should be included and cA should be asserted in *any* certificate > issued to a CA, regardless of the type or role associated with the > public key in the certificate. > > Key Usage > > The issuer should use the Key Usage extension to disambiguate the > subject's key pairs: > (a) The issuer indicates this public key may be used to verify the > signature on a public key certificate by asserting keyCertSign. (b) > The issuer indicates this public key may be used to verify the > signature on CRLs by asserting cRLSign. (c) The issuer indicates that > this public key may be used to establish symmetric keys with the > subject by asserting either keyEncipherment or keyAgreement. (d) The > issuer indicates that this public key may be used to verify signatures > on objects other than public key certificates and CRLs by asserting > nonRerpuidation or digitalSignature. > > Of course, if a key pair is used for multiple purposes, multiple key > usages may be asserted. > > In each of these cases, the basic constraints extension also appears > in the certificate and asserts that the subject is a CA. > > LDAP Schema > > All certificates issued to CAs would be considered CA certificates > since the basic constraints extension is present and asserts that the > subject is a CA. As a result, each of these could appear in the > cACertificate attribute or crossCertificatePair attribute. They would > *not* appear in the userCertificate attribute. (That would include > all types (a) through (d) above). > > ------------------ > > The implications of this strategy are as follows: (1) when a client is > searching for a CA certificate, they will not have to check the > userCertificate attribute; (2) the issuer can indicate that the > subject is a CA regardless of the key usage; and (3) minimal changes > to the text (my favorite!). > > What do you think? > > Thanks, > > Tim Polk > > > Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA05506 for <ietf-pkix@imc.org>; Tue, 1 May 2001 14:28:27 -0700 (PDT) Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id RAA04732 for <ietf-pkix@imc.org>; Tue, 1 May 2001 17:28:29 -0400 (EDT) Message-Id: <4.2.2.20010501170854.00a5c640@email.nist.gov> X-Sender: cooper@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Tue, 01 May 2001 17:27:03 -0400 To: ietf-pkix@imc.org From: "David A. Cooper" <david.cooper@nist.gov> Subject: Re: Basic constraints, key usage, and LDAP schema In-Reply-To: <3AEF23F8.2E4302ED@netscape.com> References: <4.2.0.58.20010501160140.0202cb50@email.nist.gov> <3AEF1F80.8090502@netscape.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Regunathan, Bear in mind that if an entity other than the certificate issuer issues CRLs that provide revocation information for a certificate, the CRLs should only be accepted if the certificate issuer specifically designates the CRL issuer as the source of revocation information. Whether we call the CRL issuer a CA or not should not affect the degree to which clients trust that entity. Similarly, whether the cA bit is set or not should not affect whether clients trust that entity. If a CA issues a certificate, specifies entityX as the source of revocation information (using a distribution point), and then issues a certificate to entityX with the cRLSign KeyUsage bit set, then clients that are willing to accept the certificate should trust the CRLs issued by entityX to provide accurate revocation information for the certificate. It doesn't make sense to say that the information in the CRL should be trusted if the certificate issued to entityX has the cA bit set, but should not be trusted if the cRLSign bit is set but the cA bit is not set. I do like the idea, however, of putting any certificate with cRLSign set in the cACertificate or crossCertificatePair attribute. We should try to have a single place for clients to look to find the certificate they need. Since most certificates with cRLSign set will also have KeyCertSign set as well, the cACertificate or crossCertificatePair attributes seem the best choice. From my point of view, the real value that basicConstraints adds is the ability to impose path length constraints. Using the cA bit to confer some degree of "trustworthiness" on the subject seems to be overloading the bit. We already have KeyUsage to indicate whether the subject public key can be used to verify signatures on certificates, CRLs, etc. Dave At 05:00 PM 5/1/01 -0400, Regunathan Rajaiah wrote: >Terry > I like the idea of > " or we can require that designated entities must always be a "CA"," > >I am wondering if the entity [source of revocation info] is not required to be CA , are the clinets expected to trust that entity too? > >We should require the designated entities must always be a CA Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA04153 for <ietf-pkix@imc.org>; Tue, 1 May 2001 14:07:21 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id RAA16411; Tue, 1 May 2001 17:07:21 -0400 (EDT) Message-Id: <4.2.0.58.20010501170030.01fa3230@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Tue, 01 May 2001 17:05:17 -0400 To: thayes@netscape.com (Terry Hayes) From: Tim Polk <tim.polk@nist.gov> Subject: Re: Basic constraints, key usage, and LDAP schema Cc: ietf-pkix@imc.org In-Reply-To: <3AEF1F80.8090502@netscape.com> References: <4.2.0.58.20010501160140.0202cb50@email.nist.gov> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Terry, I think it would be best if the client did not need to check the userCertificate attribute to validate CRLs. This adds complexity without any real benefit (in my opinion.) I have included some proposed text for the first paragraph of section 4.2.1.10 (basic constraints) that would clarify the issue. ----------------proposed text for first paragraph of 4.2.1.10---------------- The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate. A subject is considered a CA if it issues public key certificates or CRLs that describe the revocation status of public key certificates. ----------------------end proposed text What do you think? Thanks, Tim Polk At 01:41 PM 5/1/01 -0700, Terry Hayes wrote: >Tim, > >I agree with your proposed solution. As you have said, it separates the >semantics of the two extensions, and simplifies the rules for the LDAP schema. > >There is one remaining point to address, and I believe it may be the main >point of discussion in the current thread. > >When a CA uses the CRLDP extension to designate another entity to be the >source for revocation information about some of its certificates, should >that entity have a "CA" certificate (with appropriate basicConstraints >extension)? I'm *not* suggesting that a basicConstraints extension is >necessary for the entity to be authorized to sign the CRL. Instead, the >problem is that clients that are trying to locate the certificate will not >know whether they should look in the cACertificate attribute or the >userCertificate attribute to find the appropriate certificate. > >To solve this, we can suggest that cACertificate be searched first, >followed by userCertificate, or we can require that designated entities >must always be a "CA", and the client can safely skip the userCertificate >attribute. This is a question of searching the directory only, and does >not suggest changing your assertion that any set of bits may be set in the >keyUsage extension of "CA" certificates. > >Terry > >Tim Polk wrote: > >>Folks, >> >>I have been reading the email messages on the list about the >>relationships between basic constraints, key usage, and the schema. >>After mulling over the problem. I would like to propose a solution - the >>only solution, as far as I can tell... >> >>The solution is to simplify and separate the semantics of the basic >>constraints and key usage extension. This has positive implications for >>the PKIX LDAP schema as well. >> >>Basic Constraints >> >>As stated in the current text for Basic Constraints (in 2459): "The >>basic constraints extension identifies whether the subject of the >>certificate is a CA and how deep a certification path may exist through >>that CA." >> >>I believe this is the right semantics, and that basic constraints should >>be included and cA should be asserted in *any* certificate issued to a >>CA, regardless of the type or role associated with the public key in the >>certificate. >> >>Key Usage >> >>The issuer should use the Key Usage extension to disambiguate the >>subject's key pairs: >>(a) The issuer indicates this public key may be used to verify the >>signature on a public key certificate by asserting keyCertSign. (b) The >>issuer indicates this public key may be used to verify the signature on >>CRLs by asserting cRLSign. (c) The issuer indicates that this public key >>may be used to establish symmetric keys with the subject by asserting >>either keyEncipherment or keyAgreement. (d) The issuer indicates that >>this public key may be used to verify signatures on objects other than >>public key certificates and CRLs by asserting nonRerpuidation or >>digitalSignature. >> >>Of course, if a key pair is used for multiple purposes, multiple key >>usages may be asserted. >> >>In each of these cases, the basic constraints extension also appears in >>the certificate and asserts that the subject is a CA. >> >>LDAP Schema >> >>All certificates issued to CAs would be considered CA certificates since >>the basic constraints extension is present and asserts that the subject >>is a CA. As a result, each of these could appear in the cACertificate >>attribute or crossCertificatePair attribute. They would *not* appear in >>the userCertificate attribute. (That would include all types (a) through >>(d) above). >> >>------------------ >> >>The implications of this strategy are as follows: (1) when a client is >>searching for a CA certificate, they will not have to check the >>userCertificate attribute; (2) the issuer can indicate that the subject >>is a CA regardless of the key usage; and (3) minimal changes to the text >>(my favorite!). >> >>What do you think? >> >>Thanks, >> >>Tim Polk >> >> > > Received: from netscape.com (c3po.netscape.com [205.217.237.46]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA03233 for <ietf-pkix@imc.org>; Tue, 1 May 2001 14:00:13 -0700 (PDT) Received: from judge.mcom.com (judge.mcom.com [205.217.237.53]) by netscape.com (8.10.0/8.10.0) with ESMTP id f41KxYv15767 for <ietf-pkix@imc.org>; Tue, 1 May 2001 13:59:34 -0700 (PDT) Received: from netscape.com ([205.217.228.132]) by judge.mcom.com (Netscape Messaging Server 4.15) with ESMTP id GCOCZ602.6DD; Tue, 1 May 2001 13:59:30 -0700 Message-ID: <3AEF23F8.2E4302ED@netscape.com> Date: Tue, 01 May 2001 17:00:40 -0400 From: ragu@netscape.com (Regunathan Rajaiah) X-Mailer: Mozilla 4.75 [en]C-NSCP (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Terry Hayes <thayes@netscape.com> CC: Tim Polk <tim.polk@nist.gov>, ietf-pkix@imc.org Subject: Re: Basic constraints, key usage, and LDAP schema References: <4.2.0.58.20010501160140.0202cb50@email.nist.gov> <3AEF1F80.8090502@netscape.com> Content-Type: multipart/mixed; boundary="------------3745B398E1F63156C6504527" This is a multi-part message in MIME format. --------------3745B398E1F63156C6504527 Content-Type: multipart/alternative; boundary="------------6606F5FE7387399BF9212D05" --------------6606F5FE7387399BF9212D05 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Terry I like the idea of " or we can require that designated entities must always be a "CA"," I am wondering if the entity [source of revocation info] is not required to be CA , are the clinets expected to trust that entity too? We should require the designated entities must always be a CA Terry Hayes wrote: > Tim, > > I agree with your proposed solution. As you have said, it separates the > semantics of the two extensions, and simplifies the rules for the LDAP > schema. > > There is one remaining point to address, and I believe it may be the > main point of discussion in the current thread. > > When a CA uses the CRLDP extension to designate another entity to be the > source for revocation information about some of its certificates, should > that entity have a "CA" certificate (with appropriate basicConstraints > extension)? I'm *not* suggesting that a basicConstraints extension is > necessary for the entity to be authorized to sign the CRL. Instead, the > problem is that clients that are trying to locate the certificate will > not know whether they should look in the cACertificate attribute or the > userCertificate attribute to find the appropriate certificate. > > To solve this, we can suggest that cACertificate be searched first, > followed by userCertificate, or we can require that designated entities > must always be a "CA", and the client can safely skip the > userCertificate attribute. This is a question of searching the > directory only, and does not suggest changing your assertion that any > set of bits may be set in the keyUsage extension of "CA" certificates. > > Terry > > Tim Polk wrote: > > > Folks, > > > > I have been reading the email messages on the list about the > > relationships between basic constraints, key usage, and the schema. > > After mulling over the problem. I would like to propose a solution - > > the only solution, as far as I can tell... > > > > The solution is to simplify and separate the semantics of the basic > > constraints and key usage extension. This has positive implications > > for the PKIX LDAP schema as well. > > > > Basic Constraints > > > > As stated in the current text for Basic Constraints (in 2459): "The > > basic constraints extension identifies whether the subject of the > > certificate is a CA and how deep a certification path may exist > > through that CA." > > > > I believe this is the right semantics, and that basic constraints > > should be included and cA should be asserted in *any* certificate > > issued to a CA, regardless of the type or role associated with the > > public key in the certificate. > > > > Key Usage > > > > The issuer should use the Key Usage extension to disambiguate the > > subject's key pairs: > > (a) The issuer indicates this public key may be used to verify the > > signature on a public key certificate by asserting keyCertSign. (b) > > The issuer indicates this public key may be used to verify the > > signature on CRLs by asserting cRLSign. (c) The issuer indicates that > > this public key may be used to establish symmetric keys with the > > subject by asserting either keyEncipherment or keyAgreement. (d) The > > issuer indicates that this public key may be used to verify signatures > > on objects other than public key certificates and CRLs by asserting > > nonRerpuidation or digitalSignature. > > > > Of course, if a key pair is used for multiple purposes, multiple key > > usages may be asserted. > > > > In each of these cases, the basic constraints extension also appears > > in the certificate and asserts that the subject is a CA. > > > > LDAP Schema > > > > All certificates issued to CAs would be considered CA certificates > > since the basic constraints extension is present and asserts that the > > subject is a CA. As a result, each of these could appear in the > > cACertificate attribute or crossCertificatePair attribute. They would > > *not* appear in the userCertificate attribute. (That would include > > all types (a) through (d) above). > > > > ------------------ > > > > The implications of this strategy are as follows: (1) when a client is > > searching for a CA certificate, they will not have to check the > > userCertificate attribute; (2) the issuer can indicate that the > > subject is a CA regardless of the key usage; and (3) minimal changes > > to the text (my favorite!). > > > > What do you think? > > > > Thanks, > > > > Tim Polk > > > > > > --------------6606F5FE7387399BF9212D05 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit <!doctype html public "-//w3c//dtd html 4.0 transitional//en"> <html> Terry <br> I like the idea of <br> " <b><font color="#3366FF">or we can require that designated entities must always be a "CA","</font></b><font color="#000000"></font> <p><font color="#000000">I am wondering if the entity [source of revocation info] is not required to be CA , are the clinets expected to trust that entity too?</font><font color="#000000"></font> <p><font color="#000000">We should require the designated entities must always be a CA</font> <br><font color="#000000"></font> <font color="#000000"></font> <p>Terry Hayes wrote: <blockquote TYPE=CITE>Tim, <p>I agree with your proposed solution. As you have said, it separates the <br>semantics of the two extensions, and simplifies the rules for the LDAP <br>schema. <p>There is one remaining point to address, and I believe it may be the <br>main point of discussion in the current thread. <p>When a CA uses the CRLDP extension to designate another entity to be the <br>source for revocation information about some of its certificates, should <br>that entity have a "CA" certificate (with appropriate basicConstraints <br>extension)? I'm *not* suggesting that a basicConstraints extension is <br>necessary for the entity to be authorized to sign the CRL. Instead, the <br>problem is that clients that are trying to locate the certificate will <br>not know whether they should look in the cACertificate attribute or the <br>userCertificate attribute to find the appropriate certificate. <p>To solve this, we can suggest that cACertificate be searched first, <br>followed by userCertificate, or we can require that designated entities <br>must always be a "CA", and the client can safely skip the <br>userCertificate attribute. This is a question of searching the <br>directory only, and does not suggest changing your assertion that any <br>set of bits may be set in the keyUsage extension of "CA" certificates. <p>Terry <p>Tim Polk wrote: <p>> Folks, <br>> <br>> I have been reading the email messages on the list about the <br>> relationships between basic constraints, key usage, and the schema. <br>> After mulling over the problem. I would like to propose a solution - <br>> the only solution, as far as I can tell... <br>> <br>> The solution is to simplify and separate the semantics of the basic <br>> constraints and key usage extension. This has positive implications <br>> for the PKIX LDAP schema as well. <br>> <br>> Basic Constraints <br>> <br>> As stated in the current text for Basic Constraints (in 2459): "The <br>> basic constraints extension identifies whether the subject of the <br>> certificate is a CA and how deep a certification path may exist <br>> through that CA." <br>> <br>> I believe this is the right semantics, and that basic constraints <br>> should be included and cA should be asserted in *any* certificate <br>> issued to a CA, regardless of the type or role associated with the <br>> public key in the certificate. <br>> <br>> Key Usage <br>> <br>> The issuer should use the Key Usage extension to disambiguate the <br>> subject's key pairs: <br>> (a) The issuer indicates this public key may be used to verify the <br>> signature on a public key certificate by asserting keyCertSign. (b) <br>> The issuer indicates this public key may be used to verify the <br>> signature on CRLs by asserting cRLSign. (c) The issuer indicates that <br>> this public key may be used to establish symmetric keys with the <br>> subject by asserting either keyEncipherment or keyAgreement. (d) The <br>> issuer indicates that this public key may be used to verify signatures <br>> on objects other than public key certificates and CRLs by asserting <br>> nonRerpuidation or digitalSignature. <br>> <br>> Of course, if a key pair is used for multiple purposes, multiple key <br>> usages may be asserted. <br>> <br>> In each of these cases, the basic constraints extension also appears <br>> in the certificate and asserts that the subject is a CA. <br>> <br>> LDAP Schema <br>> <br>> All certificates issued to CAs would be considered CA certificates <br>> since the basic constraints extension is present and asserts that the <br>> subject is a CA. As a result, each of these could appear in the <br>> cACertificate attribute or crossCertificatePair attribute. They would <br>> *not* appear in the userCertificate attribute. (That would include <br>> all types (a) through (d) above). <br>> <br>> ------------------ <br>> <br>> The implications of this strategy are as follows: (1) when a client is <br>> searching for a CA certificate, they will not have to check the <br>> userCertificate attribute; (2) the issuer can indicate that the <br>> subject is a CA regardless of the key usage; and (3) minimal changes <br>> to the text (my favorite!). <br>> <br>> What do you think? <br>> <br>> Thanks, <br>> <br>> Tim Polk <br>> <br>> <br>></blockquote> </html> --------------6606F5FE7387399BF9212D05-- --------------3745B398E1F63156C6504527 Content-Type: text/x-vcard; charset=us-ascii; name="ragu.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Regunathan Rajaiah Content-Disposition: attachment; filename="ragu.vcf" begin:vcard n:Rajaiah;Regunathan tel;pager:8004649587 tel;work:2125612044 x-mozilla-html:FALSE adr:;;;;;; version:2.1 email;internet:ragu@netscape.com fn:Ragu end:vcard --------------3745B398E1F63156C6504527-- Received: from netscape.com (r2d2.netscape.com [205.217.237.47]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA02018 for <ietf-pkix@imc.org>; Tue, 1 May 2001 13:42:11 -0700 (PDT) Received: from judge.mcom.com (judge.mcom.com [205.217.237.53]) by netscape.com (8.10.0/8.10.0) with ESMTP id f41Kfhn19263 for <ietf-pkix@imc.org>; Tue, 1 May 2001 13:41:43 -0700 (PDT) Received: from netscape.com ([192.18.121.215]) by judge.mcom.com (Netscape Messaging Server 4.15) with ESMTP id GCOC5J01.JAU; Tue, 1 May 2001 13:41:43 -0700 Message-ID: <3AEF1F80.8090502@netscape.com> Date: Tue, 01 May 2001 13:41:36 -0700 From: thayes@netscape.com (Terry Hayes) User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.8.1+) Gecko/20010402 X-Accept-Language: en MIME-Version: 1.0 To: Tim Polk <tim.polk@nist.gov> CC: ietf-pkix@imc.org Subject: Re: Basic constraints, key usage, and LDAP schema References: <4.2.0.58.20010501160140.0202cb50@email.nist.gov> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Tim, I agree with your proposed solution. As you have said, it separates the semantics of the two extensions, and simplifies the rules for the LDAP schema. There is one remaining point to address, and I believe it may be the main point of discussion in the current thread. When a CA uses the CRLDP extension to designate another entity to be the source for revocation information about some of its certificates, should that entity have a "CA" certificate (with appropriate basicConstraints extension)? I'm *not* suggesting that a basicConstraints extension is necessary for the entity to be authorized to sign the CRL. Instead, the problem is that clients that are trying to locate the certificate will not know whether they should look in the cACertificate attribute or the userCertificate attribute to find the appropriate certificate. To solve this, we can suggest that cACertificate be searched first, followed by userCertificate, or we can require that designated entities must always be a "CA", and the client can safely skip the userCertificate attribute. This is a question of searching the directory only, and does not suggest changing your assertion that any set of bits may be set in the keyUsage extension of "CA" certificates. Terry Tim Polk wrote: > Folks, > > I have been reading the email messages on the list about the > relationships between basic constraints, key usage, and the schema. > After mulling over the problem. I would like to propose a solution - > the only solution, as far as I can tell... > > The solution is to simplify and separate the semantics of the basic > constraints and key usage extension. This has positive implications > for the PKIX LDAP schema as well. > > Basic Constraints > > As stated in the current text for Basic Constraints (in 2459): "The > basic constraints extension identifies whether the subject of the > certificate is a CA and how deep a certification path may exist > through that CA." > > I believe this is the right semantics, and that basic constraints > should be included and cA should be asserted in *any* certificate > issued to a CA, regardless of the type or role associated with the > public key in the certificate. > > Key Usage > > The issuer should use the Key Usage extension to disambiguate the > subject's key pairs: > (a) The issuer indicates this public key may be used to verify the > signature on a public key certificate by asserting keyCertSign. (b) > The issuer indicates this public key may be used to verify the > signature on CRLs by asserting cRLSign. (c) The issuer indicates that > this public key may be used to establish symmetric keys with the > subject by asserting either keyEncipherment or keyAgreement. (d) The > issuer indicates that this public key may be used to verify signatures > on objects other than public key certificates and CRLs by asserting > nonRerpuidation or digitalSignature. > > Of course, if a key pair is used for multiple purposes, multiple key > usages may be asserted. > > In each of these cases, the basic constraints extension also appears > in the certificate and asserts that the subject is a CA. > > LDAP Schema > > All certificates issued to CAs would be considered CA certificates > since the basic constraints extension is present and asserts that the > subject is a CA. As a result, each of these could appear in the > cACertificate attribute or crossCertificatePair attribute. They would > *not* appear in the userCertificate attribute. (That would include > all types (a) through (d) above). > > ------------------ > > The implications of this strategy are as follows: (1) when a client is > searching for a CA certificate, they will not have to check the > userCertificate attribute; (2) the issuer can indicate that the > subject is a CA regardless of the key usage; and (3) minimal changes > to the text (my favorite!). > > What do you think? > > Thanks, > > Tim Polk > > > Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.9.3/8.9.3) with ESMTP id NAA29449 for <ietf-pkix@imc.org>; Tue, 1 May 2001 13:05:13 -0700 (PDT) Received: from st25 (st25.ncsl.nist.gov [129.6.54.67]) by email.nist.gov (8.9.3/8.9.3) with ESMTP id QAA19978 for <ietf-pkix@imc.org>; Tue, 1 May 2001 16:05:14 -0400 (EDT) Message-Id: <4.2.0.58.20010501160140.0202cb50@email.nist.gov> X-Sender: wpolk@email.nist.gov X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Tue, 01 May 2001 16:03:11 -0400 To: ietf-pkix@imc.org From: Tim Polk <tim.polk@nist.gov> Subject: Basic constraints, key usage, and LDAP schema Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Folks, I have been reading the email messages on the list about the relationships between basic constraints, key usage, and the schema. After mulling over the problem. I would like to propose a solution - the only solution, as far as I can tell... The solution is to simplify and separate the semantics of the basic constraints and key usage extension. This has positive implications for the PKIX LDAP schema as well. Basic Constraints As stated in the current text for Basic Constraints (in 2459): "The basic constraints extension identifies whether the subject of the certificate is a CA and how deep a certification path may exist through that CA." I believe this is the right semantics, and that basic constraints should be included and cA should be asserted in *any* certificate issued to a CA, regardless of the type or role associated with the public key in the certificate. Key Usage The issuer should use the Key Usage extension to disambiguate the subject's key pairs: (a) The issuer indicates this public key may be used to verify the signature on a public key certificate by asserting keyCertSign. (b) The issuer indicates this public key may be used to verify the signature on CRLs by asserting cRLSign. (c) The issuer indicates that this public key may be used to establish symmetric keys with the subject by asserting either keyEncipherment or keyAgreement. (d) The issuer indicates that this public key may be used to verify signatures on objects other than public key certificates and CRLs by asserting nonRerpuidation or digitalSignature. Of course, if a key pair is used for multiple purposes, multiple key usages may be asserted. In each of these cases, the basic constraints extension also appears in the certificate and asserts that the subject is a CA. LDAP Schema All certificates issued to CAs would be considered CA certificates since the basic constraints extension is present and asserts that the subject is a CA. As a result, each of these could appear in the cACertificate attribute or crossCertificatePair attribute. They would *not* appear in the userCertificate attribute. (That would include all types (a) through (d) above). ------------------ The implications of this strategy are as follows: (1) when a client is searching for a CA certificate, they will not have to check the userCertificate attribute; (2) the issuer can indicate that the subject is a CA regardless of the key usage; and (3) minimal changes to the text (my favorite!). What do you think? Thanks, Tim Polk Received: from netscape.com (r2d2.netscape.com [205.217.237.47]) by above.proper.com (8.9.3/8.9.3) with ESMTP id KAA19836 for <ietf-pkix@imc.org>; Tue, 1 May 2001 10:01:38 -0700 (PDT) Received: from judge.mcom.com (judge.mcom.com [205.217.237.53]) by netscape.com (8.10.0/8.10.0) with ESMTP id f41H19n05926 for <ietf-pkix@imc.org>; Tue, 1 May 2001 10:01:09 -0700 (PDT) Received: from netscape.com ([192.18.121.215]) by judge.mcom.com (Netscape Messaging Server 4.15) with ESMTP id GCO1XX00.O6X; Tue, 1 May 2001 10:01:09 -0700 Message-ID: <3AEEEBCD.8040807@netscape.com> Date: Tue, 01 May 2001 10:01:01 -0700 From: thayes@netscape.com (Terry Hayes) User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.8.1+) Gecko/20010402 X-Accept-Language: en MIME-Version: 1.0 To: "Housley Russ" <rhousley@rsasecurity.com> CC: ietf-pkix@imc.org Subject: Re: CPS Pointer References: <5.0.1.4.2.20010430142758.01bacbe8@exna07.securitydynamics.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit I think the current text is fine. I don't think there is any benefit in requiring or suggesting that CAs use particular forms of URIs. This should be left as "a local matter". Terry Hayes Housley, Russ wrote: > Trevor Freeman noticed we don't have any guidelines for what forms of > URI are supported with the CPS Pointer. Presently, we say: > > The CPS Pointer qualifier contains a pointer to a Certification > Practice Statement (CPS) published by the CA. The pointer is in the > form of a URI. Processing requirements for this qualifier are a > local matter. No action is mandated by this specification regardless > of the criticality value asserted for the extension. > > So, we are not mandating any behavior on the client. Perhaps we > should say something about the CA. Trevor suggests that HTTP and FTP > forms of URI are sufficient. Does anyone see any reason to support > other protocols for CPS fetching? > > Russ Received: from dtctxexchims05.ins.com ([208.164.93.100]) by above.proper.com (8.9.3/8.9.3) with ESMTP id EAA25215 for <ietf-pkix@imc.org>; Tue, 1 May 2001 04:41:21 -0700 (PDT) Received: from cpxuser (PPPa69-ResaleDetroit1-2R7402.dialinx.net [4.16.192.226]) by dtctxexchims05.ins.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id 210KX5BR; Tue, 1 May 2001 06:36:09 -0500 Message-Id: <4.2.2.20010501073816.00ca2df0@POP7.ins.com> X-Sender: youngl_r@POP7.ins.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2 Date: Tue, 01 May 2001 07:40:18 -0400 To: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org From: Roger Younglove <ryounglove@lucent.com> Subject: Re: CPS Pointer In-Reply-To: <5.0.1.4.2.20010430142758.01bacbe8@exna07.securitydynamics. com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed No, I believe that HTTP and FTP forms of URI are sufficient. As long as the relying party has a pointer to the CPS that should be sufficient. At 02:32 PM 04/30/2001 , Housley, Russ wrote: >Trevor Freeman noticed we don't have any guidelines for what forms of URI >are supported with the CPS Pointer. Presently, we say: > > The CPS Pointer qualifier contains a pointer to a Certification > Practice Statement (CPS) published by the CA. The pointer is in the > form of a URI. Processing requirements for this qualifier are a > local matter. No action is mandated by this specification regardless > of the criticality value asserted for the extension. > >So, we are not mandating any behavior on the client. Perhaps we should >say something about the CA. Trevor suggests that HTTP and FTP forms of >URI are sufficient. Does anyone see any reason to support other protocols >for CPS fetching? > >Russ -------- TTFN Roger W. Younglove, CISSP Distinguished Member of Consulting Staff Lucent Worldwide Services--Information Security 100 Galleria Officentre, Ste. 220 Southfield, MI 48034-8428 Numeric page: 888.935.6755 E-mail page: page_roger_younglove@ins.com eFax number: 413.425.5368 www.lucent.com/netcare
- attributes in AC Hideyuki Odahara
- Re: attributes in AC Stephen Farrell
- draft-ietf-pkix-ac509prof -> RFC? Hideyuki Odahara
- Re: draft-ietf-pkix-ac509prof -> RFC? Stephen Farrell
- Re: draft-ietf-pkix-ac509prof -> RFC? Hideyuki Odahara