Re: [pkix] [x500standard] SV: Indirect CRLs

"Santosh Chokhani" <santosh.chokhani@gmail.com> Thu, 19 November 2015 18:51 UTC

From: Santosh Chokhani <santosh.chokhani@gmail.com>
To: x500standard@freelists.org, 'PKIX' <pkix@ietf.org>
References: <012001d1208f$d8cab330$8a601990$@gmail.com> <20151119145411.819BD1A383@ld9781.wdf.sap.corp> <070301d122e7$0ebf41a0$2c3dc4e0$@gmail.com> <001001d122ea$8d3aaee0$a7b00ca0$@x500.eu>
In-Reply-To: <001001d122ea$8d3aaee0$a7b00ca0$@x500.eu>
Date: Thu, 19 Nov 2015 13:51:34 -0500
Message-ID: <07f801d122fb$50a39ad0$f1ead070$@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/MTesgyv6y34LKyhNRYK_Svt0ncg>
Subject: Re: [pkix] [x500standard] SV: Indirect CRLs

Erik,

Look at Section 8.6.2.1 of X.509 and I quote the following: "The cRLIssuer
component identifies the authority that issues and signs the CRL. If this
component is absent, the CRL
issuer name defaults to the certificate issuer name."

Also see Section C.5.1.4 of X.509

-----Original Message-----
From: x500standard-bounce@freelists.org
[mailto:x500standard-bounce@freelists.org] On Behalf Of Erik Andersen
Sent: Thursday, November 19, 2015 11:52 AM
To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: [x500standard] SV: [pkix] Indirect CRLs

Within X.509 there is not even a small paragraph introducing indirect CRLs
where such information could be introduced. Besides the brief definition,
iCRLs are mentioned the first time within the CRL scope extension (which is
deprecated).

Erik
-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokhani
Sent: 19 November 2015 17:27
To: mrex@sap.com
Cc: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: Re: [pkix] [x500standard] Indirect CRLs

Without doing the latter, the relying party will not be able to use the
indirect CRL to verify the revocation status of the certificate in the scope
of the indirect CRL.

-----Original Message-----
From: Martin Rex [mailto:mrex@sap.com]
Sent: Thursday, November 19, 2015 9:54 AM
To: Santosh Chokhani <santosh.chokhani@gmail.com>
Cc: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: Re: [pkix] [x500standard] Indirect CRLs

Santosh Chokhani wrote:
> Yes.  That is an indirect CRL.
> 
> Note that the CA needs to assert appropriate cRLIssuer in the 
> DistributionPoint field of CRL DP extension of each certificate the CA 
> issues.

Huh?  The latter comment has exactly nothing to do with indirect CRLs.

-Martin

_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix

-----
www.x500standard.com: The central source for information on the X.500
Directory Standard.
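The two rules the thread turns on, that a DP without cRLIssuer defaults the CRL issuer to the certificate issuer (X.509 8.6.2.1) and that a relying party cannot apply an indirect CRL to a certificate whose DP does not name that CRL issuer (RFC 5280 6.3.3 step b), modelled in Python. This is an added example, not code from anyone in the thread: it represents names as strings and the CRL DP, issuing distribution point and certificateIssuer entry extension as plain dataclass fields rather than parsing DER, and the CA and CRL issuer names are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class DistributionPoint:
    """One DistributionPoint from a certificate's CRL DP extension.

    crl_issuer models the optional cRLIssuer component; None means absent,
    so (X.509 8.6.2.1) the CRL issuer defaults to the certificate issuer.
    """
    crl_issuer: Optional[str] = None


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    crl_dps: List[DistributionPoint] = field(default_factory=list)


@dataclass(frozen=True)
class RevokedEntry:
    """One revokedCertificates entry; certificate_issuer models the
    certificateIssuer CRL entry extension that indirect CRLs rely on."""
    serial: int
    certificate_issuer: Optional[str] = None


@dataclass(frozen=True)
class CRL:
    issuer: str
    indirect_crl: bool  # indirectCRL flag of the issuing distribution point extension
    entries: List[RevokedEntry] = field(default_factory=list)


def expected_crl_issuer(cert: Certificate, dp: DistributionPoint) -> str:
    """X.509 8.6.2.1: cRLIssuer if present, otherwise the certificate issuer."""
    return dp.crl_issuer if dp.crl_issuer is not None else cert.issuer


def crl_matches_dp(cert: Certificate, dp: DistributionPoint, crl: CRL) -> bool:
    """RFC 5280 6.3.3 (b): is this CRL the one the DP points to?"""
    if dp.crl_issuer is not None:
        # Indirect case: CRL issuer must equal cRLIssuer and the CRL must declare itself indirect.
        return crl.indirect_crl and crl.issuer == dp.crl_issuer
    # Direct case: the CRL issuer must be the certificate issuer.
    return crl.issuer == expected_crl_issuer(cert, dp)


def is_listed(cert: Certificate, crl: CRL) -> bool:
    """Walk the entries. In an indirect CRL a certificateIssuer extension sets
    the issuer for that entry and every following one (RFC 5280 5.3.3); before
    the first such extension the entries belong to the CRL issuer itself."""
    current_issuer = crl.issuer
    for entry in crl.entries:
        if entry.certificate_issuer is not None:
            current_issuer = entry.certificate_issuer
        if current_issuer == cert.issuer and entry.serial == cert.serial:
            return True
    return False


def revocation_status(cert: Certificate, crl: CRL) -> str:
    """'unusable' when no DP in the certificate selects this CRL, else 'revoked' or 'good'."""
    # Assumption: a certificate with no CRL DP extension behaves as if it
    # carried one DP without cRLIssuer, i.e. it is covered by the CA's own CRL.
    dps = cert.crl_dps or [DistributionPoint()]
    if not any(crl_matches_dp(cert, dp, crl) for dp in dps):
        return "unusable"
    return "revoked" if is_listed(cert, crl) else "good"


# Constructed sample data; the names are illustrative, not real CAs.
CA = "CN=Example CA"
ICRL = "CN=Example Indirect CRL Issuer"

CERT_WITH_CRLISSUER = Certificate(CA, 1001, [DistributionPoint(crl_issuer=ICRL)])
CERT_WITHOUT_CRLISSUER = Certificate(CA, 1002, [DistributionPoint()])
CERT_SERIAL_7 = Certificate(CA, 7, [DistributionPoint(crl_issuer=ICRL)])

INDIRECT_CRL = CRL(ICRL, True, [
    RevokedEntry(7),                            # belongs to ICRL itself: no certificateIssuer yet
    RevokedEntry(1001, certificate_issuer=CA),  # from here on the entries belong to CA
    RevokedEntry(1002),
])
DIRECT_CRL = CRL(CA, False, [RevokedEntry(1002)])

if __name__ == "__main__":
    for label, cert, crl in [
        ("cert with cRLIssuer vs indirect CRL", CERT_WITH_CRLISSUER, INDIRECT_CRL),
        ("cert without cRLIssuer vs indirect CRL", CERT_WITHOUT_CRLISSUER, INDIRECT_CRL),
        ("cert without cRLIssuer vs CA's own CRL", CERT_WITHOUT_CRLISSUER, DIRECT_CRL),
        ("serial 7 cert from CA vs indirect CRL", CERT_SERIAL_7, INDIRECT_CRL),
    ]:
        print(f"{label}: {revocation_status(cert, crl)}")
```

The second case is the one Santosh describes: serial 1002 is listed in the indirect CRL, but because the certificate's DP carries no cRLIssuer the relying party expects a CRL from the certificate issuer, and the indirect CRL is simply out of scope for it. The fourth case shows why the certificateIssuer entry extension matters: serial 7 appears in the CRL but under the CRL issuer's own name, so a certificate with serial 7 from the CA is not treated as revoked.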