RE: not required to support IDP?

"David A. Cooper" <david.cooper@nist.gov> Wed, 20 February 2002 22:53 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA22996 for <pkix-archive@odin.ietf.org>; Wed, 20 Feb 2002 17:53:48 -0500 (EST)
Received: by above.proper.com (8.11.6/8.11.3) id g1KMCTi18989 for ietf-pkix-bks; Wed, 20 Feb 2002 14:12:29 -0800 (PST)
Received: from email.nist.gov (email.nist.gov [129.6.2.7]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g1KMCS318983 for <ietf-pkix@imc.org>; Wed, 20 Feb 2002 14:12:28 -0800 (PST)
Received: from krdp2 (krdp2.ncsl.nist.gov [129.6.54.107]) by email.nist.gov (8.12.2/8.12.2) with ESMTP id g1KMCTCr029532 for <ietf-pkix@imc.org>; Wed, 20 Feb 2002 17:12:29 -0500 (EST)
Message-Id: <4.2.2.20020220170429.00aa57c0@email.nist.gov>
X-Sender: cooper@email.nist.gov
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Wed, 20 Feb 2002 17:11:53 -0500
To: ietf-pkix@imc.org
From: "David A. Cooper" <david.cooper@nist.gov>
Subject: RE: not required to support IDP?
In-Reply-To: <9AC1E20200AD934D95F3972A0E048AFE0821D2@sek43.smarttrust.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

Simon,

I agree that PKIX did not mean to suggest that one could accept a CRL containing a critical IDP extension even if you can not process the extension. PKIX is simply saying that you are not required to have the ability to process the extension, even though this will mean that you may have to reject some CRLs.

However, X.509 does not require that a CA issue full CRLs. If this requirement did appear in X.509 (1997), it has been removed in X.509 (2000). In fact, X.509 makes clear that CAs may choose not to issue CRLs at all, either because they do not revoke certificates or because they only publish revocation information using some other mechanism (e.g., OCSP).

So, an X.509 compliant CA could issue only partitioned CRLs, in which case a relying party that could not process the IDP extension would be unable to obtain revocation information.

Dave

At 04:53 PM 2/20/02 +0100, Simon Tardell wrote:

>Hi Hiro,
>
>Of course, whatever extension is critical that you don't understand,
>must cause you to reject the CRL. However, according to X.509(97) 12.6.1
>f) a complete CRL shall always be issued, even if partitioned CRLs are
>also issued. That means that you don't have to support partitioned CRLs,
>since there is always (if the CA is X.509 compliant) a complete CRL to
>get. For many applications, partitioning CRLs may not even be the best
>answer to the problem you try to solve (depending on the problem of
>course).
>
>Simon
>
>Simon Tardell, Software Architect, SmartTrust
>voice +46 8 6853174, fax +46 8 6856530
>cell +46 70 3198319, simon.tardell@smarttrust.com
>
>
> > -----Original Message-----
> > From: Hiro [mailto:yoshida@secomtrust.net] 
> > Sent: 20 February 2002 14:57
> > To: ietf-pkix@imc.org
> > Subject: not required to support IDP?
> > 
> > Hi,
> > I have one question about the Issuing Distribution Point 
> > extension. In RFC2459 and draft-ietf-pkix-new-part1-12.txt, 
> > it says about this extension:
> > 
> >     "Although the extension is critical, conforming implementations
> >      are not required to support this extension."
> > 
> > I cannot understand this.
> > I think it is not only conflicting with the critical flag 
> > concept, but also, if a CA is issuing CRLs/ARLs (not complete 
> > CRLs) and a CRL substitution attack happens on the directory, 
> > the EE should find this attack.
> > So I think this extension must be supported.
> > 
> > Does anyone have an answer for this question?
> > 
> > Regards,
> > 
> > --
> > Hiro
> > yoshida@secomtrust.net
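The thread turns on two relying-party behaviours: rejecting a CRL whose critical issuingDistributionPoint (IDP) extension the implementation cannot process, and, for an implementation that does process IDP, checking that a partitioned CRL actually covers the certificate being validated (the scope check in RFC 5280 section 6.3.3 step (b)). The following is an added example, not code from the thread or from any of its participants. It uses a simplified in-memory model of a CRL and a certificate rather than DER, with a constructed CA name and distribution-point URIs; only the extension OIDs are real. It walks through the CRL substitution case Hiro raises: partition B's CRL served where partition A's is expected.

```python
"""Relying-party handling of a critical issuingDistributionPoint (IDP) extension.

Constructed example: the CRL and certificate structures below are a
simplified in-memory model, not real DER-encoded X.509 objects.
"""
from dataclasses import dataclass
from typing import Optional

# Extension OIDs from RFC 5280 (real values); everything else is constructed.
OID_CRL_NUMBER = "2.5.29.20"
OID_IDP = "2.5.29.28"


@dataclass
class IssuingDistributionPoint:
    distribution_point: Optional[str]          # URI naming this partition, or None
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False


@dataclass
class Extension:
    oid: str
    critical: bool
    value: object = None


@dataclass
class CRL:
    issuer: str
    revoked_serials: frozenset
    extensions: tuple


@dataclass
class Certificate:
    issuer: str
    serial: int
    is_ca: bool
    crl_dp: Optional[str]   # URI from cRLDistributionPoints, or None


def evaluate(cert: Certificate, crl: CRL, supported_oids: frozenset,
             honour_criticality: bool = True) -> str:
    """Return what a relying party that implements exactly `supported_oids`
    concludes about `cert` from `crl`: "revoked", "good", or "rejected: <reason>".
    `honour_criticality=False` models the unsafe behaviour of skipping an
    unknown critical extension instead of rejecting the CRL."""
    if crl.issuer != cert.issuer:
        return "rejected: CRL issuer does not match certificate issuer"
    # X.509 / RFC 5280: an unrecognized critical extension forces rejection.
    if honour_criticality:
        for ext in crl.extensions:
            if ext.critical and ext.oid not in supported_oids:
                return f"rejected: unrecognized critical extension {ext.oid}"
    # Only an implementation that supports IDP can apply the scope check
    # (RFC 5280 section 6.3.3 step (b)): the partition must cover this cert.
    idp = None
    if OID_IDP in supported_oids:
        idp = next((e.value for e in crl.extensions if e.oid == OID_IDP), None)
    if idp is not None:
        if idp.distribution_point is not None and idp.distribution_point != cert.crl_dp:
            return "rejected: CRL partition does not match certificate's distribution point"
        if idp.only_contains_user_certs and cert.is_ca:
            return "rejected: CRL covers only end-entity certificates"
        if idp.only_contains_ca_certs and not cert.is_ca:
            return "rejected: CRL covers only CA certificates"
    return "revoked" if cert.serial in crl.revoked_serials else "good"


# --- Constructed scenario -------------------------------------------------
CA = "CN=Example CA"                               # constructed issuer name
DP_A = "http://crl.example.test/partition-a.crl"  # constructed URIs
DP_B = "http://crl.example.test/partition-b.crl"

# End-entity certificate whose CRL DP names partition A; serial 7 is revoked.
CERT = Certificate(issuer=CA, serial=7, is_ca=False, crl_dp=DP_A)


def partitioned_crl(dp: str, revoked) -> CRL:
    """A CRL for one partition, carrying IDP marked critical as X.509 requires."""
    return CRL(CA, frozenset(revoked), (
        Extension(OID_CRL_NUMBER, False, 42),
        Extension(OID_IDP, True, IssuingDistributionPoint(dp, only_contains_user_certs=True)),
    ))


CRL_PARTITION_A = partitioned_crl(DP_A, {7})   # correct partition: lists serial 7
CRL_PARTITION_B = partitioned_crl(DP_B, {9})   # another partition: does not list 7
CRL_FULL = CRL(CA, frozenset({7, 9}), (Extension(OID_CRL_NUMBER, False, 43),))

NO_IDP_SUPPORT = frozenset({OID_CRL_NUMBER})
WITH_IDP_SUPPORT = frozenset({OID_CRL_NUMBER, OID_IDP})


def outcomes() -> dict:
    """Each relying-party profile against the full CRL, the right partition,
    and partition B substituted for partition A."""
    return {
        "no_idp/full":              evaluate(CERT, CRL_FULL, NO_IDP_SUPPORT),
        "no_idp/partition":         evaluate(CERT, CRL_PARTITION_A, NO_IDP_SUPPORT),
        "idp/correct_partition":    evaluate(CERT, CRL_PARTITION_A, WITH_IDP_SUPPORT),
        "idp/substituted":          evaluate(CERT, CRL_PARTITION_B, WITH_IDP_SUPPORT),
        "ignore_critical/substituted":
            evaluate(CERT, CRL_PARTITION_B, NO_IDP_SUPPORT, honour_criticality=False),
    }


if __name__ == "__main__":
    for name, result in outcomes().items():
        print(f"{name:30} {result}")
```

The last row is the point of Dave's first paragraph: an implementation that does not support IDP is allowed to exist, but it must reject the partitioned CRL (fail closed) rather than skip the extension, because skipping it turns the substituted partition into a clean "good" answer for a revoked certificate. An implementation that does support IDP detects the substitution through the distribution-point mismatch, and an implementation without IDP support still gets a usable answer from a full CRL when the CA publishes one.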