Re: [pkix] Delegating certificate revocation

王文正 <wcwang@cht.com.tw> Wed, 08 July 2015 12:47 UTC

From: 王文正 <wcwang@cht.com.tw>
To: Directory list <x500standard@freelists.org>, PKIX <pkix@ietf.org>
Thread-Topic: [pkix] Delegating certificate revocation
Date: Wed, 08 Jul 2015 12:47:00 +0000
Message-ID: <20825998BCB8D84C983674C159E25E753D61D07D@mbs6.app.corp.cht.com.tw>
References: <000201d0b965$8597d4e0$90c77ea0$@x500.eu>
In-Reply-To: <000201d0b965$8597d4e0$90c77ea0$@x500.eu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/T85W5gtaNVT2XpIbzAW1vPPLUI0>
Subject: Re: [pkix] Delegating certificate revocation

Eric,

I think an AA can do that.

Actually, there is a paragraph that describes how a CA authorizes a different entity to perform revocation.

Only a CA that is authorized to issue CRLs may choose to delegate that authority to another entity. If this delegation is done, it shall be verifiable at the time of certificate/CRL verification. The cRLDistributionPoints extension can be used for this purpose. The cRLIssuer field of this extension would be populated with the name(s) of any entities, other than the certificate issuer itself, that have been authorized to issue CRLs concerning the revocation status of the certificate in question.

The same method can be used by an AA. You can simply replace “CA” with “AA”, “CRL” with “ACRL”, “certificate” with “attribute certificate” and done.

Only an AA that is authorized to issue ACRLs may choose to delegate that authority to another entity. If this delegation is done, it shall be verifiable at the time of attribute certificate/ACRL verification. The cRLDistributionPoints extension can be used for this purpose. The cRLIssuer field of this extension would be populated with the name(s) of any entities, other than the attribute certificate issuer itself, that have been authorized to issue ACRLs concerning the revocation status of the attribute certificate in question.

That means the AA can include a cRLDistributionPoints extension in attribute certificates and use the cRLIssuer field of this extension to specify the name of the delegated CARL issuer.

Wen-Cheng Wang

From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Erik Andersen
Sent: Wednesday, July 08, 2015 6:05 PM
To: Directory list; PKIX
Subject: [pkix] Delegating certificate revocation

Clause 7.10 of X.509 on Certificate revocation lists states:

“the certificate-issuing authority authorizes a different entity to perform revocation.”

Can an AA do that, and if yes, how?

Regards,

Erik

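The delegation mechanism discussed in this thread, as an added worked example that is not part of either message: an issuing authority puts the delegate's name in the cRLIssuer field of the cRLDistributionPoints extension, the delegate signs an indirect CRL (with the issuingDistributionPoint extension marking it indirect and certificateIssuer entry extensions naming the original issuer), and the relying party accepts that CRL only if its issuer is the certificate's own issuer or one of the names listed in cRLIssuer. It uses Python's `cryptography` package for public-key certificates as a stand-in, since that library has no attribute certificate support; the same check applies unchanged to an AA, an attribute certificate and an ACRL. All names, keys, serial numbers and dates are constructed for the example.

```python
"""Verifying a delegated (indirect) CRL against cRLDistributionPoints/cRLIssuer.

Constructed example, not code from the PKIX thread. The relying-party logic
follows X.509 clause 7.10 / RFC 5280: a CRL from an entity other than the
certificate issuer is trusted only if that entity is named in cRLIssuer.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


# Constructed, hypothetical names and a fixed clock for reproducibility.
NOW = datetime.datetime(2015, 7, 8, 12, 47, tzinfo=datetime.timezone.utc)
CA_NAME = _name("Example CA")                # issues the certificate
DELEGATE_NAME = _name("Example CRL Issuer")  # authorised via cRLIssuer
ROGUE_NAME = _name("Some Other Entity")      # never authorised


def build_cert_with_delegated_crl_issuer(ca_key, subject_key):
    """Certificate whose only distribution point names the delegate in cRLIssuer."""
    dp = x509.DistributionPoint(
        full_name=None, relative_name=None, reasons=None,
        crl_issuer=[x509.DirectoryName(DELEGATE_NAME)],
    )
    return (
        x509.CertificateBuilder()
        .subject_name(_name("end-entity"))
        .issuer_name(CA_NAME)
        .public_key(subject_key.public_key())
        .serial_number(1000)
        .not_valid_before(NOW)
        .not_valid_after(NOW + datetime.timedelta(days=30))
        .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def build_indirect_crl(issuer_name, issuer_key, revoked_serials):
    """CRL signed by issuer_name, marked indirect, listing serials issued by CA_NAME."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_name)
        .last_update(NOW)
        .next_update(NOW + datetime.timedelta(days=1))
        .add_extension(
            x509.IssuingDistributionPoint(
                full_name=None, relative_name=None,
                only_contains_user_certs=False, only_contains_ca_certs=False,
                only_some_reasons=None, indirect_crl=True,
                only_contains_attribute_certs=False,
            ),
            critical=True,
        )
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(NOW)
            # In an indirect CRL each entry says which CA issued the certificate.
            .add_extension(x509.CertificateIssuer([x509.DirectoryName(CA_NAME)]),
                           critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(issuer_key, hashes.SHA256())


def crl_issuer_authorized(cert, crl) -> bool:
    """The delegation must be verifiable from the certificate itself."""
    if crl.issuer == cert.issuer:
        return True
    try:
        cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return False
    return any(
        isinstance(gn, x509.DirectoryName) and gn.value == crl.issuer
        for dp in cdp for gn in (dp.crl_issuer or [])
    )


def find_entry(cert, crl):
    """Serial lookup that honours certificateIssuer (RFC 5280 5.3.3 semantics)."""
    current_issuer = crl.issuer  # default until an entry overrides it
    for entry in crl:
        try:
            ci = entry.extensions.get_extension_for_class(x509.CertificateIssuer).value
            names = [gn.value for gn in ci if isinstance(gn, x509.DirectoryName)]
            if names:
                current_issuer = names[0]
        except x509.ExtensionNotFound:
            pass
        if entry.serial_number == cert.serial_number and current_issuer == cert.issuer:
            return entry
    return None


def revocation_status(cert, crl, crl_issuer_pubkey) -> str:
    """Order matters: authorisation, then signature, then the serial lookup."""
    if not crl_issuer_authorized(cert, crl):
        return "crl-not-authorized"
    if not crl.is_signature_valid(crl_issuer_pubkey):
        return "bad-signature"
    return "revoked" if find_entry(cert, crl) is not None else "good"


def demo() -> dict:
    ca_key, delegate_key, rogue_key, ee_key = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    cert = build_cert_with_delegated_crl_issuer(ca_key, ee_key)
    good_crl = build_indirect_crl(DELEGATE_NAME, delegate_key, [cert.serial_number])
    empty_crl = build_indirect_crl(DELEGATE_NAME, delegate_key, [])
    rogue_crl = build_indirect_crl(ROGUE_NAME, rogue_key, [cert.serial_number])
    return {
        "delegate_revokes": revocation_status(cert, good_crl, delegate_key.public_key()),
        "delegate_clean": revocation_status(cert, empty_crl, delegate_key.public_key()),
        "rogue_rejected": revocation_status(cert, rogue_crl, rogue_key.public_key()),
        "wrong_key": revocation_status(cert, good_crl, rogue_key.public_key()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The ordering in `revocation_status` is the point of the thread's "shall be verifiable at the time of certificate/CRL verification": a signature that checks out under some key is worthless until the relying party has established, from the certificate's own cRLDistributionPoints, that the signer was authorised to speak for that certificate's issuer. A production path validator would additionally bind `crl_issuer_pubkey` to the delegate's own certificate and check the CRL's validity window.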