Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt
"Tom Gindin" <tgindin@us.ibm.com> Fri, 29 June 2001 21:06 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA25292 for <pkix-archive@odin.ietf.org>; Fri, 29 Jun 2001 17:06:24 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.3/8.11.3) id f5TKAx527854 for ietf-pkix-bks; Fri, 29 Jun 2001 13:10:59 -0700 (PDT)
Received: from e1.ny.us.ibm.com ([32.97.182.101]) by above.proper.com (8.11.3/8.11.3) with ESMTP id f5TKAum27763 for <ietf-pkix@imc.org>; Fri, 29 Jun 2001 13:10:57 -0700 (PDT)
Received: from northrelay02.pok.ibm.com (northrelay02.pok.ibm.com [9.117.200.22]) by e1.ny.us.ibm.com (8.9.3/8.9.3) with ESMTP id QAA160350; Fri, 29 Jun 2001 16:09:02 -0400
Received: from d01ml062.pok.ibm.com (d01ml062.pok.ibm.com [9.117.250.163]) by northrelay02.pok.ibm.com (8.11.1m3/NCO v4.96) with ESMTP id f5TK4r1130002; Fri, 29 Jun 2001 16:04:53 -0400
Importance: Normal
Subject: Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt
To: "David P. Kemp" <dpkemp@missi.ncsc.mil>
Cc: ietf-pkix@imc.org
X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000
Message-ID: <OF99BD86BF.6FB00DB5-ON85256A7A.006BD318@pok.ibm.com>
From: Tom Gindin <tgindin@us.ibm.com>
Date: Fri, 29 Jun 2001 16:10:22 -0400
X-MIMETrack: Serialize by Router on D01ML062/01/M/IBM(Release 5.0.7a SPR #MIAS4UTJ8H, S/390 SPR #JHEG4V8UT5 & S/390 SPR #JHEG4WERGL |May 21, 2001) at 06/29/2001 04:10:52 PM
MIME-Version: 1.0
Content-type: text/plain; charset="us-ascii"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
List-ID: <ietf-pkix.imc.org>
I'm not sure what protocol would typically be used to retrieve CRL's for retrospective validation, if the reference time is more than a day or two old. If the reference time is far back, the old CRL's would probably not be available from the HTTP or FTP locations in the distribution point extensions - those would have been overwritten. A local database in the CA would be likelier to have this stuff - but that would return multiple values for a query just as LDAP would. In the TechNR draft, I suggested that the responsible party (either the RP or the escrow holder) would archive them himself and present them to the retrospective validator. In general, assuming single-valued attributes for delta CRL's would be dangerous in retrospective validation, as can be seen in the following example (ignoring time units other than days for simplicity): a) Suppose the base CRL has thisUpdate D and nextUpdate D+7. b) Suppose delta CRL's were produced on D+3, and D+5. c) Attempt to validate a transaction occurring on D+6. The second delta is needed. d) Attempt to validate a different transaction occurring on D+4. The first delta is needed. On your question about LDAP retrieval of CRL's by time range, there was some discussion on this group last summer by Steven Legg (the thread is "Matching Rules for Constructed Syntaxes"), with David Chadwick and I also contributing, about how to search LDAP for ASN.1 subfields, which is reflected in an Internet-Draft draft-legg-ldapext-component-matching-02.txt. Until this is actually part of LDAP, you probably can't do it. If it is adopted as part of LDAP, someone needs to give samples for the filters people actually would want to run - notably times in certificates and CRL's, and values of KeyUsage. Tom Gindin "David P. Kemp" <dpkemp@missi.ncsc.mil>@mail.imc.org on 06/29/2001 02:44:53 PM Sent by: owner-ietf-pkix@mail.imc.org To: ietf-pkix@imc.org cc: Subject: Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Tom Gindin wrote: > > [Tom] I'll leave SHOULD vs. MUST for Russ, although I don't understand what > would lead a retrospective verifier to use the second or third most current > delta CRL rather than the most current, if he recognizes them as such. > Your last sentence is helpful, although I don't think that the measures > which guarantee both deltas being seen are security measures. The most > common reason to only see one would be an LDAP client implementation which > only picked up one value of a multi-valued attribute. Tom, Wouldn't a retrospective verifier use a protocol other than LDAP to retrieve non-current CRLs? I believe that searching the CDP attributes on an LDAP server would always return a single CRL for the current wallclock time. Could there conceivably be an LDAP mechanism to return all CRLs issued between 10:00 June 3 2001 and 9:30 June 4 2001, or would such a retrieval requirement be better satisfied using some other protocol (database search, http query, ftp get by directory/filename, etc.)? In other words, is there a downside to profiling as single-valued any directory attributes that hold CRLs? I agree with Denis that identifying the fact that an unscheduled CRL is missing is a security consideration. If the consideration rose to the level of a security concern (which I doubt), it could be addressed by sequential numbering or by a new CRL extension holding a backpointer to the previously-issued CRL. Dave
- I-D ACTION:draft-ietf-pkix-new-part1-07.txt Internet-Drafts
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Denis Pinkas
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Housley, Russ
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Denis Pinkas
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt David P. Kemp
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Housley, Russ
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt David P. Kemp
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Denis Pinkas
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Housley, Russ
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Housley, Russ
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Denis Pinkas
- RE: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Ambarish Malpani
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt David P. Kemp
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Housley, Russ
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt David P. Kemp
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Housley, Russ
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Tom Gindin
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt David P. Kemp
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Housley, Russ
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Denis Pinkas
- RE: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Santosh Chokhani
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Housley, Russ
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Tom Gindin
- Should a CRL number be unique or not ? Denis Pinkas
- Re: Should a CRL number be unique or not ? David P. Kemp
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Denis Pinkas
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Tom Gindin
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt David P. Kemp
- RE: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Carlin Covey
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Tom Gindin
- Re: Should a CRL number be unique or not ? Tim Polk
- Re: Should a CRL number be unique or not ? Housley, Russ
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Housley, Russ
- RE: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Santosh Chokhani
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Denis Pinkas
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Denis Pinkas
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt Tom Gindin
- Re: I-D ACTION:draft-ietf-pkix-new-part1-07.txt David P. Kemp
- New draft of son-of-2459 (Was: I-D ACTION:draft-i… Tim Polk
- Re: New draft of son-of-2459 (Was: I-D ACTION:dra… Anders Rundgren
- Re: New draft of son-of-2459 (Was: I-D ACTION:dra… Housley, Russ
- Logotypes in Certificates - Report and proposal t… Stefan Santesson