Re: [pkix] [x500standard] SV: Re: SV: Indirect CRLs

["Erik Andersen" <era@x500.eu>]

Hi Stephen,

I will put the PDAM text and the drat technical corrigendum up on our web site (http://www.x500standard.com/) and provide exact links. Any comments and suggestions on the lists can then be converted to ballot comments to be considered at the ITU-T meeting March 2016. It is important to have maximum consensus.

Kind regards,

Erik

-----Oprindelig meddelelse-----
Fra: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] 
Sendt: 20 November 2015 17:36
Til: Erik Andersen <era@x500.eu>; x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Emne: Re: [pkix] [x500standard] SV: Re: SV: Indirect CRLs



On 20/11/15 16:33, Erik Andersen wrote:
> Hi Santosh,
> 
> Thanks a lot. That would be very helpful. I am quite pressed for time. 
> It is the plan to have the next edition of X.509 ready at ITU-T  
> September next year. This is necessary, as the smart grid security 
> people need to reference
> X.509 for their use of authorization and validation lists 
> (whitelists). To meet the schedule, I need to have the next PDAM out 
> for ballot at the end of this month. The same applies for a technical 
> corrigendum covering all identified defects.

A suggestion: why not make that draft visible to folks here. I think you'd get comments that would improve it.

S.

> 
> Regards,
> 
> Erik
> 
> -----Oprindelig meddelelse-----
> Fra: pkix [mailto:pkix-bounces@ietf.org] På vegne af Santosh Chokhani
> Sendt: 20 November 2015 16:44
> Til: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
> Emne: Re: [pkix] [x500standard] SV: Re: SV: Indirect CRLs
> 
> Erik,
> 
> I am happy to help craft or review additional exposition if that helps.
> 
> -----Original Message-----
> From: x500standard-bounce@freelists.org 
> [mailto:x500standard-bounce@freelists.org] On Behalf Of Erik Andersen
> Sent: Friday, November 20, 2015 6:00 AM
> To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
> Subject: [x500standard] SV: Re: SV: [pkix] Indirect CRLs
> 
> Hi Santosh,
> 
> Try to imagine a guy that is completely new in PKI and pick-up X.509 
> or RFC
> 5280 to learn about it. Will he understand what an indirect CRL is by 
> just looking at some brief statements on an iCRL is.
> 
> 8.5.2.2	CRL scope extension (deprecated) has the following statements:
> 
> –	simple CRLs that provide revocation information about certificates
> issued by a single authority; 
> –	indirect CRLs that provide revocation information about certificates
> issued by multiple authorities;
> 
> It was a statement like this that made me wrongly to believe that it 
> is only an iCRL if there are certificate info from multiple authorities.
> 
> I also some comments on your other mail.
> 
> Regards,
> 
> Erik
>  
> 
> -----Oprindelig meddelelse-----
> Fra: x500standard-bounce@freelists.org 
> [mailto:x500standard-bounce@freelists.org] På vegne af Santosh 
> Chokhani
> Sendt: 19 November 2015 19:52
> Til: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
> Emne: [x500standard] Re: SV: [pkix] Indirect CRLs
> 
> Erik,
> 
> Look at Section 8.6.2.1 of X.509 and I quote the following: "The 
> cRLIssuer component identifies the authority that issues and signs the 
> CRL. If this component is absent, the CRL issuer name defaults to the 
> certificate issuer name."
> 
> Also see Section C.5.1.4 of X.509
> 
> -----Original Message-----
> From: x500standard-bounce@freelists.org 
> [mailto:x500standard-bounce@freelists.org] On Behalf Of Erik Andersen
> Sent: Thursday, November 19, 2015 11:52 AM
> To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
> Subject: [x500standard] SV: [pkix] Indirect CRLs
> 
> Within X.509 there is not even a small paragraph introducing indirect 
> CRLs where such information could be introduced. Besides the brief 
> definition, iCRLs are mentioned the first time within the CRL scope 
> extension (which is deprecated).
> 
> Erik
> -----Oprindelig meddelelse-----
> Fra: pkix [mailto:pkix-bounces@ietf.org] På vegne af Santosh Chokhani
> Sendt: 19 November 2015 17:27
> Til: mrex@sap.com
> Cc: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
> Emne: Re: [pkix] [x500standard] Indirect CRLs
> 
> Without doing the latter, the relying party will not be able to use 
> the indirect CRL to verify the revocation status of the certificate in 
> the scope of the indirect CRL.
> 
> -----Original Message-----
> From: Martin Rex [mailto:mrex@sap.com]
> Sent: Thursday, November 19, 2015 9:54 AM
> To: Santosh Chokhani <santosh.chokhani@gmail.com>
> Cc: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
> Subject: Re: [pkix] [x500standard] Indirect CRLs
> 
> Santosh Chokhani wrote:
>> Yes.  That is an indirect CRL.
>>
>> Note that the CA needs to assert appropriate cRLIssuer in the 
>> DistributionPoint field of CRL DP extension of each certificate the 
>> CA issues.
> 
> Huh?  The latter comment has exactly nothing to do with indirect CRLs.
> 
> -Martin
> 
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
> 
> -----
> www.x500standard.com: The central source for information on the X.500 
> Directory Standard.
> 
> 
> -----
> www.x500standard.com: The central source for information on the X.500 
> Directory Standard.
> 
> -----
> www.x500standard.com: The central source for information on the X.500 
> Directory Standard.
> 
> 
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
> 
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>