Re: [pkix] RFC 5280 - Clarification on the Location where CRL URL should be Obtained

Michael StJohns <msj@nthpermutation.com> Wed, 28 February 2024 17:59 UTC

Message-ID: <028e66c1-4fee-4eac-b58d-5a9a6281681d@nthpermutation.com>
Date: Wed, 28 Feb 2024 12:56:50 -0500
To: pkix@ietf.org
References: <CAL4nJSYSJtgKPBmk+LGwYaeyk34i7CRibQ3qnLiNtaLUkVLiSg@mail.gmail.com> <256901da6a47$f7e80050$e7b800f0$@gmail.com>
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <256901da6a47$f7e80050$e7b800f0$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/aQ7Vfbc7MfdocidHHmS4fJTkWWo>
Subject: Re: [pkix] RFC 5280 - Clarification on the Location where CRL URL should be Obtained

To be more precise -

See the CA provider's Certification of Practice - a template for one is 
here: https://www.ietf.org/rfc/rfc3647.txt. A commercial CA will have 
something like this explaining the responses to your question _for the 
certificates issued by them._

BTW - this mailing list is for protocol questions, and yours evokes 
more a customer service type of question.

In other words, talk to your CA first.

Later, Mike


On 2/28/2024 8:13 AM, Santosh Chokhani wrote:
>
> The CRL URL needs to be obtained from the certificate, or by using other 
> local means, or by doing an LDAP lookup for the issuer DN in the certificate 
> and obtaining the proper attribute from the issuer DN's LDAP entry.
>
> The CRL URL in the issuer certificate will have a pointer to the CRL to 
> check the revocation status of the issuer certificate and NOT the subject 
> certificate.
>
> *From:*pkix [mailto:pkix-bounces@ietf.org] *On Behalf Of *Dhaura Pathirana
> *Sent:* Wednesday, February 28, 2024 1:18 AM
> *To:* pkix@ietf.org
> *Subject:* [pkix] RFC 5280 - Clarification on the Location where CRL 
> URL should be Obtained
>
> Hi all,
>
> Kindly requesting assistance in clarifying the location where the CRL URL 
> should be obtained in order to do CRL validation on an X.509 certificate, 
> since it was not specifically clear in the specification [1].
>
>  1. Should we extract the CRL URL from the certificate itself or from
>     the issuer certificate associated with the validating certificate?
>  2. Furthermore, if the default behavior is to obtain the CRL URL from
>     the certificate itself, and if the CRL URL is unavailable in the
>     certificate itself, is it customary to obtain it from the issuer
>     certificate?
>
> Any assistance on these two questions would be greatly appreciated.
>
> [1] - https://datatracker.ietf.org/doc/html/rfc5280
>
> Thank you.
>
> Kind regards,
>
> Dhaura.
>
>
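Added example (not from the thread, and not any participant's code): a Python script using the `cryptography` library that builds a constructed root / issuing-CA / leaf chain and pulls CRL URLs only from each certificate's own CRLDistributionPoints extension, which is the practice Santosh describes. The CA names and `crl.example.test` URLs are constructed placeholders; `cryptography` is assumed to be installed.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def crl_urls(cert):
    """URIs in *this* certificate's own CRLDistributionPoints extension
    (RFC 5280 4.2.1.13), or [] if absent. Deliberately no fallback to the
    issuer certificate: its CRLDP locates the CRL that covers the issuer."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [name.value for dp in ext.value for name in (dp.full_name or [])
            if isinstance(name, x509.UniformResourceIdentifier)]


def crl_plan(chain):
    """(subject, CRL URLs) for each cert in a leaf-first chain: every certificate
    is checked against the CRL its own extension names."""
    return [(c.subject.rfc4514_string(), crl_urls(c)) for c in chain]


def _cert(subject, issuer, key, signing_key, crl_uri, is_ca):
    """Constructed test certificate (names and URLs are placeholders)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
         .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer)]))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if crl_uri:  # DistributionPoint -> [0] fullName -> [6] uniformResourceIdentifier
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier(crl_uri)], None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(signing_key, hashes.SHA256())


def build_chain(leaf_has_crldp=True):
    """Root (trust anchor, no CRLDP) -> Issuing CA (CRLDP names the root's CRL,
    which covers the CA itself) -> leaf (CRLDP names the issuing CA's CRL)."""
    root_key, ca_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert("Root", "Root", root_key, root_key, None, True)
    ca = _cert("Issuing CA", "Root", ca_key, root_key, "http://crl.example.test/root.crl", True)
    leaf = _cert("leaf.example.test", "Issuing CA", leaf_key, ca_key,
                 "http://crl.example.test/issuing.crl" if leaf_has_crldp else None, False)
    return [leaf, ca, root]
```

With `leaf_has_crldp=False`, `crl_urls(leaf)` returns `[]` rather than the issuing CA's URL, which answers the second question in the thread: the issuer's CRLDP is not a substitute, and an empty result means the verifier must rely on other local means.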