RE: not required to support IDP?

Peter Williams <peterw@valicert.com> Thu, 21 February 2002 00:04 UTC

Date: Wed, 20 Feb 2002 15:21:57 -0800
From: Peter Williams <peterw@valicert.com>
Subject: RE: not required to support IDP?
To: "'David A. Cooper'" <david.cooper@nist.gov>, ietf-pkix@imc.org
Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E01F4A4F4@exchange.valicert.com>
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>


Summary

Side issue for the unwary, for IDPs or CRLs or OCSP
or ORACLE responses, and the distinction between revocation 
information and revocation notice

-------

For those embroiled in IP and legal matters concerning validity, 
one can note that a CA that DOES NOT issue a CRL/DP DOES NOT
issue/perform X.509 "revocation *notice*", by definition.

Similarly, only when an OCSP responder provides a 
reading-service for a CRL on which a particular revocation 
notice is first posted can an OCSP responder (under policy) be 
said to be *publishing* that revocation notice. In no
sense does the mere act by a CA of delegating authority to
an OCSP responder mean that an OCSP responder 
response performs the act of publishing an 
X.509 revocation notice. The same limitation
is true for an ORACLE database Repository 
controlled by a CA.

Relying on an OCSP or ORACLE responder to help verify a 
claimed-legal signature without very carefully reading and vetting
the validation policy of the Repository is not a 
reasonable thing to do. Sadly, almost all of the Internet's
PKI repositories make false claims about
their status as an "X.509 compliant" means for 
publishing revocation notice.


-----Original Message-----
From: David A. Cooper [mailto:david.cooper@nist.gov]
Sent: Wednesday, February 20, 2002 2:12 PM
To: ietf-pkix@imc.org
Subject: RE: not required to support IDP?



Simon,

I agree that PKIX did not mean to suggest that one could accept a CRL containing
a critical IDP extension even if you can not process the extension. PKIX is
simply saying that you are not required to have the ability to process the
extension, even though this will mean that you may have to reject some CRLs.

However, X.509 does not require that a CA issue full CRLs. If this
requirement did appear in X.509 (1997), it has been removed in X.509 (2000).
In fact, X.509 makes clear that CAs may choose not to issue CRLs at all,
either because they do not revoke certificates or because they only publish
revocation information using some other mechanism (e.g., OCSP).

So, an X.509 compliant CA could issue only partitioned CRLs, in which case a
relying party that could not process the IDP extension would be unable to
obtain revocation information.

Dave

At 04:53 PM 2/20/02 +0100, Simon Tardell wrote:

>Hi Hiro,
>
>Of course, any critical extension that you don't understand must cause
>you to reject the CRL. However, according to X.509(97) 12.6.1
>f) a complete CRL shall always be issued, even if partitioned CRLs are
>also issued. That means that you don't have to support partitioned CRLs,
>since there is always (if the CA is X.509 compliant) a complete CRL to
>get. For many applications, partitioning CRLs may not even be the best
>answer to the problem you try to solve (depending on the problem of
>course).
>
>Simon
>
>Simon Tardell, Software Architect, SmartTrust
>voice +46 8 6853174, fax +46 8 6856530
>cell +46 70 3198319, simon.tardell@smarttrust.com
>
>
> > -----Original Message-----
> > From: Hiro [mailto:yoshida@secomtrust.net] 
> > Sent: den 20 februari 2002 14:57
> > To: ietf-pkix@imc.org
> > Subject: not required to support IDP?
> > 
> > 
> > 
> > 
> > Hi,
> > I have one question about the Issuing Distribution Point 
> > extension. RFC2459 and draft-ietf-pkix-new-part1-12.txt 
> > say about this extension:
> > 
> >     "Although the extension is critical, conforming implementations
> >      are not required to support this extension."
> > 
> > I cannot understand this.
> > I think it not only conflicts with the critical flag 
> > concept, but also, if a CA is issuing a CRL/ARL (not a complete 
> > CRL) and a CRL substitution attack happens on the 
> > directory, the EE should be able to find this attack.
> > So I think this extension must be supported.
> > 
> > Can anyone answer this question?
> > 
> > Regards,
> > 
> > 
> > 
> > --
> > Hiro
> > yoshida@secomtrust.net
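The two behaviours discussed in this thread, in runnable form. This is an
added example, not code posted by anyone in the thread: it hand-encodes an
IssuingDistributionPoint extension (DER, stdlib only, no signature or
TBSCertList modelled), then shows a relying party that (a) rejects any CRL
carrying a critical extension it does not support, as Simon and Dave describe,
and (b) when it does support IDP, checks the IDP distribution point against the
certificate's CRL DP, which is what catches the partition-CRL substitution Hiro
worries about. The CA URLs, the CRL number and the scenario are constructed.

```python
"""Relying-party handling of a critical IssuingDistributionPoint (IDP) CRL extension:
fail closed when IDP is unsupported and, when it is supported, match the CRL's IDP
against the certificate's CRL distribution point so a substituted partition CRL is
rejected.  Added example, stdlib only; extension lists are hand-built, no signature
is modelled, and the URLs are made up."""

def tlv(tag, content):
    assert len(content) < 0x80                 # short-form length is enough here
    return bytes([tag, len(content)]) + content

def der_items(buf):
    """Split a DER blob into its top-level (tag, content) elements."""
    items, i = [], 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        items.append((tag, buf[i:i + length]))
        i += length
    return items

OID_IDP = bytes.fromhex("551d1c")         # 2.5.29.28 issuingDistributionPoint
OID_CRL_NUMBER = bytes.fromhex("551d14")  # 2.5.29.20 cRLNumber

def build_idp(dp_uri=None, only_user_certs=False):
    """Encode IssuingDistributionPoint (RFC 5280 5.2.5); DEFAULT FALSE fields omitted."""
    body = b""
    if dp_uri is not None:
        general_name = tlv(0x86, dp_uri.encode("ascii"))   # [6] uniformResourceIdentifier
        full_name = tlv(0xA0, general_name)                 # [0] fullName (GeneralNames)
        body += tlv(0xA0, full_name)                        # [0] distributionPoint (CHOICE: explicit tag)
    if only_user_certs:
        body += tlv(0x81, b"\xff")                          # [1] onlyContainsUserCerts
    return tlv(0x30, body)

def parse_idp(value):
    idp = {"uris": [], "only_user_certs": False}
    for tag, content in der_items(der_items(value)[0][1]):
        if tag == 0xA0:
            choice_tag, names = der_items(content)[0]
            if choice_tag == 0xA0:                          # fullName
                idp["uris"] = [c.decode("ascii") for t, c in der_items(names) if t == 0x86]
            else:                                           # nameRelativeToCRLIssuer
                idp["relative_name"] = True
        elif tag == 0x81:
            idp["only_user_certs"] = content == b"\xff"
    return idp

def extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, oid) + flag + tlv(0x04, value))

def parse_extensions(extensions_der):
    """Decode a crlExtensions SEQUENCE OF Extension into (oid, critical, value) tuples."""
    (_, body), = der_items(extensions_der)
    out = []
    for _, ext in der_items(body):
        parts = der_items(ext)
        critical = len(parts) == 3 and parts[1][1] == b"\xff"
        out.append((parts[0][1], critical, parts[-1][1]))
    return out

def crl_applies(cert_dp_uris, cert_is_ca, crl_extensions, supported_oids):
    """Is this CRL usable for this certificate?  Returns (usable, reason).  Signature and
    issuer checks are assumed done elsewhere; scope rules follow RFC 5280 6.3.3 (b)."""
    for oid, critical, _ in crl_extensions:                 # general X.509 rule first
        if critical and oid not in supported_oids:
            return False, "unrecognised critical extension " + oid.hex()
    for oid, _, value in crl_extensions:
        if oid != OID_IDP:
            continue
        idp = parse_idp(value)
        if idp.get("relative_name"):
            return False, "relative distribution point name not supported"
        if idp["uris"] and not set(idp["uris"]) & set(cert_dp_uris):
            return False, "IDP %s does not match the certificate's CRL DP" % ", ".join(idp["uris"])
        if idp["only_user_certs"] and cert_is_ca:
            return False, "CRL covers only end-entity certificates"
    return True, "CRL is in scope"

def demo():
    """Constructed scenario: the cert points at part2.crl; an attacker copies part1.crl over it."""
    cert_dp = ["http://crl.ca.example/part2.crl"]
    crl_number = extension(OID_CRL_NUMBER, False, tlv(0x02, b"\x07"))
    genuine = tlv(0x30, crl_number + extension(OID_IDP, True, build_idp(cert_dp[0])))
    substituted = tlv(0x30, crl_number + extension(OID_IDP, True, build_idp("http://crl.ca.example/part1.crl")))
    complete = tlv(0x30, crl_number)                        # full CRL: no IDP at all
    with_idp, without_idp = {OID_IDP, OID_CRL_NUMBER}, {OID_CRL_NUMBER}
    return {
        "genuine_idp_aware": crl_applies(cert_dp, False, parse_extensions(genuine), with_idp),
        "substituted_idp_aware": crl_applies(cert_dp, False, parse_extensions(substituted), with_idp),
        "substituted_no_idp_support": crl_applies(cert_dp, False, parse_extensions(substituted), without_idp),
        "complete_no_idp_support": crl_applies(cert_dp, False, parse_extensions(complete), without_idp),
    }
```

Running demo() gives four outcomes: the genuine partition CRL is usable by an
IDP-aware client; the substituted partition (a CRL the same CA really signed,
so the signature verifies, but whose IDP names part1.crl) is rejected by an
IDP-aware client on the scope check; a client with no IDP support rejects the
same CRL only because the extension is critical and unrecognised, which is the
fail-closed behaviour the critical flag buys; and a complete CRL with no IDP is
usable by either. A client that ignored the critical flag and accepted the
substituted CRL would see the certificate as unrevoked.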