Re: [pkix] Why is the crlNumber an OCTET STRING?

Peter Gutmann <> Tue, 20 April 2021 22:29 UTC

From: Peter Gutmann <>
To: Russ Housley <>
Date: Tue, 20 Apr 2021 22:28:47 +0000

Russ Housley <> writes:

>the text explains there are various ways that a CRL issuer can assign numbers
>for different scopes that can lead to larger values.

It doesn't really explain it; all it says is:

   If a CRL issuer generates two CRLs (two complete CRLs, two delta
   CRLs, or a complete CRL and a delta CRL) for the same scope at
   different times, the two CRLs MUST NOT have the same CRL number.

So CRL #1 has crlNumber 17, CRL #2 has crlNumber 18.  That's monotonically
increasing, and fits into a standard integer.

Paul Hoffman <> writes:

>you chose to use RFC 3280 instead of RFC 5280. :-(

I used 3280 because that's where the requirement for 20-byte "integers" was
introduced, so I was wondering what caused it.  My guess, for lack of any
obvious reason, was that it was someone's hack/implementation bug that was
written into the spec, because I can't see any other reason for the
OCTET_STRING-as-INTEGER use.  You certainly can't monotonically increase a
counter to the point where it'd be necessary.
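The two properties the thread is arguing about (a plain counter fits in a few octets, while the spec's ceiling is 20 content octets rather than a machine word) can be made concrete with a strict DER encoder and decoder for the crlNumber INTEGER. The following is an added example, not code from the thread, from RFC 5280 or from any of the participants; the function names `encode_crl_number`, `decode_crl_number` and `check_successor` are hypothetical, and the sample values are constructed for illustration. It relies only on the DER rules for INTEGER and on the RFC 5280 s5.2.3 text that crlNumber values MUST NOT be longer than 20 octets.

```python
"""Strict DER handling for the X.509 crlNumber INTEGER (RFC 5280 s5.2.3).

Added example, not code from the [pkix] thread or from the RFC.  Function
names are hypothetical; sample values are constructed for illustration.
"""
from typing import Tuple

# RFC 5280 s5.2.3: "Conforming CRL issuers MUST NOT use CRLNumber values
# longer than 20 octets."  The limit is on the INTEGER content octets.
MAX_CRL_NUMBER_OCTETS = 20


def _encode_length(length: int) -> bytes:
    """DER definite length: short form below 128, minimal long form otherwise."""
    if length < 0x80:
        return bytes([length])
    len_bytes = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(len_bytes)]) + len_bytes


def encode_crl_number(n: int) -> bytes:
    """DER-encode a non-negative integer as an ASN.1 INTEGER (tag 0x02)."""
    if n < 0:
        raise ValueError("crlNumber must be non-negative")
    # Minimal two's-complement: just enough octets to hold n with the sign bit clear.
    # This is why a 160-bit value with its top bit set needs 21 octets, not 20.
    content = n.to_bytes((n.bit_length() // 8) + 1, "big")
    if len(content) > MAX_CRL_NUMBER_OCTETS:
        raise ValueError(
            f"crlNumber needs {len(content)} octets; RFC 5280 allows at most 20")
    return b"\x02" + _encode_length(len(content)) + content


def _decode_length(der: bytes, offset: int) -> Tuple[int, int]:
    """Parse a DER definite length at der[offset]; return (length, next offset)."""
    first = der[offset]
    if first < 0x80:
        return first, offset + 1
    num = first & 0x7F
    if num == 0 or num > 4:  # indefinite form, or absurd size: not DER
        raise ValueError("unsupported length encoding")
    len_bytes = der[offset + 1:offset + 1 + num]
    if len(len_bytes) != num:
        raise ValueError("truncated length")
    length = int.from_bytes(len_bytes, "big")
    if length < 0x80 or len_bytes[0] == 0:
        raise ValueError("non-minimal length encoding")
    return length, offset + 1 + num


def decode_crl_number(der: bytes) -> int:
    """Strictly decode a DER INTEGER as a crlNumber, rejecting what the spec forbids."""
    if len(der) < 2 or der[0] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    length, offset = _decode_length(der, 1)
    content = der[offset:offset + length]
    if len(content) != length or offset + length != len(der):
        raise ValueError("length does not match data")
    if length == 0:
        raise ValueError("INTEGER content must not be empty")
    if content[0] & 0x80:
        raise ValueError("crlNumber must be non-negative")
    # DER forbids a leading 0x00 unless it is needed to keep the sign bit clear.
    if length > 1 and content[0] == 0x00 and not (content[1] & 0x80):
        raise ValueError("non-minimal INTEGER encoding (redundant leading 0x00)")
    if length > MAX_CRL_NUMBER_OCTETS:
        raise ValueError(f"crlNumber is {length} octets; RFC 5280 allows at most 20")
    return int.from_bytes(content, "big")


def check_successor(previous_der: bytes, current_der: bytes) -> bool:
    """Accept a new CRL for a scope only if its number is strictly greater than
    the last one seen: the monotonically increasing sequence the thread refers to."""
    return decode_crl_number(current_der) > decode_crl_number(previous_der)


if __name__ == "__main__":
    # Constructed sample values: a plain counter, then the largest 20-octet value.
    der17, der18 = encode_crl_number(17), encode_crl_number(18)
    print(der17.hex(), der18.hex())           # 020111 020112
    print(check_successor(der17, der18))       # True
    biggest = encode_crl_number((1 << 159) - 1)
    print(len(biggest) - 2)                    # 20 content octets
    try:
        encode_crl_number(1 << 159)            # top bit set: would need 21 octets
    except ValueError as err:
        print(err)
```

Two things to notice when running it: a counter in the tens or thousands encodes to one or two content octets, so a 64-bit integer is already far more than a sequentially numbered CRL will ever need; and the 20-octet ceiling is really a 159-bit ceiling, because any value whose top bit is set needs a leading 0x00 to stay non-negative, so an issuer that derives the number from 20 random or hashed bytes will emit an oversized crlNumber about half the time.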