Re: [pkix] Why is the crlNumber an OCTET STRING?

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 22 April 2021 11:21 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Stefan Santesson <stefan@aaa-sec.com>, Russ Housley <housley@vigilsec.com>
CC: IETF PKIX <pkix@ietf.org>
Thread-Topic: [pkix] Why is the crlNumber an OCTET STRING?
Date: Thu, 22 Apr 2021 11:21:24 +0000
Message-ID: <1619090483847.17566@cs.auckland.ac.nz>
References: <3d6d5a6ea9ca4a6a99791da46435b7cf@uxcn13-tdc-d.UoA.auckland.ac.nz> <490638C0-9D93-4998-9F5D-1C9804B8E95C@vigilsec.com> <1618955894307.55564@cs.auckland.ac.nz> <59C6BBA3-324C-4777-8A26-6E32B7D1946C@vigilsec.com> <1618957726686.74538@cs.auckland.ac.nz> <SYBPR01MB5616009D18496B7FD5CA38E1E5479@SYBPR01MB5616.ausprd01.prod.outlook.com> <1619018456026.55711@cs.auckland.ac.nz> <E16F5376-2D0F-4B04-8734-FB16892DD448@vigilsec.com> <1619020072637.77385@cs.auckland.ac.nz> <724D3978-46C6-4527-8A81-A928EEFDE217@vigilsec.com>, <f6d0bc20-2c92-3df8-a2a5-651f4e4f1dc1@aaa-sec.com>
In-Reply-To: <f6d0bc20-2c92-3df8-a2a5-651f4e4f1dc1@aaa-sec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/nGbPWTDg2cNfU7Axd_pDWrwF-xs>
Subject: Re: [pkix] Why is the crlNumber an OCTET STRING?

Stefan Santesson <stefan@aaa-sec.com> writes:

>I have done quite some PKI validation implementations, but I have never found
>any reason yet to check the CRL number for any reason whatsoever.

Same here, could never figure out what the purpose of it was.  Russ' answer
about partitioned CRLs makes sense, but I'd never even considered that
because, like delta CRLs, I've never encountered anyone brave enough to want
to see what clients do in response to seeing one.

>When I do CRL checking, I download the current CRL, check that it is current
>and still valid, and has the intended scope.
>
>No more, and no less. CRL number is not part of that process.

Yup.

>So basically, I find this interesting intellectually, but in what practical
>context does this matter?

I've got a client who asked about it, and my response of "I have no idea what
purpose these things serve" was possibly a bit underwhelming :-).

Peter.
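An added example, not code from the thread, using only Python's standard library: it decodes the cRLNumber extension as RFC 5280 lays it out (the extnValue OCTET STRING is the generic extension wrapper, and inside it sits a DER INTEGER) and then applies the three checks Stefan lists, which never consult the decoded number. The DER bytes, issuer name and dates are constructed sample values.

```python
from datetime import datetime, timezone

CRL_NUMBER_OID = bytes.fromhex("551d14")  # content octets of id-ce-cRLNumber (2.5.29.20)

def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def crl_number_from_extension(ext_der):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    The OCTET STRING is just the wrapper every extension uses; inside it sits a DER INTEGER
    (CRLNumber ::= INTEGER (0..MAX)), which is the value callers actually want."""
    tag, body, _ = der_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = der_tlv(body)
    if tag != 0x06 or oid != CRL_NUMBER_OID:
        raise ValueError("not the cRLNumber extension")
    tag, val, pos = der_tlv(body, pos)
    if tag == 0x01:  # explicit critical flag present; skip it
        tag, val, pos = der_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, num, _ = der_tlv(val)  # unwrap the OCTET STRING to reach the INTEGER
    if tag != 0x02:
        raise ValueError("cRLNumber must be an INTEGER")
    return int.from_bytes(num, "big", signed=True)

def crl_usable(crl, expected_issuer, now):
    """The check as described in the thread: current, still valid, intended scope.
    crl["crl_number"] is available but deliberately not consulted."""
    return crl["issuer"] == expected_issuer and crl["this_update"] <= now <= crl["next_update"]

# Constructed sample data: a cRLNumber extension with value 5, and a CRL summary using it.
SAMPLE_EXT = bytes.fromhex("300a0603551d140403020105")
SAMPLE_CRL = {
    "issuer": "CN=Example CA",
    "this_update": datetime(2021, 4, 1, tzinfo=timezone.utc),
    "next_update": datetime(2021, 5, 1, tzinfo=timezone.utc),
    "crl_number": crl_number_from_extension(SAMPLE_EXT),
}
NOW_OK = datetime(2021, 4, 22, tzinfo=timezone.utc)
NOW_EXPIRED = datetime(2021, 6, 1, tzinfo=timezone.utc)
```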