Re: [pkix] RFC 5280 - Clarification on the Location where CRL URL should be Obtained

Santosh Chokhani <santosh.chokhani@gmail.com> Wed, 28 February 2024 13:13 UTC

From: Santosh Chokhani <santosh.chokhani@gmail.com>
To: 'Dhaura Pathirana' <dhaurapathirana@gmail.com>, pkix@ietf.org
References: <CAL4nJSYSJtgKPBmk+LGwYaeyk34i7CRibQ3qnLiNtaLUkVLiSg@mail.gmail.com>
In-Reply-To: <CAL4nJSYSJtgKPBmk+LGwYaeyk34i7CRibQ3qnLiNtaLUkVLiSg@mail.gmail.com>
Date: Wed, 28 Feb 2024 08:13:49 -0500
Message-ID: <256901da6a47$f7e80050$e7b800f0$@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/nUPlQUmBDpeO8CJcqLwOSepNvBM>

The CRL URL needs to be obtained from the certificate, using other local means, or by doing an LDAP lookup for the issuer DN in the certificate and obtaining the proper attribute from the issuer DN's LDAP entry.

The CRL URL in the issuer certificate will have a pointer to the CRL used to check the revocation status of the issuer certificate and NOT the subject certificate.

From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Dhaura Pathirana
Sent: Wednesday, February 28, 2024 1:18 AM
To: pkix@ietf.org
Subject: [pkix] RFC 5280 - Clarification on the Location where CRL URL should be Obtained

Hi all,

Kindly requesting assistance in clarifying the location where the CRL URL should be obtained in order to do CRL validation on an X509 certificate, since it was not specifically clear in the specification [1].

1. Should we extract the CRL URL from the certificate itself or from the issuer certificate associated with the validating certificate?
2. Furthermore, if the default behavior is to obtain the CRL URL from the certificate itself and the CRL URL is unavailable in the certificate itself, is it customary to obtain it from the issuer certificate?

Any assistance on these two questions would be greatly appreciated.

[1] - https://datatracker.ietf.org/doc/html/rfc5280

Thank you.

Kind regards,

Dhaura.
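As an added illustration of the rule stated in the reply at the top of this message (example code written for this archive page, not code from either correspondent, the PKIX working group, or any library): a small pure-Python decoder for the CRLDistributionPoints extension value (RFC 5280 section 4.2.1.13) and a planner that walks a chain leaf-first and reports, for every certificate, the CRL URIs taken from that certificate's own extension. The issuer certificate's extension is consulted only for the issuer itself, and a certificate with no extension falls back to a locally configured source rather than to its issuer's CDP. The DER encoder, the hand-written TLV reader, the chain dictionaries and all names and URLs (crl.example.test, Example Sub CA, and so on) are constructed for this example and are not real identifiers.

```python
"""Which CRL covers which certificate in a chain (constructed example).

Minimal DER reader for the CRLDistributionPoints extension value plus a
planner that, for every certificate in a chain, reports the CRL URIs taken
from THAT certificate's own extension.  The issuer certificate's extension
is only ever used for the issuer itself.  All names and URLs are made up.
"""

# --- tiny DER helpers (single-byte tags, definite lengths only) ------------

def _der(tag, body):
    """Encode one TLV; used only to build the constructed sample data."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                  # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


# --- CRLDistributionPoints --------------------------------------------------

def cdp_extension(*uris):
    """Build a CRLDistributionPoints value with one DistributionPoint per URI:
    SEQUENCE { SEQUENCE { [0] distributionPoint { [0] fullName { [6] uri } } } }"""
    points = b"".join(
        _der(0x30, _der(0xA0, _der(0xA0, _der(0x86, u.encode("ascii")))))
        for u in uris)
    return _der(0x30, points)


def crl_uris(cdp_der):
    """Return the uniformResourceIdentifier GeneralNames from a DER
    CRLDistributionPoints value.  DistributionPoints that carry only
    reasons/cRLIssuer or a nameRelativeToCRLIssuer yield nothing."""
    tag, points, _ = _read_tlv(cdp_der, 0)
    if tag != 0x30:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    uris = []
    for dp_tag, dp in _iter_tlvs(points):
        if dp_tag != 0x30:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        for field_tag, field in _iter_tlvs(dp):
            if field_tag != 0xA0:          # [0] distributionPoint only
                continue
            name_tag, names, _ = _read_tlv(field, 0)
            if name_tag != 0xA0:           # [0] fullName; [1] is an RDN, not a URL
                continue
            for gn_tag, gn in _iter_tlvs(names):
                if gn_tag == 0x86:         # [6] uniformResourceIdentifier, IA5String
                    uris.append(gn.decode("ascii"))
    return uris


# --- which CRL covers which certificate ------------------------------------

def crl_plan(chain):
    """chain: leaf-first list of dicts with 'subject', 'issuer', 'cdp' (DER or None).
    Each certificate is checked against the CRL named in ITS OWN extension and
    signed by ITS issuer; the issuer's extension covers the issuer, not this cert."""
    plan = []
    for cert in chain:
        if cert["subject"] == cert["issuer"]:
            continue                       # self-signed trust anchor: no CRL check
        entry = {"subject": cert["subject"], "crl_signer": cert["issuer"]}
        if cert["cdp"] is None:
            # No extension: fall back to locally configured URLs or an LDAP
            # lookup of the issuer DN, never to the issuer certificate's CDP.
            entry.update(source="local-config-or-ldap", uris=[])
        else:
            entry.update(source="cdp", uris=crl_uris(cert["cdp"]))
        plan.append(entry)
    return plan


# Constructed sample chain (names and URLs are invented for this example).
SAMPLE_CHAIN = [
    {"subject": "CN=server.example.test", "issuer": "CN=Example Sub CA",
     "cdp": cdp_extension("http://crl.example.test/subca.crl")},
    {"subject": "CN=Example Sub CA", "issuer": "CN=Example Root",
     "cdp": cdp_extension("http://crl.example.test/root.crl",
                          "ldap://ldap.example.test/CN=Example%20Root?certificateRevocationList")},
    {"subject": "CN=Example Root", "issuer": "CN=Example Root", "cdp": None},
]

if __name__ == "__main__":
    for entry in crl_plan(SAMPLE_CHAIN):
        print(entry)
```

Running the script prints two plan entries: the leaf maps to subca.crl (signed by the Sub CA) and the Sub CA maps to root.crl and the LDAP URI (signed by the Root); the Root, being self-signed, gets no entry. The reader deliberately handles only what this extension needs (single-byte tags, definite lengths), so it is a teaching aid rather than a replacement for a real ASN.1 library in production validators.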