Re: [pkix] [x500standard] Indirect CRLs
"Santosh Chokhani" <santosh.chokhani@gmail.com> Tue, 17 November 2015 14:39 UTC
Return-Path: <santosh.chokhani@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 281BB1A88C0 for <pkix@ietfa.amsl.com>; Tue, 17 Nov 2015 06:39:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wIF6g0r59V9g for <pkix@ietfa.amsl.com>; Tue, 17 Nov 2015 06:39:10 -0800 (PST)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E981E1A8856 for <pkix@ietf.org>; Tue, 17 Nov 2015 06:39:09 -0800 (PST)
Received: by qkas77 with SMTP id s77so3324958qka.0 for <pkix@ietf.org>; Tue, 17 Nov 2015 06:39:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:references:in-reply-to:subject:date:message-id:mime-version :content-type:thread-index:content-language; bh=6uCHpnXm0Y18mDAckngRNCJJgTceMoJV5VCflMZPkJc=; b=u5ORpsM4AdyuLU3QjX0R27xdI/pxTvkJMx2LbdpTeOaSrQq5erxjbd9TOa1HEVkq9G ztQ3osNbeq8I6OMCTooDeBPiP6NqG7OHnmkjUVjhBkNleE1M89XjAcj5ndu+5fF+MibZ f4U0+LUqgdS/BDkvM3MYL9hLrfvP7MqfibTRz1O+ujfjfzWumB5EggL9s0EEzZu3cK8v eMKMTJcUyqvmXLBRDfomnD4CCitn4G8XbdFb9SMVXkh28EkSq3kXJmBQ3l+j7fyjNBp5 1mCz8df+1K5Kpgnjg8iRKzjS492wqK6MFFosBi7Yjvq7SsM7yCj+6q1v6zpNZbizHy0M 8//A==
X-Received: by 10.55.72.66 with SMTP id v63mr41707305qka.105.1447771149084; Tue, 17 Nov 2015 06:39:09 -0800 (PST)
Received: from SantoshBrain (pool-108-31-66-4.washdc.fios.verizon.net. [108.31.66.4]) by smtp.gmail.com with ESMTPSA id w14sm10228768qge.24.2015.11.17.06.39.08 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 17 Nov 2015 06:39:08 -0800 (PST)
From: Santosh Chokhani <santosh.chokhani@gmail.com>
To: 'Erik Andersen' <era@x500.eu>, x500standard@freelists.org, 'PKIX' <pkix@ietf.org>
References: <002701d12053$dee21d30$9ca65790$@x500.eu> <012001d1208f$d8cab330$8a601990$@gmail.com> <003b01d1210f$ead18240$c07486c0$@x500.eu> <004c01d12113$1dd26d00$59774700$@x500.eu>
In-Reply-To: <004c01d12113$1dd26d00$59774700$@x500.eu>
Date: Tue, 17 Nov 2015 09:39:10 -0500
Message-ID: <072301d12145$b905cc40$2b1164c0$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0724_01D1211B.D033BBE0"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQHe19kKlDjUbKxoDOCow0BcjpR94QJLV6rQAUpwCusCh7ACq55T7YCA
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/oy4-lUImlpYK1WnwEMGbI5FQC7E>
Subject: Re: [pkix] [x500standard] Indirect CRLs
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 14:39:12 -0000
Erik, Yes it is. There is no other mechanism defined in X.509 to delegate CRL issuance. From: Erik Andersen [mailto:era@x500.eu] Sent: Tuesday, November 17, 2015 3:37 AM To: 'Santosh Chokhani' <santosh.chokhani@gmail.com>; x500standard@freelists.org; 'PKIX' <pkix@ietf.org> Subject: SV: [pkix] [x500standard] Indirect CRLs Hi Santosh, In continuation, I checked the X.509 definition for indirect CRL : 3.5.36 indirect CRL (iCRL): A revocation list that contains at least revocation information about certificates issued by authorities other than that which issued this CRL. This could be a little confusing. As I understand from your answer, if I as CA delegate the CRL issuing to a closely related function or even if I locally generate a new PKC with another subject name just for signing CRLs, it is still an indirect CRL. Regards, Erik Fra: pkix [mailto:pkix-bounces@ietf.org] På vegne af Erik Andersen Sendt: 17 November 2015 09:14 Til: 'Santosh Chokhani' <santosh.chokhani@gmail.com <mailto:santosh.chokhani@gmail.com> >; x500standard@freelists.org <mailto:x500standard@freelists.org> ; 'PKIX' <pkix@ietf.org <mailto:pkix@ietf.org> > Emne: Re: [pkix] [x500standard] Indirect CRLs Hi Santosh, Thanks a lot for your answer. My first impression reading the text was that an indirect CRL is one that potentially holds revocation information from multiple CAs. Others may have the same impression. I will check X.509 to see if it clear enough on this point. Kind regards, Erik Fra: pkix [mailto:pkix-bounces@ietf.org] På vegne af Santosh Chokhani Sendt: 16 November 2015 17:57 Til: x500standard@freelists.org <mailto:x500standard@freelists.org> ; 'PKIX' <pkix@ietf.org <mailto:pkix@ietf.org> > Emne: Re: [pkix] [x500standard] Indirect CRLs Yes. That is an indirect CRL. Note that the CA needs to assert appropriate cRLIssuer in the DistributionPoint field of CRL DP extension of each certificate the CA issues. From: x500standard-bounce@freelists.org <mailto:x500standard-bounce@freelists.org> [mailto:x500standard-bounce@freelists.org] On Behalf Of Erik Andersen Sent: Monday, November 16, 2015 4:48 AM To: PKIX <pkix@ietf.org <mailto:pkix@ietf.org> > Cc: Directory list <x500standard@freelists.org <mailto:x500standard@freelists.org> > Subject: [x500standard] Indirect CRLs I have a question related to indirect CRLs. RFC 5280 in Section 5: If the scope of the CRL includes one or more certificates issued by an entity other than the CRL issuer, then it is an indirect CRL. If a CA has delegated CRL issuing to another entity, but this entity only issues revocation status for certificates issued by that CA, is the CRL then an indirect CRL? Erik
- [pkix] Indirect CRLs Erik Andersen
- Re: [pkix] [x500standard] Indirect CRLs Santosh Chokhani
- Re: [pkix] [x500standard] Indirect CRLs Erik Andersen
- Re: [pkix] [x500standard] Indirect CRLs Erik Andersen
- Re: [pkix] [x500standard] Indirect CRLs Santosh Chokhani
- Re: [pkix] [x500standard] Re: Indirect CRLs Kemp, David P.
- Re: [pkix] [x500standard] Re: Indirect CRLs Erik Andersen
- Re: [pkix] [x500standard] Indirect CRLs Martin Rex
- Re: [pkix] [x500standard] Indirect CRLs Santosh Chokhani
- Re: [pkix] [x500standard] Indirect CRLs Erik Andersen
- Re: [pkix] [x500standard] Indirect CRLs Martin Rex
- Re: [pkix] [x500standard] SV: Indirect CRLs Santosh Chokhani
- Re: [pkix] [x500standard] Indirect CRLs Santosh Chokhani
- Re: [pkix] [x500standard] Re: SV: Indirect CRLs Erik Andersen
- Re: [pkix] [x500standard] SV: Re: SV: Indirect CR… Santosh Chokhani
- Re: [pkix] [x500standard] SV: Re: SV: Indirect CR… Erik Andersen
- Re: [pkix] [x500standard] SV: Re: SV: Indirect CR… Stephen Farrell
- Re: [pkix] [x500standard] SV: Re: SV: Indirect CR… Erik Andersen
- Re: [pkix] [x500standard] SV: Re: SV: Indirect CR… Stephen Farrell