Re: [pkix] [x500standard] SV: Re: SV: Indirect CRLs

"Erik Andersen" <era@x500.eu> Fri, 20 November 2015 16:33 UTC

From: "Erik Andersen" <era@x500.eu>
To: <x500standard@freelists.org>, "'PKIX'" <pkix@ietf.org>
References: <012001d1208f$d8cab330$8a601990$@gmail.com> <20151119145411.819BD1A383@ld9781.wdf.sap.corp> <070301d122e7$0ebf41a0$2c3dc4e0$@gmail.com> <001001d122ea$8d3aaee0$a7b00ca0$@x500.eu> <07f801d122fb$50a39ad0$f1ead070$@gmail.com> <001301d12382$890371c0$9b0a5540$@x500.eu> <0b3d01d123aa$3ab3cf10$b01b6d30$@gmail.com>
In-Reply-To: <0b3d01d123aa$3ab3cf10$b01b6d30$@gmail.com>
Date: Fri, 20 Nov 2015 17:33:46 +0100
Message-ID: <000b01d123b1$3a78e4c0$af6aae40$@x500.eu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/uOkrdoZ9biDathkcmjzVRXfjE0Q>

Hi Santosh,

Thanks a lot. That would be very helpful. I am quite pressed for time. It is
the plan to have the next edition of X.509 ready at ITU-T in September next
year. This is necessary, as the smart grid security people need to reference
X.509 for their use of authorization and validation lists (whitelists). To
meet the schedule, I need to have the next PDAM out for ballot at the end of
this month. The same applies for a technical corrigendum covering all
identified defects.

Regards,

Erik

-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokhani
Sent: 20 November 2015 16:44
To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: Re: [pkix] [x500standard] SV: Re: SV: Indirect CRLs

Erik,

I am happy to help craft or review additional exposition if that helps.

-----Original Message-----
From: x500standard-bounce@freelists.org
[mailto:x500standard-bounce@freelists.org] On Behalf Of Erik Andersen
Sent: Friday, November 20, 2015 6:00 AM
To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: [x500standard] SV: Re: SV: [pkix] Indirect CRLs

Hi Santosh,

Try to imagine a guy who is completely new to PKI and picks up X.509 or RFC
5280 to learn about it. Will he understand what an indirect CRL is by just
looking at some brief statements on what an iCRL is?

8.5.2.2	CRL scope extension (deprecated) has the following statements:

–	simple CRLs that provide revocation information about certificates
issued by a single authority; 
–	indirect CRLs that provide revocation information about certificates
issued by multiple authorities;

It was a statement like this that made me wrongly believe that it is only
an iCRL if there is certificate info from multiple authorities.

I also have some comments on your other mail.

Regards,

Erik

-----Original Message-----
From: x500standard-bounce@freelists.org
[mailto:x500standard-bounce@freelists.org] On Behalf Of Santosh Chokhani
Sent: 19 November 2015 19:52
To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: [x500standard] Re: SV: [pkix] Indirect CRLs

Erik,

Look at Section 8.6.2.1 of X.509 and I quote the following: "The cRLIssuer
component identifies the authority that issues and signs the CRL. If this
component is absent, the CRL issuer name defaults to the certificate issuer
name."

Also see Section C.5.1.4 of X.509.

-----Original Message-----
From: x500standard-bounce@freelists.org
[mailto:x500standard-bounce@freelists.org] On Behalf Of Erik Andersen
Sent: Thursday, November 19, 2015 11:52 AM
To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: [x500standard] SV: [pkix] Indirect CRLs

Within X.509 there is not even a small paragraph introducing indirect CRLs
where such information could be introduced. Besides the brief definition,
iCRLs are mentioned the first time within the CRL scope extension (which is
deprecated).

Erik

-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokhani
Sent: 19 November 2015 17:27
To: mrex@sap.com
Cc: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: Re: [pkix] [x500standard] Indirect CRLs

Without doing the latter, the relying party will not be able to use the
indirect CRL to verify the revocation status of the certificate in the scope
of the indirect CRL.

-----Original Message-----
From: Martin Rex [mailto:mrex@sap.com]
Sent: Thursday, November 19, 2015 9:54 AM
To: Santosh Chokhani <santosh.chokhani@gmail.com>
Cc: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: Re: [pkix] [x500standard] Indirect CRLs

Santosh Chokhani wrote:
> Yes.  That is an indirect CRL.
> 
> Note that the CA needs to assert appropriate cRLIssuer in the 
> DistributionPoint field of CRL DP extension of each certificate the CA 
> issues.

Huh?  The latter comment has exactly nothing to do with indirect CRLs.

-Martin

_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix

-----
www.x500standard.com: The central source for information on the X.500
Directory Standard.
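As an added example (not code from this thread, from X.509 or from RFC 5280), the following Python model shows the rule Santosh quotes from 8.6.2.1 and the matching step of RFC 5280 6.3.3(b)(1): a relying party compares the CRL issuer with cRLIssuer in the certificate's DistributionPoint, defaulting to the certificate issuer when cRLIssuer is absent, and for an indirect CRL attributes each entry to the issuer named by the certificateIssuer entry extension. All class names, distinguished names and serial numbers are constructed; the sample iCRL lists revocations from a single CA and is still indirect, because its signer differs from the certificate issuer.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class DistributionPoint:
    crl_issuer: Optional[str] = None  # cRLIssuer; absent => defaults to cert issuer

@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    crl_dp: DistributionPoint  # one DistributionPoint of the CRL DP extension

@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    certificate_issuer: Optional[str] = None  # certificateIssuer entry extension

@dataclass(frozen=True)
class CRL:
    issuer: str                 # name that signs the CRL
    indirect: bool              # indirectCRL flag in issuingDistributionPoint
    entries: List[RevokedEntry]

def crl_in_scope(cert: Certificate, crl: CRL) -> bool:
    """X.509 8.6.2.1 / RFC 5280 6.3.3(b)(1): match the CRL issuer against the DP."""
    dp = cert.crl_dp
    if dp.crl_issuer is not None:
        return crl.issuer == dp.crl_issuer and crl.indirect
    return crl.issuer == cert.issuer  # cRLIssuer absent: CRL issuer must be the cert issuer

def is_revoked(cert: Certificate, crl: CRL) -> Optional[bool]:
    """None: CRL not usable for this cert; otherwise the status it reports."""
    if not crl_in_scope(cert, crl):
        return None
    # RFC 5280 5.3.3: iCRL entries belong to the CRL issuer until certificateIssuer switches it.
    entry_issuer = crl.issuer
    for e in crl.entries:
        if e.certificate_issuer is not None:
            entry_issuer = e.certificate_issuer
        if entry_issuer == cert.issuer and e.serial == cert.serial:
            return True
    return False

# Constructed sample: one CA delegates CRL issuance to a separate CRL signer.
CA, SIGNER = "CN=Example CA", "CN=Example CRL Issuer"
cert_ok = Certificate(CA, 1001, DistributionPoint(crl_issuer=SIGNER))
cert_no_dp_issuer = Certificate(CA, 1001, DistributionPoint())  # cRLIssuer omitted
icrl = CRL(SIGNER, indirect=True, entries=[RevokedEntry(1001, certificate_issuer=CA)])
```

With the same iCRL, `is_revoked(cert_ok, icrl)` reports the revocation, while `is_revoked(cert_no_dp_issuer, icrl)` returns None: without cRLIssuer in the DP the relying party cannot use the indirect CRL at all, which is the point Santosh makes above.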