Re: [pkix] [x500standard] Re: Indirect CRLs

"Erik Andersen" <era@x500.eu> Wed, 18 November 2015 09:33 UTC

From: Erik Andersen <era@x500.eu>
To: x500standard@freelists.org, 'PKIX' <pkix@ietf.org>
References: <002701d12053$dee21d30$9ca65790$@x500.eu> <012001d1208f$d8cab330$8a601990$@gmail.com> <003b01d1210f$ead18240$c07486c0$@x500.eu> <004c01d12113$1dd26d00$59774700$@x500.eu> <072301d12145$b905cc40$2b1164c0$@gmail.com> <5B1D7E570380A64989D4C069F7D14BC8DC3C6D9C@Mustang.missi.ncsc.mil>
In-Reply-To: <5B1D7E570380A64989D4C069F7D14BC8DC3C6D9C@Mustang.missi.ncsc.mil>
Date: Wed, 18 Nov 2015 10:33:02 +0100
Message-ID: <000301d121e4$1f1c3f20$5d54bd60$@x500.eu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/vLDev8M_5Al4mlsmRs0TOpKq3o8>
Subject: Re: [pkix] [x500standard] Re: Indirect CRLs
List-Id: PKIX Working Group <pkix.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>

Hi David,

Thanks for your input. 

You are touching on something about entities. The entity concept is somewhat
confusing. I have made a suggestion in the form of a defect report I have
not so far published. I am not sure how it will be received. I have not
included the issue on entity naming as you mentioned. The proposed defect
report may be found on http://www.x500standard.com/uploads/Ig/DR_414.pdf.  I
will be happy for any comments and/or proposed enhancement.

Kind regards,

Erik
-----Original Message-----
From: Kemp, David P. [mailto:DPKemp@missi.ncsc.mil]
Sent: 17 November 2015 20:45
To: x500standard@freelists.org; 'Erik Andersen' <era@x500.eu>; 'PKIX'
<pkix@ietf.org>
Subject: RE: [x500standard] Re: [pkix] Indirect CRLs

The confusion is worse than that:

    authority: An entity, responsible for the issuance of certificates. Two
    types are defined in this Recommendation | International Standard; a
    certification authority which issues public-key certificates and an
    attribute authority which issues attribute certificates.

    indirect CRL (iCRL): A revocation list that contains at least revocation
    information about certificates issued by authorities other than that
    which issued this CRL.


According to these definitions, an iCRL is issued by an authority, which can
be only an issuer of PKCs or an issuer of ACs.  That's not just confusing,
it's wrong.

But assuming that a third type of authority is added to the definition,
there is still the question of the relationship between entities and
identifiers.  If one entity has more than one identifier (e.g., a CA cert
containing one subject name and an EE cert with a different subject name
referenced in a CRL DP), the relying party has no way of determining that
they are the same "entity".  A heuristic definition of entity would say that
two distinct identifiers refer to the same entity only if the identifiers
are bound together, e.g., by appearing in the Subject Name and Subject Alt
Name of the same certificate.

So to answer your question, if you locally generate a new PKC with another
subject name just for signing CRLs, then you have created a new authority /
entity that is distinct from the CA.



-----Original Message-----
From: x500standard-bounce@freelists.org
[mailto:x500standard-bounce@freelists.org] On Behalf Of Santosh Chokhani
Sent: Tuesday, November 17, 2015 9:39 AM
To: 'Erik Andersen'; x500standard@freelists.org; 'PKIX'
Subject: [x500standard] Re: [pkix] Indirect CRLs

Erik,

Yes it is.

There is no other mechanism defined in X.509 to delegate CRL issuance.  

From: Erik Andersen [mailto:era@x500.eu] 
Sent: Tuesday, November 17, 2015 3:37 AM
To: 'Santosh Chokhani' <santosh.chokhani@gmail.com>;
x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: RE: [pkix] [x500standard] Indirect CRLs

Hi Santosh,

In continuation, I checked the X.509 definition for indirect CRL:

3.5.36   indirect CRL (iCRL): A revocation list that contains at least
revocation information about certificates issued by authorities other than
that which issued this CRL.

This could be a little confusing.

As I understand from your answer, if I as CA delegate the CRL issuing to a
closely related function or even if I locally generate a new PKC with
another subject name just for signing CRLs, it is still an indirect CRL.

Regards,

Erik

From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Erik Andersen
Sent: 17 November 2015 09:14
To: 'Santosh Chokhani' <santosh.chokhani@gmail.com>;
x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: Re: [pkix] [x500standard] Indirect CRLs

Hi Santosh,

Thanks a lot for your answer.

My first impression reading the text was that an indirect CRL is one that
potentially holds revocation information from multiple CAs. Others may have
the same impression. I will check X.509 to see if it is clear enough on this
point.

Kind regards,

Erik

From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokhani
Sent: 16 November 2015 17:57
To: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: Re: [pkix] [x500standard] Indirect CRLs

Yes.  That is an indirect CRL.

Note that the CA needs to assert appropriate cRLIssuer in the
DistributionPoint field of CRL DP extension of each certificate the CA
issues.

From: x500standard-bounce@freelists.org
[mailto:x500standard-bounce@freelists.org] On Behalf Of Erik Andersen
Sent: Monday, November 16, 2015 4:48 AM
To: PKIX <pkix@ietf.org>
Cc: Directory list <x500standard@freelists.org>
Subject: [x500standard] Indirect CRLs

I have a question related to indirect CRLs. RFC 5280 in Section 5:

    If the scope of the CRL includes one or more certificates issued by
    an entity other than the CRL issuer, then it is an indirect CRL.

If a CA has delegated CRL issuing to another entity, but this entity only
issues revocation status for certificates issued by that CA, is the CRL then
an indirect CRL?

Erik
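Editor's note. The delegation Santosh describes (cRLIssuer in the DistributionPoint of each certificate's CRL DP extension, indirectCRL asserted in the CRL's issuing distribution point) and David's point that a CRL-signing PKC with another subject name is a distinct authority both reduce to the relying-party checks of RFC 5280 section 6.3.3 step (b)(1) together with the certificateIssuer CRL entry extension of section 5.3.3. The Python below is an added worked example, not code from the thread, from X.509 or from any participant. It models only those fields, with no ASN.1 parsing, treats names as plain strings compared for equality (a stand-in for the section 7.1 name-matching rules), and uses constructed names, serial numbers and revocation entries.

```python
"""Added example: RFC 5280 indirect-CRL issuer checks, modelled in pure Python.
Names are plain strings compared for equality (a simplification of the RFC 5280
section 7.1 rules); all names, serials and entries below are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DistributionPoint:
    """A DistributionPoint of the CRL Distribution Points extension (4.2.1.13);
    cRLIssuer is set only when CRL issuance is delegated to another entity."""
    crl_issuer: Optional[str] = None


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    crl_dp: Optional[DistributionPoint] = None


@dataclass(frozen=True)
class CRLEntry:
    serial: int
    certificate_issuer: Optional[str] = None  # certificateIssuer entry extension (5.3.3)


@dataclass(frozen=True)
class CRL:
    issuer: str
    entries: List[CRLEntry]
    has_idp: bool = False       # IssuingDistributionPoint extension present
    indirect_crl: bool = False  # its indirectCRL boolean (5.2.5)


def entry_issuers(crl: CRL) -> List[str]:
    """Issuer of each entry per 5.3.3: absent on the first entry it defaults to
    the CRL issuer; absent on a later entry it repeats the preceding entry's."""
    issuers, current = [], crl.issuer
    for entry in crl.entries:
        if entry.certificate_issuer is not None:
            current = entry.certificate_issuer
        issuers.append(current)
    return issuers


def is_indirect(crl: CRL) -> bool:
    """RFC 5280 section 5: the scope includes a certificate from another issuer."""
    return any(name != crl.issuer for name in entry_issuers(crl))


def check_crl_issuer(cert: Certificate, crl: CRL) -> None:
    """6.3.3 step (b)(1); raises ValueError if this CRL must not be used for cert."""
    dp = cert.crl_dp
    if dp is not None and dp.crl_issuer is not None:
        if crl.issuer != dp.crl_issuer:
            raise ValueError("CRL issuer does not match cRLIssuer in the CRL DP")
        if not (crl.has_idp and crl.indirect_crl):
            raise ValueError("delegated CRL lacks an IDP with indirectCRL asserted")
    elif crl.issuer != cert.issuer:
        raise ValueError("CRL issuer differs from certificate issuer; no cRLIssuer")


def usable(cert: Certificate, crl: CRL) -> bool:
    """True when check_crl_issuer accepts the (certificate, CRL) pair."""
    try:
        check_crl_issuer(cert, crl)
        return True
    except ValueError:
        return False


def is_revoked(cert: Certificate, crl: CRL) -> bool:
    """6.3.3 step (j): match on (certificate issuer, serial number)."""
    check_crl_issuer(cert, crl)
    return any(e.serial == cert.serial and issuer == cert.issuer
               for e, issuer in zip(crl.entries, entry_issuers(crl)))


# Constructed sample data with hypothetical names (not from the thread).
CA = "CN=Example CA"                # the CA that issues the certificates
DELEGATE = "CN=Example CRL Issuer"  # a separate PKC used only to sign CRLs

# Case 1: the CA signs its own CRL. Direct: no cRLIssuer, no indirectCRL.
DIRECT_CERT = Certificate(CA, 1001, DistributionPoint())
DIRECT_CRL = CRL(CA, [CRLEntry(1001)])

# Case 2: Erik's question. CRL issuance delegated to DELEGATE, which lists only
# this CA's certificates. Still indirect, as Santosh says: the certificate names
# DELEGATE as cRLIssuer, the CRL asserts indirectCRL, and the first entry must
# carry certificateIssuer, otherwise it is read as a DELEGATE-issued serial.
DELEGATED_CERT = Certificate(CA, 2002, DistributionPoint(crl_issuer=DELEGATE))
DELEGATED_CRL = CRL(DELEGATE, [CRLEntry(2002, certificate_issuer=CA), CRLEntry(2003)],
                    has_idp=True, indirect_crl=True)
DELEGATED_CRL_NO_ENTRY_EXT = CRL(DELEGATE, [CRLEntry(2002)], has_idp=True, indirect_crl=True)
DELEGATED_CRL_NO_IDP = CRL(DELEGATE, [CRLEntry(2002, certificate_issuer=CA)])

# Case 3: David's point. A CRL-signing PKC with another subject name is a distinct
# authority; a certificate that does not name it as cRLIssuer cannot use its CRL.
UNDELEGATED_CERT = Certificate(CA, 3003, DistributionPoint())

if __name__ == "__main__":
    print("direct CRL:", is_indirect(DIRECT_CRL), is_revoked(DIRECT_CERT, DIRECT_CRL))
    print("delegated CRL:", is_indirect(DELEGATED_CRL), is_revoked(DELEGATED_CERT, DELEGATED_CRL))
    print("first entry without certificateIssuer:", is_revoked(DELEGATED_CERT, DELEGATED_CRL_NO_ENTRY_EXT))
    print("usable:", usable(DELEGATED_CERT, DELEGATED_CRL_NO_IDP), usable(UNDELEGATED_CERT, DELEGATED_CRL))
```

Two points the model makes visible. First, in the delegated case the CRL issuer is not the CA, so an entry without the certificateIssuer extension is attributed to the CRL issuer itself and never matches the CA's certificate: the delegated issuer has to set certificateIssuer on the first entry even when the CRL covers a single CA. Second, the check that fails for the undelegated certificate fails on the issuer name, not on the signature, which is David's point that two different subject names are two authorities unless the certificates bind them together. A real implementation replaces the string comparison with the section 7.1 name-matching rules and additionally verifies the CRL signature against the cRLIssuer's key.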