IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Tue, 12 October 2021 13:35 UTC

Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D9E93A123E for <spasm@ietfa.amsl.com>; Tue, 12 Oct 2021 06:35:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.798
X-Spam-Level:
X-Spam-Status: No, score=-1.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=siemens.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n3LxgPnu9cKR for <spasm@ietfa.amsl.com>; Tue, 12 Oct 2021 06:35:34 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-eopbgr150045.outbound.protection.outlook.com [40.107.15.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B0DF3A1243 for <spasm@ietf.org>; Tue, 12 Oct 2021 06:35:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DAPqCdYVBDUhqbnyNvvJE2JaPpXTfx73aWDAGOPxRM/9RYVP08Qtc7q6Xj5Ga+/ZbrNBtw+3MOf0setCVwZE7xN5bCIoWMYpaQZ9YykUuWgRHhH+JMSE3tP4dqbDZaS7CTQmDlum94F5HVneeRQ9IU6tqKDveov18S4n6lNKYOliaXeJE2FsHBHWH0JryOpoMpYVcFJSSnbL5zExQtaGfWlqHH6hhpnQ+LfoVn1fy4j0BJR5XNsf4D6bUVsA064kv1+JROrvuEnjM7SEffOndPzvIzesjn1YE5m6sY+fA5+z7NdCIjuTC+gCD+HUi531bqRKYNdq0csrZAC0if0QdA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=z/iWIFxyMiFtChhAnjSQOyvmvZbepAdZaKcaYYQR5Xw=; b=dswybw5kDpZaeNbDBX8Rad6MTVISXHH8iUF3HvjF/uAQh/6Kows8DNDtHaArTFuAfYjdTKk2p3yeEMAZppqgfskZYuIMgVwOy6fgW0N5AF5KOAxsInmwtqnpafg/sAdDTBT0+z2IAm6+xAieFWhI/5F5pdjdE2W7oeZi3G9kiT5t2FQzWZy6UUwWqkywMXk9zMvrUs9PeEw4/vcru2E/xB+V485U2gZgWTiuX/LJp9ywoBsONX3pzZrjlNQinsZ5vrd+bbkE2KjMQCpJ+ImyjZy1/g4qP3vfK4jcaEliDacYCm0FQEBHrB927ImYPHPSMM4ViCabjlVdL2eJdI2LMA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.onmicrosoft.com; s=selector1-siemens-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=z/iWIFxyMiFtChhAnjSQOyvmvZbepAdZaKcaYYQR5Xw=; b=fyYDrJADsoqT/723mvmuQ1mbJxvp5iOzTw/1t0OLK10oqBvaWL6j8Cd76cRZK5jnoUWHxSjeiOUoYzFVhLneTeOyrTyT38zhumlILa4EZvlzRuTMbTbdMI9fCQ6dn+VayBaJaKCMc+AmrBDMB9mK6dmh7pQRv/hlGer1m0ncGR0=
Received: from AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:208:dd::17) by AM0PR10MB2210.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:208:d5::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4587.21; Tue, 12 Oct 2021 13:35:24 +0000
Received: from AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM ([fe80::dd30:5800:70a4:8b29]) by AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM ([fe80::dd30:5800:70a4:8b29%5]) with mapi id 15.20.4587.026; Tue, 12 Oct 2021 13:35:24 +0000
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: David von Oheimb <nl0@von-Oheimb.de>, Russ Housley <housley@vigilsec.com>, Lijun Liao <lijun.liao@gmail.com>
CC: LAMPS WG <spasm@ietf.org>, John Gray <John.Gray@entrust.com>
Thread-Topic: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL
Thread-Index: AQHXvICw5lKlXeFImkiFFvAECAJpoqvLCKYAgAJP4sCAAJR6gIAAAnsAgAAOYZCAAB/HAIAAFQeAgAAFdYCAANCAAIAAWWfA
Date: Tue, 12 Oct 2021 13:35:24 +0000
Message-ID: <AM0PR10MB2418F810110FDE2E11BCF8BBFEB69@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
References: <AM0PR10MB24181E0CB7F13C5969337F56FEB09@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <EDA2ACBF-E745-430A-A13F-A144B08125AC@vigilsec.com> <AM0PR10MB241887D39072B393C56FB28AFEB29@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <8D6D333A-14A3-4487-967F-CFCAC22D856C@vigilsec.com> <AM0PR10MB241865E9784CC03F81AA9D39FEB29@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <B92F36D2-605F-4E60-A654-AA0F89E310CA@vigilsec.com> <CANNx7D8AaT3+7Ah7tZHXUYRkcgx7CW_ExgciJ4nB90WAuP6tzw@mail.gmail.com> <E5F845E3-4281-4409-9085-28CC68751DB3@vigilsec.com> <AM0PR10MB241822FCF1E83E6444FDFAE5FEB59@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <0b24c287-a6ac-593e-e0e4-3fd0b9373208@von-Oheimb.de> <B48AB092-BE17-42AE-BBA8-7ACDBDBF75D7@vigilsec.com> <AM0PR10MB2418B4A2D6498C6E4A7CC6D9FEB59@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <C5546F9B-8AF0-48FA-9B9E-FE10C9B700F9@vigilsec.com> <CANNx7D-y4Sju8DN8=AmOQnq+GhrPAbmgZnhwYoDoSy_iB6gfpQ@mail.gmail.com> <29024D4D-A638-44AA-855A-6081F66D4A24@vigilsec.com> <93dd2d1d-3e82-36de-280a-365d3b1c388c@von-Oheimb.de>
In-Reply-To: <93dd2d1d-3e82-36de-280a-365d3b1c388c@von-Oheimb.de>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=true; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2021-10-12T13:35:23Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Name=restricted-default; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ActionId=78e08874-62ae-4902-960d-a6ceacd3b443; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0
document_confidentiality: Restricted
authentication-results: von-Oheimb.de; dkim=none (message not signed) header.d=none;von-Oheimb.de; dmarc=none action=none header.from=siemens.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 75840abc-e0d7-4258-7b61-08d98d85257c
x-ms-traffictypediagnostic: AM0PR10MB2210:
x-microsoft-antispam-prvs: <AM0PR10MB2210570AE34EAF7F41CBEF22FEB69@AM0PR10MB2210.EURPRD10.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: CJ/xLAP4w3K+MYEibIWpo+H9UeUw9oZICCPfFowWWjwSwgDSrJZUx1p+mxHKRuPTQemVRLyge9hJZOWDp2kH5tkdxApipMIwZQuy6Htf+Rn0Rj+KlkXnW0AuZflOHFbHzQ4e9LI9RhGpUlpZkT2/8x0/CX+z+fe0M01dF4rsiSusEQ4szmCwlGsf9HqZV0nx5vIWRP0GpIXCnbbB4NF3paicjP2f3lO0/evagTy5y2TkPRYcfcROFrwT4QTgWqVPHwhv+OGgnjWXDwhpTIY+CKHDm/A6sYiRb24Am1J9Rb+STeCYr2Cwe0Jj8fcs0ekd2RmDXPns2LWcBEirxmIpXiL6Fgh2PxTLqR99fETze7YAwZvv78yT3bMQg2aGogi6/YHGJIr2KDup0CzT1jMMH3gxmYCeLjsgCFMfKoZYvidiYG3njkJUNnHH8vai1PDQI5Q8JXKz8weHc6WPfG7r655dFvJpCX8DH1nG+PO/qJ1pohHcqJPcf8b8hziLdL5LRJCKfFtweMVpZ2htD35JZJ+oIgKlF7ejTBFsNtKJTGt+p+5d8wIBfSZJVBuDZE66h88J8uHlOWLUktGESV/t8iwjXn8GnlptUpypLXVLlM8ZU4ky3kkOzAZDfjQUrrHdueOjKOVa3US1ImMli1l9tRdjsEAqSh2Ycumj/vamC4rLrQhQfUd6uPP+cViDpQFUsO8WOQE6l9xW8aA88KOr4FdHZr4WqDoAgpak57VeXq/wFHjOxG1nLcZXgtzzsC2XQEI+PT8H1SwYJMIoL9W0EeDMIeRKyJhLkQTCGjOwDiOTuTnsGH0A+FK6hal0KQwOQDDm03jWe9tDRjGpiL03hA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(366004)(86362001)(33656002)(966005)(4326008)(64756008)(66446008)(508600001)(38100700002)(76116006)(71200400001)(66476007)(52536014)(166002)(122000001)(66946007)(5660300002)(66556008)(7696005)(9686003)(186003)(6506007)(2906002)(8676002)(110136005)(53546011)(54906003)(38070700005)(26005)(55016002)(8936002)(15650500001)(83380400001)(316002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: nFicPQVk7JkjN5bKTn/4aom7i6ljzJmvQ4kE9z6le8s5htA4Z72F4sYwdo82Hf3zSaEvFCV8O/cSA9mf3lLAz7fSa3hMxcnV7JPmLvB/oBO/hcNFsjp0y/qNgO8z+atodSMODHR8ATs0pXY5TQXpGOtKZlmqNir6gk2OicDKy3a7MMjxl6O4hzE9ML4nRzTAftgn0HJRiIs8fqRXmHHXGQIPODhGk/qZTaDEhkKZjwslS63OjKJ9+DNCIEnnzvUCu+4/CHOSE7tIfTy/jTi+FWO+Rj3POt5HwHSIuikmDTuAcLOUFjH7Er1TMf5UZUDImetvtFkZ8BbGCyLAc3VLs066LfeCAydGqQC5znpn1a/oZntLB0U63zBWzCn5eJIxdvr08WlEXStn0Z9sN/SXUqSYRH556mXx0k6Ae/s/lgW42KrTCKrzB4XgXp7rI2FqMqz58Im/sBudQW6l5nhdW51WaC5CwlGh+dnNEDLIRmuIGnu1Jihj1dorF5OnSkVOdkyfb+gyV65gpaN9oayFsG1ZlMgq2yfJNj8d/CFLUPmuMVLvK3pDqS1spztTTy4IlPbI5mMeJlslmYrGkYEyQ+1am8NIMgwauf2nCzeI1S0aDKGuqY/yMQsJuk6dRJ1e4RfwJ7q6X3JKU/69Jas9a9L+peRKdH/X8Ft6i1/coDfntgiSZizT8FuUqt6CJ3v23gTUAgQj4k8tvXPx2NfBrz1OVKVcfLBRtam2bmgEY1AKzCXhZ8iQcSaZw1OHSnpFCUe/MzkqICKe1+NDAKsZQfDc3AeX9nPdjnrYFW8ZXGSI/ig1y7wODmqCV+3s9QC5pxJhHc3lk3UtEDq9GBYKERm8Ej8QlXcUOCTRQNweuTqxwbdjlPxTklqhdVlXxG2ErkRouJf8+3sE8FdEMS7XBsCvSbd7O03Uk2fvj1EyObOdM1Az8sl09/L+wxlIgRvSiNGLWjh7ndXzD8uFU3+T+yk/L27h6v1xYt++9+xWVrU8vWeTf6R/1BBKElh6ehyhTKCD/SeASxUBr+pOHQaHpPIvDNrKVvK4vGI4E//Nb6qd+G5kh8g5cNgF9xAIWPFUWJoj62axKnjRBY8yy+/LPyVqlV16Iei3Y0SpzLZ7YOiNkfL94fM4+zPZmG650FLKCiQGBAGMQYm7ZR0J18GKK+JYWVwaA69GmY+yh4ypovg/RKXqFmp+LGOEHtwDlNYuO3DFZuMnr1DCdC4KjjwHQeYzHOFSewG2RASSfecnbl274W6WSVpQ5FHl6iXLwTsT2++kTtBGzsTfzGl0RMgGjxupCX9wIvRx/RS9JXK4ckTo5dAtI7fI0dfyeDSp5bZ1
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM0PR10MB2418F810110FDE2E11BCF8BBFEB69AM0PR10MB2418EURP_"
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 75840abc-e0d7-4258-7b61-08d98d85257c
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Oct 2021 13:35:24.7568 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: buMKxRlmHvg75Wx7PNe6sq06T9hwe4JGcngA/EmdN1yYgMqVCZyS3NMn7R9zLg7nWYPIgoUZIq2Fzf66PZbT8HpVJ9KpfBa9Ju3pVgKupFo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR10MB2210
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/0eGfCW8oaX0-xiu3swDwKxWxTqM>
Subject: Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Oct 2021 13:35:40 -0000

Do we really need the whole IssuingDistributionPoint, or is the DistributionPointName sufficient?

Hendrik

Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von David von Oheimb
Gesendet: Dienstag, 12. Oktober 2021 10:12
An: Russ Housley <housley@vigilsec.com>; Lijun Liao <lijun.liao@gmail.com>
Cc: LAMPS WG <spasm@ietf.org>; Brockhaus, Hendrik (T RDA CST SEA-DE) <hendrik.brockhaus@siemens.com>; John Gray <John.Gray@entrust.com>
Betreff: Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL


Thanks for the clarifications.

So how about adapting the CRLStatus part of Russ' below proposal from

CRLStatus ::= SEQUENCE {
   crldpn    DistributionPointName,
   thisUpdate    Time }

to (1):

CRLStatus ::= SEQUENCE {
   scope             IssuingDistributionPoint OPTIONAL,
   thisUpdate    Time }

or to (2):

CRLStatus ::= SEQUENCE {
   issuer            Name,
   cRLNumber  INTEGER,
   scope             IssuingDistributionPoint OPTIONAL }

?
In this way the full scope information can be given if needed, while
for the typical (simple) cases, it should be sufficient to give either the thisUpdate value or the CRL issuer and number.

    David

On 11.10.21 23:42, David von Oheimb wrote:

So in the end the whole IssuingDistributionPoint

structure determines the scope.



  David

On 11.10.21 21:45, Russ Housley wrote:
Lijun:

Yes, I agree.  That us the reason for crldpn in the syntax that I suggested.

Russ


On Oct 11, 2021, at 3:26 PM, Lijun Liao <lijun.liao@gmail.com<mailto:lijun.liao@gmail.com>> wrote:

The URL specified in the extension CRL DP, should be able to identify the scope.


Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>> schrieb am Mo., 11. Okt. 2021, 20:11:
Hendrik:

As the introduction to Section 5 od RFC 5280 says, the scope can be based on "arbitrary local information".  Consider the example that I gave in my earlier response, where a CA uses multiple CRL distribution points.  One distribution point could be associated with NIST employees located in Boulder and a separate distribution point could be for NIST employees in Gaithersburg.  There are certainly other ways to do this, including indirect CRLs, but this is one straightforward approach.

Russ


On Oct 11, 2021, at 12:20 PM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com<mailto:hendrik.brockhaus@siemens.com>> wrote:

Russ

The introduction to Section 5 gives some examples on different scopes.
I du understand how to express theses scopes by using the flags David mentioned.

  *   "all certificates issued by CA X"
  *   "all CA certificates issued by CA X"
  *   "all certificates issued by CA X that have been revoked for reasons of key compromise and CA compromise",

But I have issues to understand how "all certificates issued to the NIST employees located in Boulder" would be expressed.
Can you give an example?

Hendrik

Von: Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>>
Gesendet: Montag, 11. Oktober 2021 17:26
An: David von Oheimb <nl0@von-Oheimb.de<mailto:nl0@von-Oheimb.de>>
Cc: Lijun Liao <lijun.liao@gmail.com<mailto:lijun.liao@gmail.com>>; spasm@ietf.org<mailto:spasm@ietf.org>; Brockhaus, Hendrik (T RDA CST SEA-DE) <hendrik.brockhaus@siemens.com<mailto:hendrik.brockhaus@siemens.com>>; John Gray <John.Gray@entrust.com<mailto:John.Gray@entrust.com>>
Betreff: Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL

David:

These flags are clearly part of the scope.  The use of CRL distribution points in certificates can be used to divide the population of certificates across many different CRLs.

Russ

On Oct 11, 2021, at 11:16 AM, David von Oheimb <nl0@von-Oheimb.de<mailto:nl0@von-Oheimb.de>> wrote:

Interesting discussion!
It looks to me that the currently open issue boils down to uniquely identifying the (latest) CRL information currently known to the client.
Even when scoped, indirect, and delta CRLs need to be taken into account,
according to https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.3<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc5280%23section-5.2.3&data=04%7C01%7Chendrik.brockhaus%40siemens.com%7C4ad01b5d9113414a477f08d98d580223%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637696232756680209%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=KqGxNtGOOfOJukKWAIWwBhiljMUJMIwKvLEd9zzefcA%3D&reserved=0>
apparently the following data should be sufficient for unique identification:
    CRL issuer, scope, and CRL Number,
or am I missing something?
And how is the scope defined/encoded?
I'm having a hard time getting this nailed down from RFC 5280 and other sources,
but according to https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.5
<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc5280%23section-5.2.5&data=04%7C01%7Chendrik.brockhaus%40siemens.com%7C4ad01b5d9113414a477f08d98d580223%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637696232756690198%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=Xi1FhU%2BLZ45xBsdwSQPlUPvwF3zIrv0%2F%2FMHy4nr7sm0%3D&reserved=0>it looks like the scope is the combination of the following fields:

        onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,

        onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,

        onlySomeReasons            [3] ReasonFlags OPTIONAL,

        indirectCRL                [4] BOOLEAN DEFAULT FALSE,

        onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
right?
    David

On 11.10.21 08:28, Brockhaus, Hendrik wrote:
Russ

Thank you for this proposal. It looks straight forward.
I will need to dig a little deeper into the partitioning of CRLs and check the requirements of our use case for CRL retrieval via CMP to better understand the complexity needed.

Hendrik

Von: Russ Housley <housley@vigilsec.com><mailto:housley@vigilsec.com>
Gesendet: Samstag, 9. Oktober 2021 21:07
An: Lijun Liao <lijun.liao@gmail.com><mailto:lijun.liao@gmail.com>
Cc: Brockhaus, Hendrik (T RDA CST SEA-DE) <hendrik.brockhaus@siemens.com><mailto:hendrik.brockhaus@siemens.com>; spasm@ietf.org<mailto:spasm@ietf.org>; von Oheimb, David (T RDA CST SEA-DE) <david.von.oheimb@siemens.com><mailto:david.von.oheimb@siemens.com>; John Gray <John.Gray@entrust.com><mailto:John.Gray@entrust.com>
Betreff: Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL

This is an interesting observation, but it does not seem to cover a certificate with multiple CRL distribution points, indirect CRLs, and delta CRLs.  I'm not sure we want all of that complexity here.  That said, it does make sense to me to list a distribution point name and the thisUpdate for each one.

CRLStatusList ::= SEQUENCE OF CRLStatus

CRLStatus ::= SEQUENCE {
   crldpn    DistributionPointName,
   thisUpdate    Time }

CRLs ::= SEQUENCE OF CertificateList

   GenMsg:    {id-it TBD}, CRLStatusList
   GenRep:    {id-it TBD}, CRLs  |  < absent >

Russ

v2.23.0 | Report a Bug | By Email