IETF Logo Mail Archive

[lamps] AD initial comments on draft-ietf-lamps-crl-validation

Deb Cooley <debcooley1@gmail.com> Sun, 26 October 2025 18:12 UTC

Return-Path: <debcooley1@gmail.com>
X-Original-To: spasm@mail2.ietf.org
Delivered-To: spasm@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 968937C781CD for <spasm@mail2.ietf.org>; Sun, 26 Oct 2025 11:12:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0sAprcwGMboF for <spasm@mail2.ietf.org>; Sun, 26 Oct 2025 11:12:44 -0700 (PDT)
Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 38C2E7C781C6 for <spasm@ietf.org>; Sun, 26 Oct 2025 11:12:44 -0700 (PDT)
Received: by mail-pl1-x62d.google.com with SMTP id d9443c01a7336-290d14e5c9aso53657045ad.3 for <spasm@ietf.org>; Sun, 26 Oct 2025 11:12:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1761502363; x=1762107163; darn=ietf.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=VL2byuIP6lOf7iDN2wqu2zF7gLqSYCndSrLcSJDirMc=; b=PPhjZtZOmKR2aBTABc6SCoO7Ms+bzz6POewBCtw7TnY8OsOMEK94qM94YhJ9AZH4S0 dCTi5maJtjzQ8k5iB+xM28ufTNrLMwZf+b5UOe+cRkODJNQQmyT/Pj8Qw09rZ1QFXSOG CAhrvvKZqu9smiGk3L9Gz8vkqannnbvY56KmIPDVGR81ACTV1awvmBDHNHqg2q0UDLax 5g7lJc/OzxVNs6zRzs6PB3FReu8UHdO0cREGk3AfPUHt0apqKb/JR5v1ZRmoQitB8hBF 0qrRm+fLq9TfC4kIM32RDhhQPUVI8BBefEYrHaIiTmNTordGQSsnobeFj/u8d2U7nlzv /VxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761502363; x=1762107163; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=VL2byuIP6lOf7iDN2wqu2zF7gLqSYCndSrLcSJDirMc=; b=nk5Cl1D1KmQ9hrGbCVSx9dDZaaif7sGzdIOllhS+fkbEhtqiW2MX6A/TUkGjkg8Ux1 d+VgggkQJLQ5AUKp2GPTUbIV0qhDM0FMXvV1KvSH1ojpRW7Xxk+fFFJAheE8RTxLZw3g pkqPU+IUjGq7565JKU+3zPWbmdGdFhCnZ2d3U/NOW3WZBM2f9Xf62BMuc13DOWugr0me ou+j4AbdnOsNDZxCHbcU5B4UjxQ4i5qjVoW2aip1KHO1cJhDzTuc5Z8hc+auo60Gwy/c 3/oHrXE6YrZdUTFN+jvT2SmaU01r75TaGZmwAe7gu+5dMtBmhh1ZY4/ET9/urfN5iIAJ /d1Q==
X-Forwarded-Encrypted: i=1; AJvYcCWRNxxPo/y0YOPNE3xG5H/kdUHea4M9BSyIyK0NjSNp4xa4qzKMqzNfHWigZIicxfaWJpo6Fw==@ietf.org
X-Gm-Message-State: AOJu0YwvsaCoS3dv2DdKiFA7ZR1xYEeAMukuyabgibup7OLUXJaLk85H T26QsM9/6URjpMNF1oqNp9JOIz4LuCS+GJCraMAAvU618BSBAQv0+9Rww1Ta33q2oVNhsEot+Fn RlCk/tqiC6Fbf5gzF5EEa+3XlRHq397Bbs1Q=
X-Gm-Gg: ASbGncuqI+frmL/4pCtXbOvFfRbr0PqJ78g0DSbueBud6KKsFa/o4Svq0s+P4EChA5Z ysgRgxl1Av8rtjcTNmQaC2X5SDT20RLKFlZA1nH5NTnprpQ4WNYSWGBMzes8Zexk4SXS6fK1p8m 2v3dGV/Wa899/SMu6YorubSdkU3qiU52S3QhEjyufvzfpZp82H1veuFb/QCc7l5/2Av2QNGQnDR ucx+Of9gUfxEEvoCbYXm2CLycxmikGqLnlzmEkHgrIgzVvjxHEVcDdsyTC8uPebe/3Zs7kM/XWf 9iUhT4aUfAYTG2jZ/IW+g/4WtpZ5
X-Google-Smtp-Source: AGHT+IFFZnNKSGDnaW0Nv99dSuGUz1q1cdxw4EWL1WdN0un6/0ET2qSf2nxOBmu5pSJKbUKuNpg8uQ89zEQ76IjjqjY=
X-Received: by 2002:a17:902:ecc8:b0:27e:e1f3:f853 with SMTP id d9443c01a7336-290c9c8a5dbmr341890705ad.8.1761502363133; Sun, 26 Oct 2025 11:12:43 -0700 (PDT)
MIME-Version: 1.0
From: Deb Cooley <debcooley1@gmail.com>
Date: Sun, 26 Oct 2025 14:12:32 -0400
X-Gm-Features: AWmQ_bmk9S1quL1rJ5cRouWii40wE4uaYfGN9JPP2Otugfi49-DUXjHvF7oT6uY
Message-ID: <CAGgd1OdsccHA+BJ1BQRVNeGsDjLdbpS4cHu-98vVy+Eg_4PW2w@mail.gmail.com>
To: draft-ietf-lamps-keyusage-crl-validation.authors@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a02d94064213babc"
Message-ID-Hash: 43IR6WFJR7SLA4CFOSBSZ43MPI2VNJPG
X-Message-ID-Hash: 43IR6WFJR7SLA4CFOSBSZ43MPI2VNJPG
X-MailFrom: debcooley1@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spasm.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: LAMPS Chairs <lamps-chairs@ietf.org>, LAMPS WG <spasm@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [lamps] AD initial comments on draft-ietf-lamps-crl-validation
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/3LbSovpxNl-Yut-O2b4irdRWimw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Owner: <mailto:spasm-owner@ietf.org>
List-Post: <mailto:spasm@ietf.org>
List-Subscribe: <mailto:spasm-join@ietf.org>
List-Unsubscribe: <mailto:spasm-leave@ietf.org>

Huzzah!  a draft I understand (I might be a touch rusty).  These are only
initial comments, I will have more once I understand the real scope of this
draft.


General:  Is this correct?  The general concern is that RFC 5280 requires
CAs to include the key usage extension when creating a certificate that is
meant to sign CRLs.  But there is no requirement for the RP to validate
that the key usage extension is on a certificate that has been used to
create a CRL.

What about a similar situation with certificate signing? I see in section
4.2.1.3 the requirement for the CA to use a key usage extension, but I see
Section 6.1.4.n. that says: 'If a key usage extension is present, verify
that the keyCertSign bit is set.' which looks similar to the CRL
situation.  What am I missing?

This leads me to one question:  Does this specification need to be
broadened to include the case of a bogus CA where a TA (or CA) has signed a
cert that has no key usage extension?

Specific comments:

Abstract:  Add a specific sentence that states that this specification
updates RFC 5280.  Normally, this is at the end of the abstract.

Abstract:  This sentence isn't really clear.  CRL validators can be RPs...
The introduction states
 this more clearly.  Maybe use that language for the Abstract (with the
sentence about updating RFC 5280).

Section 3:  Some ideas of how to simplify/clarify the CRL validation issue.
a.  Para 2&3:  How important is it to understand indirect CRLs vs direct
CRLs?
b.  Para 4&5:  Keep this.  It is clear and explains the issue.
c.  Para 6 is fine, the quote doesn't appear to support the para above.  I
would remove the quote.
d.  The example is horribly complicated.
   - It can be much simpler:  A CA issues a certificate w/out a key usage
extension, that private key is used to generate a bogus CRL, and voila we
have an issue.
   - I have not included CRL DP.

I'll have more comments once I understand more about what is necessary.  I
have not even looked at Section 4 & Section 5. But why not MUST use v3 and
KU?  why only RECOMMEND?

Deb

v2.37.1 | Report a Bug | By Email | System Status