Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL
"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Fri, 08 October 2021 15:19 UTC
Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 566403A00E1 for <spasm@ietfa.amsl.com>; Fri, 8 Oct 2021 08:19:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=siemens.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yaoBa8sYBU13 for <spasm@ietfa.amsl.com>; Fri, 8 Oct 2021 08:19:42 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70059.outbound.protection.outlook.com [40.107.7.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17E333A0475 for <spasm@ietf.org>; Fri, 8 Oct 2021 08:19:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KIDGOVacAgdL52fQG/gahtfGajntQ+I4Tvkam+/iLyva8Zl95wRo4YooukHwhGn3EjXjCcjKbnjFeMCB1SQW8WwzqbdhDGe32HY2QfiaTZRkDF5szN3slIezBb6+3xvpjSfWep/q+si2yJbK9vMgX8ZgzAXwun+yX31CqD1ccnvCCUYYNOoL5H4L2feceE0mqmCUPdzn8cdNdpOQyQrbieUh46Ktfz6jxT76ULJuE14Ox5P1kUD5eOV4YyqtNIBqxcEmeIYXdDXNeyXAtSeGyAY+wteJdBu+CVgn/s1zCbR6Nx0TNrIfcj2H9MJkDW72yRapI6d30ksH+2xrctgwmQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=tZn+0vbwzE92oRra/M6eitP7jIJ8GBqrgYcdwDWvbYA=; b=iqx0UuarxtThMPLEzc+DIHQrMBfhvRZyRsH/kftKanTKcbbHBObiCY9qDZYujpNSFfkiNR+MmJYJ3NZ0d6UKwfQSY3xPcQKaJq4XqpGdJM+4hHpIEagNnv3y1gvRmu2slo3rXZWa2+A6UI36RRCI6z6JSQx1RWScjxcUKync9smGpq1EAGD26xxM122hkqqF4rDSnPqr+Q5oCblc6kJkhW3JYOy/pvIueMQZKeoOJdt/IpVyIl3jG96aFxNXi92Y+gnylkLDvhDuC6Ln+YYLTHvrdvp2aNohvC58O300obGNGyNla8xU46fhPZFLkGY49FT1xlUl3OKD6QNqE8SwYg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.onmicrosoft.com; s=selector1-siemens-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tZn+0vbwzE92oRra/M6eitP7jIJ8GBqrgYcdwDWvbYA=; b=V8lpNlgu8QrZ2jJKztwNAXOBXR2zkNs1XBYUyCNWZ7PTgWw+SPVkFMMPCgrDW8tODppl0OGTmYUnp8kAra29tC4d7ClKSl+T2H8CT4r5MjphR136x/uILucKTzviSXsn9cXDne9wOEAlobvaUertvFKxbj0jh/kspKHewxgzmBg=
Received: from AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:208:dd::17) by AM0PR10MB2291.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:208:e0::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4587.18; Fri, 8 Oct 2021 15:19:37 +0000
Received: from AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM ([fe80::dd30:5800:70a4:8b29]) by AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM ([fe80::dd30:5800:70a4:8b29%5]) with mapi id 15.20.4587.020; Fri, 8 Oct 2021 15:19:37 +0000
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Russ Housley <housley@vigilsec.com>
CC: "spasm@ietf.org" <spasm@ietf.org>, "david.von.oheimb@siemens.com" <david.von.oheimb@siemens.com>, John Gray <John.Gray@entrust.com>
Thread-Topic: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL
Thread-Index: AQHXu59CGogx/PCmf0qwFmmBtFhi4avIj6JAgACiGYCAAAShwA==
Date: Fri, 08 Oct 2021 15:19:37 +0000
Message-ID: <AM0PR10MB241887D39072B393C56FB28AFEB29@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
References: <AM0PR10MB24181E0CB7F13C5969337F56FEB09@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <C81D6269-EA75-4A0F-9C47-63ED46BA43E0@vigilsec.com> <DM6PR11MB25853662F94B5B12933C23F9EAB09@DM6PR11MB2585.namprd11.prod.outlook.com> <VI1PR10MB24298128902B438BCAF406D4FEB19@VI1PR10MB2429.EURPRD10.PROD.OUTLOOK.COM> <FD4EBC6E-77CE-4D96-8D9E-D929C27159D6@vigilsec.com> <AM0PR10MB2418E1DE7004C868C0E3AEA2FEB29@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <EDA2ACBF-E745-430A-A13F-A144B08125AC@vigilsec.com>
In-Reply-To: <EDA2ACBF-E745-430A-A13F-A144B08125AC@vigilsec.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=true; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2021-10-08T15:19:36Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Name=restricted-default; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ActionId=d9b5eed9-b2ab-4a78-831d-34eb7b9c09e8; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0
document_confidentiality: Restricted
authentication-results: vigilsec.com; dkim=none (message not signed) header.d=none;vigilsec.com; dmarc=none action=none header.from=siemens.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 03456cf7-52b4-46c5-6291-08d98a6f0ae8
x-ms-traffictypediagnostic: AM0PR10MB2291:
x-ld-processed: 38ae3bcd-9579-4fd4-adda-b42e1495d55a,ExtAddr
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <AM0PR10MB2291E4C9AAC60D91C488D605FEB29@AM0PR10MB2291.EURPRD10.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 9X+32A8oIR2nW7NCko61h5UXzB3s2z0oXS/iaC3DkskHPPgMFMXjHVs+QugxKKEuOf2BxEQoiiKgaK2Okw10MyzALd61U41ipfeJJ972JJIMUyBXvxfscauktNP5kl3o4rtcKxVLeXWrlx8HV7cAz17NpOwrmDp7qx/rjfxIPUtJUDzNs9FItJCJ1A7uq73L52HEhCFBNnSOVVdlASFwF0Z6DoH1ue4pFaW45b1b2/+THtj0tInUH6F6ZbLcC8X+cfdUiUFN5Ydh/rSqo48uigw8DgesBpSATmpvrrqmq7MVEmrKAFZ0KSNimMT5GUUVM4DG4P3X7b9RulLYFpC0UoKmApZDORxd+95UOoZwJwj3PzyeHy8F1BsFZINzOGn2KS9gxduBfnBv9EueozBtWB5LYu2OZ0n2JJkQq64IgSmYMsCf/c/NqUTy30FZiZ6sdzC740KZwR/lYQAVCNqzmwkep97Oj9J95Wuw94lBRTgC6jvcuBoUScKy9R0SR5PwjWPSLbxZhmvCO4xPw9DEjwQlR6DvS5GPZ4iGgT+No52Kzu5jIe7AgJejpapLW5JLhACYEXkbKIozgk+As54WThTUjuVb2L0Odj44gh/JYWI7/OZXIM08F4UBcLkRIycz2usZ8sKg2oRe6WXxrmdbDg6foe6bPYHvhdMlNu+vG/y+pvOI9wl8MM6DcedrBvkkBXBPX8EakHNdtcDpVIX+E6Nqf9GfFK0kOOVr5pqRlc6dp4RuLo+pl8NTgFRhrT7erPmbxM2JEI0+9n6XClpIMK3u9/0/fqquhm2f3XK+e49B7mNbFV1voJqN8I2QyaopBg+WiXZ4v8XjFeDZdI1XHg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(366004)(30864003)(83380400001)(26005)(86362001)(66556008)(53546011)(7696005)(8936002)(8676002)(55016002)(54906003)(66476007)(66946007)(66446008)(9686003)(64756008)(6506007)(15650500001)(316002)(76116006)(2906002)(33656002)(5660300002)(6916009)(966005)(186003)(19627235002)(45080400002)(4326008)(38100700002)(508600001)(122000001)(71200400001)(38070700005)(52536014); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Euv1/rNldLHGxPWd849053X/P8fT8Gs30A63ARK1O04BONzOn25NvXk3cMkG0nIb0KUC5YK6Co1f6NLjUnHJRnNNPuhOyvhREYmgza4WejF4lzv/zExdnaaSU7n4NohM61tITrydzvcrPHN/3okKUGYQsguMzaHrYSb5Zj44z1mdVm0zhdfC4vGb3EOq1HM+AlSYg3mwja9XeSzjDHUF57NQvFx+p06q/yngiSobxqWxFAanI6Ple2YdpsZtlAxmjM4BgOOm3mmu88k338G89NQcTFjDOoAj0g/46DYv8MQmi7huzBx6lvb3yT/pIvm0RcbSR28aQJq56fXOXDYLpYK/GH1u5wYzSUQn4VzgsTK13lAgzgOpmXohkPiStaY8d54IcEOhxolooNK+mpfyudsmI5POglk7pHUHEwDGlZSlISoSJZIN4E67IkYwaQOoFY3kpfsZJEvyUxpetHc92lvktnL/VGRNrly+i7XIGxby/38+ZyP32W+DFgt9+fbqQeDIgeli3CcBBAWlU/jgQBUT1uGPeK0EKhXiLufqMXxfjjQNqRKcgm0vvTB8mCqjRmMrYR9hyJ7CDYzS8uSa6JmsApf04CJXFfpS+LhWwMe0OCh6wyIUxr1zC4h+9uccpysyZECdYdVGDYpZDN+CLQo/9Y7qfEwmnbrrePj3/cot0IHBo9EPgBgfnYnyaOjbQ2BaLGlE0F3OtzyEcLRfgY4kkYhw4CEGXznbhG4mwkkFRqhIcv8lUtFtKa29SU9n6GyHGPo9fxiRcEsRzXA9RAfbQVDJsiuePg3u6fOd+xJkQw6KzvOXxNIX7ugINU+CDNGeYDz2LKJeJEVrIBAvRR4hQpc4PTV+qi7RYFeribEB628IqgnPMFv3ZAb3VoXPVKUZKuOXrHIqVo808h0KPQ76kGMgpbGWurQWLANftOEAPolGElydAfe3xKaQ1ufs39btOxDRY8lHmJutN1JGqRPG8M7Z8tHu8rhrNQe+ryYWA5vnSu50dDxNzmnw0+Pi2iIVGHUcSMn057ceRT9l5WxkUAT+X+en7reMcxP+65Fojbd0YB1TjbhjtaL17sFMkrN7B8KnYTuHQJNJ0eU7IOtWjwDVm8x5zvjKqx8k5/EWofuuwr6goaqVp1NSsxOTiqnWVOWpG8p+RsCb0R2Kle7acaH05SN7CxqXYsszQDYXP0i9Fc5Q7ZDDpDpe1GNT5kdDWOL3MNzSTVxmAzirbcPlntiod3RbM7h3Htn4NvDcYE/Ub/Sqt6sqnRwozk+hZkQSJOIC/FDvVCjBDyF+POWJtgl0gnf/U0qU999lA/cIloofBKdVvWWM9r6Zcmn2
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 03456cf7-52b4-46c5-6291-08d98a6f0ae8
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Oct 2021 15:19:37.7141 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: CeeGlsNpfcBw1fQAOMvGrW9nArpHyx6MDu9s41KIk68Ff7n74CD1ThTkGIOuMrBWJZv/mWnE5I8qcNKR7fbCIXxbmXsU47HBLLkRWHJ0V18=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR10MB2291
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/DSm7jpWcf3Ys-y50Lycrxe7Rvs4>
Subject: Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Oct 2021 15:19:48 -0000
Russ Thank you for this explanation. > Von: Russ Housley <housley@vigilsec.com> > Gesendet: Freitag, 8. Oktober 2021 16:55 > > Hendrik: > > It is clear to me that either one will work. The better approach to me depends > on the better impact on existing code. > > In Option 1A: > > if the client does not send CrlThisUpdate, then the server acts exactly as RFC > 4210. > > If the server responds with <absent>, which is not permitted in RFC 4210, it is > unclear to me what a client implementation will do. The server should only answers with <absent> in case CrlThisUpdate was provided in the request. In this case the client indicates that it knows the updated syntax. Therefore, I thought it is backward compatible. > > In Option 1B: > > Section 5.3.19 of RFC 4210 does not offer much assistance; it explains the > syntax, but no real help about when <absent> is acceptable or unacceptable. I > do not know how CMP implementations really handle this. So, defining a new > InfoTypeAndValue should avoid concerns with the change: > > OLD: > > GenRep: {id-it 6}, CertificateList > > NEW: > > GenRep: {id-it 6}, CertificateList | < absent > I tried to find any indication in the ASN.1 module, but it looks like the ASN.1 module dies not differ if <absent> is allowed or not. Your proposal is to define a new OID with this update, right? Finally, if you think we should do this to be on the safe side, we could also use it together with CrlThisUpdate. I just wanted to prevent to define new ITAV if not necessary. Hendrik > > > On Oct 8, 2021, at 1:37 AM, Brockhaus, Hendrik > <hendrik.brockhaus@siemens.com> wrote: > > > > Russ > > > > You are right. Chaining general messages is not the intend of RFC 4210 Section > 5.3.19. Therefore, I agree dropping Option 2. > > > > Option 1A and 1B both use a single general message transaction. The > difference is how thisUpdate time is provided by the EE. > > Option 1A uses the generalInfo field. As I understand you proposal, Option 1B > uses the body of the GenMsg. > > > > RFC 4210 Section 5.1.1 specifies the generalInfo file like this: > > > > The generalInfo field may be used to send machine-processable > > additional data to the recipient. The following generalInfo > > extensions are defined and MAY be supported. > > > > CMP Updates already specifies two new ITAV to be carried in the generalInfo > field in Section 2.4 and 2.5. Theses new ITAV are used in the Lightweight CMP > Profile together with general messages. Therefore, I preferer Option 1A using > the same approach for requesting CRLs. > > > > Hendrik > > > >> Von: Russ Housley <housley@vigilsec.com> > >> Gesendet: Donnerstag, 7. Oktober 2021 19:16 > >> > >> Hendrik: > >> > >> After a quick skim of Section 5.3.19 of RFC 4210, I do not see any > >> other uses of PKI General Message Content where the value provided > >> with one request has an impact on the response provided by another. For > this reason, I prefer Option 1B. > >> > >> Russ > >> > >> > >>> On Oct 7, 2021, at 10:27 AM, Brockhaus, Hendrik > >> <hendrik.brockhaus@siemens.com> wrote: > >>> > >>> Thanks to John for his support and to Russ for his proposal. > >>> > >>> I had a slightly different approach in mind as Russ described. So I > >>> would name > >> the approach presented by Russ Option 1B and mine Option 1A. > >>> > >>> Option 1A would work like this: > >>> > >>> New Section: > >>> 5.1.1.X. CrlThisUpdate > >>> > >>> This is used by the EE to inform the CA about the thisUpdate of > >>> the most recent CRL it knows. > >>> > >>> crlThisUpdate OBJECT IDENTIFIER ::= {id-it TBD} > >>> CrlThisUpdate ::= Time > >>> > >>> Updated Section: > >>> 5.3.19.6. CRL > >>> > >>> This MAY be used by the client to get a copy of the latest CRL. > >>> > >>> GenMsg: {id-it 6}, < absent > > >>> GenRep: {id-it 6}, CertificateList | < absent > > >>> > >>> If crlThisUpdate is contained in the generalInfo field of the > >>> GenMsg, the CA MUST only return a more current CRL. > >>> > >>> Are there any preferences in the WG? > >>> > >>> Hendrik > >>> > >>>> Von: John Gray <John.Gray@entrust.com> > >>>> Gesendet: Mittwoch, 6. Oktober 2021 23:45 > >>>> > >>>> Yes, that is exactly what we are suggesting. > >>>> > >>>> As you know CRL's can become very large, and it would be a pity to > >>>> ask for the latest CRL, only to find out we already had the latest > >>>> CRL. 😊 We had also discussed possibly using a hash of the CRL > >>>> instead of the time value, but that would cost an extra hash > >>>> operation and we agreed thisUpdate should be good enough. I > >>>> wouldn't expect a CA to be fast enough to issue updated CRL's > >>>> within > >>>> 1 second of each other (thus having the same thisUpdate date). > >>>> > >>>> Cheers, > >>>> > >>>> John Gray > >>>> > >>>> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley > >>>> Sent: Wednesday, October 6, 2021 12:23 PM > >>>> > >>>> RFC 4210 says: > >>>> > >>>> 5.3.19.6. CRL > >>>> > >>>> This MAY be used by the client to get a copy of the latest CRL. > >>>> > >>>> GenMsg: {id-it 6}, < absent > > >>>> GenRep: {id-it 6}, CertificateList > >>>> > >>>> I think you are suggesting something like this for Option 1: > >>>> > >>>> 5.3.19.X. Conditional CRL Retrieval > >>>> > >>>> This MAY be used by the client to get a copy of the latest CRL if > >>>> a newer one is available. > >>>> > >>>> GenMsg: {id-it TBD}, Time > >>>> GenRep: {id-it TBD}, CertificateList | < absent > > >>>> > >>>> Where, Time is the thisUpdate of the most recent CRL known to the client. > >>>> > >>>> If that is the suggestion, then Option 1 seems to follow the > >>>> general design in RFC 4210. See Section 5.3.19.1 as an example. > >>>> > >>>> Russ > >>>> > >>>> > >>>>> On Oct 6, 2021, at 11:53 AM, Brockhaus, Hendrik > >>>> <hendrik.brockhaus@siemens.com> wrote: > >>>>> > >>>>> There are situations where CMP is used on networks that do not > >>>>> offer http or > >>>> coap, but other transport protocols specified at IEEE or IEC. > >>>>> In such case we use the general message as defined in RFC 4210 > >>>>> Section > >>>> 5.3.19.6 > >>>> > >> (https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fda > >> tatrac > >> ker.ietf.org%2Fdoc%2Fhtml%2Frfc4210%23section- > >> > 5.3.19.6&data=04%7C01%7Chendrik.brockhaus%40siemens.com%7C2a1f8 > >> > 11b31124e63d01b08d989b63743%7C38ae3bcd95794fd4addab42e1495d55a%7 > >> > C1%7C0%7C637692238717449200%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC > >> > 4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&a > >> > mp;sdata=4E9ffpU0dgD29BYAx9rqOX5tN0ObW1X7dsALJd3EABI%3D&reser > >> ved=0) for requesting CRLs. > >>>>> Currently the CMP server always send its most current CRL, > >>>>> regardless if the > >>>> CMP client already has this CRL. > >>>>> To avoid sending the same CRL multiple times, we would like to > >>>>> extend the > >>>> mechanism sending only more current CRLs than the CMP client already > has. > >>>>> > >>>>> Together with John Gray from Entrust, who we also like to add as > >>>>> co-author to > >>>> the CMP Updates Draft, we discussed mainly two implementation options. > >>>>> > >>>>> Option 1: > >>>>> Define a new generalInfo field to be provided in the request > >>>>> messages header > >>>> of the general message specified in RFC 4210 Section 5.3.19.6. This > >>>> ITAV shall contain the thisUpdate time of the most current CRL the > >>>> CMP client has. The CMP server shall return its CRL if it is more > >>>> current and otherwise with an empty body. > >>>>> > >>>>> Option 2: > >>>>> Define a new general message type. Sending this new general > >>>>> message, the > >>>> CMP client requests the thisUpdate time of the most current CRL the > >>>> CMP server has. If this is more current than the most current CRL > >>>> the CMP client has, it requests this CRL using the general message > >>>> specified in RFC 4210 Section 5.3.19.6. > >>>>> > >>>>> The authors would prefer option 1. What is the opinion of the WG? > >>>>> > >>>>> BTW, this is the last open issue of this draft. The authors hope > >>>>> that the next > >>>> update will be the last before WGLC. > >>>>> > >>>>> Hendrik > >>>>> > >>>>> > >>>>> Siemens AG > >>>>> Technology - Research in Digitalization and Automation Security > >>>>> Architecture mailto:hendrik.brockhaus@siemens.com > >>>>> > >>>>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2F > >>>>> ur > >>>>> ld > >>>>> efense.com%2Fv3%2F__http%3A%2F%2Fwww.siemens.com__%3B!!FJ- > >>>> Y8qCqXTj2!K3 > >>>>> > >>>> > >> > &data=04%7C01%7Chendrik.brockhaus%40siemens.com%7C2cd8c2a53f27 > >>>> 42e2 > >>>>> > >>>> > >> > 6fac08d9891291b7%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C63 > >>>> 769153 > >>>>> > >>>> > >> > 5123328589%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoi > >>>> V2luMzI > >>>>> > >>>> > >> > iLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Wzag2sbqWIEuWaJ > >>>> 4tUuNi > >>>>> VokUg6Bb%2BdDq7OyXroN43k%3D&reserved=0 > >>>>> 2dsgB2GqHGjdnUPkY_QKkcXyA_WG_c9clb1EI8fIW05- > >>>> FtMawTzDIEdSOymuy8K9aaZnA$ > >>>>> > >>>>> Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim > >>>>> Hagemann Snabe; Managing Board: Roland Busch, Chairman, President > >>>>> and Chief Executive Officer; Cedrik Neike, Matthias Rebellius, Ralf P. > >>>>> Thomas, Judith Wiese; Registered offices: Berlin and Munich, > >>>>> Germany; Commercial registries: Berlin-Charlottenburg, HRB 12300, > >>>>> Munich, HRB 6684; WEEE-Reg.-No. DE 23691322 > >>>>> > >>>>> _______________________________________________ > >>>>> Spasm mailing list > >>>>> Spasm@ietf.org > >>>>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2F > >>>>> ur > >>>>> ld > >>>>> > >>>> > >> > efense.com%2Fv3%2F__https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo > >>>> %2F > >>>>> > >>>> > >> > spas&data=04%7C01%7Chendrik.brockhaus%40siemens.com%7C2cd8c2a5 > >>>> 3f27 > >>>>> > >>>> > >> > 42e26fac08d9891291b7%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0% > >>>> 7C6376 > >>>>> > >>>> > >> > 91535123328589%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJ > >>>> QIjoiV2l > >>>>> > >>>> > >> > uMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=sWEzRWabxIrH > >>>> U2Ry4 > >>>>> 2sy2YZewT7kDNOq1lIMP9ymOAE%3D&reserved=0 > >>>>> m__;!!FJ- > >> Y8qCqXTj2!K32dsgB2GqHGjdnUPkY_QKkcXyA_WG_c9clb1EI8fIW05- > >>>> FtMaw > >>>>> TzDIEdSOymuy8xYOrR-E$ > >>>> > >>>> _______________________________________________ > >>>> Spasm mailing list > >>>> Spasm@ietf.org > >>>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fu > >>>> rl > >>>> defens > >>>> > >> > e.com%2Fv3%2F__https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsp > >>>> asm__%3B!!FJ- > >>>> Y8qCqXTj2!K32dsgB2GqHGjdnUPkY_QKkcXyA_WG_c9clb1EI8fIW05- > >>>> FtMawTzDIEdSOymuy8xYOrR- > >>>> > >> > E%24&data=04%7C01%7Chendrik.brockhaus%40siemens.com%7C2cd8c2a > >>>> > >> > 53f2742e26fac08d9891291b7%7C38ae3bcd95794fd4addab42e1495d55a%7C1% > >>>> > >> > 7C0%7C637691535123328589%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL > >>>> > >> > jAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&s > >>>> > >> > data=mZrMYo45HQGV0FLd8f6TfQKNLgeS0s420sJpXUvaVVM%3D&reserve > >>>> d=0 > >>>> Any email and files/attachments transmitted with it are > >>>> confidential and are intended solely for the use of the individual > >>>> or entity to whom they are addressed. If this message has been sent > >>>> to you in error, you must not copy, distribute or disclose of the > >>>> information it contains. Please notify Entrust immediately and > >>>> delete the message from > >> your system. > >>> _______________________________________________ > >>> Spasm mailing list > >>> Spasm@ietf.org > >>> > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww. > >>> > >> > ietf.org%2Fmailman%2Flistinfo%2Fspasm&data=04%7C01%7Chendrik.broc > >> k > >>> > >> > haus%40siemens.com%7C2a1f811b31124e63d01b08d989b63743%7C38ae3bcd > >> 95794f > >>> > >> > d4addab42e1495d55a%7C1%7C0%7C637692238717459201%7CUnknown%7CT > >> WFpbGZsb3 > >>> > >> > d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3 > >> D%7 > >>> > >> > C3000&sdata=XdAzbm5lVFFCWz0bC0FmrwJT3APVOChsXe4SAZa5LkE%3D& > >> amp;res > >>> erved=0 > > > > _______________________________________________ > > Spasm mailing list > > Spasm@ietf.org > > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww. > > > ietf.org%2Fmailman%2Flistinfo%2Fspasm&data=04%7C01%7Chendrik.broc > k > > > haus%40siemens.com%7C20647c6817d644d3bae008d98a6ba4a6%7C38ae3bcd > 95794f > > > d4addab42e1495d55a%7C1%7C0%7C637693017805521807%7CUnknown%7CT > WFpbGZsb3 > > > d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3 > D%7 > > > C3000&sdata=4bcIohNWsDgGugoLRr59S7G24wo0fvUjSrJ4HIhdfmw%3D&a > mp;res > > erved=0
- [lamps] [CMP Updates] Requesting a current CRL Brockhaus, Hendrik
- Re: [lamps] [CMP Updates] Requesting a current CRL Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… John Gray
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Lijun Liao
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… David von Oheimb
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Lijun Liao
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… David von Oheimb
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… David von Oheimb
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… John Gray
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik