Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL
Russ Housley <housley@vigilsec.com> Thu, 07 October 2021 17:16 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8724C3A0C63 for <spasm@ietfa.amsl.com>; Thu, 7 Oct 2021 10:16:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R_Ccm0RU-2_n for <spasm@ietfa.amsl.com>; Thu, 7 Oct 2021 10:16:35 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6434A3A0C5C for <spasm@ietf.org>; Thu, 7 Oct 2021 10:16:35 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 88940300C49 for <spasm@ietf.org>; Thu, 7 Oct 2021 13:16:35 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 3vc0epQUlF9H for <spasm@ietf.org>; Thu, 7 Oct 2021 13:16:32 -0400 (EDT)
Received: from [192.168.1.161] (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id EDD01300B89; Thu, 7 Oct 2021 13:16:31 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <VI1PR10MB24298128902B438BCAF406D4FEB19@VI1PR10MB2429.EURPRD10.PROD.OUTLOOK.COM>
Date: Thu, 07 Oct 2021 13:16:28 -0400
Cc: "spasm@ietf.org" <spasm@ietf.org>, "david.von.oheimb@siemens.com" <david.von.oheimb@siemens.com>, John Gray <John.Gray@entrust.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <FD4EBC6E-77CE-4D96-8D9E-D929C27159D6@vigilsec.com>
References: <AM0PR10MB24181E0CB7F13C5969337F56FEB09@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <C81D6269-EA75-4A0F-9C47-63ED46BA43E0@vigilsec.com> <DM6PR11MB25853662F94B5B12933C23F9EAB09@DM6PR11MB2585.namprd11.prod.outlook.com> <VI1PR10MB24298128902B438BCAF406D4FEB19@VI1PR10MB2429.EURPRD10.PROD.OUTLOOK.COM>
To: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/KIje9Ytr74ZmGM2wRSxEIQAeZEs>
Subject: Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Oct 2021 17:16:41 -0000
Hendrik: After a quick skim of Section 5.3.19 of RFC 4210, I do not see any other uses of PKI General Message Content where the value provided with one request has an impact on the response provided by another. For this reason, I prefer Option 1B. Russ > On Oct 7, 2021, at 10:27 AM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com> wrote: > > Thanks to John for his support and to Russ for his proposal. > > I had a slightly different approach in mind as Russ described. So I would name the approach presented by Russ Option 1B and mine Option 1A. > > Option 1A would work like this: > > New Section: > 5.1.1.X. CrlThisUpdate > > This is used by the EE to inform the CA about the thisUpdate of the > most recent CRL it knows. > > crlThisUpdate OBJECT IDENTIFIER ::= {id-it TBD} > CrlThisUpdate ::= Time > > Updated Section: > 5.3.19.6. CRL > > This MAY be used by the client to get a copy of the latest CRL. > > GenMsg: {id-it 6}, < absent > > GenRep: {id-it 6}, CertificateList | < absent > > > If crlThisUpdate is contained in the generalInfo field of the GenMsg, the > CA MUST only return a more current CRL. > > Are there any preferences in the WG? > > Hendrik > >> Von: John Gray <John.Gray@entrust.com> >> Gesendet: Mittwoch, 6. Oktober 2021 23:45 >> >> Yes, that is exactly what we are suggesting. >> >> As you know CRL's can become very large, and it would be a pity to ask for the >> latest CRL, only to find out we already had the latest CRL. 😊 We had also >> discussed possibly using a hash of the CRL instead of the time value, but that >> would cost an extra hash operation and we agreed thisUpdate should be good >> enough. I wouldn't expect a CA to be fast enough to issue updated CRL's within >> 1 second of each other (thus having the same thisUpdate date). >> >> Cheers, >> >> John Gray >> >> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley >> Sent: Wednesday, October 6, 2021 12:23 PM >> >> RFC 4210 says: >> >> 5.3.19.6. CRL >> >> This MAY be used by the client to get a copy of the latest CRL. >> >> GenMsg: {id-it 6}, < absent > >> GenRep: {id-it 6}, CertificateList >> >> I think you are suggesting something like this for Option 1: >> >> 5.3.19.X. Conditional CRL Retrieval >> >> This MAY be used by the client to get a copy of the latest CRL if a newer one is >> available. >> >> GenMsg: {id-it TBD}, Time >> GenRep: {id-it TBD}, CertificateList | < absent > >> >> Where, Time is the thisUpdate of the most recent CRL known to the client. >> >> If that is the suggestion, then Option 1 seems to follow the general design in RFC >> 4210. See Section 5.3.19.1 as an example. >> >> Russ >> >> >>> On Oct 6, 2021, at 11:53 AM, Brockhaus, Hendrik >> <hendrik.brockhaus@siemens.com> wrote: >>> >>> There are situations where CMP is used on networks that do not offer http or >> coap, but other transport protocols specified at IEEE or IEC. >>> In such case we use the general message as defined in RFC 4210 Section >> 5.3.19.6 >> (https://datatracker.ietf.org/doc/html/rfc4210#section-5.3.19.6) for requesting CRLs. >>> Currently the CMP server always send its most current CRL, regardless if the >> CMP client already has this CRL. >>> To avoid sending the same CRL multiple times, we would like to extend the >> mechanism sending only more current CRLs than the CMP client already has. >>> >>> Together with John Gray from Entrust, who we also like to add as co-author to >> the CMP Updates Draft, we discussed mainly two implementation options. >>> >>> Option 1: >>> Define a new generalInfo field to be provided in the request messages header >> of the general message specified in RFC 4210 Section 5.3.19.6. This ITAV shall >> contain the thisUpdate time of the most current CRL the CMP client has. The >> CMP server shall return its CRL if it is more current and otherwise with an empty >> body. >>> >>> Option 2: >>> Define a new general message type. Sending this new general message, the >> CMP client requests the thisUpdate time of the most current CRL the CMP server >> has. If this is more current than the most current CRL the CMP client has, it >> requests this CRL using the general message specified in RFC 4210 Section >> 5.3.19.6. >>> >>> The authors would prefer option 1. What is the opinion of the WG? >>> >>> BTW, this is the last open issue of this draft. The authors hope that the next >> update will be the last before WGLC. >>> >>> Hendrik >>> >>> >>> Siemens AG >>> Technology - Research in Digitalization and Automation Security >>> Architecture mailto:hendrik.brockhaus@siemens.com >>> >>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furld >>> efense.com%2Fv3%2F__http%3A%2F%2Fwww.siemens.com__%3B!!FJ- >> Y8qCqXTj2!K3 >>> >> &data=04%7C01%7Chendrik.brockhaus%40siemens.com%7C2cd8c2a53f27 >> 42e2 >>> >> 6fac08d9891291b7%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C63 >> 769153 >>> >> 5123328589%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoi >> V2luMzI >>> >> iLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Wzag2sbqWIEuWaJ >> 4tUuNi >>> VokUg6Bb%2BdDq7OyXroN43k%3D&reserved=0 >>> 2dsgB2GqHGjdnUPkY_QKkcXyA_WG_c9clb1EI8fIW05- >> FtMawTzDIEdSOymuy8K9aaZnA$ >>> >>> Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim >>> Hagemann Snabe; Managing Board: Roland Busch, Chairman, President and >>> Chief Executive Officer; Cedrik Neike, Matthias Rebellius, Ralf P. >>> Thomas, Judith Wiese; Registered offices: Berlin and Munich, Germany; >>> Commercial registries: Berlin-Charlottenburg, HRB 12300, Munich, HRB >>> 6684; WEEE-Reg.-No. DE 23691322 >>> >>> _______________________________________________ >>> Spasm mailing list >>> Spasm@ietf.org >>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furld >>> >> efense.com%2Fv3%2F__https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo >> %2F >>> >> spas&data=04%7C01%7Chendrik.brockhaus%40siemens.com%7C2cd8c2a5 >> 3f27 >>> >> 42e26fac08d9891291b7%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0% >> 7C6376 >>> >> 91535123328589%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJ >> QIjoiV2l >>> >> uMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=sWEzRWabxIrH >> U2Ry4 >>> 2sy2YZewT7kDNOq1lIMP9ymOAE%3D&reserved=0 >>> m__;!!FJ-Y8qCqXTj2!K32dsgB2GqHGjdnUPkY_QKkcXyA_WG_c9clb1EI8fIW05- >> FtMaw >>> TzDIEdSOymuy8xYOrR-E$ >> >> _______________________________________________ >> Spasm mailing list >> Spasm@ietf.org >> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefens >> e.com%2Fv3%2F__https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fsp >> asm__%3B!!FJ- >> Y8qCqXTj2!K32dsgB2GqHGjdnUPkY_QKkcXyA_WG_c9clb1EI8fIW05- >> FtMawTzDIEdSOymuy8xYOrR- >> E%24&data=04%7C01%7Chendrik.brockhaus%40siemens.com%7C2cd8c2a >> 53f2742e26fac08d9891291b7%7C38ae3bcd95794fd4addab42e1495d55a%7C1% >> 7C0%7C637691535123328589%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL >> jAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&s >> data=mZrMYo45HQGV0FLd8f6TfQKNLgeS0s420sJpXUvaVVM%3D&reserve >> d=0 >> Any email and files/attachments transmitted with it are confidential and are >> intended solely for the use of the individual or entity to whom they are >> addressed. If this message has been sent to you in error, you must not copy, >> distribute or disclose of the information it contains. Please notify Entrust >> immediately and delete the message from your system. > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm
- [lamps] [CMP Updates] Requesting a current CRL Brockhaus, Hendrik
- Re: [lamps] [CMP Updates] Requesting a current CRL Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… John Gray
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Lijun Liao
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… David von Oheimb
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Lijun Liao
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… David von Oheimb
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… David von Oheimb
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… John Gray
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Russ Housley
- Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesti… Brockhaus, Hendrik