Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL
David von Oheimb <nl0@von-Oheimb.de> Mon, 11 October 2021 21:43 UTC
Date: Mon, 11 Oct 2021 21:42:51 +0000
From: David von Oheimb <nl0@von-Oheimb.de>
To: Russ Housley <housley@vigilsec.com>
Cc: Lijun Liao <lijun.liao@gmail.com>, LAMPS WG <spasm@ietf.org>, John Gray <John.Gray@entrust.com>, "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/PheppLMKBbkoKGOHBTXB4F7xlXw>
So in the end the whole IssuingDistributionPoint structure determines the scope.

    David

11 Oct 2021 21:46:09 Russ Housley <housley@vigilsec.com>:
> Lijun:
>
> Yes, I agree. That is the reason for crldpn in the syntax that I suggested.
>
> Russ
>
> On Oct 11, 2021, at 3:26 PM, Lijun Liao <lijun.liao@gmail.com> wrote:
>
> The URL specified in the extension CRL DP, should be able to identify the scope.
>
>
> Russ Housley <housley@vigilsec.com> wrote on Mon., 11 Oct 2021, 20:11:
>> Hendrik:
>>
>> As the introduction to Section 5 of RFC 5280 says, the scope can be based on "arbitrary local information". Consider the example that I gave in my earlier response, where a CA uses multiple CRL distribution points. One distribution point could be associated with NIST employees located in Boulder and a separate distribution point could be for NIST employees in Gaithersburg. There are certainly other ways to do this, including indirect CRLs, but this is one straightforward approach.
>>
>> Russ
>>
>> On Oct 11, 2021, at 12:20 PM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com> wrote:
>>
>> Russ
>>
>> The introduction to Section 5 gives some examples on different scopes.
>> I do understand how to express these scopes by using the flags David mentioned.
>> * "all certificates issued by CA X"
>> * "all CA certificates issued by CA X"
>> * "all certificates issued by CA X that have been revoked for reasons of key compromise and CA compromise",
>>
>> But I have issues to understand how "all certificates issued to the NIST employees located in Boulder" would be expressed.
>> Can you give an example?
>>
>> Hendrik
>>
>> *From:* Russ Housley <housley@vigilsec.com>
>> *Sent:* Monday, 11 October 2021 17:26
>> *To:* David von Oheimb <nl0@von-Oheimb.de>
>> *Cc:* Lijun Liao <lijun.liao@gmail.com>; spasm@ietf.org; Brockhaus, Hendrik (T RDA CST SEA-DE) <hendrik.brockhaus@siemens.com>; John Gray <John.Gray@entrust.com>
>> *Subject:* Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL
>>
>> David:
>>
>> These flags are clearly part of the scope. The use of CRL distribution points in certificates can be used to divide the population of certificates across many different CRLs.
>>
>> Russ
>>
>>
>> On Oct 11, 2021, at 11:16 AM, David von Oheimb <nl0@von-Oheimb.de> wrote:
>>
>> Interesting discussion!
>> It looks to me that the currently open issue boils down to uniquely identifying the (latest) CRL information currently known to the client.
>> Even when scoped, indirect, and delta CRLs need to be taken into account,
>> according to https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.3
>> apparently the following data should be sufficient for unique identification:
>> CRL issuer, scope, and CRL Number,
>> or am I missing something?
>> And how is the scope defined/encoded?
>> I'm having a hard time getting this nailed down from RFC 5280 and other sources,
>> but according to https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.5
>> it looks like the scope is the combination of the following fields:
>>     onlyContainsUserCerts       [1] BOOLEAN DEFAULT FALSE,
>>     onlyContainsCACerts         [2] BOOLEAN DEFAULT FALSE,
>>     onlySomeReasons             [3] ReasonFlags OPTIONAL,
>>     indirectCRL                 [4] BOOLEAN DEFAULT FALSE,
>>     onlyContainsAttributeCerts  [5] BOOLEAN DEFAULT FALSE }
>> right?
>>
>> David
>>
>> On 11.10.21 08:28, Brockhaus, Hendrik wrote:
>> …
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://www.ietf.org/mailman/listinfo/spasm
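As an added illustration (not part of the thread or of any CMP implementation), here is a small Python model of how the IssuingDistributionPoint fields quoted above, together with the distribution point name, make up a CRL's scope: `crl_identity` builds the (issuer, scope, CRLNumber) triple the thread proposes, and `crl_covers` applies the scope checks of RFC 5280 section 6.3.3 to decide whether a CRL is authoritative for a given certificate. The data classes, the "NIST CA" issuer name and the Boulder/Gaithersburg URIs are constructed assumptions; cRLIssuer matching for indirect CRLs is deliberately left out of the model.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# The eight named ReasonFlags of RFC 5280 section 5.2.5 (bit 0 "unused" omitted).
ALL_REASONS = frozenset({"keyCompromise", "cACompromise", "affiliationChanged",
                         "superseded", "cessationOfOperation", "certificateHold",
                         "privilegeWithdrawn", "aACompromise"})

@dataclass(frozen=True)
class IssuingDistributionPoint:
    """Simplified model (a constructed assumption) of the IDP extension fields."""
    distribution_point: Optional[str] = None  # DistributionPointName as a single URI
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False
    only_some_reasons: Optional[FrozenSet[str]] = None
    indirect_crl: bool = False
    only_contains_attribute_certs: bool = False

@dataclass(frozen=True)
class CRLInfo:
    issuer: str            # CRL issuer name
    crl_number: int        # CRLNumber extension value
    idp: Optional[IssuingDistributionPoint] = None  # absent: full CRL of the issuer

@dataclass(frozen=True)
class CertInfo:
    issuer: str
    is_ca: bool
    crl_dp_uris: Tuple[str, ...] = ()  # URIs from the certificate's CRL DP extension

def crl_identity(crl: CRLInfo):
    """(CRL issuer, scope, CRLNumber); an absent IDP is normalised to all defaults."""
    return (crl.issuer, crl.idp or IssuingDistributionPoint(), crl.crl_number)

def crl_covers(cert: CertInfo, crl: CRLInfo) -> FrozenSet[str]:
    """Reasons for which `crl` is authoritative for `cert`; empty means out of scope.
    Mirrors the scope checks of RFC 5280 section 6.3.3 (cRLIssuer matching omitted)."""
    idp = crl.idp or IssuingDistributionPoint()
    if idp.only_contains_attribute_certs:
        return frozenset()  # public-key certificates are never in such a CRL's scope
    if idp.only_contains_user_certs and cert.is_ca:
        return frozenset()
    if idp.only_contains_ca_certs and not cert.is_ca:
        return frozenset()
    if not idp.indirect_crl and cert.issuer != crl.issuer:
        return frozenset()  # a direct CRL only covers certificates of its own issuer
    if idp.distribution_point is not None and idp.distribution_point not in cert.crl_dp_uris:
        return frozenset()  # the certificate must name this distribution point
    return idp.only_some_reasons if idp.only_some_reasons is not None else ALL_REASONS
```

Two CRLs from the same issuer with the same CRLNumber but different distribution point names get different identities, which is exactly why the scope has to be part of the identifier.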