Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL

David von Oheimb <nl0@von-Oheimb.de> Mon, 11 October 2021 21:43 UTC

Date: Mon, 11 Oct 2021 21:42:51 +0000
From: David von Oheimb <nl0@von-Oheimb.de>
To: Russ Housley <housley@vigilsec.com>
Cc: Lijun Liao <lijun.liao@gmail.com>, LAMPS WG <spasm@ietf.org>, John Gray <John.Gray@entrust.com>, "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
Message-ID: <3c4aab30-7900-40aa-8105-57b392552eab@von-Oheimb.de>
In-Reply-To: <29024D4D-A638-44AA-855A-6081F66D4A24@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/PheppLMKBbkoKGOHBTXB4F7xlXw>

So in the end the whole IssuingDistributionPoint structure determines the scope.

  David

11 Oct 2021 21:46:09 Russ Housley <housley@vigilsec.com>:

> Lijun:
> 
> Yes, I agree.  That is the reason for crldpn in the syntax that I suggested.
> 
> Russ
> 
> On Oct 11, 2021, at 3:26 PM, Lijun Liao <lijun.liao@gmail.com> wrote:
> 
> The URL specified in the extension CRL DP, should be able to identify the scope.
> 
> 
> Russ Housley <housley@vigilsec.com> wrote on Mon, 11 Oct 2021, 20:11:
>> Hendrik:
>> 
>> As the introduction to Section 5 of RFC 5280 says, the scope can be based on "arbitrary local information".  Consider the example that I gave in my earlier response, where a CA uses multiple CRL distribution points.  One distribution point could be associated with NIST employees located in Boulder and a separate distribution point could be for NIST employees in Gaithersburg.  There are certainly other ways to do this, including indirect CRLs, but this is one straightforward approach.
>> 
>> Russ
>> 
>> On Oct 11, 2021, at 12:20 PM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com> wrote:
>> 
>> Russ
>>  
>> The introduction to Section 5 gives some examples on different scopes.
>> I do understand how to express these scopes by using the flags David mentioned.
>> * "all certificates issued by CA X"
>> * "all CA certificates issued by CA X"
>> * "all certificates issued by CA X that have been revoked for reasons of key compromise and CA compromise",
>>  
>> But I have difficulty understanding how "all certificates issued to the NIST employees located in Boulder" would be expressed.
>> Can you give an example?
>>  
>> Hendrik
>>  
>> *From:* Russ Housley <housley@vigilsec.com>
>> *Sent:* Monday, 11 October 2021 17:26
>> *To:* David von Oheimb <nl0@von-Oheimb.de>
>> *Cc:* Lijun Liao <lijun.liao@gmail.com>; spasm@ietf.org; Brockhaus, Hendrik (T RDA CST SEA-DE) <hendrik.brockhaus@siemens.com>; John Gray <John.Gray@entrust.com>
>> *Subject:* Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL
>>  
>> David:
>>  
>> These flags are clearly part of the scope.  The use of CRL distribution points in certificates can be used to divide the population of certificates across many different CRLs.
>>  
>> Russ
>> 
>> 
>> On Oct 11, 2021, at 11:16 AM, David von Oheimb <nl0@von-Oheimb.de> wrote:
>>  
>> Interesting discussion!
>> It looks to me that the currently open issue boils down to uniquely identifying the (latest) CRL information currently known to the client.
>> Even when scoped, indirect, and delta CRLs need to be taken into account, 
>> according to https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.3
>> apparently the following data should be sufficient for unique identification: 
>>     CRL issuer, scope, and CRL Number,
>> or am I missing something?
>> And how is the scope defined/encoded?
>> I'm having a hard time getting this nailed down from RFC 5280 and other sources, 
>> but according to https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.5
>> it looks like the scope is the combination of the following fields:
>>         onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
>>         onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
>>         onlySomeReasons            [3] ReasonFlags OPTIONAL,
>>         indirectCRL                [4] BOOLEAN DEFAULT FALSE,
>>         onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
>> right?
>>     David
>>  
>> On 11.10.21 08:28, Brockhaus, Hendrik wrote:
>> …
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://www.ietf.org/mailman/listinfo/spasm
>> 
> 
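The thread's conclusion (a CRL is identified by its issuer, its scope as the whole IssuingDistributionPoint, and its CRLNumber), worked through as an added example that is not part of the thread: a pure-Python DER encoder for the RFC 5280 section 5.2.5 IssuingDistributionPoint, plus an identity key built from the three values. The issuer name, distribution-point URIs and CRL number used with it are constructed placeholders.

```python
# Added example (not the thread's code): DER-encode an RFC 5280 section 5.2.5
# IssuingDistributionPoint and key a CRL by (issuer, whole IDP, CRLNumber).
import hashlib

def der(tag, content):
    """DER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Named bits of ReasonFlags (bit 0 is "unused")
REASON_BITS = {"keyCompromise": 1, "cACompromise": 2, "affiliationChanged": 3,
               "superseded": 4, "cessationOfOperation": 5, "certificateHold": 6,
               "privilegeWithdrawn": 7, "aACompromise": 8}

def reason_flags(reasons):
    """BIT STRING content (unused-bits octet + bits); DER drops trailing zero bits."""
    if not reasons:
        return b"\x00"
    idx = [REASON_BITS[r] for r in reasons]
    nbits = max(idx) + 1
    octets = bytearray((nbits + 7) // 8)
    for i in idx:
        octets[i // 8] |= 0x80 >> (i % 8)      # bit 0 is the MSB of octet 0
    return bytes([len(octets) * 8 - nbits]) + bytes(octets)

def issuing_distribution_point(uri=None, only_user=False, only_ca=False,
                               reasons=(), indirect=False, only_attr=False):
    """Encode the IDP; DEFAULT FALSE booleans and absent OPTIONALs are omitted."""
    parts = b""
    if uri is not None:
        # distributionPoint [0] is a CHOICE, so its tag is constructed; inside:
        # fullName [0] GeneralNames holding uniformResourceIdentifier [6] IA5String
        parts += der(0xA0, der(0xA0, der(0x86, uri.encode("ascii"))))
    fields = ((0x81, only_user, b"\xff"), (0x82, only_ca, b"\xff"),
              (0x83, bool(reasons), reason_flags(reasons)),
              (0x84, indirect, b"\xff"), (0x85, only_attr, b"\xff"))
    for tag, present, value in fields:
        if present:
            parts += der(tag, value)
    return der(0x30, parts)

def crl_identity(issuer, idp_der, crl_number):
    """Hashable key plus digest: two CRLs with equal keys are the same CRL."""
    digest = hashlib.sha256(issuer.encode() + idp_der
                            + crl_number.to_bytes(20, "big")).hexdigest()
    return (issuer, idp_der.hex(), crl_number), digest
```

Two CRLs from the same issuer with the same CRLNumber but different distribution-point URIs (the Boulder/Gaithersburg case above) therefore get different identity keys, while an IDP with all defaults and no distribution point encodes as an empty SEQUENCE.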