Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL
"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Mon, 11 October 2021 16:20 UTC
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Russ Housley <housley@vigilsec.com>, David von Oheimb <nl0@von-Oheimb.de>
CC: Lijun Liao <lijun.liao@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>, John Gray <John.Gray@entrust.com>
Date: Mon, 11 Oct 2021 16:20:25 +0000
Message-ID: <AM0PR10MB2418B4A2D6498C6E4A7CC6D9FEB59@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <B48AB092-BE17-42AE-BBA8-7ACDBDBF75D7@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Y9Bp4hfb25o5QglXtXAxU2RbEN0>
Russ

The introduction to Section 5 gives some examples on different scopes. I do understand how to express these scopes by using the flags David mentioned.

* "all certificates issued by CA X"
* "all CA certificates issued by CA X"
* "all certificates issued by CA X that have been revoked for reasons of key compromise and CA compromise"

But I have issues understanding how "all certificates issued to the NIST employees located in Boulder" would be expressed. Can you give an example?

Hendrik

From: Russ Housley <housley@vigilsec.com>
Sent: Monday, 11 October 2021 17:26
To: David von Oheimb <nl0@von-Oheimb.de>
Cc: Lijun Liao <lijun.liao@gmail.com>; spasm@ietf.org; Brockhaus, Hendrik (T RDA CST SEA-DE) <hendrik.brockhaus@siemens.com>; John Gray <John.Gray@entrust.com>
Subject: Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL

David:

These flags are clearly part of the scope. The use of CRL distribution points in certificates can be used to divide the population of certificates across many different CRLs.

Russ

On Oct 11, 2021, at 11:16 AM, David von Oheimb <nl0@von-Oheimb.de> wrote:

Interesting discussion!

It looks to me that the currently open issue boils down to uniquely identifying the (latest) CRL information currently known to the client.
Even when scoped, indirect, and delta CRLs need to be taken into account, according to https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.3 apparently the following data should be sufficient for unique identification: CRL issuer, scope, and CRL Number, or am I missing something?

And how is the scope defined/encoded? I'm having a hard time getting this nailed down from RFC 5280 and other sources, but according to https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.5 it looks like the scope is the combination of the following fields:

    onlyContainsUserCerts       [1] BOOLEAN DEFAULT FALSE,
    onlyContainsCACerts         [2] BOOLEAN DEFAULT FALSE,
    onlySomeReasons             [3] ReasonFlags OPTIONAL,
    indirectCRL                 [4] BOOLEAN DEFAULT FALSE,
    onlyContainsAttributeCerts  [5] BOOLEAN DEFAULT FALSE }

right?

David

On 11.10.21 08:28, Brockhaus, Hendrik wrote:

Russ

Thank you for this proposal. It looks straightforward. I will need to dig a little deeper into the partitioning of CRLs and check the requirements of our use case for CRL retrieval via CMP to better understand the complexity needed.

Hendrik

From: Russ Housley <housley@vigilsec.com>
Sent: Saturday, 9 October 2021 21:07
To: Lijun Liao <lijun.liao@gmail.com>
Cc: Brockhaus, Hendrik (T RDA CST SEA-DE) <hendrik.brockhaus@siemens.com>; spasm@ietf.org; von Oheimb, David (T RDA CST SEA-DE) <david.von.oheimb@siemens.com>; John Gray <John.Gray@entrust.com>
Subject: Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL

This is an interesting observation, but it does not seem to cover a certificate with multiple CRL distribution points, indirect CRLs, and delta CRLs. I'm not sure we want all of that complexity here.

That said, it does make sense to me to list a distribution point name and the thisUpdate for each one.

    CRLStatusList ::= SEQUENCE OF CRLStatus

    CRLStatus ::= SEQUENCE {
        crldpn      DistributionPointName,
        thisUpdate  Time }

    CRLs ::= SEQUENCE OF CertificateList

    GenMsg: {id-it TBD}, CRLStatusList
    GenRep: {id-it TBD}, CRLs | < absent >

Russ

On Oct 8, 2021, at 4:10 PM, Lijun Liao <lijun.liao@gmail.com> wrote:

Please also consider the following somewhat complicated scenarios:

1. The CA may have multiple CRLs with different scopes. In RFC 4210, id-it 6 seems to work only for a CA with at most one CRL scope.
2. The CA may issue full CRLs and delta CRLs. In the period between two full CRLs, one or more delta CRLs will be issued.

Specifying only thisUpdate does not cover the above scenarios. I would suggest defining a new GenMessage (following the direction of Option B) as follows:

New Section 5.3.19.x Extended CRL Retrieval

    CRLGenMsg: {id-it TBD}, ExtendedCRLRetrieval

    ExtendedCRLRetrieval ::= SEQUENCE {
        lastCRL    LastCRL OPTIONAL,  -- the meta data of last CRL known to the client
        crlNumber  INTEGER OPTIONAL   -- only CRL with this number will be returned
    }

    LastCRL ::= SEQUENCE {
        thisUpdate         TIME,
        sha256DigestValue  OCTET STRING  -- SHA256 Fingerprint of CRL
    }

    GenRep: {id-it TBD}, SEQUENCE (0..MAX) OF CertificateList
        -- The CA may have multiple CRLs with different scopes

At the first time, the client sends an ExtendedCRLRetrieval with an empty SEQUENCE, and the CA returns the current CRLs of all scopes.

For the case without delta CRL, the client sends the following request to get the current CRL only if it is generated after the lastCRL.

    ExtendedCRLRetrieval
        lastCRL
            thisUpdate
            sha256DigestValue

The field sha256DigestValue is needed to identify the scope of CRL.

If the current CRL is a delta CRL, the client has to get the full CRL on which this delta CRL is based. It sends the following request:

    ExtendedCRLRetrieval
        lastCRL    -- required only if there is more than 1 scope, since
                   -- RFC 5280 allows two CRLs with different scopes to have
                   -- the same crlNumber
        crlNumber

Since the response is a sequence of CertificateList, option 1A cannot be applied here.

Lijun

On Fri, Oct 8, 2021 at 6:41 PM Russ Housley <housley@vigilsec.com> wrote:

On Oct 8, 2021, at 12:36 PM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com> wrote:

My question is, is it OK to reuse id-it-currentCrl together with id-it-crlThisUpdate like this

    GenMsg: {id-it 6}, < absent >
    GenRep: {id-it 6}, CertificateList | < absent >

Yes, because <absent> is exactly the same response that would be given if {id-it 6} is unrecognized by the server.

Russ
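A small model of the exchange Russ proposed (a CRLStatusList of crldpn/thisUpdate pairs in, CRLs out), with CRL scope built from the RFC 5280 issuingDistributionPoint fields David listed and the delta-CRL and same-crlNumber cases Lijun raised. This is an added example, not code from the thread or from any CMP implementation; the "empty list means every scope" rule, the base-CRL lookup for deltas, and all names and sample values are assumptions or constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class IssuingDistributionPoint:  # RFC 5280 section 5.2.5 fields that define a CRL's scope
    distribution_point: Optional[str] = None            # DistributionPointName (a URI here)
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False
    only_some_reasons: Optional[FrozenSet[str]] = None  # ReasonFlags subset
    indirect_crl: bool = False
    only_contains_attribute_certs: bool = False

@dataclass(frozen=True)
class CRL:
    issuer: str
    crl_number: int
    this_update: datetime
    idp: IssuingDistributionPoint
    base_crl_number: Optional[int] = None  # deltaCRLIndicator: set only on delta CRLs

def scope_key(crl: CRL):
    return (crl.issuer, crl.idp)  # crlNumber alone is not unique across scopes (RFC 5280)

def crl_status_list(known: List[CRL]) -> List[Tuple[Optional[str], datetime]]:
    """Client side: one CRLStatus (crldpn, thisUpdate) per CRL the client already holds."""
    return [(c.idp.distribution_point, c.this_update) for c in known]

def crls_to_return(server_crls: List[CRL], status: List[Tuple[Optional[str], datetime]]):
    """Server side (assumed semantics): empty CRLStatusList = current CRL of every scope;
    otherwise, per listed DPN, the current CRL only if newer than the client's thisUpdate,
    plus the base CRL when the current one is a delta the client has no base for."""
    known = dict(status)
    by_scope = {}
    for c in server_crls:
        by_scope.setdefault(scope_key(c), []).append(c)
    result = []
    for crls in by_scope.values():
        newest = max(crls, key=lambda c: c.this_update)
        dpn = newest.idp.distribution_point
        if status and dpn not in known:
            continue                      # client did not ask about this partition
        last = known.get(dpn)
        if last is not None and newest.this_update <= last:
            continue                      # client is already current for this scope
        if newest.base_crl_number is not None:
            base = next(c for c in crls
                        if c.crl_number == newest.base_crl_number and c.base_crl_number is None)
            if last is None or base.this_update > last:
                result.append(base)       # delta is useless without the full CRL it extends
        result.append(newest)
    return result

# Constructed sample: CA X partitions by DPN; both scopes reuse crlNumber 17 (allowed by RFC 5280).
def day_of_oct(d): return datetime(2021, 10, d, tzinfo=timezone.utc)
USER_DP = IssuingDistributionPoint("http://crl.example/x-user.crl", only_contains_user_certs=True)
CA_DP = IssuingDistributionPoint("http://crl.example/x-ca.crl", only_contains_ca_certs=True)
SERVER = [CRL("CN=CA X", 17, day_of_oct(2), USER_DP),
          CRL("CN=CA X", 18, day_of_oct(9), USER_DP, base_crl_number=17),  # delta over number 17
          CRL("CN=CA X", 17, day_of_oct(5), CA_DP)]
```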