Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Mon, 11 October 2021 06:28 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Russ Housley <housley@vigilsec.com>, Lijun Liao <lijun.liao@gmail.com>
CC: "spasm@ietf.org" <spasm@ietf.org>, "david.von.oheimb@siemens.com" <david.von.oheimb@siemens.com>, John Gray <John.Gray@entrust.com>
Date: Mon, 11 Oct 2021 06:28:33 +0000
Message-ID: <AM0PR10MB241822FCF1E83E6444FDFAE5FEB59@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <E5F845E3-4281-4409-9085-28CC68751DB3@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/dC51NlKu2OGQEtinGb2gM34BcKs>

Russ

Thank you for this proposal. It looks straightforward.
I will need to dig a little deeper into the partitioning of CRLs and check the requirements of our use case for CRL retrieval via CMP to better understand the complexity needed.

Hendrik

From: Russ Housley <housley@vigilsec.com>
Sent: Saturday, 9 October 2021 21:07
To: Lijun Liao <lijun.liao@gmail.com>
Cc: Brockhaus, Hendrik (T RDA CST SEA-DE) <hendrik.brockhaus@siemens.com>; spasm@ietf.org; von Oheimb, David (T RDA CST SEA-DE) <david.von.oheimb@siemens.com>; John Gray <John.Gray@entrust.com>
Subject: Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL

This is an interesting observation, but it does not seem to cover a certificate with multiple CRL distribution points, indirect CRLs, and delta CRLs.  I'm not sure we want all of that complexity here.  That said, it does make sense to me to list a distribution point name and the thisUpdate for each one.

CRLStatusList ::= SEQUENCE OF CRLStatus

CRLStatus ::= SEQUENCE {
   crldpn    DistributionPointName,
   thisUpdate    Time }

CRLs ::= SEQUENCE OF CertificateList

   GenMsg:    {id-it TBD}, CRLStatusList
   GenRep:    {id-it TBD}, CRLs  |  < absent >

Russ



On Oct 8, 2021, at 4:10 PM, Lijun Liao <lijun.liao@gmail.com> wrote:

Please also consider the following somewhat complicated scenarios:

1. The CA may have multiple CRLs with different scopes. In RFC 4210, id-it 6
seems to work only for a CA with at most one CRL scope.

2. The CA may issue full CRLs and delta CRLs. Between two full
CRLs, one or more delta CRLs will be issued.

Specifying only thisUpdate does not cover the above scenarios. I suggest
defining a new GenMessage (following the direction of Option B) as follows:

New Section
5.3.19.x Extended CRL Retrieval

CRLGenMsg: {id-it TBD}, ExtendedCRLRetrieval

ExtendedCRLRetrieval ::= SEQUENCE {
   lastCRL    LastCRL OPTIONAL,
              -- the meta data of last CRL known to the client
   crlNumber  INTEGER OPTIONAL
              -- only CRL with this number will be returned
}

LastCRL ::= SEQUENCE {
   thisUpdate          TIME,
   sha256DigestValue   OCTET STRING
                       -- SHA256 Fingerprint of CRL
}

GenRep: {id-it TBD}, SEQUENCE (0..MAX) OF CertificateList
                     -- The CA may have multiple CRLs with different scopes

The first time, the client sends an ExtendedCRLRetrieval with an empty
SEQUENCE, and the CA returns the current CRLs of all scopes.

For the case without delta CRLs, the client sends the following request to
get the current CRL only if it was generated after the lastCRL.

ExtendedCRLRetrieval
   lastCRL
       thisUpdate
       sha256DigestValue

The field sha256DigestValue is needed to identify the scope of CRL.

If the current CRL is a delta CRL, the client has to get the full CRL on
which this delta CRL is based. It sends the following request:

ExtendedCRLRetrieval
    lastCRL   -- required only if there is more than 1 scope, since
              -- RFC 5280 allows two CRLs with different scopes to have
              -- the same crlNumber
    crlNumber


Since the response is a sequence of CertificateList, option 1A cannot be
applied here.

Lijun

On Fri, Oct 8, 2021 at 6:41 PM Russ Housley <housley@vigilsec.com> wrote:



On Oct 8, 2021, at 12:36 PM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com> wrote:

My question is, is it OK to reuse id-it-currentCrl together with id-it-crlThisUpdate like this:

   GenMsg:    {id-it 6}, < absent >
   GenRep:    {id-it 6}, CertificateList  |  < absent >

Yes, because <absent> is exactly the same response that would be given if {id-it 6} is unrecognized by the server.

Russ
_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm


--
Lijun Liao
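As an added illustration of the CRLStatusList / CRLs GenMsg-GenRep pair Russ sketches above, and of Lijun's point that an empty first request should yield every current CRL: this is example code written for this note, not from any CMP draft or implementation. The URIs, dates and the plain-Python stand-ins for the ASN.1 types are constructed assumptions; no DER encoding is performed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Plain dataclasses stand in for the proposed ASN.1 types CRLStatus,
# CRLStatusList (list of CRLStatus) and CRLs (list of CertificateList);
# no DER encoding is done (an assumption of this example).

@dataclass(frozen=True)
class CRLStatus:
    crldpn: str            # DistributionPointName, modelled as its URI
    this_update: datetime  # thisUpdate of the CRL the client already holds

@dataclass(frozen=True)
class CertificateList:
    crldpn: str            # distribution point this CRL belongs to
    this_update: datetime
    der: bytes             # the encoded CRL (constructed placeholder)

def select_crls(status_list, repository):
    """Server-side choice of the GenRep body.  An empty CRLStatusList asks
    for every current CRL (the client's first request); otherwise only CRLs
    newer than what the client reported are returned.  None = < absent >."""
    if not status_list:
        return list(repository.values()) or None
    fresh = []
    for status in status_list:
        current = repository.get(status.crldpn)
        # An unknown distribution point contributes nothing to the reply.
        if current is not None and current.this_update > status.this_update:
            fresh.append(current)
    return fresh or None

def utc(y, m, d, hh=0):
    return datetime(y, m, d, hh, tzinfo=timezone.utc)

# Constructed sample: a CA publishing two partitioned CRLs.
REPOSITORY = {
    "http://crl.example/part1.crl": CertificateList(
        "http://crl.example/part1.crl", utc(2021, 10, 10, 12), b"<crl-part1>"),
    "http://crl.example/part2.crl": CertificateList(
        "http://crl.example/part2.crl", utc(2021, 10, 9, 6), b"<crl-part2>"),
}

# The client holds part1 from 9 Oct (stale) and part2 from 9 Oct 06:00 (current).
CLIENT_STATUS = [
    CRLStatus("http://crl.example/part1.crl", utc(2021, 10, 9, 12)),
    CRLStatus("http://crl.example/part2.crl", utc(2021, 10, 9, 6)),
]
```

With CLIENT_STATUS the reply carries only part1; a status list that is fully current, or that names only unknown distribution points, yields None, i.e. the < absent > GenRep.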