Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL

John Gray <John.Gray@entrust.com> Wed, 06 October 2021 21:45 UTC

From: John Gray <John.Gray@entrust.com>
To: Russ Housley <housley@vigilsec.com>, "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
CC: "spasm@ietf.org" <spasm@ietf.org>, "david.von.oheimb@siemens.com" <david.von.oheimb@siemens.com>
Date: Wed, 06 Oct 2021 21:45:03 +0000
Message-ID: <DM6PR11MB25853662F94B5B12933C23F9EAB09@DM6PR11MB2585.namprd11.prod.outlook.com>
References: <AM0PR10MB24181E0CB7F13C5969337F56FEB09@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <C81D6269-EA75-4A0F-9C47-63ED46BA43E0@vigilsec.com>
In-Reply-To: <C81D6269-EA75-4A0F-9C47-63ED46BA43E0@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/t2OirwO9Mgg6rGW2h7R09xH7WsM>

Yes, that is exactly what we are suggesting.

As you know, CRLs can become very large, and it would be a pity to ask for the latest CRL, only to find out we already had the latest CRL.  😊 We had also discussed possibly using a hash of the CRL instead of the time value, but that would cost an extra hash operation and we agreed thisUpdate should be good enough.  I wouldn't expect a CA to be fast enough to issue updated CRLs within 1 second of each other (thus having the same thisUpdate date).

Cheers,

John Gray
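Server-side decision logic for the conditional CRL request discussed above (Russ's Option 1 sketch further down: the client sends the thisUpdate of its newest CRL, the server answers with a CertificateList only if it has a newer one, otherwise with an absent value). This is an added example, not text from the CMP Updates draft nor code from any CMP implementation; the names Crl, parse_generalized_time and gen_rep_for_crl_request are assumed, and the CRL bytes and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Crl:
    """Constructed stand-in for a CertificateList: only the two fields the exchange needs."""
    this_update: datetime  # CRL thisUpdate (UTC, whole seconds, as X.509 encodes it)
    der: bytes             # constructed placeholder for the DER-encoded CRL


def parse_generalized_time(value: str) -> datetime:
    """Parse the X.509 GeneralizedTime form 'YYYYMMDDHHMMSSZ' (no fractional seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def gen_rep_for_crl_request(server_crl: Crl,
                            client_this_update: Optional[datetime]) -> Optional[bytes]:
    """Server side of the Option 1 exchange (assumed helper, not draft text).

    client_this_update is the thisUpdate of the newest CRL the client holds, or None when
    the client sent no time (the plain RFC 4210 5.3.19.6 request, which always gets the CRL).
    Returns the CRL bytes when the server's CRL is strictly newer, otherwise None, i.e. the
    '< absent >' GenRep value. Equal thisUpdate counts as 'client is current', which relies
    on the thread's assumption that a CA does not issue two CRLs within the same second.
    """
    if client_this_update is None:
        return server_crl.der
    if client_this_update.tzinfo is None:
        raise ValueError("thisUpdate must be timezone-aware; X.509 times are always UTC")
    # Compare at whole-second resolution, the precision of the value on the wire.
    client_ts = client_this_update.astimezone(timezone.utc).replace(microsecond=0)
    if server_crl.this_update > client_ts:
        return server_crl.der
    # Client is current, or claims a thisUpdate later than anything this CA issued (clock
    # skew or a CRL from elsewhere); no newer CRL exists to send in either case (assumption).
    return None


def demo() -> dict:
    """Run the cases a server sees; all values are constructed sample data."""
    server_crl = Crl(parse_generalized_time("20211006210000Z"), b"<constructed CRL DER>")
    return {
        "no_time_sent": gen_rep_for_crl_request(server_crl, None),
        "client_stale": gen_rep_for_crl_request(server_crl, parse_generalized_time("20211006090000Z")),
        "client_current": gen_rep_for_crl_request(server_crl, parse_generalized_time("20211006210000Z")),
        "client_ahead": gen_rep_for_crl_request(server_crl, parse_generalized_time("20211007000000Z")),
    }
```

A client that sends no time gets the old unconditional behaviour, so the same server code serves both the existing 5.3.19.6 request and the conditional variant.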

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Wednesday, October 6, 2021 12:23 PM
To: Brockhaus, Hendrik <hendrik.brockhaus@siemens.com>
Cc: spasm@ietf.org; david.von.oheimb@siemens.com; John Gray <John.Gray@entrust.com>
Subject: [EXTERNAL] Re: [lamps] [CMP Updates] Requesting a current CRL

RFC 4210 says:

5.3.19.6.  CRL

   This MAY be used by the client to get a copy of the latest CRL.

      GenMsg:    {id-it 6}, < absent >
      GenRep:    {id-it 6}, CertificateList

I think you are suggesting something like this for Option 1:

5.3.19.X.  Conditional CRL Retrieval

   This MAY be used by the client to get a copy of the latest CRL if a newer one is available.

      GenMsg:    {id-it TBD}, Time
      GenRep:    {id-it TBD}, CertificateList | < absent >

Where Time is the thisUpdate of the most recent CRL known to the client.

If that is the suggestion, then Option 1 seems to follow the general design in RFC 4210.  See Section 5.3.19.1 as an example.

Russ


> On Oct 6, 2021, at 11:53 AM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com> wrote:
>
> There are situations where CMP is used on networks that do not offer HTTP or CoAP, but other transport protocols specified at IEEE or IEC.
> In such cases we use the general message as defined in RFC 4210 Section 5.3.19.6 (https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/rfc4210*section-5.3.19.6__;Iw!!FJ-Y8qCqXTj2!K32dsgB2GqHGjdnUPkY_QKkcXyA_WG_c9clb1EI8fIW05-FtMawTzDIEdSOymuy8jpWMedE$ ) for requesting CRLs.
> Currently the CMP server always sends its most current CRL, regardless of whether the CMP client already has this CRL.
> To avoid sending the same CRL multiple times, we would like to extend the mechanism to send only CRLs that are more current than the one the CMP client already has.
>
> Together with John Gray from Entrust, whom we would also like to add as co-author to the CMP Updates draft, we discussed mainly two implementation options.
>
> Option 1:
> Define a new generalInfo field to be provided in the header of the request message of the general message specified in RFC 4210 Section 5.3.19.6. This ITAV shall contain the thisUpdate time of the most current CRL the CMP client has. The CMP server shall return its CRL if it is more current, and otherwise respond with an empty body.
>
> Option 2:
> Define a new general message type. Sending this new general message, the CMP client requests the thisUpdate time of the most current CRL the CMP server has. If this is more current than the most current CRL the CMP client has, it requests this CRL using the general message specified in RFC 4210 Section 5.3.19.6.
>
> The authors would prefer option 1. What is the opinion of the WG?
>
> BTW, this is the last open issue of this draft. The authors hope that the next update will be the last before WGLC.
>
> Hendrik
>
>
> Siemens AG
> Technology - Research in Digitalization and Automation Security
> Architecture mailto:hendrik.brockhaus@siemens.com
>
> https://urldefense.com/v3/__http://www.siemens.com__;!!FJ-Y8qCqXTj2!K32dsgB2GqHGjdnUPkY_QKkcXyA_WG_c9clb1EI8fIW05-FtMawTzDIEdSOymuy8K9aaZnA$
>
>

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!K32dsgB2GqHGjdnUPkY_QKkcXyA_WG_c9clb1EI8fIW05-FtMawTzDIEdSOymuy8xYOrR-E$