IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL

Russ Housley <housley@vigilsec.com> Sat, 09 October 2021 19:07 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55AA03A0855 for <spasm@ietfa.amsl.com>; Sat, 9 Oct 2021 12:07:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PPdySKTvmyj9 for <spasm@ietfa.amsl.com>; Sat, 9 Oct 2021 12:07:04 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E0793A0774 for <spasm@ietf.org>; Sat, 9 Oct 2021 12:07:03 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 2C693300C2F for <spasm@ietf.org>; Sat, 9 Oct 2021 15:07:04 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id eRQUj0ACUfOb for <spasm@ietf.org>; Sat, 9 Oct 2021 15:07:00 -0400 (EDT)
Received: from [192.168.1.161] (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id E59AB3005D8; Sat, 9 Oct 2021 15:06:59 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <E5F845E3-4281-4409-9085-28CC68751DB3@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2F2C6582-8578-48A6-AC54-07259056374E"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Sat, 09 Oct 2021 15:06:56 -0400
In-Reply-To: <CANNx7D8AaT3+7Ah7tZHXUYRkcgx7CW_ExgciJ4nB90WAuP6tzw@mail.gmail.com>
Cc: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>, "spasm@ietf.org" <spasm@ietf.org>, David von Oheimb <david.von.oheimb@siemens.com>, John Gray <John.Gray@entrust.com>
To: Lijun Liao <lijun.liao@gmail.com>
References: <AM0PR10MB24181E0CB7F13C5969337F56FEB09@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <C81D6269-EA75-4A0F-9C47-63ED46BA43E0@vigilsec.com> <DM6PR11MB25853662F94B5B12933C23F9EAB09@DM6PR11MB2585.namprd11.prod.outlook.com> <VI1PR10MB24298128902B438BCAF406D4FEB19@VI1PR10MB2429.EURPRD10.PROD.OUTLOOK.COM> <FD4EBC6E-77CE-4D96-8D9E-D929C27159D6@vigilsec.com> <AM0PR10MB2418E1DE7004C868C0E3AEA2FEB29@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <EDA2ACBF-E745-430A-A13F-A144B08125AC@vigilsec.com> <AM0PR10MB241887D39072B393C56FB28AFEB29@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <8D6D333A-14A3-4487-967F-CFCAC22D856C@vigilsec.com> <AM0PR10MB241865E9784CC03F81AA9D39FEB29@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <B92F36D2-605F-4E60-A654-AA0F89E310CA@vigilsec.com> <CANNx7D8AaT3+7Ah7tZHXUYRkcgx7CW_ExgciJ4nB90WAuP6tzw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/udl8taLAqsNEMnMqLuOwCIAw5JI>
Subject: Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Oct 2021 19:07:17 -0000

This is an interesting observation, but it does not seem to cover a certificate with multiple CRL distribution points, indirect CRLs, and delta CRLs.  I'm not sure we want all of that complexity here.  That said, it does make sense to me to list a distribution point name and the thisUpdate for each one.

CRLStatusList ::= SEQUENCE OF CRLStatus

CRLStatus ::= SEQUENCE {
   crldpn    DistributionPointName,
   thisUpdate    Time }

CRLs ::= SEQUENCE OF CertificateList

   GenMsg:    {id-it TBD}, CRLStatusList
   GenRep:    {id-it TBD}, CRLs  |  < absent >

Russ


> On Oct 8, 2021, at 4:10 PM, Lijun Liao <lijun.liao@gmail.com> wrote:
> 
> Please also consider the following some complicated scenarios:
> 
> 1. The CA may have multiple CRLs with different scopes. In RFC 4210, id-it 6
> seems to work only for the CA with maximal one CRL scope.
> 
> 2. The CA may issue full CRL and delta CRLs. Between the period of two full
> CRLs, one or more delta CRLs will be issued.
> 
> Specifying only thisUpdate does not cover above scenarios, I will suggest to
> define a new GenMesage (following the direction of Option B) as follows:
> 
> New Section
> 5.3.19.x Extended CRL Retrieval
> 
> CRLGenMsg: {id-it TBD}, ExtendedCRLRetrieval
> 
> ExtendedCRLRetrieval ::= SEQUENCE {
>    lastCRL    LastCRL OPTIONAL, 
>               -- the meta data of last CRL known to the client 
>    crlNumber  INTEGER OPTIONAL
>               -- only CRL with this number will be returned
> }
> 
> LastCRL ::= SEQUENCE {
>    thisUpdate          TIME,
>    sha256DigestValue   OCTET STRING
>                        -- SHA256 Fingerprint of CRL
> }
> 
> GenRep: {id-it TBD}, SEQUENCE (0..MAX) OF CertificateList
>                      -- The CA may have multiple CRLs with different scopes 
> 
> At the first time, the client sends an ExtendedCRLRetrieval with an empty
> SEQUENCE, and the CA returns the current CRLs of all scopes.
> 
> For the case without delta CRL, the client sends the following request to
> get the current CRL only if it is generated after the lastCRL.
> 
> ExtendedCRLRetrieval
>    lastCRL
>        thisUpdate
>        sha256DigestValue
> 
> The field sha256DigestValue is needed to identify the scope of CRL.
> 
> If the current CRL is a delta CRL, the client has to get the full CRL on
> which this delta CRL bases on. It sends the following request:
> 
> ExtendedCRLRetrieval
>     lastCRL   -- required only if there is more than 1 scope, since
>               -- RFC 5280 allows two CRLs with different scopes to have
>               -- the same crlNumber
>     crlNumber 
> 
> 
> Since the response is a sequence of CertificateList, option 1A cannot be
> applied here.
> 
> Lijun
> 
> On Fri, Oct 8, 2021 at 6:41 PM Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>> wrote:
> 
> 
>> On Oct 8, 2021, at 12:36 PM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com <mailto:hendrik.brockhaus@siemens.com>> wrote:
>> 
>> My question is, is it OK to reuse id-it-currentCrl together with id-it-crlThisUpdate like this
>> 
>>    GenMsg:    {id-it 6}, < absent >
>>    GenRep:    {id-it 6}, CertificateList  |  < absent >
> 
> Yes, because <absent> is exactly the same response that would be given if {id-it 6} is unrecognized by the server.
> 
> Russ
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://www.ietf.org/mailman/listinfo/spasm <https://www.ietf.org/mailman/listinfo/spasm>
> 
> 
> -- 
> Lijun Liao

v2.23.0 | Report a Bug | By Email