IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL

David von Oheimb <nl0@von-Oheimb.de> Mon, 11 October 2021 15:16 UTC

Return-Path: <nl0@von-Oheimb.de>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 870843A0A22 for <spasm@ietfa.amsl.com>; Mon, 11 Oct 2021 08:16:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.797
X-Spam-Level:
X-Spam-Status: No, score=-1.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MvVDBTSGO_Oz for <spasm@ietfa.amsl.com>; Mon, 11 Oct 2021 08:16:52 -0700 (PDT)
Received: from server8.webgo24.de (server8.webgo24.de [185.30.32.8]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05CD33A0A21 for <spasm@ietf.org>; Mon, 11 Oct 2021 08:16:50 -0700 (PDT)
Received: from [192.168.178.115] (dynamic-077-009-019-147.77.9.pool.telefonica.de [77.9.19.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server8.webgo24.de (Postfix) with ESMTPSA id C0C5C421E9B; Mon, 11 Oct 2021 17:16:47 +0200 (CEST)
Content-Type: multipart/alternative; boundary="------------lVNtnWRphQVLs2teVSAm6o05"
Message-ID: <0b24c287-a6ac-593e-e0e4-3fd0b9373208@von-Oheimb.de>
Date: Mon, 11 Oct 2021 17:16:47 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.2.0
Content-Language: en-US
To: Russ Housley <housley@vigilsec.com>, Lijun Liao <lijun.liao@gmail.com>
Cc: "spasm@ietf.org" <spasm@ietf.org>, "david.von.oheimb@siemens.com" <david.von.oheimb@siemens.com>, John Gray <John.Gray@entrust.com>, "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
References: <AM0PR10MB24181E0CB7F13C5969337F56FEB09@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <C81D6269-EA75-4A0F-9C47-63ED46BA43E0@vigilsec.com> <DM6PR11MB25853662F94B5B12933C23F9EAB09@DM6PR11MB2585.namprd11.prod.outlook.com> <VI1PR10MB24298128902B438BCAF406D4FEB19@VI1PR10MB2429.EURPRD10.PROD.OUTLOOK.COM> <FD4EBC6E-77CE-4D96-8D9E-D929C27159D6@vigilsec.com> <AM0PR10MB2418E1DE7004C868C0E3AEA2FEB29@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <EDA2ACBF-E745-430A-A13F-A144B08125AC@vigilsec.com> <AM0PR10MB241887D39072B393C56FB28AFEB29@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <8D6D333A-14A3-4487-967F-CFCAC22D856C@vigilsec.com> <AM0PR10MB241865E9784CC03F81AA9D39FEB29@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <B92F36D2-605F-4E60-A654-AA0F89E310CA@vigilsec.com> <CANNx7D8AaT3+7Ah7tZHXUYRkcgx7CW_ExgciJ4nB90WAuP6tzw@mail.gmail.com> <E5F845E3-4281-4409-9085-28CC68751DB3@vigilsec.com> <AM0PR10MB241822FCF1E83E6444FDFAE5FEB59@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
From: David von Oheimb <nl0@von-Oheimb.de>
In-Reply-To: <AM0PR10MB241822FCF1E83E6444FDFAE5FEB59@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vAZQlETilyjvmE8RM1dezVMZAbQ>
Subject: Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a current CRL
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Oct 2021 15:16:57 -0000

Interesting discussion!

It looks to me that the currently open issue boils down to uniquely 
identifying the (latest) CRL information currently known to the client.
Even when scoped, indirect, and delta CRLs need to be taken into account,
according to https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.3
apparently the following data should be sufficient for unique 
identification:

     CRL issuer, scope, and CRL Number,

or am I missing something?

And how is the scope defined/encoded?
I'm having a hard time getting this nailed down from RFC 5280 and other 
sources,
but according to https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.5
<https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.5>it looks 
like the scope is the combination of the following fields:

         onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
         onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
         onlySomeReasons            [3] ReasonFlags OPTIONAL,
         indirectCRL                [4] BOOLEAN DEFAULT FALSE,
         onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }

right?

     David


On 11.10.21 08:28, Brockhaus, Hendrik wrote:
>
> Russ
>
> Thank you for this proposal. It looks straight forward.
>
> I will need to dig a little deeper into the partitioning of CRLs and 
> check the requirements of our use case for CRL retrieval via CMP to 
> better understand the complexity needed.
>
> Hendrik
>
> *Von:* Russ Housley <housley@vigilsec.com>
> *Gesendet:* Samstag, 9. Oktober 2021 21:07
> *An:* Lijun Liao <lijun.liao@gmail.com>
> *Cc:* Brockhaus, Hendrik (T RDA CST SEA-DE) 
> <hendrik.brockhaus@siemens.com>; spasm@ietf.org; von Oheimb, David (T 
> RDA CST SEA-DE) <david.von.oheimb@siemens.com>; John Gray 
> <John.Gray@entrust.com>
> *Betreff:* Re: [lamps] [EXTERNAL] Re: [CMP Updates] Requesting a 
> current CRL
>
> This is an interesting observation, but it does not seem to cover a 
> certificate with multiple CRL distribution points, indirect CRLs, and 
> delta CRLs.  I'm not sure we want all of that complexity here.  That 
> said, it does make sense to me to list a distribution point name and 
> the thisUpdate for each one.
>
> CRLStatusList ::= SEQUENCE OF CRLStatus
>
> CRLStatus ::= SEQUENCE {
>
>    crldpn    DistributionPointName,
>
>    thisUpdate    Time }
>
> CRLs ::= SEQUENCE OF CertificateList
>
>    GenMsg:    {id-it TBD}, CRLStatusList
>
>    GenRep:    {id-it TBD}, CRLs  |  < absent >
>
> Russ
>
>
>
>     On Oct 8, 2021, at 4:10 PM, Lijun Liao <lijun.liao@gmail.com> wrote:
>
>     Please also consider the following some complicated scenarios:
>
>     1. The CA may have multiple CRLs with different scopes. In RFC
>     4210, id-it 6
>     seems to work only for the CA with maximal one CRL scope.
>
>     2. The CA may issue full CRL and delta CRLs. Between the period of
>     two full
>     CRLs, one or more delta CRLs will be issued.
>
>     Specifying only thisUpdate does not cover above scenarios, I will
>     suggest to
>     define a new GenMesage (following the direction of Option B) as
>     follows:
>
>     New Section
>     5.3.19.x Extended CRL Retrieval
>
>     CRLGenMsg: {id-it TBD}, ExtendedCRLRetrieval
>
>     ExtendedCRLRetrieval ::= SEQUENCE {
>        lastCRL    LastCRL OPTIONAL,
>                   -- the meta data of last CRL known to the client
>        crlNumber  INTEGER OPTIONAL
>                   -- only CRL with this number will be returned
>     }
>
>     LastCRL ::= SEQUENCE {
>        thisUpdate          TIME,
>        sha256DigestValue   OCTET STRING
>                            -- SHA256 Fingerprint of CRL
>     }
>
>     GenRep: {id-it TBD}, SEQUENCE (0..MAX) OF CertificateList
>                          -- The CA may have multiple CRLs with
>     different scopes
>
>     At the first time, the client sends an ExtendedCRLRetrieval with
>     an empty
>     SEQUENCE, and the CA returns the current CRLs of all scopes.
>
>     For the case without delta CRL, the client sends the following
>     request to
>     get the current CRL only if it is generated after the lastCRL.
>
>     ExtendedCRLRetrieval
>        lastCRL
>            thisUpdate
>            sha256DigestValue
>
>     The field sha256DigestValue is needed to identify the scope of CRL.
>
>     If the current CRL is a delta CRL, the client has to get the full
>     CRL on
>     which this delta CRL bases on. It sends the following request:
>
>     ExtendedCRLRetrieval
>         lastCRL   -- required only if there is more than 1 scope, since
>                   -- RFC 5280 allows two CRLs with different scopes to
>     have
>                   -- the same crlNumber
>         crlNumber
>
>
>     Since the response is a sequence of CertificateList, option 1A
>     cannot be
>     applied here.
>
>     Lijun
>
>     On Fri, Oct 8, 2021 at 6:41 PM Russ Housley <housley@vigilsec.com>
>     wrote:
>
>
>
>             On Oct 8, 2021, at 12:36 PM, Brockhaus, Hendrik
>             <hendrik.brockhaus@siemens.com> wrote:
>
>             My question is, is it OK to reuse id-it-currentCrl
>             together with id-it-crlThisUpdate like this
>
>                GenMsg:    {id-it 6}, < absent >
>                GenRep:    {id-it 6}, CertificateList  |  < absent >
>
>         Yes, because <absent> is exactly the same response that would
>         be given if {id-it 6} is unrecognized by the server.
>
>         Russ
>
>         _______________________________________________
>         Spasm mailing list
>         Spasm@ietf.org
>         https://www.ietf.org/mailman/listinfo/spasm
>         <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fspasm&data=04%7C01%7Chendrik.brockhaus%40siemens.com%7C9080fd68d327480c486108d98b57fade%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637694032670329792%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=C%2FdOQpYcbCwqFEqoy2EbrVhigeEomECxvLXArmDdWs8%3D&reserved=0>
>
>
>
>     -- 
>
>     Lijun Liao
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email