IETF Logo Mail Archive

Re: [pkix] Errata in section 5.3 from RFC 5280

Sharon Boeyen <sharon.boeyen@entrust.com> Mon, 27 August 2012 16:39 UTC

Return-Path: <sharon.boeyen@entrust.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B6C721F8557 for <pkix@ietfa.amsl.com>; Mon, 27 Aug 2012 09:39:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.043
X-Spam-Level:
X-Spam-Status: No, score=-2.043 tagged_above=-999 required=5 tests=[AWL=0.555, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QnI1KXXmep20 for <pkix@ietfa.amsl.com>; Mon, 27 Aug 2012 09:39:16 -0700 (PDT)
Received: from ipedge2.entrust.com (ipedge2.entrust.com [216.191.252.25]) by ietfa.amsl.com (Postfix) with ESMTP id D128721F8534 for <pkix@ietf.org>; Mon, 27 Aug 2012 09:39:15 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.80,321,1344225600"; d="scan'208,217";a="1792852"
Received: from unknown (HELO SOTTEXCHCAS2.corp.ad.entrust.com) ([10.4.51.224]) by ipedge2.entrust.com with ESMTP; 27 Aug 2012 12:39:12 -0400
Received: from SOTTEXCH10.corp.ad.entrust.com ([fe80::389b:f45b:7ea1:79b7]) by SOTTEXCHCAS2.corp.ad.entrust.com ([::1]) with mapi id 14.02.0318.001; Mon, 27 Aug 2012 12:39:12 -0400
From: Sharon Boeyen <sharon.boeyen@entrust.com>
To: Russ Housley <housley@vigilsec.com>
Thread-Topic: [pkix] Errata in section 5.3 from RFC 5280
Thread-Index: AQHNgWwH3CKKlFKDe0yhDO+TlkrrvJdt1YVg
Date: Mon, 27 Aug 2012 16:39:10 +0000
Message-ID: <65DA4BEA501AFC409DF274CC71ED01A53A551F2B@SOTTEXCH10.corp.ad.entrust.com>
References: <OFCA1B2349.15BDB7F8-ONC1257A62.005BE395-C1257A62.005D4F63@bull.net> <20120822204613.717341A1A8@ld9781.wdf.sap.corp> <OF7212BDF4.EECB268F-ONC1257A63.005BBEF7-C1257A63.005FB3BF@bull.net> <3115DBF8-631C-46A1-827B-E6E93B532A47@vigilsec.com> <B83745DA469B7847811819C5005244AF36299E28@scygexch7.cygnacom.com> <BB6C1CE6-3F04-402A-9AEA-F114FA164050@vigilsec.com>
In-Reply-To: <BB6C1CE6-3F04-402A-9AEA-F114FA164050@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.4.161.14]
Content-Type: multipart/alternative; boundary="_000_65DA4BEA501AFC409DF274CC71ED01A53A551F2BSOTTEXCH10corpa_"
MIME-Version: 1.0
Cc: IETF PKIX <pkix@ietf.org>
Subject: Re: [pkix] Errata in section 5.3 from RFC 5280
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2012 16:39:31 -0000

Russ, I realize the RFC 5280 references the 2005 edition of X.509. However the 2009 edition (freely available at http://www.x500standard.com/index.php?n=Ig.LatestAvail ) revises this text again slightly and I think makes the intent even clearer. It states (as part of the main text and no longer a note):

If an extension affects the treatment of the list (e.g., multiple CRLs need to be scanned to examine the entire list of revoked certificates, or an entry may represent a range of certificates), then either that extension or a related extension shall be indicated as critical in the crlExtensions field. Therefore, a critical extension in the crlEntryExtensions field of an entry shall affect only the certificate specified in that entry, unless there is a related critical extension in the crlExtensions field that advertises a special treatment for it. The only example of this situation defined in this Specification is the certificateIssuer CRL entry extension and the related issuingDistributionPoint CRL extension when the indirectCRL Boolean from that extension is set to TRUE.


This is clearly the case for certificateIssuer as you indicate below and as you note below the only other 2 standard crl entry extensions are irrelevant as they can only ever be non-critical and affect only the single identified revoked certificate. Any private extension that might be defined as a crlEntry extension would also have to follow that same rule to be compliant with the base standard. I do believe the 2005 text was clear but offer this 2009 as additional confirmation of the intent (I personally find this text even clearer).

Cheers,
Sharon


From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Russ Housley
Sent: Thursday, August 23, 2012 4:15 PM
To: Santosh Chokhani
Cc: IETF PKIX
Subject: Re: [pkix] Errata in section 5.3 from RFC 5280

Santosh:


RFC 5280 describes three CRL Entry Extensions, and all of them come from X.509:

            5.3.1.  Reason Code
            5.3.2.  Invalidity Date
            5.3.3.  Certificate Issuer

The first two do not have the concern that you describe, and the third one should only be present if the CRL includes the IssuingDistributionPoint CRL extension, and that extension includes the indirectCRL set to TRUE.  The IssuingDistributionPoint CRL extension must be critical.  RFC 5280 says:

   The issuing distribution point is a critical CRL extension that
   identifies the CRL distribution point and scope for a particular CRL,
   and it indicates whether the CRL covers revocation for end entity
   certificates only, CA certificates only, attribute certificates only,
   or a limited set of reason codes.  Although the extension is
   critical, conforming implementations are not required to support this
   extension.  However, implementations that do not support this
   extension MUST either treat the status of any certificate not listed
   on this CRL as unknown or locate another CRL that does not contain
   any unrecognized critical extensions.

To my mind, the support for the critical IssuingDistributionPoint CRL extension includes the proper support for the Certificate Issuer CRL entry extension.

Russ


On Aug 23, 2012, at 4:01 PM, Santosh Chokhani wrote:


Russ,

The problem with Denis's proposal is that he wants to replace the text of not using the CRL.

I have cited a specific example in 5280 itself where an entry extension scope goes beyond that of the entry.  It potentially impacts subsequent entries.

Thus, Denis's proposal is unacceptable.  If he just wanted to add the sentence as opposed to replace, it would be fine.

In general, unless 5280 and X.509 stated that an entry extension cannot impact semantics of anything in the CRL other than the entry itself, what you say is unacceptable and potentially insecure.

From: pkix-bounces@ietf.org<mailto:pkix-bounces@ietf.org> [mailto:pkix-bounces@ietf.org]<mailto:[mailto:pkix-bounces@ietf.org]> On Behalf Of Russ Housley
Sent: Thursday, August 23, 2012 3:50 PM
To: denis.pinkas@bull.net<mailto:denis.pinkas@bull.net>
Cc: IETF PKIX
Subject: Re: [pkix] Errata in section 5.3 from RFC 5280


I agree with the proposal that Denis makes.  I support his proposed text.

This validates my text proposal which still is:

   If a CRL contains a critical CRL entry extension that the application
  cannot process, then the application MUST NOT use that CRL entry to
  determine the status of this certificate". :

Russ

v2.23.0 | Report a Bug | By Email