Re: [pkix] Errata in section 5.3 from RFC 5280
Sharon Boeyen <sharon.boeyen@entrust.com> Mon, 27 August 2012 16:39 UTC
Return-Path: <sharon.boeyen@entrust.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B6C721F8557 for <pkix@ietfa.amsl.com>; Mon, 27 Aug 2012 09:39:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.043
X-Spam-Level:
X-Spam-Status: No, score=-2.043 tagged_above=-999 required=5 tests=[AWL=0.555, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QnI1KXXmep20 for <pkix@ietfa.amsl.com>; Mon, 27 Aug 2012 09:39:16 -0700 (PDT)
Received: from ipedge2.entrust.com (ipedge2.entrust.com [216.191.252.25]) by ietfa.amsl.com (Postfix) with ESMTP id D128721F8534 for <pkix@ietf.org>; Mon, 27 Aug 2012 09:39:15 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.80,321,1344225600"; d="scan'208,217";a="1792852"
Received: from unknown (HELO SOTTEXCHCAS2.corp.ad.entrust.com) ([10.4.51.224]) by ipedge2.entrust.com with ESMTP; 27 Aug 2012 12:39:12 -0400
Received: from SOTTEXCH10.corp.ad.entrust.com ([fe80::389b:f45b:7ea1:79b7]) by SOTTEXCHCAS2.corp.ad.entrust.com ([::1]) with mapi id 14.02.0318.001; Mon, 27 Aug 2012 12:39:12 -0400
From: Sharon Boeyen <sharon.boeyen@entrust.com>
To: Russ Housley <housley@vigilsec.com>
Thread-Topic: [pkix] Errata in section 5.3 from RFC 5280
Thread-Index: AQHNgWwH3CKKlFKDe0yhDO+TlkrrvJdt1YVg
Date: Mon, 27 Aug 2012 16:39:10 +0000
Message-ID: <65DA4BEA501AFC409DF274CC71ED01A53A551F2B@SOTTEXCH10.corp.ad.entrust.com>
References: <OFCA1B2349.15BDB7F8-ONC1257A62.005BE395-C1257A62.005D4F63@bull.net> <20120822204613.717341A1A8@ld9781.wdf.sap.corp> <OF7212BDF4.EECB268F-ONC1257A63.005BBEF7-C1257A63.005FB3BF@bull.net> <3115DBF8-631C-46A1-827B-E6E93B532A47@vigilsec.com> <B83745DA469B7847811819C5005244AF36299E28@scygexch7.cygnacom.com> <BB6C1CE6-3F04-402A-9AEA-F114FA164050@vigilsec.com>
In-Reply-To: <BB6C1CE6-3F04-402A-9AEA-F114FA164050@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.4.161.14]
Content-Type: multipart/alternative; boundary="_000_65DA4BEA501AFC409DF274CC71ED01A53A551F2BSOTTEXCH10corpa_"
MIME-Version: 1.0
Cc: IETF PKIX <pkix@ietf.org>
Subject: Re: [pkix] Errata in section 5.3 from RFC 5280
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2012 16:39:31 -0000
Russ, I realize the RFC 5280 references the 2005 edition of X.509. However the 2009 edition (freely available at http://www.x500standard.com/index.php?n=Ig.LatestAvail ) revises this text again slightly and I think makes the intent even clearer. It states (as part of the main text and no longer a note): If an extension affects the treatment of the list (e.g., multiple CRLs need to be scanned to examine the entire list of revoked certificates, or an entry may represent a range of certificates), then either that extension or a related extension shall be indicated as critical in the crlExtensions field. Therefore, a critical extension in the crlEntryExtensions field of an entry shall affect only the certificate specified in that entry, unless there is a related critical extension in the crlExtensions field that advertises a special treatment for it. The only example of this situation defined in this Specification is the certificateIssuer CRL entry extension and the related issuingDistributionPoint CRL extension when the indirectCRL Boolean from that extension is set to TRUE. This is clearly the case for certificateIssuer as you indicate below and as you note below the only other 2 standard crl entry extensions are irrelevant as they can only ever be non-critical and affect only the single identified revoked certificate. Any private extension that might be defined as a crlEntry extension would also have to follow that same rule to be compliant with the base standard. I do believe the 2005 text was clear but offer this 2009 as additional confirmation of the intent (I personally find this text even clearer). Cheers, Sharon From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Russ Housley Sent: Thursday, August 23, 2012 4:15 PM To: Santosh Chokhani Cc: IETF PKIX Subject: Re: [pkix] Errata in section 5.3 from RFC 5280 Santosh: RFC 5280 describes three CRL Entry Extensions, and all of them come from X.509: 5.3.1. Reason Code 5.3.2. Invalidity Date 5.3.3. Certificate Issuer The first two do not have the concern that you describe, and the third one should only be present if the CRL includes the IssuingDistributionPoint CRL extension, and that extension includes the indirectCRL set to TRUE. The IssuingDistributionPoint CRL extension must be critical. RFC 5280 says: The issuing distribution point is a critical CRL extension that identifies the CRL distribution point and scope for a particular CRL, and it indicates whether the CRL covers revocation for end entity certificates only, CA certificates only, attribute certificates only, or a limited set of reason codes. Although the extension is critical, conforming implementations are not required to support this extension. However, implementations that do not support this extension MUST either treat the status of any certificate not listed on this CRL as unknown or locate another CRL that does not contain any unrecognized critical extensions. To my mind, the support for the critical IssuingDistributionPoint CRL extension includes the proper support for the Certificate Issuer CRL entry extension. Russ On Aug 23, 2012, at 4:01 PM, Santosh Chokhani wrote: Russ, The problem with Denis's proposal is that he wants to replace the text of not using the CRL. I have cited a specific example in 5280 itself where an entry extension scope goes beyond that of the entry. It potentially impacts subsequent entries. Thus, Denis's proposal is unacceptable. If he just wanted to add the sentence as opposed to replace, it would be fine. In general, unless 5280 and X.509 stated that an entry extension cannot impact semantics of anything in the CRL other than the entry itself, what you say is unacceptable and potentially insecure. From: pkix-bounces@ietf.org<mailto:pkix-bounces@ietf.org> [mailto:pkix-bounces@ietf.org]<mailto:[mailto:pkix-bounces@ietf.org]> On Behalf Of Russ Housley Sent: Thursday, August 23, 2012 3:50 PM To: denis.pinkas@bull.net<mailto:denis.pinkas@bull.net> Cc: IETF PKIX Subject: Re: [pkix] Errata in section 5.3 from RFC 5280 I agree with the proposal that Denis makes. I support his proposed text. This validates my text proposal which still is: If a CRL contains a critical CRL entry extension that the application cannot process, then the application MUST NOT use that CRL entry to determine the status of this certificate". : Russ
- Re: [pkix] Errata in section 5.3 from RFC 5280 Russ Housley
- [pkix] Errata in section 5.3 from RFC 5280 denis.pinkas
- Re: [pkix] Errata in section 5.3 from RFC 5280 Paul Hoffman
- Re: [pkix] Errata in section 5.3 from RFC 5280 Santosh Chokhani
- Re: [pkix] Errata in section 5.3 from RFC 5280 Martin Rex
- Re: [pkix] Errata in section 5.3 from RFC 5280 denis.pinkas
- Re: [pkix] Errata in section 5.3 from RFC 5280 Rich Smith
- Re: [pkix] Errata in section 5.3 from RFC 5280 Russ Housley
- Re: [pkix] Errata in section 5.3 from RFC 5280 Santosh Chokhani
- Re: [pkix] Errata in section 5.3 from RFC 5280 Russ Housley
- [pkix] Proposed change in section 5.3 from RFC 52… Paul Hoffman
- Re: [pkix] Errata in section 5.3 from RFC 5280 Piyush Jain
- Re: [pkix] Errata in section 5.3 from RFC 5280 Piyush Jain
- Re: [pkix] Errata in section 5.3 from RFC 5280 Santosh Chokhani
- Re: [pkix] Errata in section 5.3 from RFC 5280 Martin Rex
- Re: [pkix] Errata in section 5.3 from RFC 5280 Piyush Jain
- Re: [pkix] Errata in section 5.3 from RFC 5280 Erwann Abalea
- Re: [pkix] Errata in section 5.3 from RFC 5280 Sharon Boeyen
- Re: [pkix] Errata in section 5.3 from RFC 5280 Russ Housley
- Re: [pkix] Errata in section 5.3 from RFC 5280 Sharon Boeyen
- Re: [pkix] Errata in section 5.3 from RFC 5280 denis.pinkas
- Re: [pkix] Errata in section 5.3 from RFC 5280 Sean Turner
- Re: [pkix] Errata in section 5.3 from RFC 5280 Santosh Chokhani
- Re: [pkix] Errata in section 5.3 from RFC 5280 Piyush Jain
- Re: [pkix] Errata in section 5.3 from RFC 5280 denis.pinkas
- Re: [pkix] Errata in section 5.3 from RFC 5280 Sean Turner
- Re: [pkix] Errata in section 5.3 from RFC 5280 Sharon Boeyen
- Re: [pkix] Errata in section 5.3 from RFC 5280 Martin Rex
- Re: [pkix] Errata in section 5.3 from RFC 5280 Martin Rex
- Re: [pkix] Errata in section 5.3 from RFC 5280 Jon Doyle (AzureCoast)
- Re: [pkix] Errata in section 5.3 from RFC 5280 Piyush Jain
- Re: [pkix] Errata in section 5.3 from RFC 5280 denis.pinkas
- Re: [pkix] Errata in section 5.3 from RFC 5280 Martin Rex