Nelson,
Nelson B Bolyard wrote:
Eddy Nigg wrote, On 2009-01-12 14:51:
On 01/13/2009 12:37 AM, Julien R Pierre - Sun Microsystems:
I agree. The person who wrote that page must have misunderstood the
meaning of the CRL Issuing Distribution Points extension. This extension
is required to be critical in RFC 3280 and 5280 for good reason - it
defines the scope of the CRL. Unless the client software understands the
scope, the CRL is meaningless to it. It should not be confused with a
full CRL.
I don't know that the presence of a CIDP necessarily means that the CRL is
not a full CRL. The original comment arose in the context of a CA that
was putting CIDP into their full CRLs.
Why would they do that?
The whole purpose of the IDP extension is to define a scope other than
that of a full CRL, i.e. a partial CRL, or to be an indirect CRL (i.e. a
CRL for another CA).
In that particular case, if a CA wants to create a full CRL for
themselves, the proper behavior would be to omit the IDP extension
altogether, not to include it but make it non-critical.
I think this was Kathleen, however based on comments from here. As I
understood (from Nelson), CRLs with critical CIDP extension fail to load
properly with NSS. Is this correct?
Yes. And that's appropriate for partial CRLs.
The IDP extension is defined as follows:

issuingDistributionPoint ::= SEQUENCE {
    distributionPoint          [0] DistributionPointName OPTIONAL,
    onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
    onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
    onlySomeReasons            [3] ReasonFlags OPTIONAL,
    indirectCRL                [4] BOOLEAN DEFAULT FALSE,
    onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
I suppose you can technically construct a full CRL, if you set all 4
boolean fields to false, and omit the optional DistributionPointName and
ReasonFlags. However, at that point, the IDP extension no longer serves
any purpose whatsoever - there is no other useful field left.
And as RFC3280 notes in section 5.2.5:
"Although the extension is critical, conforming implementations are not
required to support this extension."
Thus, any CA that is creating full CRLs with an IDP encoded as I
described above is just shooting themselves in the foot, as their full
CRLs will not decode with compliant implementations that don't
understand IDP - as is currently the case for NSS.
I also don't think the CAs should be violating RFC3280 by making the
extension non-critical. They just need to omit the IDP extension if it's
not needed.
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
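As an added example, not code from this thread or from NSS: a minimal DER reader for the issuingDistributionPoint SEQUENCE defined above, plus a classifier that models the outcomes discussed (critical IDP rejected by a client without IDP support, non-critical IDP non-conformant, default-only IDP pointless). The sample DER values and the URI inside them are constructed here for illustration.

```python
from typing import Optional

# Context tags from the ASN.1 above; [0] is EXPLICIT (it wraps a CHOICE), the rest are IMPLICIT.
FIELDS = {0xA0: "distributionPoint", 0x81: "onlyContainsUserCerts", 0x82: "onlyContainsCACerts",
          0x83: "onlySomeReasons", 0x84: "indirectCRL", 0x85: "onlyContainsAttributeCerts"}
BOOLEANS = {0x81, 0x82, 0x84, 0x85}

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short-form length is enough for the samples below)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def _tlv(data: bytes, pos: int):
    """Read one DER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def parse_idp(ext_value: bytes) -> dict:
    """Decode the extension value into {field: value}; absent (DEFAULT) fields are left out."""
    tag, body, _ = _tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("issuingDistributionPoint must be a SEQUENCE")
    idp, pos = {}, 0
    while pos < len(body):
        t, v, pos = _tlv(body, pos)
        if t not in FIELDS:
            raise ValueError(f"unexpected tag 0x{t:02x} in issuingDistributionPoint")
        idp[FIELDS[t]] = (v == b"\xff") if t in BOOLEANS else v
    return idp

def is_full_scope(idp: dict) -> bool:
    """True when the IDP narrows nothing: no name, no reasons, every BOOLEAN FALSE."""
    return not any(idp.values())

def classify_crl(critical: bool, ext_value: Optional[bytes], client_supports_idp: bool) -> str:
    """Outcome for a CRL carrying this IDP extension value (None = extension absent)."""
    if ext_value is None:
        return "full CRL"
    if not critical:
        return "non-conformant: IDP MUST be critical (RFC 3280 5.2.5)"
    if not client_supports_idp:
        return "rejected: unsupported critical extension"
    if is_full_scope(parse_idp(ext_value)):
        return "full CRL, but the IDP serves no purpose and should be omitted"
    return "partial or indirect CRL"

# Constructed samples; DER omits DEFAULT-valued fields, so "all FALSE, no name, no reasons" is an empty SEQUENCE.
FULL_SCOPE_IDP = der(0x30, b"")
PARTIAL_IDP = der(0x30, der(0xA0, der(0xA0, der(0x86, b"http://crl.example.test/u.crl")))  # placeholder URI
                    + der(0x81, b"\xff"))  # onlyContainsUserCerts TRUE
```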