kathleen95...@yahoo.com wrote:
As reported in https://bugzilla.mozilla.org/show_bug.cgi?id=408949#c27
this CA uses partitioned CRLs with CRL IDP extensions marked critical.
NSS does not handle partitioned CRLs at this time, and any CRLs with
critical CRL IDP extensions are rejected due to the presence of
unknown critical extensions.  At present, this causes no problem
because Firefox and NSS do not automatically fetch CRLs using the
CRL DP extension.  But we're working on that, and when we implement
it, it may well cause problems.

Comments #35 and #36 had updates on this:
"Exactly, our design of full CRL is in line with your recommendation. Our full CRL (http://crl1.hongkongpost.gov.hk/crl/eCertCA1CRL1.crl) does not carry the CIDP extensions."

The recommended way of handling such a situation should then be to include *two* CRL DPs in the certificates:
- the CRL DP of the crl with a CRL IDP extension,
- next the CRL DP of the full crl.

I'll check as soon as I have time, but I think I remember RFC5280 explicitly recommends that, and that it's not just something that makes sense when you do have a full crl in addition to the partitioned one.

Otherwise I'm surprised at the way they use the CRL DP/CRL IDP extensions and from what I remember of the norm my first reaction would be that their method is technically wrong, but I'll first take the time to recheck the norm.

More precisely it seems they use the CRL IDP in order to restrain the validity of the CRL so that it's valid only for the certificates that have been signed by the CA cert with serial number "03 ed" (obviously in order to make the CRL invalid for the new CA certificates on the day they'll renew the CA cert).

But I'm not sure this works the way it's been done, because AFAIR the rule is that the content of the IDP *must* match the content of the DP, and there's no reference to the CA cert with serial number "03 ed" in the DP. But yes, it's indeed the CA cert that signed this certificate as referenced by the AKI, so it might just be me not remembering the rule that makes this case work.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
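The two behaviours discussed in this thread, a validator rejecting a CRL that carries a critical extension it does not implement and the RFC 5280 rule that the IDP of a CRL must match the DP of the certificate, can be modelled in a few lines. The following Python is an added example written for this page; it is not code from the thread, from NSS, or from the CA. It models RFC 5280 section 6.3.3 step (b) in full (issuer check, indirect CRLs, IDP name matching and the scope booleans), so it goes slightly beyond the single case the post describes. All issuer names, URIs and the `NSS_LIKE` set of supported extensions are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Real RFC 5280 extension OIDs, used here only to label critical extensions.
OID_CRL_NUMBER = "2.5.29.20"   # cRLNumber
OID_IDP = "2.5.29.28"          # issuingDistributionPoint
OID_AKI = "2.5.29.35"          # authorityKeyIdentifier


@dataclass(frozen=True)
class DistributionPoint:
    """One entry of a certificate's cRLDistributionPoints extension."""
    names: FrozenSet[str] = frozenset()   # distributionPoint full names (URIs)
    crl_issuer: Optional[str] = None      # cRLIssuer, only present for indirect CRLs


@dataclass(frozen=True)
class IssuingDistributionPoint:
    """The CRL's issuingDistributionPoint extension (RFC 5280 section 5.2.5)."""
    names: FrozenSet[str] = frozenset()
    only_user_certs: bool = False
    only_ca_certs: bool = False
    only_attribute_certs: bool = False
    indirect_crl: bool = False


@dataclass(frozen=True)
class CRL:
    issuer: str
    critical_extensions: FrozenSet[str]
    idp: Optional[IssuingDistributionPoint] = None


def unknown_critical_extensions(crl: CRL, supported: FrozenSet[str]) -> FrozenSet[str]:
    """Critical extensions the validator does not implement. Any such extension
    forces rejection of the CRL (RFC 5280 section 5.2); this is the NSS
    behaviour the thread describes for critical IDP extensions."""
    return crl.critical_extensions - supported


def crl_scope_ok(crl: CRL, dp: DistributionPoint, cert_issuer: str, cert_is_ca: bool) -> bool:
    """RFC 5280 section 6.3.3 step (b): check issuer and scope of one candidate
    CRL against one distribution point of the certificate."""
    # (b)(1): CRL issuer must equal cRLIssuer (indirect CRL, which must then
    # assert indirectCRL in its IDP), otherwise the certificate issuer.
    if dp.crl_issuer is not None:
        if crl.issuer != dp.crl_issuer:
            return False
        if crl.idp is None or not crl.idp.indirect_crl:
            return False
    elif crl.issuer != cert_issuer:
        return False
    idp = crl.idp
    if idp is None:
        return True  # a full CRL without an IDP is in scope for any DP of this issuer
    # (b)(2)(i): an IDP distribution point name must match a name in the DP, or
    # match the DP's cRLIssuer when the DP has no distributionPoint field.
    if idp.names:
        if dp.names:
            if not (idp.names & dp.names):
                return False
        elif dp.crl_issuer not in idp.names:
            return False
    # (b)(2)(ii)-(iv): the IDP scope booleans must fit the certificate being checked.
    if idp.only_user_certs and cert_is_ca:
        return False
    if idp.only_ca_certs and not cert_is_ca:
        return False
    if idp.only_attribute_certs:
        return False
    return True


def select_crl(dps: Iterable[DistributionPoint], candidates: Iterable[CRL],
               cert_issuer: str, cert_is_ca: bool, supported: FrozenSet[str]) -> Optional[CRL]:
    """Walk the certificate's DPs in order; return the first candidate CRL the
    validator understands and that is in scope for that DP, else None."""
    candidates = list(candidates)
    for dp in dps:
        for crl in candidates:
            if unknown_critical_extensions(crl, supported):
                continue
            if crl_scope_ok(crl, dp, cert_issuer, cert_is_ca):
                return crl
    return None


# Constructed sample data (not the CA's real issuer name or URIs).
CA_NAME = "CN=Example Issuing CA"
PARTITION_URI = "http://crl.example.test/partition-03ed.crl"
FULL_CRL_URI = "http://crl.example.test/full.crl"
OTHER_URI = "http://crl.example.test/partition-04aa.crl"

# Certificate carrying two DPs: the partitioned CRL first, the full CRL second.
CERT_DPS = (DistributionPoint(names=frozenset({PARTITION_URI})),
            DistributionPoint(names=frozenset({FULL_CRL_URI})))
PARTITIONED_CRL = CRL(CA_NAME, frozenset({OID_IDP}),
                      IssuingDistributionPoint(names=frozenset({PARTITION_URI})))
FULL_CRL = CRL(CA_NAME, frozenset())
MISMATCHED_CRL = CRL(CA_NAME, frozenset({OID_IDP}),
                     IssuingDistributionPoint(names=frozenset({OTHER_URI})))

NSS_LIKE = frozenset({OID_CRL_NUMBER, OID_AKI})   # assumed: no IDP support, as in the thread
IDP_AWARE = NSS_LIKE | {OID_IDP}

if __name__ == "__main__":
    for label, supported in (("no IDP support", NSS_LIKE), ("IDP support", IDP_AWARE)):
        chosen = select_crl(CERT_DPS, (PARTITIONED_CRL, FULL_CRL), CA_NAME, False, supported)
        kind = "none" if chosen is None else ("full CRL" if chosen.idp is None else "partitioned CRL")
        print(f"{label}: {kind}")
```

With the `NSS_LIKE` extension set the partitioned CRL is skipped because of its unknown critical IDP and the validator falls through to the full CRL named by the second DP; with IDP support the partitioned CRL is accepted because its IDP name equals the DP name. A certificate that carries only the partitioned DP gets no usable CRL at all from an `NSS_LIKE` validator, which is the failure the first quoted message anticipates once CRL fetching is automated, and a CRL whose IDP names a point absent from the certificate's DP is rejected even by an IDP-aware validator, which is the matching rule the reply recalls.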