Frank Hecker wrote:
> I understand your concern. Both RFC 3280 and RFC 5280 clearly allow for 
> multiple names to be listed with the CRL DP extension; however they also 
> say that
> 
>    If the DistributionPointName contains multiple values, each name
>    describes a different mechanism to obtain *the same CRL*.  For
>    example, the same CRL could be available for retrieval through both
>    LDAP and HTTP. [emphasis added]

Note that it refers to the DistributionPoint*Name*, not the
DistributionPoint itself - i.e. the CDP extension of a certificate can
certainly include multiple HTTP URIs (all pointing to the same CRL).

Looking at a real-world sample, this is the CDP extension we see in
server certs of a pretty well-known CA:

  SEQUENCE {
    SEQUENCE {
      [0] {
        [0] {
          [6]
            'http://crl.comodoca.com/UTN-USERFirst-Hardware.c'
            'rl'
          }
        }
      }
    SEQUENCE {
      [0] {
        [0] {
          [6]
            'http://crl.comodo.net/UTN-USERFirst-Hardware.crl'
          }
        }
      }
    }
  }

I.e., it's a sequence of two distribution points, each with a URI
specifying the HTTP mechanism for accessing the (same) CRL. What the
paragraph you're quoting actually deals with, however, is the case where
one of these DPs itself would have multiple values, i.e. the ASN.1
structure would look like (the second URI is completely fictitious, NB):

  SEQUENCE {
    SEQUENCE {
      [0] {
        [0] {
          [6]
            'http://crl.comodoca.com/UTN-USERFirst-Hardware.c'
            'rl'
          [6]
            'ldap://ldap.comodoca.com/cn=UTN-USERFirst-Hardwa'
            're,dc=usertrust,dc=com?certificateRevocationList'
            '?base?objectClass=cRLDistributionPoint'
          }
        }
      }
    }
  }

The second form is probably pretty rarely seen (and only in this case
would the requirement for different mechanisms apply).

Kaspar


---

FWIW, here's the definition from RFC 5280, which might help in
determining all the nesting levels:

   id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 }

   CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

   DistributionPoint ::= SEQUENCE {
        distributionPoint       [0]     DistributionPointName OPTIONAL,
        reasons                 [1]     ReasonFlags OPTIONAL,
        cRLIssuer               [2]     GeneralNames OPTIONAL }

   DistributionPointName ::= CHOICE {
        fullName                [0]     GeneralNames,
        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
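Added example (not part of the thread above, and not code from any CA or from NSS): a stdlib-only Python script that encodes both CRLDistributionPoints layouts discussed in the post as DER, walks the nesting levels from the RFC 5280 definition, and extracts the URIs per DistributionPoint. The two HTTP URIs are the ones from the quoted real-world dump; the LDAP URI is the post's fictitious one, reproduced for illustration only. The DER helpers are written here from the ASN.1 definition (distributionPoint [0] is an explicit tag because it wraps a CHOICE; fullName [0] and uniformResourceIdentifier [6] are implicit), so a mismatch with a real certificate's bytes would indicate a bug in this example, not in the certificate.

```python
# Added example: encode/decode the two CRLDistributionPoints layouts from the
# post using only the standard library. Tag bytes follow RFC 5280 (implicit
# tagging by default; [0] around the DistributionPointName CHOICE is explicit).

TAG_SEQUENCE = 0x30   # SEQUENCE / SEQUENCE OF (constructed)
TAG_CTX0_CONS = 0xA0  # [0] constructed: distributionPoint (explicit) and fullName (implicit)
TAG_CTX6_PRIM = 0x86  # [6] primitive: uniformResourceIdentifier IA5String (implicit)


def der_len(n: int) -> bytes:
    """DER length: short form below 128, otherwise long form with a byte count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def uri(u: str) -> bytes:
    return tlv(TAG_CTX6_PRIM, u.encode("ascii"))          # GeneralName.uniformResourceIdentifier


def distribution_point(*names: bytes) -> bytes:
    full_name = tlv(TAG_CTX0_CONS, b"".join(names))       # DistributionPointName.fullName
    dp_name = tlv(TAG_CTX0_CONS, full_name)               # DistributionPoint.distributionPoint [0]
    return tlv(TAG_SEQUENCE, dp_name)                     # DistributionPoint ::= SEQUENCE


def crl_distribution_points(*dps: bytes) -> bytes:
    return tlv(TAG_SEQUENCE, b"".join(dps))               # SEQUENCE SIZE (1..MAX) OF DistributionPoint


def read_tlv(buf: bytes, off: int):
    """Parse one DER TLV at offset off; return (tag, content, offset after it)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, off = first, off + 2
    else:
        n = first & 0x7F
        length, off = int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n
    return tag, buf[off:off + length], off + length


def iter_tlvs(buf: bytes):
    off = 0
    while off < len(buf):
        tag, content, off = read_tlv(buf, off)
        yield tag, content


def crl_dp_uris(ext: bytes) -> list:
    """Return one list of URIs per DistributionPoint (other GeneralName types are ignored)."""
    tag, dps, end = read_tlv(ext, 0)
    if tag != TAG_SEQUENCE or end != len(ext):
        raise ValueError("CRLDistributionPoints must be a single SEQUENCE")
    result = []
    for dp_tag, dp in iter_tlvs(dps):
        if dp_tag != TAG_SEQUENCE:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        uris = []
        for field_tag, field in iter_tlvs(dp):
            if field_tag != TAG_CTX0_CONS:        # skip reasons [1] and cRLIssuer [2]
                continue
            name_tag, names, _ = read_tlv(field, 0)   # explicit [0] wraps the CHOICE
            if name_tag != TAG_CTX0_CONS:         # [1] nameRelativeToCRLIssuer carries no URIs
                continue
            for gn_tag, gn in iter_tlvs(names):
                if gn_tag == TAG_CTX6_PRIM:
                    uris.append(gn.decode("ascii"))
        result.append(uris)
    return result


def dump(buf: bytes, indent: int = 0) -> str:
    """Render DER in the dumpasn1-like notation used in the post (constructed tags recurse)."""
    out = []
    for tag, content in iter_tlvs(buf):
        label = "SEQUENCE" if tag == TAG_SEQUENCE else "[%d]" % (tag & 0x1F)
        if tag & 0x20:
            out.append(" " * indent + label + " {")
            out.append(dump(content, indent + 2))
            out.append(" " * indent + "}")
        else:
            out.append(" " * indent + "%s '%s'" % (label, content.decode("ascii")))
    return "\n".join(out)


# URIs taken from the post; the LDAP one is the post's fictitious example.
HTTP_1 = "http://crl.comodoca.com/UTN-USERFirst-Hardware.crl"
HTTP_2 = "http://crl.comodo.net/UTN-USERFirst-Hardware.crl"
LDAP_1 = ("ldap://ldap.comodoca.com/cn=UTN-USERFirst-Hardware,dc=usertrust,dc=com"
          "?certificateRevocationList?base?objectClass=cRLDistributionPoint")

# Form 1: two DistributionPoints, one URI each (the real-world layout).
TWO_DPS = crl_distribution_points(distribution_point(uri(HTTP_1)),
                                  distribution_point(uri(HTTP_2)))
# Form 2: one DistributionPoint whose name carries two GeneralNames; only
# this layout is what the "different mechanism to obtain the same CRL" text covers.
ONE_DP_TWO_NAMES = crl_distribution_points(distribution_point(uri(HTTP_1), uri(LDAP_1)))

if __name__ == "__main__":
    for label, ext in (("two DPs", TWO_DPS), ("one DP, two names", ONE_DP_TWO_NAMES)):
        print(label, "->", crl_dp_uris(ext))
        print(dump(ext))
```

The per-DistributionPoint grouping returned by crl_dp_uris is the practical check: a client that flattens all URIs from the whole extension into one list loses the distinction the post draws, because [[http1], [http2]] and [[http1, ldap]] then look identical.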
