pem-dev

PEM CRL registration for storage in X.500 databases

1993-06-01 08:13:00
Below is a message from Peter Williams describing how UCL has registered
PEM CRLs as an X.500 attribute syntax. I thought people on this list might
want to know about it.

Dan Nessett

===========================================================================

To: nessett(_at_)ocfmail(_dot_)ocf(_dot_)llnl(_dot_)gov (Dan Nessett)
Cc: J(_dot_)Crowcroft(_at_)cs(_dot_)ucl(_dot_)ac(_dot_)uk, Peter Williams 
<P(_dot_)Williams(_at_)cs(_dot_)ucl(_dot_)ac(_dot_)uk>
Subject: Re: X.500 syntax registration for PEM CRLs
Date: Fri, 28 May 93 12:06:25 +0100
From: Peter Williams <P(_dot_)Williams(_at_)cs(_dot_)ucl(_dot_)ac(_dot_)uk>
Status: RO
   >From: nessett(_at_)gov(_dot_)llnl(_dot_)ocf(_dot_)ocfmail (Dan Nessett)
   >Subject: X.500 syntax registration for PEM CRLs
   >Date: Thu, 27 May 1993 13:05:12 -0800

The PASSWORD project (piloting all this low-assurance authentication
technology) sought to use ccitt.data.pss.ucl.pilot.pilotAttributeType.0
(mastered by UCL-CS, and formalized under RFC 1274 for
COSINE/INTERNET-wide purposes).

Then it was discovered that no formal registration had taken place. The
manager objected. Said project will decide another, or register in
time. Meantime we use our familiar
ccitt.data.pss.ucl.pem.pemattributeType.1 (ccitt.data.pss.ucl.109.4.1)
where the pem subtree _has_ been formally registered (by me!) as the
repository for the pem definitions used by DRA/PEM implementations and
pilot. DRA/PEM-X.500-based implementation (only) built by UCL-CS also
registers ccitt.data.pss.ucl.pem.pemstandardObjectClass.1
(ccitt.data.pss.ucl.109.6.1) as the objectClass for pemrevocation.

From my (ISODE) tables:

data:                           ccitt.9
pss:                            data.2342
ucl:                            pss.19200300

quipu:                          ucl.99
pilot:                          ucl.100
locator:                        ucl.101
oldPSI:                         ucl.102
pp:                             ucl.103
phoneBook:                      ucl.104
car:                            ucl.105
bulk:                           ucl.106
password:                       ucl.107
oda:                            ucl.108
pem:                            ucl.109
thorn:                          ucl.110
pkcsapps:                       ucl.111

...

pemmodule:                      pem.1
pemattributeType:               pem.4
pemstandardObjectClass:         pem.6

pemrevocation:                  pemmodule.1


Also, for relevant attributes, and their syntaxes (ignore non-PEM)

# PEM

PEMRevocationList:              pemattributeType.1      :PEMCertificateList

# Security

#ODAprivate:                    odaattributeType.1      :octetstring
#PKCSprivate:                   pkcsattributeType.1     :octetstring
#OSISECPrivateRSAKey:           pkcsattributeType.2     :octetstring
ODAprivate:                     odaattributeType.1      :ODA
PKCSprivate:                    pkcsattributeType.1     :PKCS5
OSISECPrivateRSAKey:            pkcsattributeType.2     :PKCS5
PEMprivate:                     pemattributeType.2      :ia5string

Also, ObjectClass, and inheritance:

pEMCRL:   pemstandardObjectClass.1: top: PEMRevocationList :

It was suggested by my boss that we come to an IETF to get all this
formally agreed, and profiled. However, I despair of any progress
there, so at UCL-CS/DRA we proceed independently; we will be happy to
adopt anything any largish group wishes to actually do, "in practice".
Discussing security in open committee is an inherently pointless procedure,
in terms of producing consensual results.

On another of our fronts, you might consider this:

The DMS Unclassified Directory Schema, which proform appropriate profiling
for SDNS.702 syntaxes.

sdnsCertificateRevocationList ATTRIBUTE
  WITH ATTRIBUTE SYNTAX CaCertificateRevocationList
  ::= id-sdnsCertificateRevocationList

where, CaCertificateRevocationList = Pem CRL, in all but name.

id-sdnsCertificateRevocationList =
joint.country.us.organization.usgov.dod.id-infosec(1).id-attributes(5).44

where

ca-sdns OBJECT-CLASS
SUBCLASS of top
MAY CONTAIN {
sdnsCASignatureCertificate,
sdnsCertificateRevocationList
} ::= id-ca-sdns

id-ca-sdns =
joint.country.us.organization.usgov.dod.id-infosec(1).id-object-classes(4).4

Note: I don't claim to know how to operate SDNS.702 _in practice_. The
definitions are all sensible, but, who knows how you are
supposed to build a certification profile out of them all!

I think this is all I know. You might circulate this to get some
reaction community-wide to the underlying need to get _a_ value fixed.

   >Peter and John,
   >
   >I have been trying to find out whether anyone has registered a syntax for
   >PEM CRLs. A graduate student of mine wants to store PEM CRLs in an X.500
   >data base and doesn't know the attribute name or OID to use. Thanks for any
   >help you are able to give.
   >
   >Cheers,
   >
   >Dan Nessett
   >


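The OID arithmetic behind both the UCL/ISODE table and the SDNS.702 definitions in the message above, as an added example that is not code from the thread, from ISODE, or from UCL-CS: it parses an ISODE-style name table, resolves symbolic names such as PEMRevocationList to dotted OIDs, flags names that were never registered, and DER-encodes/decodes the result so the value can be stored or compared as an X.500 attribute type. The two tables are constructed from the names in the message. Assumed numeric arcs (not stated in the message): the root "ccitt" is arc 0, as in RFC 1274's 0.9.2342.19200300.100; for the SDNS path, joint(2).country(16).us(840).organization(1).usgov(101).dod(2).

```python
# Constructed from the ISODE table in the message.  Assumption: the root
# "ccitt" is arc 0 (RFC 1274 pilot attributes live under 0.9.2342.19200300.100).
# Trailing fields (attribute syntax, superclass) are kept as written and ignored.
PEM_TABLE = """
ccitt:                          0
data:                           ccitt.9
pss:                            data.2342
ucl:                            pss.19200300
pilot:                          ucl.100
pem:                            ucl.109
pemmodule:                      pem.1
pemattributeType:               pem.4
pemstandardObjectClass:         pem.6
pemrevocation:                  pemmodule.1
# PEM
PEMRevocationList:              pemattributeType.1      :PEMCertificateList
pEMCRL:   pemstandardObjectClass.1: top: PEMRevocationList :
"""

# Constructed from the SDNS.702 path in the message.  Assumption: the standard
# numeric arcs joint(2).country(16).us(840).organization(1).usgov(101).dod(2);
# the message names these arcs but does not number them.
SDNS_TABLE = """
joint:                          2
country:                        joint.16
us:                             country.840
organization:                   us.1
usgov:                          organization.101
dod:                            usgov.2
id-infosec:                     dod.1
id-object-classes:              id-infosec.4
id-attributes:                  id-infosec.5
id-ca-sdns:                     id-object-classes.4
id-sdnsCertificateRevocationList: id-attributes.44
"""


def parse_isode_table(text):
    """Map each symbolic name to (parent name or None for a root, arc number)."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank or comment line
        fields = [f.strip() for f in line.split(":")]
        name, value = fields[0], fields[1]
        if "." in value:
            parent, arc = value.rsplit(".", 1)
            table[name] = (parent, int(arc))
        else:
            table[name] = (None, int(value))          # root arc
    return table


def resolve(name, table, _seen=()):
    """Numeric arcs for name, walking parents up to the root; errors on gaps/cycles."""
    if name in _seen:
        raise ValueError(f"cycle in table at {name}")
    if name not in table:
        raise KeyError(f"unregistered name: {name}")
    parent, arc = table[name]
    if parent is None:
        return [arc]
    return resolve(parent, table, _seen + (name,)) + [arc]


def dotted(name, table):
    return ".".join(str(a) for a in resolve(name, table))


def is_registered(name, table):
    try:
        resolve(name, table)
        return True
    except KeyError:
        return False


def der_encode_oid(oid):
    """DER OBJECT IDENTIFIER (tag 0x06, short-form length) for a dotted string."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]      # first two arcs share one subid
    body = bytearray()
    for v in subids:
        chunk = [v & 0x7F]                            # base-128, high bit = continuation
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def der_decode_oid(der):
    """Inverse of der_encode_oid; rejects truncated or dangling encodings."""
    if len(der) < 2 or der[0] != 0x06 or der[1] > 127:
        raise ValueError("not a short-form DER OID")
    body = der[2:2 + der[1]]
    if len(body) != der[1]:
        raise ValueError("truncated OID body")
    subids, v, pending = [], 0, False
    for b in body:
        v = (v << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            subids.append(v)
            v = 0
    if pending or not subids:
        raise ValueError("malformed OID body")
    first = subids[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + subids[1:])


if __name__ == "__main__":
    pem = parse_isode_table(PEM_TABLE)
    for n in ("PEMRevocationList", "pEMCRL", "pemrevocation"):
        print(n, dotted(n, pem), der_encode_oid(dotted(n, pem)).hex())
    print("pilotAttributeType registered:", is_registered("pilotAttributeType", pem))
    sdns = parse_isode_table(SDNS_TABLE)
    print("id-sdnsCertificateRevocationList", dotted("id-sdnsCertificateRevocationList", sdns))
```

Resolving PEMRevocationList gives 0.9.2342.19200300.109.4.1, the value the message writes as ccitt.data.pss.ucl.109.4.1, and pilotAttributeType resolves to nothing because it is absent from the table, which mirrors the registration gap the message describes. The decoder's `first >= 80` branch matters for the SDNS value: its first subid is 2*40+16 = 96, which only splits correctly if the joint-iso-ccitt arc is treated specially.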