Mr. Muftic,

> From: Sead Muftic <sead(_at_)dsv(_dot_)su(_dot_)se>
> Date: Fri, 11 Jun 93 15:57:44 EDT
> To: nesset(_at_)ocfmail(_dot_)ocf(_dot_)llnl(_dot_)gov,
> pem-dev(_at_)tis(_dot_)com
> Subject: CRLs and COST-PEM System
> Sender: pem-dev-relay(_at_)tis(_dot_)com
>
> I don't know whether you are making the mistake or not, but
> since (a) CRLs are not quite worked out in PEM RFCs, and (b)
> we also didn't pay such serious attention to CRL
> management, maybe there are some mutual MISUNDERSTANDINGS
> about the issue, so let me explain the essence of our
> certificate system:

CRLs are worked out quite well, can you provide supporting evidence?
I agree that there must have been a misunderstanding which led you
to pay little attention to CRL management. CRLs are a critical component
of certificate validation.

> ...
> 2. When you initially register, generate your certificate
> and send it to your CA for signature, you will receive back
> from your local CA: (1) your own signed certificate, (2)
> your CA's certificate, and (3) all certificates at your
> branch, up to the top of the hierarchy. In the moment when
> you receive them, your user PEM agent will automatically
> verify them and if OK, store them in your local database.

You didn't mention whether or not there was a CRL present in the
data returned by the CA. If there is not a valid CRL for each and every
CA in the hierarchy then BY DEFINITION there can be no certificate
validation.

> 3. When you receive the PEM letter from someone, it will
> contain two certificates: partner's and his/her CA's. If
> that is not enough for verification (since these may belong,
> completely or partially, to a certificate path outside of
> yours), PEM user agent will automatically send special
> Certificate request letter to the first CA in your
> partner's path whose certificate is missing. The reply will
> contain the required, plus all certificates up to the top of
> the partner's path. When received, all these certificates
> will be again verified and stored in your database.

Same remark, the CRLs must be checked.

> ...
> As the conclusion, we believe that you don't need CRLs each
> time, since the situations when you really need them are
> very rare. We have no practical experience, but we have the
> feeling that it's much "cheaper" to ask for the CRL which you
> need (occasionally) than to receive all of them every time,
> even if you don't need them at all. We also believe that
> PEM designers (or all of us) should put a little additional
> effort into certificate management functions within PEM in
> RFC 1424. As I said, we have already some of our own
> extensions to that system.

Again, you are wrong about CRLs. You need valid CRLs for each
and every CA in a certificate path in order to perform validation.
This is a major flaw in your system and makes it unworkable
and non-compliant with the PEM standards.

> Regards,
> Sead Muftic
> COST Computer Security Technologies AB
> Stockholm, Sweden
John Lowry
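
The rule argued for in the replies above (a current CRL from every CA in the path, or no validation), sketched as an added example that is not part of the original message or of any PEM implementation. Signature checks are assumed to have passed already; the names alice, CA1 and root, the serial numbers and the dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:                 # signature verification is assumed done elsewhere
    subject: str
    issuer: str
    serial: int

@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: frozenset      # serial numbers revoked by this issuer

def validate_path(path, crls, now):
    """path: user certificate first, then each CA certificate up to the root.
    crls: dict mapping issuer name -> CRL held locally.
    Fails closed: a missing or stale CRL for any issuer rejects the path."""
    for cert in path:
        crl = crls.get(cert.issuer)
        if crl is None:
            return False, f"no CRL from {cert.issuer}"
        if not (crl.this_update <= now < crl.next_update):
            return False, f"CRL from {cert.issuer} not current"
        if cert.serial in crl.revoked:
            return False, f"{cert.subject} revoked by {cert.issuer}"
    return True, "path valid"

# Constructed sample hierarchy: root -> CA1 -> alice
NOW = datetime(1993, 6, 11)
PATH = [Cert("alice", "CA1", 17), Cert("CA1", "root", 2), Cert("root", "root", 1)]

def make_crl(issuer, revoked=()):
    return CRL(issuer, datetime(1993, 6, 1), datetime(1993, 7, 1), frozenset(revoked))

def demo():
    full = {"CA1": make_crl("CA1"), "root": make_crl("root")}
    return {
        "all CRLs present": validate_path(PATH, full, NOW),
        "CA1 CRL missing": validate_path(PATH, {"root": make_crl("root")}, NOW),
        "CA1 revoked by root": validate_path(PATH, {**full, "root": make_crl("root", [2])}, NOW),
        "CRLs stale": validate_path(PATH, full, datetime(1993, 8, 1)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "CA1 CRL missing" case is the situation the replies object to: certificates alone were returned, so the path cannot be accepted until the CRL is obtained.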