> So, does anyone have any defects to X.509 which relate to authentication in
> the Directory system ?
> I would like to see addition of a nextIssue date to CRLs
OK, now I'm confused. Don't CRLs already have a "nextUpdate" field?
In fact, this was one of the things which confused me most about the
current CRL mechanism.
As I understand it, a CRL is issued, and the "lastUpdate" field is
set to that issue date. This CRL will be valid until the time noted
in the "nextUpdate" field, at which point a new CRL will be issued to
replace the expired one. During the time in between, it is possible
that one or more certificates may be revoked. However, that revocation
will not be reflected until the nextUpdate of the CRL.
This seems fine, with one exception (as many have pointed out). If a
recipient wishes to verify a certificate which has been revoked since
the lastUpdate, he will obtain the CRL from the CA/PCA. However, the
revocation will not be reflected in the CRL, and the unknowing recipient
will accept the CRL as gospel. Depending on the content of the message,
this could have disastrous consequences.
It seems as though what we want is for CAs/PCAs to keep copies of the
"most recent" CRLs, regardless of the last issue date. Moreover, by
providing the user with a retrieval mechanism of CRLs from CAs/PCAs,
the user could always be assured that he/she has the most recently
updated CRL.
However, this does tend to obsolesce the "nextUpdate" field. With
such a mechanism as I have described, users will likely look at the
"lastUpdate" field as a "valid as of" date, treating the CRL as a
"snapshot" of the validity of certificates at that time. Instead of
vouching for the validity of certificates during the time in-between
updates, the CRL will vouch for the validity of a certificate up
through a given date, and no later.
The "nextUpdate" field, then, would only be used to guarantee that
a new CRL would be issued NO LATER than the time indicated therein,
even if no certificates are revoked in the meantime.
----------------------------------------------------------------------------
Anish Bhimani | "LAPD - We treat you like a King."
Enterprise Network Integrity, Bellcore | -- T-shirt seen on Venice Beach
anish(_at_)ctt(_dot_)bellcore(_dot_)com
(908) 699-5571 (phone) (908) 336-2969 (fax)
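The timing gap described in the message above, replayed as an added example that is not part of the original post or of any PEM/X.509 implementation: a constructed toy CA that keeps its most recent CRL and re-issues it immediately on every revocation, and a relying party that checks a serial number either under the classic "trust the CRL until nextUpdate" rule or under the "lastUpdate is a valid-as-of date" snapshot rule with a maximum acceptable age. All dates, serial numbers and class names (ToyCA, check_serial, timing_gap_scenario) are constructed for the illustration.

```python
"""Toy model of the CRL timing gap discussed in the post.

Constructed example (not from the original message): a CA that keeps its most
recent CRL and re-issues it on every revocation, plus a relying party that
applies either the classic "valid until nextUpdate" rule or the "snapshot as of
lastUpdate" rule with a maximum acceptable age.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class CRL:
    # X.509 calls these lastUpdate (thisUpdate in later editions) and nextUpdate.
    last_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int]


class ToyCA:
    """Keeps the most recent CRL; a revocation produces a fresh CRL immediately."""

    def __init__(self, issued_at: datetime, interval: timedelta) -> None:
        self.interval = interval
        self._revoked: set = set()
        self.current = CRL(issued_at, issued_at + interval, frozenset())

    def revoke(self, serial: int, when: datetime) -> CRL:
        self._revoked.add(serial)
        self.current = CRL(when, when + self.interval, frozenset(self._revoked))
        return self.current

    def scheduled_reissue(self, when: datetime) -> CRL:
        # The nextUpdate promise: a new CRL appears by then even with no new revocations.
        self.current = CRL(when, when + self.interval, frozenset(self._revoked))
        return self.current


def crl_usable(crl: CRL, now: datetime, max_age: Optional[timedelta] = None) -> bool:
    """Decide whether `crl` may serve as the relying party's view of revocations at `now`.

    max_age=None is the classic reading: trust the CRL until nextUpdate.
    A finite max_age is the snapshot reading from the post: lastUpdate is a
    "valid as of" date and the relying party bounds how old a snapshot it accepts.
    """
    if now < crl.last_update:
        return False  # issued in the future relative to our clock; distrust it
    if now > crl.next_update:
        return False  # the issuer promised a newer CRL by now
    if max_age is not None and now - crl.last_update > max_age:
        return False  # too old for this relying party's policy
    return True


def check_serial(serial: int, crl: CRL, now: datetime,
                 max_age: Optional[timedelta] = None) -> str:
    """Return "revoked", "good" or "stale-crl" for a certificate serial number."""
    if not crl_usable(crl, now, max_age):
        return "stale-crl"
    return "revoked" if serial in crl.revoked_serials else "good"


def timing_gap_scenario() -> dict:
    """Replay the situation in the post and return each relying party's verdict."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed dates
    ca = ToyCA(issued_at=t0, interval=timedelta(days=7))
    cached = ca.current                              # client fetched the CRL at t0
    ca.revoke(serial=42, when=t0 + timedelta(days=1))
    now = t0 + timedelta(days=2)
    return {
        # Classic rule with the cached CRL: still before nextUpdate, so 42 looks good.
        "cached_classic": check_serial(42, cached, now),
        # Fetching the CA's most recent CRL catches the revocation.
        "latest_classic": check_serial(42, ca.current, now),
        # Snapshot rule with a one-day ceiling forces a refetch instead of a wrong answer.
        "cached_max_age_1d": check_serial(42, cached, now, timedelta(days=1)),
        "latest_max_age_1d": check_serial(42, ca.current, now, timedelta(days=1)),
    }


if __name__ == "__main__":
    for name, verdict in timing_gap_scenario().items():
        print(f"{name}: {verdict}")
```

The "stale-crl" verdict is the useful one: under the snapshot reading the relying party never silently accepts an old list, it refetches from the CA, which is exactly the retrieval mechanism the message argues for; nextUpdate survives only as the issuer's promise that a newer CRL exists by that time.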