I suppose that we could have a critical extension that applied to the entire
LIST of CRLs, and in addition a critical extension that applies to only one
certificate being revoked? Does the syntax support that?

There are two places in the CRL where extensions are possible: next to a
specific certificate serial number, and outside of the set of revocations.
There could be a critical extension put in the latter that would apply to the
entire list. (Warwick Ford has mentioned that several critical extensions for
the entire CRL are being defined).

I would have thought that perhaps there would only be a CRL entry critical
extension if some form of 'special handling' of the revoked certificate was
required, which would indicate that this certificate was only being used in
a particular application. Thus there probably should have been a
complementary critical extension in the issued certificate itself, so that
a user outside of this application, unable to perform this special handling,
would never be using the certificate.

Not necessarily. Suppose that we have an extension field which indicates the
reason for the revocation. If the reason is an innocuous one, i.e., change of
name after marriage, or change of address, then there is no reason to actually
reject a document that was signed using that certificate -- it may just be
arriving late.

This seems to imply that the certificate is still valid for some applications
(e.g. document handling) but possibly not valid for others (e.g. login).

It could be argued as to whether the Reason of Revocation field _should_ be
marked as critical -- we should discuss that further -- but it is clear that
there is no corresponding extension in the certificate itself. (This may not
always be the case, however.)

I would suggest that perhaps there is a critical extension that would need to
be placed in all certificates issued by this [P]CA: the extension (of syntax
SET OF OBJECT IDENTIFIER) would be defined as:

    If this certificate is ever revoked the application must be
    capable of correctly interpreting the semantics of all the CRL
    entry extensions listed here, regardless of their criticality.
    If it could not and the certificate were revoked the application
    in its handling of the revocation might violate the [P]CA policy,
    and thus should not make use of this certificate for any purpose.

Suppose that a certificate includes the granting of several kinds of
authorities. Would it be possible to revoke only one of those authorities,
leaving the others intact? If so, that extension should be marked critical,
and if the processing software can't handle that the entire certificate should be
rejected. A new certificate should be made available in either case, but it
might not be necessary to go get one immediately.

My point is that those authority-granting extensions in the certificate would
be particular to an application. If the subject was participating in multiple
applications, would they have
1. been issued a single certificate with all these extensions
   non-critical,
   (revoking a particular authority by putting the certificate# on
   the CRL, with either a non-critical or critical extension,
   will have the effect of removing all authorities in other
   applications)
2. or been issued multiple certificates (different serial #), one
   for use with each application, with that application's extensions
   marked as critical.
   (revoke a particular authority by putting the certificate# for
   that application on the CRL. If some kind of "partial
   revocation" is needed, put a critical extension on that
   CRL entry. Other applications could not have been using that
   certificate and are unaffected)
------------------------------------------------------------
Mark Wahl; M(_dot_)Wahl(_at_)isode(_dot_)com; ISODE Consortium;
http://www.isode.com/
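
The handling rules discussed in the message above, as an added example that is not part of the original message or of any PEM/X.509 implementation. The OIDs (constructed under the 2.999 example arc), the class and function names, and the status strings are hypothetical; treating a CRL with an unrecognised critical list-wide extension as unusable is an assumption, since the thread only says such an extension applies to the entire list.

```python
from dataclasses import dataclass, field

# Constructed OIDs under the 2.999 example arc; none is a real extension.
REASON, PARTIAL, LIST_WIDE = "2.999.1", "2.999.2", "2.999.3"

@dataclass(frozen=True)
class Ext:
    oid: str
    critical: bool

@dataclass
class CRL:
    list_exts: list   # extensions outside the set of revocations
    entries: dict     # serial number -> extensions next to that serial

@dataclass
class Cert:
    serial: int
    # Proposed certificate extension (SET OF OBJECT IDENTIFIER): CRL entry
    # extensions the application must be able to interpret.
    must_understand: frozenset = field(default_factory=frozenset)

def unknown_critical(exts, understood):
    """OIDs of critical extensions the application cannot interpret."""
    return [e.oid for e in exts if e.critical and e.oid not in understood]

def check(cert, crl, understood):
    """Return (status, entry extension OIDs the application should interpret)."""
    # Proposal in the thread: without the listed semantics, the certificate
    # must not be used for any purpose, revoked or not.
    if not cert.must_understand <= understood:
        return ("do-not-use", [])
    # Assumption: an unknown critical list-wide extension makes the CRL unusable.
    if unknown_critical(crl.list_exts, understood):
        return ("crl-unusable", [])
    if cert.serial not in crl.entries:
        return ("not-listed", [])
    exts = crl.entries[cert.serial]
    # Thread: an unprocessable critical entry extension rejects the certificate.
    if unknown_critical(exts, understood):
        return ("reject", [])
    # Revoked; understood extensions (e.g. a reason) may permit special handling.
    return ("revoked", [e.oid for e in exts if e.oid in understood])

# Constructed sample CRL: one entry with a non-critical reason extension,
# one with a critical "partial revocation" extension.
SAMPLE = CRL(list_exts=[], entries={10: [Ext(REASON, False)], 11: [Ext(PARTIAL, True)]})
```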