AIA in CRLs - PowerPoint PPT Presentation

About This Presentation
Title: AIA in CRLs

Slides: 9
Provided by: stef158
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
AIA in CRLs
  • Stefan Santesson Microsoft
  • Russ Housley Vigil Security

2
AIA in CRL status report
  • 5 Issues recorded
  • Solution proposed for each

3
Issue 1
  • Denis: CRL issuer certs MUST be issued by the
    certificate issuing CA
  • Response: No - There is no such requirement and
    this document is not the place to handle any such
    requirement.

4
Issue 2
  • Denis: Construction of a CRL path is not
    discussed in RFC 3280
  • Response: Wrong. It is discussed in section
    5.1.1.3 "signatureValue"
  • Comment: It is obvious that a certification path
    of the CRL signer must be generated and validated
    as part of CRL verification

5
Issue 3
  • Denis: Objections to introductory text which says
    that SIA and other solutions are "not generally
    applicable"
  • Response: The text is motivating the solution
    specified in this document
  • Comment: SIA works in the situations that Denis
    advocates, but CRL AIA works in those situations
    and in ones where SIA does not work, such as when
    indirect CRLs are used

6
Issue 4
  • Matt Cooper: Clarify that any MIME encoding of
    the type of file content is performed at the
    protocol layer and not embedded as part of the
    file content.
  • Response: Text proposed on the mail list
  • "When the HTTP scheme is specified, the URI
    MUST specify the location of a certificate
    containing file. The file MUST contain either a
    single binary DER encoded certificate (indicated
    by the .cer file extension) or one or more
    certificates encapsulated in a CMS certs-only
    (PKCS7) message [ref] (indicated by the .p7c
    file extension). HTTP server implementations
    accessed via the URI SHOULD use the appropriate
    MIME [ref] content-type for the certificate
    containing file. Specifically, the HTTP server
    SHOULD use the content-type application/pkix-cert
    [ref] for a single DER encoded certificate and
    application/pkcs7-mime [ref] for CMS certs-only
    (PKCS7). Consuming clients may use the MIME
    type and file extension as a hint to the file
    content, but should not depend solely on the
    presence of the correct MIME type or file
    extension in the server response."

7
Issue 5
  • Harmonizing required and recommended supported
    access methods between this draft and RFC
    3280bis.
  • RFC 3280bis:
  • directoryName allowed (may be used for DAP or
    LDAP)
  • uniformResourceIdentifier allowed (may be used
    for LDAP, HTTP, and FTP)
  • When the id-ad-caIssuers accessMethod is used, at
    least one instance SHOULD specify an
    accessLocation that is an HTTP or LDAP URI
  • crlaia-00:
  • All present accessLocation values MUST use the
    uniformResourceIdentifier URI form, and the
    values MUST use either the ldap scheme [LDAP] or
    the http scheme [HTTP/1.1].
  • Resolution: Propose harmonizing with 3280bis.
    Confirm with the mail list.
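The file-type guidance from Issue 4 and the two access-location rules from Issue 5 are both things a relying-party implementer has to encode in client logic, so here is an added example written for this page; it is not code from the slides, the crlaia draft or RFC 3280bis. It uses a small definite-length DER walker to (1) classify a caIssuers download by its structure, compare the server's MIME type only against that result, and extract the certificates from a certs-only CMS message, and (2) evaluate an AuthorityInfoAccessSyntax value against the crlaia-00 rule (every accessLocation is an http or ldap URI) and the 3280bis rule (URI or directoryName forms, with at least one caIssuers location being an http or ldap URI). The certificate bytes are hand-constructed skeletons with placeholder fields, the hosts under example.test are hypothetical, and the function names are this example's own.

```python
"""Added example, not from the slides or the crlaia draft: DER-structure sniffing of
caIssuers downloads (Issue 4) and AIA access-location rule checks (Issue 5).
All sample bytes are hand-constructed skeletons, not real certificates."""

ID_SIGNED_DATA = "1.2.840.113549.1.7.2"    # CMS id-signedData
ID_DATA = "1.2.840.113549.1.7.1"           # CMS id-data, eContentType of a certs-only message
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"    # AIA accessMethod id-ad-caIssuers
TAG_INT, TAG_BITSTR, TAG_OID, TAG_SEQ, TAG_SET = 0x02, 0x03, 0x06, 0x30, 0x31
TAG_CTX0, TAG_GN_DIRNAME, TAG_GN_URI = 0xA0, 0xA4, 0x86   # [0]; GeneralName [4] directoryName, [6] URI
MIME_HINTS = {"application/pkix-cert": "cert", "application/pkcs7-mime": "certs-only"}


def der(tag, body):
    """Encode one definite-length DER TLV (used here to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def children(buf):
    """Split concatenated DER TLVs into (tag, value) pairs; stops quietly at truncated input."""
    out, pos = [], 0
    while pos + 1 < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                                   # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:                                     # base-128, continuation bit on all but the last byte
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return bytes(out)

def decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def sniff_cert_file(data, mime_hint=None):
    """Classify a caIssuers download by structure: ('cert' | 'certs-only' | 'unknown', certs, hint_agrees).
    The MIME type is only compared against what the bytes say, never trusted on its own."""
    outer, kind, certs = children(data), "unknown", []
    if len(outer) == 1 and outer[0][0] == TAG_SEQ:
        inner = children(outer[0][1])
        if inner and inner[0][0] == TAG_SEQ:                # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
            kind, certs = "cert", [data]
        elif len(inner) == 2 and inner[0][0] == TAG_OID and decode_oid(inner[0][1]) == ID_SIGNED_DATA:
            kind = "certs-only"                             # ContentInfo { id-signedData, [0] EXPLICIT SignedData }
            for tag, val in children(children(inner[1][1])[0][1]):
                if tag == TAG_CTX0:                         # certificates [0] IMPLICIT SET OF Certificate
                    certs = [der(t, v) for t, v in children(val)]
    return kind, certs, mime_hint is None or MIME_HINTS.get(mime_hint) == kind

def check_crl_aia(aia_der):
    """Evaluate an AuthorityInfoAccessSyntax against both rules: (crlaia00_ok, rfc3280bis_ok, locations)."""
    locations = []
    for _, access_desc in children(children(aia_der)[0][1]):   # SEQUENCE OF AccessDescription
        (_, method), (loc_tag, loc_val) = children(access_desc)[:2]
        form = {TAG_GN_URI: "uri", TAG_GN_DIRNAME: "directoryName"}.get(loc_tag, "other")
        locations.append((decode_oid(method), form, loc_val.decode("ascii") if form == "uri" else None))
    def http_or_ldap(uri):
        return uri is not None and uri.split(":", 1)[0].lower() in ("http", "ldap")
    crlaia00_ok = all(form == "uri" and http_or_ldap(uri) for _m, form, uri in locations)
    bis_ok = all(form in ("uri", "directoryName") for _m, form, _u in locations) and any(
        method == ID_AD_CA_ISSUERS and http_or_ldap(uri) for method, _f, uri in locations)
    return crlaia00_ok, bis_ok, locations

def oid(dotted):
    return der(TAG_OID, encode_oid(dotted))

def fake_cert(serial):
    """Certificate-shaped skeleton: SEQUENCE { tbs SEQUENCE { INTEGER serial }, alg SEQUENCE, BIT STRING }."""
    alg = der(TAG_SEQ, oid("1.2.840.113549.1.1.11"))      # sha256WithRSAEncryption, placeholder only
    return der(TAG_SEQ, der(TAG_SEQ, der(TAG_INT, bytes([serial]))) + alg + der(TAG_BITSTR, b"\x00\xAB"))

def access_desc(method, gn_tag, gn_val):
    return der(TAG_SEQ, oid(method) + der(gn_tag, gn_val))

SAMPLE_CERT = fake_cert(1)                                  # what a .cer download would look like
SAMPLE_P7C = der(TAG_SEQ, oid(ID_SIGNED_DATA) + der(TAG_CTX0, der(TAG_SEQ,   # certs-only SignedData, two certs
    der(TAG_INT, b"\x01") + der(TAG_SET, b"") + der(TAG_SEQ, oid(ID_DATA))
    + der(TAG_CTX0, fake_cert(1) + fake_cert(2)) + der(TAG_SET, b""))))
# Hypothetical hosts under example.test; the URIs are illustrative only.
AIA_ALL_URI = der(TAG_SEQ, access_desc(ID_AD_CA_ISSUERS, TAG_GN_URI, b"http://pki.example.test/crlissuer.p7c")
              + access_desc(ID_AD_CA_ISSUERS, TAG_GN_URI, b"ldap://ldap.example.test/cn=CRL%20Issuer?cACertificate"))
AIA_WITH_DIRNAME = der(TAG_SEQ, access_desc(ID_AD_CA_ISSUERS, TAG_GN_DIRNAME, der(TAG_SEQ, b""))   # empty Name placeholder
                   + access_desc(ID_AD_CA_ISSUERS, TAG_GN_URI, b"http://pki.example.test/crlissuer.cer"))
AIA_FTP_ONLY = der(TAG_SEQ, access_desc(ID_AD_CA_ISSUERS, TAG_GN_URI, b"ftp://ftp.example.test/crlissuer.cer"))
```

Calling `sniff_cert_file(SAMPLE_P7C, "application/pkix-cert")` returns `certs-only` with two certificates and a hint mismatch, which is exactly the case the proposed Issue 4 text has in mind: the bytes decide, the Content-Type only corroborates. `check_crl_aia(AIA_WITH_DIRNAME)` passes the 3280bis rule and fails the crlaia-00 rule, showing the concrete difference the harmonization is about. Neither function validates a signature or builds the CRL issuer's certification path; a real client still has to do that (Issue 2) after it has the candidate certificates.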

8
Way Forward
  • Post issue 5 to the mail list
  • Post revised ID by end of March
  • Ready for WG Last call in April