
Certificates in CRLs

Certificates in CRLs. Stefan Santesson, Microsoft, stefans@microsoft.com. Scope: to add an optional CRL extension. The extension may hold a sequence of certificates. These certificates MAY be used to validate the CRL.

Presentation Transcript


  1. Certificates in CRLs
     Stefan Santesson, Microsoft, stefans@microsoft.com

  2. Scope
     • To add an optional CRL extension
     • The extension may hold a sequence of certificates
     • These certificates MAY be used to validate the CRL
     • Draft 00 available: http://www.ietf.org/internet-drafts/draft-santesson-pkix-vccrl-00.txt

  3. Rationale
     • Useful when the certificate path differs from the CRL path
     • Makes CRLs easier to manage, no caching needed; easier to package validation data for future historical validation
     • Eliminates an extra wire retrieval to obtain validation certificates

  4. Rationale
     • Only to be used where it makes sense
     • The advantages may seem minor, but it is a reasonable update that brings enough positive enhancements to CRLs to be justified
     • Compare: most signed objects have a way to include validation certificates, e.g. OCSP responses, S/MIME etc. Why not CRLs?

  5. Alternative solution
     • Store the CRL in a PKCS#7 file with the CRL and validation certificates
     • Issues: not legal to make an HTTP reference to a PKCS#7 file using the CDP
     • Is this more attractive?

  6. Syntax
     id-pe-validationCerts OBJECT IDENTIFIER ::= { id-pe nn }
     ValidationCertificates ::= SEQUENCE OF Certificate
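As an added example (not code from the draft or its author), the following strict-DER encoder and decoder for the extension value above shows how a CRL consumer can split the SEQUENCE OF Certificate into its elements while rejecting indefinite lengths, non-minimal lengths and trailing bytes. It assumes each Certificate is already a DER-encoded SEQUENCE and treats the embedded certificates as path-building hints only: a verifier still has to chain them to its own trust anchor before relying on them, and the OID stays as the draft's placeholder `{ id-pe nn }`.

```python
# Added example: encoder/decoder for the proposed CRL extension value
#   ValidationCertificates ::= SEQUENCE OF Certificate  (strict DER only)
SEQUENCE_TAG = 0x30

def der_length(n: int) -> bytes:
    if n < 0x80:  # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # minimal long form

def der_sequence(content: bytes) -> bytes:
    return bytes([SEQUENCE_TAG]) + der_length(len(content)) + content

def encode_validation_certs(certs: list[bytes]) -> bytes:
    # Each Certificate must itself be a DER SEQUENCE.
    if any(not c or c[0] != SEQUENCE_TAG for c in certs):
        raise ValueError("Certificate must be a DER SEQUENCE")
    return der_sequence(b"".join(certs))

def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    # Parse one TLV at pos; return (tag, value, next_pos).
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F  # n == 0 is indefinite length: not DER
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_validation_certs(ext_value: bytes) -> list[bytes]:
    tag, body, end = read_tlv(ext_value, 0)
    if tag != SEQUENCE_TAG or end != len(ext_value):
        raise ValueError("extnValue must be exactly one SEQUENCE")
    certs, pos = [], 0
    while pos < len(body):
        ctag, _, nxt = read_tlv(body, pos)
        if ctag != SEQUENCE_TAG:
            raise ValueError("element is not a Certificate SEQUENCE")
        certs.append(body[pos:nxt])
        pos = nxt
    return certs
```

The returned elements are the raw DER bytes of each certificate, ready to be handed to an X.509 parser and path validator.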

  7. Way forward
     • Where do we go from here?
     • Mike is open
