AIA in CRLs - PowerPoint PPT Presentation
AIA in CRLs


Stefan Santesson – Microsoft

Russ Housley – Vigil Security

AIA in CRL status report
  • 5 Issues recorded
  • Solution proposed for each
Issue #1
  • Denis: CRL issuer certs MUST be issued by the certificate issuing CA
  • Response: No - There is no such requirement and this document is not the place to handle any such requirement.
Issue #2
  • Denis: Construction of a CRL path is not discussed in RFC 3280
  • Response: Wrong. It is discussed in section "signatureValue"
  • Comment: It is obvious that a certification path of the CRL signer must be generated and validated as part of CRL verification 
Issue #3
  • Denis: Objections to introductory text which says that SIA and other solutions are "not generally applicable"
  • Response: The text is motivating the solution specified in this document
  • Comment: SIA works in the situations that Denis advocates, but CRL AIA works in those situations and also in ones where SIA does not work, such as when indirect CRLs are used
Issue #4
  • Matt Cooper: Clarify that any MIME encoding of the type of file content is performed at the protocol layer and not embedded as part of the file content.
  • Response: Text proposed on the mail list:

"When the HTTP scheme is specified, the URI MUST specify the location of a certificate containing file. The file MUST contain either a single binary DER encoded certificate (indicated by the .cer file extension) or one or more certificates encapsulated in a CMS certs-only (PKCS#7) message [ref] (indicated by the .p7c file extension). HTTP server implementations accessed via the URI SHOULD use the appropriate MIME [ref] content-type for the certificate containing file. Specifically, the HTTP server SHOULD use the content-type application/pkix-cert [ref] for a single DER encoded certificate and application/pkcs7-mime [ref] for CMS certs-only (PKCS#7). Consuming clients may use the MIME type and file extension as a hint to the file content, but should not depend solely on the presence of the correct MIME type or file extension in the server response."
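As an added example, not from the slides or the draft, here is the client-side behaviour the proposed text calls for, in Python: the fetched body is classified by its own DER structure (a Certificate starts with a SEQUENCE, a CMS ContentInfo with the id-signedData OID), while the Content-Type and the .cer/.p7c extension are only used as a hint that is cross-checked and flagged when it disagrees. The two sample bodies are constructed minimal DER stand-ins, not real certificates.

```python
ID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2, CMS SignedData
MIME_HINTS = {"application/pkix-cert": "cert", "application/pkcs7-mime": "cms"}

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated data or unexpected multi-byte tag")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length with 1..4 length octets
        n = first & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of data")
    return tag, pos, pos + length

def classify_body(body: bytes) -> str:
    """'cert' for one DER Certificate, 'cms' for a CMS ContentInfo, else 'unknown'."""
    try:
        tag, start, end = _read_tlv(body, 0)
        if tag != 0x30 or end != len(body):   # both forms: one outer SEQUENCE, nothing trailing
            return "unknown"
        inner, istart, iend = _read_tlv(body, start)
    except ValueError:
        return "unknown"
    if inner == 0x30:                         # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "cert"
    if inner == 0x06 and body[istart:iend] == ID_SIGNED_DATA:   # ContentInfo { id-signedData, ... }
        return "cms"
    return "unknown"

def hint_from_response(content_type: str, url: str) -> str:
    """Server-supplied hint only: MIME type first, then the extension of the URI path."""
    ct = content_type.split(";")[0].strip().lower()
    path = url.split("?", 1)[0].lower()
    ext_hint = "cert" if path.endswith(".cer") else "cms" if path.endswith(".p7c") else "unknown"
    return MIME_HINTS.get(ct, ext_hint)

def parse_ca_issuers_response(body: bytes, content_type: str, url: str):
    """Return (kind, hint_mismatch): the body decides the kind, the hint is only cross-checked."""
    kind, hint = classify_body(body), hint_from_response(content_type, url)
    return kind, hint != "unknown" and hint != kind

# Constructed stand-ins, not real certificates: just enough DER to exercise the outer structure.
SAMPLE_CERT = bytes.fromhex("30053003020101")             # SEQUENCE { SEQUENCE { INTEGER 1 } }
SAMPLE_CMS = bytes.fromhex("300b06092a864886f70d010702")  # SEQUENCE { OID id-signedData }
```

A mismatch such as a body that parses as CMS under an application/pkix-cert header is worth logging, but the body's structure is what drives how the client decodes it.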

Issue #5
  • Harmonizing required and recommended supported access methods between this draft and RFC 3280bis.
    • directoryName allowed (may be used for DAP or LDAP)
    • uniformResourceIdentifier allowed (may be used for LDAP, HTTP, and FTP)
    • When the id-ad-caIssuers accessMethod is used, at least one instance SHOULD specify an accessLocation that is an HTTP or LDAP URI
  • Crlaia-00:
    • All present accessLocation values MUST use the uniformResourceIdentifier [URI] form, and the values MUST use either the ldap scheme [LDAP] or the http scheme [HTTP/1.1].
  • Resolution: Propose harmonizing with 3280bis. Confirm with the mail list.
Way Forward
  • Post issue 5 to the mail list
  • Post revised ID by end of March
  • Ready for WG Last Call in April