Download
1 / 7
70 likes | 194 Vues
This document proposes an optional extension for Certificate Revocation Lists (CRLs) that allows a sequence of certificates to validate the CRL itself. This is particularly useful when the certificate path is different from the CRL path, simplifying CRL management and reducing the need for caching. By packaging validation data alongside CRLs, we eliminate additional network retrievals for validation certificates, thus enhancing usability. The proposed update, although seemingly minor, brings significant improvements to the management of CRLs and is a reasonable step forward in certificate validation practices.
E N D
Certificates in CRLs Stefan Santesson Micfrosoft stefans@microsoft.com
Scope • To add an optional CRL extension • The extension may hold a sequence of certificates • These certificate MAY be used to validate the CRL • Draft 00 available: http://www.ietf.org/internet-drafts/draft-santesson-pkix-vccrl-00.txt
Rationale • Useful when the Certificate path differs from the CRL path • Makes CRLs easier to manage, no caching needed. Easier to package validation data for future historical validation • Eliminates an extra wire retreival to obtain validation certificates
Rationale • Only to be used where it makes sense • The advantages may seem minor but it is a reasonable update that bring enough positive enhancements to CRLs to be justified • Compare that most signed objects have a way to include validation certificates, e.g. OCSP responses, S/MIME etc. Why not CRLs?
Alternative solution • Store the CRL in a pkcs#7 file with CRL and validation certificates • Issues: • Not legal to make a http ref to a p7 file using CDP • Is this more attractive?
Syntax id-pe-validationCerts OBJECT IDENTIFIER ::= { id-pe nn } ValidationCertificates ::= SEQUENCE of Certificate
Way forward • Where do we go from here ? • Mike is open
