Re: PSM and crl distribution point

2003-11-05 Thread Jean-Marc Desperrier
Julien Pierre wrote:
> Jean-Marc Desperrier wrote:
>> Is there a way to get PSM to make any use of the crl distribution
>> point (crldp) extension ?
>>
>> How is it handled within NSS ? (I could check the source/doc. I will
>> if nobody feels inclined to respond)
> Or you could type distribution point in bugzilla query before posting
> :-).
>
> This is not currently supported in NSS. See bugzilla 133191 .
> At this time, the only CRL format supported by NSS is full CRLs.
Sorry Julien, there's a confusion here.
The one I was talking about is the certificate extension, which is named 
CRL Distribution Points usually abbreviated crldp, while the crl 
extension you're talking about is named Issuing Distribution Point, 
usually abbreviated idp. This is the nomenclature used in RFC3280.

I had seen the bug 133191, but I had seen also it was not what I was 
looking for.

I've been looking in the code through lxr this time (BTW 
http://lxr.mozilla.org/security/ doesn't work, had to use 
http://lxr.mozilla.org/mozilla/), and it seems the functions NSS 
provides to handle the cert crldp are CERT_FindCRLDistributionPoints and 
CERT_DecodeCRLDistributionPoints/CERT_EncodeCRLDistributionPoints at a 
lower level.

And the source of Mozilla/PSM does not have a single call to
CERT_FindCRLDistributionPoints, so it seems clear there is no support
for it.
As CERT_DecodeCRLDistributionPoints is only called by certutil and from 
CERT_FindCRLDistributionPoints, there's no chance even the view details 
of PSM will display it, and experience confirms it.

> I have done some work on distribution point as well, and this is
> reflected in the CRL cache, but it is not complete either and is even
> lower priority than delta CRLs. Look for the word XCRL and #if 0 in
> mozilla/security/nss/lib/certdb/certi.h .
Some reflections about IDP. There are two cases:
A - All revocation information for 1 certificate can be obtained from 1 crl
B - revocation information for 1 certificate must be aggregated from
several crl

If the IDP does *not* use onlySomeReasons or indirectCRL, we're in case 
A, and the code can support the extension just by making sure that the 
cert matches the information inside the IDP (has a CRLDP that matches 
IDP's distributionPoint, is of the right type: CA, user, Attribute).

The question stays of how the cache will be populated with all the 
needed CRL, and how the right CRL will be selected when checking a 
certificate.
I see some of the #if 0 modification in certi.h suggest a way of 
handling at least the second part of this.

___
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto


Re: PSM and crl distribution point

2003-11-05 Thread Jean-Marc Desperrier
Jean-Marc Desperrier wrote:
> [In case the CRL doesn't include onlySomeReasons in the IDP]
> [...] the code can support the extension just by making sure that the
> cert matches the information inside the IDP (has a CRLDP that matches
> IDP's distributionPoint, is of the right type: CA, user, Attribute).
In fact, implementing point (b)(2) subpoints (i),(ii),(iii) and (iv) of 
6.3.3 CRL Processing inside RFC3280.

The coverage of the onlySomeReasons is point (d) (1)(2)(3)(4).

Also it shows certs that have a CRLDP extension including reasons should
be refused, because the CRL revocation code in NSS doesn't support them.

Also the presence of a cRLIssuer in the CRLDP DP might be a reason to 
refuse them, but I'm not too sure because a CRL without IDP might be 
considered valid. Or at least, it will be valid to have several CRLDP 
and another one pointing to a full CRL without IDP that NSS can handle.

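The case A matching sketched in the previous message and the RFC 3280 6.3.3 (b)(2) mapping above, as an added example that is not part of the original posts and not NSS code: the data classes below are a simplified model of the CRLDP and IDP extensions (names are compared as plain strings), and DPs that carry reasons or a cRLIssuer are refused outright, the conservative choice discussed above.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple
@dataclass(frozen=True)
class DistributionPoint:            # one entry of the cert's CRLDP extension
    names: FrozenSet[str] = frozenset()   # distributionPoint fullName(s)
    reasons: Optional[FrozenSet[str]] = None
    crl_issuer: Optional[str] = None

@dataclass(frozen=True)
class IssuingDistributionPoint:     # the CRL's IDP extension
    names: FrozenSet[str] = frozenset()
    only_user_certs: bool = False
    only_ca_certs: bool = False
    only_attribute_certs: bool = False
    only_some_reasons: Optional[FrozenSet[str]] = None
    indirect_crl: bool = False

@dataclass(frozen=True)
class Cert:
    issuer: str
    is_ca: bool                     # basicConstraints cA
    crldp: Tuple[DistributionPoint, ...] = ()

@dataclass(frozen=True)
class Crl:
    issuer: str
    idp: Optional[IssuingDistributionPoint] = None

def dp_covered_by_crl(cert: Cert, dp: DistributionPoint, crl: Crl) -> Tuple[bool, str]:
    """Case A check per RFC 3280 6.3.3 (b)(2)(i)-(iv); case B inputs are refused."""
    if dp.reasons is not None or dp.crl_issuer is not None:
        return False, "DP is partitioned by reason or indirect (case B)"
    if crl.issuer != cert.issuer:
        return False, "CRL issuer differs from certificate issuer"
    idp = crl.idp
    if idp is None:
        return True, "full CRL without IDP"
    if idp.only_some_reasons is not None or idp.indirect_crl:
        return False, "IDP uses onlySomeReasons/indirectCRL (case B)"
    if idp.names and not (idp.names & dp.names):           # (i)
        return False, "no IDP distributionPoint name matches the DP"
    if (idp.only_user_certs and cert.is_ca) or (idp.only_ca_certs and not cert.is_ca):
        return False, "IDP cert-type scope excludes this cert"  # (ii)/(iii)
    if idp.only_attribute_certs:                            # (iv)
        return False, "IDP is onlyContainsAttributeCerts"
    return True, "IDP scope matches the certificate"

def select_crl(cert: Cert, crls: Tuple[Crl, ...]) -> Optional[Crl]:
    """First CRL that fully covers the cert; a cert without CRLDP gets one empty DP."""
    return next((c for dp in (cert.crldp or (DistributionPoint(),)) for c in crls
                 if dp_covered_by_crl(cert, dp, c)[0]), None)
```

A CRL that fails every DP of a certificate yields no selection, which is the safe answer: the cache must then fetch a full CRL rather than treat the certificate as unrevoked.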


Re: PSM and crl distribution point

2003-11-05 Thread Julien Pierre
Jean-Marc,

Jean-Marc Desperrier wrote:
>> This is not currently supported in NSS. See bugzilla 133191 .
>> At this time, the only CRL format supported by NSS is full CRLs.
>
> Sorry Julien, there's a confusion here.
> The one I was talking about is the certificate extension, which is named
> CRL Distribution Points usually abbreviated crldp, while the crl
> extension you're talking about is named Issuing Distribution Point,
> usually abbreviated idp. This is the nomenclature used in RFC3280.
You are right. Regardless, the other half of my response stands, at this 
time only full CRLs are supported, without critical extensions.

> Some reflections about IDP. There are two cases:
> A - All revocation information for 1 certificate can be obtained from 1 crl
> B - revocation information for 1 certificate must be aggregated from
> several crl
>
> If the IDP does *not* use onlySomeReasons or indirectCRL, we're in case
> A, and the code can support the extension just by making sure that the
> cert matches the information inside the IDP (has a CRLDP that matches
> IDP's distributionPoint, is of the right type: CA, user, Attribute).
Indeed, implementing case A should be fairly simple. Case B is the more 
complex part. I did not think it would be wise to try to support such a 
small subset of the extensions (crldp, case A). I think if and when the 
CRL extension work gets prioritized, most likely I would add support for 
all of them at the same time.

> The question stays of how the cache will be populated with all the
> needed CRL, and how the right CRL will be selected when checking a
> certificate.
> I see some of the #if 0 modification in certi.h suggest a way of
> handling at least the second part of this.
Yes, in the header file - I started the design, but there needs to be 
code for this as well and there is not that much corresponding ifdef'ed 
code for XCRL in crl.c .



PSM and crl distribution point

2003-11-04 Thread Jean-Marc Desperrier
Is there a way to get PSM to make any use of the crl distribution point 
(crldp) extension ?

How is it handled within NSS ? (I could check the source/doc. I will if 
nobody feels inclined to respond)



Re: PSM and crl distribution point

2003-11-04 Thread Julien Pierre
Jean-Marc,

Jean-Marc Desperrier wrote:
> Is there a way to get PSM to make any use of the crl distribution point
> (crldp) extension ?
>
> How is it handled within NSS ? (I could check the source/doc. I will if
> nobody feels inclined to respond)
Or you could type distribution point in bugzilla query before posting :-).

This is not currently supported in NSS. See bugzilla 133191 .

At this time, the only CRL format supported by NSS is full CRLs.

Delta CRL support should be fairly easy to add given the current design
of the CRL cache, but it has not been a priority. See bugzilla 148214 .

I have done some work on distribution point as well, and this is 
reflected in the CRL cache, but it is not complete either and is even 
lower priority than delta CRLs. Look for the word XCRL and #if 0 in 
mozilla/security/nss/lib/certdb/certi.h .
