On Wed, Oct 12, 2022 at 1:02 PM Corey Bonnell <[email protected]>
wrote:
> My interpretation of this passage is that it is defining the required
> scope of the CRL in the absence of the distributionPoint field. Namely, all
> revoked certificates issued by the CA must be contained within the scope of
> the CRL. However, it sounds like your interpretation is that the CRL must
> contain all revoked certificates that are within its scope. This sounds
> tautological or seemingly indicates that it is somehow possible to
> recursively scope CRLs (i.e., a scope within a scope) by including the
> distributionPoint field.
>
Ah, I see, your reading is "If the distributionPoint field is absent, then
the CRL MUST have a scope which contains all certificates issued by the CRL
issuer".
This reading would be nice, but in my opinion is plainly not the actual
meaning of the sentence. To see why, ask the question: with this reading,
*what* must be within the scope of the CRL? What is the object of the verb
"contain"? The answer from your interpretation is "entries for all revoked
unexpired certificates issued by the CRL issuer":
"the CRL MUST contain (entries for all revoked unexpired certificates
issued by the CRL issuer, if any) within the scope of the CRL".
First, note that this is not how one would usually construct an English
sentence: we don't like to repeat the subject of the sentence ("the CRL")
twice. If this were the intended reading, the sentence would be constructed
as:
"the CRL MUST contain (entries for all revoked unexpired certificates
issued by the CRL issuer, if any) within *its scope*"; or
"the CRL MUST contain *within its scope* (entries for all revoked unexpired
certificates issued by the CRL issuer, if any)"; or best yet
"the CRL's scope MUST contain (all revoked unexpired certificates issued by
the CRL issuer, if any)".
But even more tellingly, CRL scopes do not contain "entries", CRL scopes
contain "certificates": RFC 5280 Section 5 "The CRL scope is the set of
certificates that could appear on a given CRL.". So since we know that this
noun phrase cannot be the object of the verb "contains", what other
candidate is there? The only option is the whole rest of the sentence:
"the CRL MUST contain (entries for all revoked unexpired certificates
issued by the CRL issuer, if any, within the scope of the CRL)".
And here it's clear that "within the scope of the CRL" is a modifier on the
object of the sentence, not the second half of a split subject of the
sentence.
> Can you expand upon how your interpretation would work in practice?
>
Sure. RFC 5280 makes a distinction between the "scope" of a CRL (which
again is the set of *certificates* which *could* appear on a CRL), and
whether or not that CRL contains revocations for all reason codes (which it
refers to as "partitioning"). In particular, the Issuing Distribution Point
extension can (and must) indicate when a CRL only contains revocations for
some reason codes, but does not serve a purpose in identifying any other
scope that a CRL may be limited to:
"The reason codes associated with a distribution point MUST be specified in
onlySomeReasons. If onlySomeReasons does not appear, the distribution
point MUST contain revocations for all reason codes. CAs may use CRL
distribution points to partition the CRL on the basis of compromise and
routine revocation."
Thus, a CA could issue two separate CRLs with different scopes (say, odd vs
even serial numbers), and not be required to include a distributionPoint
field and an Issuing Distribution Point extension in their CRLs. But if
they instead wanted to issue four CRLs, with the same scopes but
additionally partitioned by revocation reason (say, keyCompromise vs all
other reasons), then they would be required to include the Issuing
Distribution Point extension and the onlySomeReasons field... *and* the
distributionPoint field, because the CRLs no longer contain entries for all
revoked unexpired certs within their scope.
With this understanding, we see that RFC 5280 is invested in the CRL having
a distributionPoint field if it does not contain all certificates within
its scope -- i.e. if certificates within its scope but which were revoked
for other reasons appear on a different CRL. RFC 5280 does not care about
the distributionPoint field as long as all certificates within the CRL's
scope have their entries in this CRL -- i.e. it is not additionally
partitioned by reasonCode.
Again, I'm not saying this is a good requirement to have, but it does seem
like the plainest interpretation of the language contained in the standard.
Aaron
--
You received this message because you are subscribed to the Google Groups
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErdahyxP%3D4JeAWnQj0wY%3DBL9j36e77vprEBpqwxm7Ou_Vg%40mail.gmail.com.
