Hi Patrick and Steve,

Just to confirm one last thing about the NIST/RFC3280 discussion below again: if there is no CRL present at all for a given CA and we are doing strict revocation information checking, then we fail the associated request? Or in other words, is absence of a CRL for a given CA not good enough to allow the request using that CA to pass through?

If the answer to this is yes then I do not see any test case in the NIST test suite that covers this simple test case: use a CA with no CRL and expect path validation for that CA to fail. And if that is indeed the case (absence of this test case), then doesn't this mean that all NIST tests pass regardless of whether we successfully validate CA paths with no associated CRLs?

Vineet

On Wed, Oct 15, 2008 at 1:51 PM, Patrick Patterson <[EMAIL PROTECTED]> wrote:
> Vineet Kumar wrote:
>> Yes, but it looks like if openssl has to conform to JITC tests then in
>> order to accept an EE, a CRL **signed by EE's CA** better be present.
>> It doesn't matter if a CRL is present but signed by some other CA in
>> the cert-chain, no? This strictness of who the CRL's signer should be
>> can make sense in the real world but it doesn't look like openssl has any
>> flag to conform to such rules. Please correct me if I am wrong.
>>
> The case where the CRL is signed by someone other than the certificate's
> signer is the reason that the CRL Issuer field of the CRL Distribution
> Point is available.
>
> From RFC3280:
>
> "If the certificate issuer is not the CRL issuer, then the cRLIssuer
> field MUST be present and contain the Name of the CRL issuer."
>
> This makes it VERY unambiguous - the CRL for a given certificate must be
> signed by its immediate issuer.
>
> Consequently, that is why the NIST test that you mentioned before fails.
> It is not good enough to have some "CRL signed by some other CA in the
> Cert Chain". Absent the CRLIssuer field, the CRL *MUST* be signed by the
> same CA as that which signed the End Certificate.
>
> Have fun.
>
> Patrick.
>
>> Vineet
>>
>> On Wed, Oct 15, 2008 at 1:26 PM, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
>>> On Wed, Oct 15, 2008, Vineet Kumar wrote:
>>>
>>>> It doesn't look like cert_crl() in openssl code follows what you refer
>>>> to as "strict" revocation check. Neither does the RFC. Is there a
>>>> doc/RFC that outlines strict revocation criteria? Am I right in saying
>>>> that openssl does not do that?
>>>>
>>> OpenSSL has several options relating to CRL checking. It can perform no
>>> checking, checking of just the EE cert, and the whole chain.
>>>
>>> The RFC3280 behaviour in the absence of a CRL is determined by the last
>>> paragraph of 6.3.3 where the status is UNDETERMINED.
>>>
>>> It has to be this way or an attacker could block the downloading of a CRL
>>> and allow a revoked certificate to be used.
>>>
>>> Steve.
>>> --
>>> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>>> OpenSSL project core developer and freelance consultant.
>>> Homepage: http://www.drh-consultancy.demon.co.uk
>>> ______________________________________________________________________
>>> OpenSSL Project http://www.openssl.org
>>> Development Mailing List [email protected]
>>> Automated List Manager [EMAIL PROTECTED]
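The status logic Steve and Patrick describe, as an added illustration that is not part of the thread and not OpenSSL's own code: a small Python model of the RFC 3280 6.3.3 decision for one certificate (UNREVOKED, REVOKED, or UNDETERMINED when no CRL from the expected issuer is held) and of the three checking modes Steve lists (none, end-entity only, whole chain). The chain, the CA names, the serial numbers and the CRLs are all constructed for the example; the whole-chain mode here checks every certificate in the chain, including the self-signed root against a CRL it issued itself, which is an assumption of this model rather than something the thread states.

```python
# Added example (not OpenSSL's code): a model of the RFC 3280 6.3.3 CRL
# status logic discussed in the thread. A certificate's status is UNREVOKED,
# REVOKED or UNDETERMINED; UNDETERMINED arises when no CRL from the expected
# CRL issuer is held, and a strict checker treats that as a failure rather
# than letting the certificate through.
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class Status(Enum):
    UNREVOKED = "unrevoked"
    REVOKED = "revoked"
    UNDETERMINED = "undetermined"   # last paragraph of RFC 3280 6.3.3


class CheckMode(Enum):
    NONE = "none"    # no CRL checking at all
    LEAF = "leaf"    # check only the end-entity certificate
    ALL = "all"      # check every certificate in the chain (assumed to include the root)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    crl_issuer: Optional[str] = None   # cRLIssuer from a CRL distribution point, if present


@dataclass(frozen=True)
class CRL:
    issuer: str                        # the CA that signed this CRL
    revoked_serials: FrozenSet[int]


def expected_crl_issuer(cert: Cert) -> str:
    """Absent a cRLIssuer field, the CRL must come from the certificate's own issuer."""
    return cert.crl_issuer if cert.crl_issuer is not None else cert.issuer


def crl_status(cert: Cert, crls: List[CRL]) -> Status:
    """Status of one certificate given the CRLs actually held.
    A CRL signed by some other CA in the chain does not count."""
    wanted = expected_crl_issuer(cert)
    usable = [c for c in crls if c.issuer == wanted]
    if not usable:
        return Status.UNDETERMINED
    if any(cert.serial in c.revoked_serials for c in usable):
        return Status.REVOKED
    return Status.UNREVOKED


def verify_chain(chain: List[Cert], crls: List[CRL], mode: CheckMode) -> Tuple[bool, str]:
    """chain is leaf-first, trust anchor last. Returns (accepted, reason).
    Under strict checking UNDETERMINED is a failure, so that blocking CRL
    retrieval cannot turn a revoked certificate into an accepted one."""
    if mode is CheckMode.NONE:
        return True, "CRL checking disabled"
    to_check = chain[:1] if mode is CheckMode.LEAF else chain
    for cert in to_check:
        status = crl_status(cert, crls)
        if status is Status.REVOKED:
            return False, f"{cert.subject}: revoked by CRL from {expected_crl_issuer(cert)}"
        if status is Status.UNDETERMINED:
            return False, f"{cert.subject}: no CRL from {expected_crl_issuer(cert)}; status undetermined"
    return True, "every checked certificate is unrevoked"


# Constructed sample chain: Root CA -> Intermediate CA -> end-entity certificate.
ROOT = Cert(subject="Root CA", issuer="Root CA", serial=1)
INTERMEDIATE = Cert(subject="Intermediate CA", issuer="Root CA", serial=2)
EE = Cert(subject="server.example", issuer="Intermediate CA", serial=3)
CHAIN = [EE, INTERMEDIATE, ROOT]

# Constructed CRLs: one from each CA, plus a variant in which the
# intermediate has revoked the end-entity certificate.
ROOT_CRL = CRL(issuer="Root CA", revoked_serials=frozenset())
INTERMEDIATE_CRL = CRL(issuer="Intermediate CA", revoked_serials=frozenset())
INTERMEDIATE_CRL_REVOKING_EE = CRL(issuer="Intermediate CA", revoked_serials=frozenset({3}))


if __name__ == "__main__":
    cases = [
        ("no CRLs, whole chain", [], CheckMode.ALL),
        ("only the root's CRL, whole chain", [ROOT_CRL], CheckMode.ALL),
        ("CRL from each CA, whole chain", [ROOT_CRL, INTERMEDIATE_CRL], CheckMode.ALL),
        ("only the intermediate's CRL, leaf only", [INTERMEDIATE_CRL], CheckMode.LEAF),
        ("end-entity revoked, whole chain", [ROOT_CRL, INTERMEDIATE_CRL_REVOKING_EE], CheckMode.ALL),
    ]
    for label, crls, mode in cases:
        ok, why = verify_chain(CHAIN, crls, mode)
        print(f"{label:42s} -> {'accept' if ok else 'reject'}: {why}")
```

The second case is the one Vineet asks about: a CRL from the root is held, but the end-entity certificate's issuer is the intermediate, so under whole-chain checking the end-entity's status is undetermined and the chain is rejected. Only a CRL signed by the intermediate itself (or by the CA named in a cRLIssuer field) changes that outcome.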
