I-D Action: draft-hamilton-crlwhitelist-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title           : Certificate Revocation List (CRL) Extensions for Backward-Compatible Whitelist Provision
	Author(s)       : Kyle Hamilton
	Filename        : draft-hamilton-crlwhitelist-00.txt
	Pages           : 7
	Date            : 2011-11-22

   We describe two extensions to the Certificate Revocation List v2 to
   more strongly identify revoked and legitimately issued certificates.
   This creates a means for non-CA OCSP responders which are fed by CRL
   and can parse these extensions to presume that unlisted or non-
   matching certificates from that Issuer are REVOKED rather than
   UNKNOWN, as well as creating a means by which the Issuer can provide
   digest values for stronger certificate authentication.

   Placing issuance data within the CRL in some ways violates the
   original intent of the CRL, but CRLv2 has places for Extensions.  It
   is a logical extension to permit existing buildout to address newly-
   exploited vulnerabilities in the model.

   A new crlEntryExtension is defined to permit the optional provision
   of several hashes of each certificate on the list of revoked
   certificates.  In addition, a new crlExtension is defined to provide
   serial numbers and hashes of issued certificates.  Neither of these
   extensions needs to be marked critical, and the original semantics
   are preserved for existing clients.

   Notably, no data format or protocol of PKIX can currently utilize
   any extra hashes to provide any extra authentication or security.
   Nevertheless, until there is a standard way for the CA issuer to
   provide these digest values, it's impossible to build anything which
   uses them.

   The downside: Whitelist CRLs with strong certificate authentication
   data are *huge*.  The canonical 1MB CRL example would, if extended
   with this extra information, balloon to at a minimum 2.5MB
   (presuming random 20-byte serial numbers) to a single-digest maximum
   of approximately 400MB.  CAs are encouraged not to alter their
   current CRL production, and produce these extensions only when
   needed by a certificate status server or consuming client.
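As an added illustration (not code from the draft or its author), the following Python sketch shows how a CRL-fed, non-CA OCSP responder could apply the two extensions the abstract describes: per-entry digests on revoked certificates, and an issuer-provided whitelist of issued serial numbers with digests. The dataclasses, field names and the choice of SHA-256 are assumptions standing in for the draft's ASN.1, which this page does not reproduce; the fallback to UNKNOWN when no whitelist is present follows the abstract's framing.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# NOTE: these dataclasses are a hypothetical, already-parsed view of a CRL.
# The draft defines real ASN.1 extensions; the names below are assumptions.


@dataclass
class RevokedEntry:
    serial: int
    # Stand-in for the proposed crlEntryExtension: digests of the revoked
    # certificate's DER, keyed by algorithm name. Empty for a legacy entry.
    digests: Dict[str, str]


@dataclass
class CrlView:
    issuer: str
    revoked: List[RevokedEntry]
    # Stand-in for the proposed crlExtension: serial -> SHA-256 hex digest of
    # every certificate the issuer actually issued. None = extension absent.
    issued: Optional[Dict[int, str]]


def sha256_hex(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def cert_status(crl: CrlView, issuer: str, serial: int, cert_der: bytes) -> Tuple[str, str]:
    """Return (status, reason) the way a CRL-fed responder would decide it.

    Order matters: the revoked list is consulted first so that legacy
    semantics (serial on the list => REVOKED) are preserved; the whitelist
    only changes what happens to certificates that are NOT on the list.
    """
    if issuer != crl.issuer:
        return ("UNKNOWN", "issuer not covered by this CRL")

    digest = sha256_hex(cert_der)

    for entry in crl.revoked:
        if entry.serial == serial:
            if entry.digests.get("sha256") == digest:
                return ("REVOKED", "serial and digest match revoked entry")
            # Serial alone still revokes, exactly as an unextended CRL would.
            return ("REVOKED", "serial matches revoked entry (legacy semantics)")

    if crl.issued is None:
        # No whitelist: the responder cannot vouch for issuance at all.
        return ("UNKNOWN", "not on CRL; no whitelist to confirm issuance")

    expected = crl.issued.get(serial)
    if expected is None:
        return ("REVOKED", "serial never issued according to whitelist")
    if expected != digest:
        # Right serial, wrong certificate body: treat as not legitimately issued.
        return ("REVOKED", "serial issued but digest does not match")
    return ("GOOD", "serial and digest match whitelist")


def build_sample_crl() -> Tuple[CrlView, CrlView, Dict[int, bytes]]:
    """Constructed sample data: three 'certificates' (arbitrary bytes standing
    in for DER), one of them revoked. Returns a whitelist-bearing CRL, the same
    CRL without the whitelist extension, and the certificate bytes."""
    certs = {1: b"constructed-cert-1", 2: b"constructed-cert-2", 3: b"constructed-cert-3"}
    revoked = [RevokedEntry(serial=3, digests={"sha256": sha256_hex(certs[3])})]
    issued = {serial: sha256_hex(der) for serial, der in certs.items()}
    issuer = "CN=Example Issuing CA"  # constructed name
    with_whitelist = CrlView(issuer=issuer, revoked=revoked, issued=issued)
    legacy = CrlView(issuer=issuer, revoked=revoked, issued=None)
    return with_whitelist, legacy, certs


if __name__ == "__main__":
    wl, legacy, certs = build_sample_crl()
    probes = [(1, certs[1]), (2, b"tampered"), (3, certs[3]), (4, b"never-issued")]
    for serial, der in probes:
        print(serial,
              "whitelist:", cert_status(wl, wl.issuer, serial, der),
              "legacy:", cert_status(legacy, legacy.issuer, serial, der))
```

The `issued is None` branch is the backward-compatibility path the abstract refers to: a consumer that does not parse the non-critical extension behaves exactly as it does today, while a consumer that does parse it can turn an otherwise unexplainable serial (or a certificate whose body does not match the issuer's recorded digest) into a definite REVOKED answer.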


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-hamilton-crlwhitelist-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-hamilton-crlwhitelist-00.txt

_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt