Partitioned CRL's support

hagai yaffe-2

Hello,

I am using openssl (version 0.9.7) to support PKI authentication to my product and I would like to implement revocation support. I have successfully implemented support for a CA that publishes a full CRL, but I have a problem working with CAs that publish partitioned CRLs.

For the verification process I am adding the CRLs into an X509_STORE, and in this store every CRL is identified by its issuer. When working with partitioned CRLs there would be a few CRLs with the same issuer, so I cannot use the current mechanism to support partitioned CRLs.

I can create my own CRL cache and add / remove them from the X509_STORE according to the current certificate that I would like to check for revocation, but first I wanted to consult to see if there is a better way to do this that I am not aware of, or if there is a plan to add this feature to openssl in the future.

Any info regarding this issue would help me a lot.

Thanks,

Hagai.

Re: Partitioned CRL's support

Dr. Stephen Henson
On Wed, Jul 20, 2005, Hagai Yaffe wrote:

> Hello,
>  
>
> I am using openssl (version 0.9.7) to support PKI authentication to my
> product and I would like to implement revocation support, I have
> successfully implemented support for a CA that publish a full CRL but I
> have a problem working with CA's that publishes partitioned CRL's.
>  
>
> For the verification process I am adding the CRL's into an X509_STORE
> and in this store every CRL is identified by it's issuer, when working
> with partitioned CRL's there would be a few CRL's with the same issuer
> so I cannot use the current mechanism to support partitioned CRL's.
>  
>
> I can create my own CRL's cache and add / remove them from the
> X509_STORE according to the current certificate that I would like to
> check for revocation but first I wanted to consult to see if there is a
> better way to do this that I am not aware of it or if there is a plan to
> add this feature to openssl in the future.
>
> Any info regarding this issue would help me a lot.
>

By a "partitioned CRL" which extension is being used for the partitioning? Is
it IDP partitioning by reason code?

If so this *may* be looked at at some point along with the X509_STORE issues
you mention.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
RE: Partitioned CRL's support

hagai yaffe-2
In reply to this post by hagai yaffe-2
I am not familiar with the term "IDP partitioning" (does IDP stand for
"Issuing Distribution Point"?).

The partitioning is not by reason codes: every X certificates are
pointed to a certain CDP to reduce CRL size; CRLs are separated by
the Issuing Distribution Point extension.

I am sorry, but I didn't quite understand from your answer whether there is an
intention to support this in future openssl versions. (I know that I am
pushing it a little, but if there is such a plan I would also like to know
approximately when it is planned to be done.)

Thanks a lot for your help.

Hagai.

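The custom CRL cache Hagai describes in his two posts, modelled as an added example (not code from the thread or from OpenSSL): CRLs are keyed by issuer plus Issuing Distribution Point and selected by matching the certificate's CRL Distribution Point, beside the issuer-only lookup that cannot tell partitions apart. All class and field names and the sample CA and URIs are my own constructions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of the thread's problem (not OpenSSL code): a store that
# resolves CRLs by issuer alone sees one CRL per CA, so partitioned CRLs (one
# per Issuing Distribution Point, IDP) of one CA collide. Keying by (issuer,
# IDP) and matching the cert's CRL Distribution Point (CDP) fixes that.

@dataclass
class Cert:
    serial: int
    issuer: str
    crl_dps: list           # CRLDistributionPoints URIs from the certificate
@dataclass
class CRL:
    issuer: str
    idp: "str | None"       # IssuingDistributionPoint URI; None = full CRL
    revoked: set
    this_update: datetime
    next_update: datetime

def issuer_only_status(crls, cert):
    # Issuer-keyed lookup as in the thread: the first CRL of the issuer is
    # used, so a cert revoked in any other partition still looks "good".
    crl = next(c for c in crls if c.issuer == cert.issuer)
    return "revoked" if cert.serial in crl.revoked else "good"

class CRLCache:
    def __init__(self, crls):
        # Keyed by (issuer, idp) so every partition stays addressable.
        self._by_key = {(c.issuer, c.idp): c for c in crls}
    def select(self, cert, now):
        # Prefer the partition whose IDP equals one of the cert's CDPs, else
        # a full CRL of the issuer; a stale or not-yet-valid CRL never counts.
        keys = [(cert.issuer, dp) for dp in cert.crl_dps] + [(cert.issuer, None)]
        for crl in (self._by_key.get(k) for k in keys):
            if crl and crl.this_update <= now < crl.next_update:
                return crl
        return None

def revocation_status(cache, cert, now):
    # "unknown" when no current CRL covers the cert: a partition that was
    # never fetched must not be reported as "good".
    crl = cache.select(cert, now)
    return "unknown" if crl is None else "revoked" if cert.serial in crl.revoked else "good"

# Constructed sample: one CA, two partitions, each CRL valid for two days.
NOW = datetime(2005, 7, 20, tzinfo=timezone.utc)
CA, DP1, DP2 = "CN=Example CA", "http://ca.example/crl1.crl", "http://ca.example/crl2.crl"
CRLS = [CRL(CA, dp, rev, NOW - timedelta(days=1), NOW + timedelta(days=1))
        for dp, rev in ((DP1, {1001}), (DP2, {2002}))]
CACHE = CRLCache(CRLS)
```

A certificate whose CDP has no cached, currently valid CRL comes back as "unknown"; the caller decides whether that is a hard failure, but it is never silently "good".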
Re: Partitioned CRL's support

Dr. Stephen Henson
On Wed, Jul 20, 2005, Hagai Yaffe wrote:

> I am not familiar with the term "IDP partitioning" (does IDP stands for
> "Issuing Distribution Point"?).
>

Yes, IDP is Issuing Distribution Point.

> The partitioning is not by reason codes, Every X certificates are
> pointed to a certain CDP to reduce CRL's size, CRL's are separated by
> the Issuing Distribution Point extension.
>

Does that follow any particular standard, and are the CRLs publicly
available?

> I am sorry but I didn't quite understand from your answer if there is an
> intention to support this in openssl future versions? (I know that I am
> pushing it a little by if there is such a plan I would also like to know
> approximately when it is planed to be done).
>

An interest has been expressed in adding support for IDP, however nothing is
definite at present so I can't be precise as to when or even if it will be
done, sorry.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]