Re: Proposal for new PKITS tests


Yes, I agree that this would be a good idea. Building
and verifying a separate path to the CRL issuer is
a lesser-known requirement of RFC 3280.

Thanks,

Steve

"David A. Cooper" wrote:
> 
> All,
> 
> In some discussions that I have been having with Santosh Chokani, he
> asked me whether PKITS included any tests that verified that a relying
> party would only use a CRL if the signature on the CRL could be verified
> using an authenticated public key.
> 
> PKITS already includes some such tests in the Basic Certificate
> Revocation Tests section, including tests where the CRL has a bad
> signature and the CRL has the wrong issuer name.  However, there are no
> tests to verify that a CRL will only be used if there is a valid
> certification path to the verification key, since in almost every test
> the certification path is the same for the CRL and the certificate being
> verified.
> 
> I have attached a figure depicting three new tests that could be added
> to the Basic Certificate Revocation Tests section that (1) would verify
> that relying parties can use CRLs even if the certification path leading
> to the CRL verification key is different than the one leading to the
> certificate being verified and (2) would verify that relying parties
> will not use a CRL if the certification path for the verification key is
> invalid.
> 
> In the first two tests, the trust anchor has issued two certificates to
> the intermediate CA: one certifying the CA's certificate signing key and
> one certifying the CA's CRL signing key.  In one test, the end entity's
> certificate is valid and in the other the end entity's certificate has
> been revoked.
> 
> In the third test, the trust anchor has again issued two certificates to
> the intermediate CA:  one certifying the CA's certificate signing key,
> which is valid, and one certifying the CA's CRL signing key, which has
> been revoked.  Since the certificate issued to the intermediate CA's CRL
> signing key has been revoked, the signature on the CRL cannot be
> validated and so the status of the end entity certificate cannot be
> determined.
> 
> Do people believe that these would be worthwhile tests to add?
> 
> Thanks,
> 
> Dave
> 
> [Attachment: new_tests.pdf, Acrobat (application/pdf)]
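
The three proposed cases, modelled as an added example (not part of either message and not PKITS code). Signatures are stood in for by key labels rather than real cryptography, and the names `Cert`, `CRL`, `PKI`, `authenticated`, `evaluate`, `build` and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str
    subject: str
    key: str        # label standing in for the certified public key
    signed_by: str  # label of the key whose signature verifies on this cert
    usage: str      # "keyCertSign", "cRLSign" or "" for an end entity

@dataclass(frozen=True)
class CRL:
    issuer: str
    signed_by: str  # label of the key whose signature verifies on this CRL
    revoked: frozenset

@dataclass(frozen=True)
class PKI:
    anchor: tuple   # (name, key label) of the trust anchor
    certs: tuple
    crls: tuple

def authenticated(name, key, usage, pki):
    """True if `key` is an authenticated public key of `name` valid for `usage`."""
    if (name, key) == pki.anchor:
        return True
    return any(c.subject == name and c.key == key and c.usage == usage
               and evaluate(c, pki) == "good" for c in pki.certs)

def evaluate(cert, pki):
    """Return 'invalid', 'good', 'revoked' or 'undetermined' for `cert`."""
    if not authenticated(cert.issuer, cert.signed_by, "keyCertSign", pki):
        return "invalid"
    for crl in pki.crls:
        # The CRL counts only if its signing key has its own valid path.
        if crl.issuer == cert.issuer and authenticated(
                crl.issuer, crl.signed_by, "cRLSign", pki):
            return "revoked" if cert.serial in crl.revoked else "good"
    return "undetermined"

def build(ee_revoked, crl_key_cert_revoked):
    """Constructed sample PKI: anchor TA, intermediate CA with two keys."""
    ca_sign = Cert(1, "TA", "CA", "ca-cert-key", "ta-key", "keyCertSign")
    ca_crl = Cert(2, "TA", "CA", "ca-crl-key", "ta-key", "cRLSign")
    ee = Cert(10, "CA", "EE", "ee-key", "ca-cert-key", "")
    crls = (CRL("TA", "ta-key", frozenset({2} if crl_key_cert_revoked else ())),
            CRL("CA", "ca-crl-key", frozenset({10} if ee_revoked else ())))
    return ee, PKI(("TA", "ta-key"), (ca_sign, ca_crl), crls)
```

`evaluate(*build(False, True))` corresponds to the third case: the CA's CRL is ignored because the certificate for its signing key is itself revoked, so the end entity's status comes back as undetermined.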
