Re: nextUpdate

Paul,

The PKITS test suite explicitly states:

4.4 Basic Certificate Revocation Tests

The application must be able to retrieve valid revocation data for each certificate in the path. If the application is unable to retrieve valid revocation data for one or more certificates in the path, it must reject the certification path. In the following tests, it is assumed that if an application is unable to find valid, up-to-date certificate status information (e.g., a CRL) for each certificate in the path, that either path validation will fail or the application will display a warning to the user indicating that the status of the certificate can not be determined.

So, there is no mandate that all activity stop if one is unable to obtain an up-to-date CRL.  In the case of an interactive application, a warning could be displayed to the user, who could then make a judgment about how to proceed.  In other cases, such as when an application can not simply provide user feedback (e.g., PKI-based login), the application itself could make a determination of how to proceed based on the warning returned by the path validation logic and configuration information provided by the administrator.

Also note that the nextUpdate times in the CRLs in the tests below are January 1, 2002 and January 1, 1999, so in neither test is it the case that the CRL is only slightly out-of-date.

Dave

Friedrichs, Paul (Contractor) wrote:
Hi Everyone,

It was brought to my attention that
http://csrc.nist.gov/pki/testing/PKITS.pdf in sections 4.4.11 and 4.4.12 on
pages 18-29, says:

4.4.11 Invalid Old CRL nextUpdate Test11

In this test the intermediate CA's CRL has a nextUpdate time that 
is in the past, indicating that the CA has already issued updated 
revocation information. Since the information in the CRL is 
out-of-date and a more up-to-date CRL (that should have already 
been issued) can not be obtained, the end entity certificate should 
be rejected due to the lack of sufficiently fresh certificate 
status information.

Procedure: Validate Invalid Old CRL nextUpdate Test11 EE using the 
default settings or open and verify Signed Test Message 6.2.2.28 
using the default settings.

Expected Result: The path should not validate successfully since 
the status of the end entity's certificate can not be determined.

and

4.4.12 Invalid pre2000 CRL nextUpdate Test12

In this test the intermediate CA's CRL has a nextUpdate time that 
is in 1999 indicating that the CA has already issued updated 
revocation information. Since the information in the CRL is out-of-date 
and a more up-to-date CRL (that should have already been issued) can 
not be obtained, the end entity certificate should be rejected due to 
the lack of sufficiently fresh certificate status information.

Procedure: Validate Invalid pre2000 CRL nextUpdate Test12 EE using the 
default settings or open and verify Signed Test Message 6.2.2.29 using 
the default settings.

Expected Result: The path should not validate successfully since the 
status of the end entity's certificate can not be determined.


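As an added illustration of the distinction Dave draws (fail the path outright versus surface a warning and let the user or an administrator's configuration decide), here is a small Python model of the CRL nextUpdate freshness check applied to the two PKITS cases quoted above. It is not code from PKITS or from either poster; the validation time, the thisUpdate values, the `on_stale` setting and the `grace` tolerance are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

class Status(Enum):
    FRESH = "fresh"            # nextUpdate not yet reached: the CRL is usable
    STALE_WARN = "warn"        # nextUpdate passed, no fresher CRL; policy says warn
    STALE_REJECT = "reject"    # nextUpdate passed, no fresher CRL; policy says fail

@dataclass(frozen=True)
class CrlTimes:
    """The two validity fields of a CRL; nextUpdate is OPTIONAL in the ASN.1."""
    this_update: datetime
    next_update: Optional[datetime]

def crl_status(crl: CrlTimes, now: datetime, on_stale: str = "reject",
               grace: timedelta = timedelta(0)) -> Status:
    """Classify one CRL's freshness at validation time `now` (assumes a
    fresher CRL could not be fetched). `on_stale` stands in for a hypothetical
    administrator setting: "reject" fails validation, "warn" hands the
    decision to the caller. `grace` tolerates a CRL that is only slightly
    past nextUpdate, e.g. because of distribution lag."""
    if crl.this_update > now:
        raise ValueError("thisUpdate is in the future: clock skew or bogus CRL")
    if crl.next_update is None or now <= crl.next_update + grace:
        return Status.FRESH          # no stated expiry, or still within it
    return Status.STALE_REJECT if on_stale == "reject" else Status.STALE_WARN

def path_disposition(crls: List[CrlTimes], now: datetime, on_stale: str = "reject",
                     grace: timedelta = timedelta(0)) -> str:
    """PKITS 4.4: every certificate in the path needs usable status data,
    so a single stale CRL decides the outcome for the whole path."""
    results = [crl_status(c, now, on_stale, grace) for c in crls]
    if Status.STALE_REJECT in results:
        return "reject"
    if Status.STALE_WARN in results:
        return "warn"   # user prompt or admin policy decides whether to proceed
    return "valid"

UTC = timezone.utc
# Constructed data: the nextUpdate values are the ones the thread quotes for
# Test11 (Jan 1, 2002) and Test12 (Jan 1, 1999); thisUpdate and NOW are assumed.
NOW = datetime(2004, 6, 1, tzinfo=UTC)
TEST11_CRL = CrlTimes(datetime(2001, 4, 19, tzinfo=UTC), datetime(2002, 1, 1, tzinfo=UTC))
TEST12_CRL = CrlTimes(datetime(1998, 1, 1, tzinfo=UTC), datetime(1999, 1, 1, tzinfo=UTC))
FRESH_CRL = CrlTimes(NOW - timedelta(days=1), NOW + timedelta(days=1))
SLIGHTLY_STALE_CRL = CrlTimes(NOW - timedelta(days=8), NOW - timedelta(days=1))
```

Note that even a generous grace period does not rescue the PKITS CRLs, which are years past nextUpdate; grace only changes the outcome for a CRL that is slightly out of date.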