Seth Hitchings wrote:

> Should this also apply to test 4.4.8, which relates to unrecognized critical CRL entry extensions? RFC 3280 carries the same language for both cases.

Seth,

Yes, this applies to both unrecognized critical CRL extensions and CRL entry extensions. DR 310 proposed to modify X.509 to align with RFC 3280 on both the processing of CRLs with unrecognized critical CRL extensions and the processing of CRLs with unrecognized critical CRL entry extensions. The proposal is to modify note 4 in clause 7.3 (which the descriptions of tests 4.4.8 and 4.4.9 quote from) to read as follows:

NOTE 4 – When an implementation processing a certificate revocation list does not recognize a critical extension in the crlEntryExtensions field, that CRL cannot be used to determine the status of the certificate. When an implementation does not recognize a critical extension in the crlExtensions field, that CRL cannot be used to determine the status of the certificate. In these cases local policy may dictate actions in addition to and/or stronger than those stated in this Specification, such as seeking revocation status information from other sources. Certificates for which revocation status cannot be determined should not be considered valid certificates.

So, in both cases, the paths should be considered invalid as a result of no valid revocation information being available rather than as a result of the certificates being revoked.

Dave

> -----Original Message-----
> From: pkits@NIST.GOV [mailto:pkits@NIST.GOV] On Behalf Of David A. Cooper
> Sent: Monday, July 24, 2006 6:06 PM
> To: Multiple recipients of list
> Subject: Re: Test 4.4.9 is not RFC3280 compliant?
>
> Sean,
>
> You are correct. When I wrote the description for this test, I did so based on X.509. After PKITS was completed, X.509 was changed to align with RFC 3280, so both now indicate that a CRL with an unrecognized critical CRL extension cannot be used to determine the status of a certificate.
>
> Dave
>
> Sean Mullan wrote:
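The processing rule the thread settles on, as an added example that is not part of the original messages: a minimal Python model of CRL status checking in which a critical extension the validator does not recognize, whether in crlExtensions (test 4.4.9) or in crlEntryExtensions (test 4.4.8), yields an "undetermined" status rather than "good" or "revoked", and the path is then invalid unless local policy says otherwise. The recognized OIDs are the standard RFC 3280 CRL and CRL entry extensions; the unrecognized OID and the sample CRLs are constructed, and, following RFC 3280 section 5.3, an unrecognized critical entry extension on any entry makes the whole CRL unusable.

```python
from dataclasses import dataclass, field
from enum import Enum
# Extension OIDs this validator recognizes (standard RFC 3280 CRL and CRL entry extensions).
KNOWN_CRL_EXTS = {"2.5.29.20", "2.5.29.35", "2.5.29.28", "2.5.29.27", "2.5.29.46"}
KNOWN_ENTRY_EXTS = {"2.5.29.21", "2.5.29.24", "2.5.29.29"}

class Status(Enum):
    GOOD = "good"                  # not listed on a usable CRL
    REVOKED = "revoked"            # listed on a usable CRL
    UNDETERMINED = "undetermined"  # CRL unusable: unrecognized critical extension

@dataclass
class Extension:
    oid: str
    critical: bool

@dataclass
class RevokedEntry:
    serial: int
    entry_exts: list = field(default_factory=list)

@dataclass
class Crl:
    crl_exts: list
    entries: list

def has_unrecognized_critical(exts, known):
    # Unknown non-critical extensions are ignored; unknown critical ones are not.
    return any(e.critical and e.oid not in known for e in exts)

def crl_status(crl, serial):
    """Status of `serial` per `crl`, or UNDETERMINED when the CRL cannot be used."""
    if has_unrecognized_critical(crl.crl_exts, KNOWN_CRL_EXTS):
        return Status.UNDETERMINED  # crlExtensions case (test 4.4.9)
    if any(has_unrecognized_critical(e.entry_exts, KNOWN_ENTRY_EXTS) for e in crl.entries):
        return Status.UNDETERMINED  # crlEntryExtensions case (test 4.4.8)
    return Status.REVOKED if any(e.serial == serial for e in crl.entries) else Status.GOOD

def path_valid(status, policy_accepts_undetermined=False):
    """An undetermined status invalidates the path unless local policy says otherwise."""
    if status is Status.UNDETERMINED:
        return policy_accepts_undetermined
    return status is Status.GOOD

# Constructed sample CRLs; "1.2.3.4.99" stands in for an extension the validator does not know.
CRL_NUMBER, UNKNOWN = Extension("2.5.29.20", False), Extension("1.2.3.4.99", True)
CRL_UNKNOWN_CRL_EXT = Crl([CRL_NUMBER, UNKNOWN], [RevokedEntry(1)])
CRL_UNKNOWN_ENTRY_EXT = Crl([CRL_NUMBER], [RevokedEntry(1, [UNKNOWN])])
CRL_CLEAN = Crl([CRL_NUMBER], [RevokedEntry(1, [Extension("2.5.29.21", False)])])
```

Note that serial 1 is listed on all three sample CRLs, yet only the clean CRL reports it as revoked; the other two report undetermined, which is the distinction the thread draws.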