
CRL format revision



In off-list conversation it became clear that the validity field of a CRL
should be an expiration datetime rather than a CRL lifetime.  This is the
datetime after which you need to go fetch a new CRL but prior to which you can
use the one you have cached.

We also need to provide for delta-CRLs (the only way CRLs make performance
sense, IMHO) -- and that means we need to be able to refer back to one CRL
in a sequence of CRLs.

The reason field makes sense, but I would suggest that it be optional.

We probably also want to make room for ECR validity, as an optional field.

This gives us a more mature CRL:

begin: <comment>
issuer: <key ID>
CRL-sequence: <int>
revoke: <cert ID>,<reason>
[... more revocation lines...]
expires: <date>
CRL-ECR-params: <F>,<V>
end: <comment>
signature: <....>

or, for a delta-CRL,

begin: <comment>
issuer: <key ID>
CRL-sequence: <int>
Delta-from-CRL: <int>
revoke: <cert ID>,<reason>
[... more revocation lines...]
expires: <date>
CRL-ECR-params: <F>,<V>
end: <comment>
signature: <....>

where <reason> could be encoded, for any readily agreed-upon list of
possible reasons, with a text escape; or could be just raw text.  I'm
inclined to favor raw (possibly empty) text because I don't imagine a
verifying program second-guessing the CRL about the cert's validity based on
the <reason>.  OTOH, an encoding of common reasons saves space.

<cert ID>, based on Brian's reasoning, would be the hash of a full cert --
in SET terms, a 'thumb'.

CRL-sequence: gives the sequence number (sequential for that issuer) of the
current CRL.

Delta-from-CRL: <int> gives the sequence number of a prior CRL to be
considered incorporated by reference.

If ECR is in use, then we can have a one-line empty delta-CRL of the form:

ECR-empty-delta: <S>,<D>,<V'>

where <S> is the current CRL-sequence, <D> is the Delta-from-CRL, and <V'>
is the (S-D)'th pre-image of the <V> given in the CRL numbered D.  This one
line form is valid only when the delta-CRL is empty.  {<F> is the name of
the hash algorithm.}


 - Carl


+--------------------------------------------------------------------------+
|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                              http://www.cybercash.com/    |
|207 Grindall Street           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103       T:(410) 727-4288     F:(410)727-4293        |
+--------------------------------------------------------------------------+
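Added illustration, not code from the post or from SPKI: a parser for the line-oriented CRL text above and the check for a one-line ECR-empty-delta, assuming <F> is a hashlib algorithm name, <V> and <V'> are hex digests, and a constructed sample CRL with a sha256 hash chain of length 10.

```python
import hashlib

def hash_chain(algo, value, steps):
    """Apply hash algorithm `algo` to hex string `value` `steps` times (hex out)."""
    for _ in range(steps):
        value = hashlib.new(algo, bytes.fromhex(value)).hexdigest()
    return value

def parse_crl(text):
    """Parse the line-oriented 'field: value' format; 'revoke:' lines repeat."""
    crl = {"revoke": []}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "revoke":
            cert_id, _, reason = value.partition(",")   # reason may be empty text
            crl["revoke"].append((cert_id, reason))
        elif key == "CRL-ECR-params":
            crl["ecr"] = tuple(value.split(","))        # (F, V) as in the post
        elif key in ("CRL-sequence", "Delta-from-CRL"):
            crl[key] = int(value)
        else:
            crl[key] = value
    return crl

def verify_ecr_empty_delta(line, cached):
    """Check 'ECR-empty-delta: S,D,V'' against cached CRL D: H^(S-D)(V') must equal its V."""
    key, _, value = line.partition(":")
    if key.strip() != "ECR-empty-delta":
        return False
    s, d, v_prime = value.strip().split(",")
    s, d = int(s), int(d); base = cached.get(d)
    if base is None or s <= d or "ecr" not in base:
        return False   # unknown base CRL, or a sequence number that does not advance
    algo, v = base["ecr"]
    return hash_chain(algo, v_prime, s - d) == v

# Constructed sample (not from the post): the issuer keeps SEED secret, publishes
# V = H^10(SEED), and later releases V' = H^(10-k)(SEED) for an empty delta k on.
SEED = hashlib.sha256(b"constructed issuer secret").hexdigest()
V = hash_chain("sha256", SEED, 10)
SAMPLE_CRL = f"""begin: constructed example
issuer: example-issuer-key
CRL-sequence: 7
revoke: {hashlib.sha256(b"constructed full cert bytes").hexdigest()},key compromise
expires: 1997-06-01T00:00:00Z
CRL-ECR-params: sha256,{V}
end: constructed example
signature: <placeholder>"""
```

A verifier that has CRL 7 cached accepts `ECR-empty-delta: 10,7,V'` only when V' is the 3rd pre-image of the V it already holds, so an empty delta costs one line and three hash operations.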