[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6466) certificateListValidate rejects valid X.509 CRLs (but not RFC-compliant)

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6466) certificateListValidate rejects valid X.509 CRLs (but not RFC-compliant)
From: erwann.abalea@keynectis.com
Date: Mon, 1 Feb 2010 00:05:07 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Hodie III Kal. Feb. MMX, Howard Chu scripsit:
> erwann.abalea@keynectis.com wrote:

> >When no certificate is revoked, the revokedCertificate element SHOULD be
> >omitted, instead of being included as an empty SEQUENCE OF SEQUENCE. RFC5280 has
> >changed the SHOULD into a MUST, but I don't think this is checked by the
> >function. I think it only skips over the next element (in my case, the
> >crlExtensions).
> 
> Thanks for the report. The code in CVS HEAD has been patched to
> silently accept this case. However, it's worth pointing out that
> even in X.509(2005):

Thank you for having corrected it.

> >>>>
>         If none of the certificates covered by this CRL have been revoked,
> it is strongly recommended that
> revokedCertificates parameter be omitted from the CRL, rather than being
> included with an empty SEQUENCE.
> <<<<

That's what I meant to write when I wrote that the element SHOULD be
omitted. X.509 doesn't prevent such an empty sequence, it only
strongly recommends to avoid it. A strong recommendation in ISO
terminology is as a SHOULD in RFC2119 meaning. You're right, here.

> Also note that, technically, LDAP is defined to conform to the 1993
> edition of the X.500 specs, and X.509(1993) makes no such allowance
> here.

I didn't know that LDAP was designed to conform to a specific edition
of the standard. Isn't that strange? After all, it should also refuse
to handle X.509v2 CRLs, and X.509v3 certificates, which appear for the
first time in the 1997 edition.
Anyway, I hadn't thought about looking at older revisions of the X.509
standard. You're right, my 1997 edition doesn't say anything about
this, and my 2000 edition (a french version) has the same text as the
2005 one.

> We may consider logging a warning for this case. What software
> generated this CRL? It seems to be defective...

At first, I also thought it was defective. But after all, the standard
doesn't say that this revokedCertificates element MUST be eliminated
when no certificate is revoked (I use RFC2119 terminology here, but
you certainly got it).

I certainly will produce a warning to the software vendor, though. In
general, I tend to follow "SHOULD" rules. I don't know what software
produced this CRL (yet), I only know who uses it (one of our
customers). I'll get in touch with them for that. In the same time,
I'll check that we correctly do our job (we're also a PKI software
vendor).

Anyway, thank you again. I'll test the head version and will come back
later.
BTW, what do you mean by "needs some thought" (in the ticket notes)?

-- 
Erwann ABALEA <erwann.abalea@keynectis.com>
-----
"Common sense is the collection of prejudices acquired by age 18."
- Albert Einstein

Next by Date: Re: (ITS#6466) certificateListValidate rejects valid X.509 CRLs (but not RFC-compliant)
Index(es):
- Chronological
- Thread