Re: questions about CRL check
It seems like there's a problem with the concepts: a certificate cannot contain a CRL, but a CRL can contain one or more certificates. Considering that, a certificate cannot even be sure to be contained in a CRL; that can only be known by checking the CRL. Regarding your second question, a certificate cannot get a CRL; that's the CA's job. The CA defines how often the CRL will be available, so you need to do this manually. I hope it helps, bye.

Juan Carlos Albores Aguilar

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 20, 2001 8:49 PM
Subject: questions about CRL check

Hi,

1. Is an X.509 certificate sure to contain a certificate revocation list?
2. If an X.509 certificate contains a CRL, is there an interface defined in it for how to get the latest CRL from the CA to replace the current CRL? Does any RFC define it?

Thank you and have a nice day.

Sincerely,
Wooce

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: questions about CRL check
An X.509 certificate does NOT contain ANYTHING related to a CRL, but an X.509 certificate contains a serial number which WILL be included in the VeriSign-issued CRL in case the certificate was revoked. http://onsitecrl.verisign.com/ is the site where you can check if your certificate was revoked: put in the serial number of the revoked certificate and you will see it in the list. I believe in our case VeriSign sends us a CRL every 3 hrs or so. But you can also use the OSPF (something like this) protocol to get a real-time CRL list. Hope this helps!

Leon

-----Original Message-----
From: Juan Carlos Albores Aguilar [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 1:31 PM
To: [EMAIL PROTECTED]
Subject: Re: questions about CRL check
Re: questions about CRL check
Thanks to Leon and Juan. Maybe it should be OCSP (Online Certificate Status Protocol) instead of OSPF.

When you choose Tools-Options-Security-Advanced in Outlook Express, there's an option about revocation checking; you can choose between "only when online" and "never". If you choose "only when online", then when a signed mail is received by Outlook Express, the certificate in the mail will be checked as to whether it's already revoked. How can Outlook Express perform this task? Does Outlook Express use the OCSP protocol to get a real-time CRL list for the revocation checking task?

And there exists a CRL distribution points extension (CDP) in X.509 v3 certificates; the CDP extension identifies how CRL information is obtained (see RFC 2459). See below:

    cRLDistributionPoints ::= {
        CRLDistPointsSyntax }

    CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

    DistributionPoint ::= SEQUENCE {
        distributionPoint   [0]  DistributionPointName OPTIONAL,
        reasons             [1]  ReasonFlags OPTIONAL,
        cRLIssuer           [2]  GeneralNames OPTIONAL }

    GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

    GeneralName ::= CHOICE {
        otherName                  [0]  OtherName,
        rfc822Name                 [1]  IA5String,
        dNSName                    [2]  IA5String,
        x400Address                [3]  ORAddress,
        directoryName              [4]  Name,
        ediPartyName               [5]  EDIPartyName,
        uniformResourceIdentifier  [6]  IA5String,
        iPAddress                  [7]  OCTET STRING,
        registeredID               [8]  OBJECT IDENTIFIER }

uniformResourceIdentifier can contain the LDAP URL information of the CRL issuer. So although a certificate doesn't contain a CRL, I still have a question: when an application written by me (acting as a secure mail client) receives a signed mail and wants to check whether the certificate in the mail has already been revoked by the CA, does the CDP extension in the certificate give enough information (such as an LDAP URL) for my application to retrieve the latest CRL from the LDAP server of the CA? Or else how can my secure email client obtain the latest CRL from the CA on a regular periodic basis (e.g., hourly, daily, or weekly) to make the client more secure?

Have a nice day!
Wooce

----- Original Message -----
From: ZILBER,LEONID (HP-NewJersey,ex1) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 21, 2001 10:58 AM
Subject: RE: questions about CRL check
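The CDP lookup asked about above, as an added example that is not part of the original thread and not OpenSSL's own code: a POSIX shell script driving the openssl command line. It builds a throwaway CA, issues a leaf certificate carrying a crlDistributionPoints URI (the extension is defined in RFC 2459 and carried forward in its successor, RFC 5280), reads that URI back out of the certificate, and checks the certificate against the CA's CRL before and after revocation. The CA name, the host in the CDP URI (crl.example.test), the file names, the serial number and the one-day CRL lifetime are assumptions made for the demo, and it assumes openssl 1.1.1 or later on PATH. Because it runs offline, fetch_crl maps the known URI to a local file at the point where a real client would do the HTTP or LDAP retrieval.

```shell
#!/bin/sh
# Added example, not code from the thread. Exercises the cRLDistributionPoints
# extension with the openssl CLI: build a throwaway CA, issue a leaf cert that
# carries a CDP URI, read the URI back out of the cert, and check the cert
# against the CA's CRL before and after revocation. Assumes openssl >= 1.1.1;
# CA name, CDP hostname, serial and CRL lifetime are made-up demo values.
set -eu
# Minimal openssl.cnf for a CA rooted in directory $1 (absolute path).
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 1
policy           = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints      = CA:FALSE
keyUsage              = critical,digitalSignature
subjectKeyIdentifier  = hash
crlDistributionPoints = URI:http://crl.example.test/demo-ca.crl
EOF
}
# CA key + self-signed cert, a leaf carrying the CDP extension, an empty CRL.
build_demo_pki() {
    mkdir -p "$1/newcerts"; : > "$1/index.txt"
    echo 1000 > "$1/serial"; echo 01 > "$1/crlnumber"
    write_ca_config "$1"
    openssl req -x509 -new -config "$1/openssl.cnf" -extensions v3_ca -days 30 \
        -subj "/CN=Demo CRL Test CA" -newkey rsa:2048 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -subj "/CN=leaf.example.test" \
        -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl ca -batch -config "$1/openssl.cnf" -extensions v3_leaf -notext \
        -in "$1/leaf.csr" -out "$1/leaf.pem" >/dev/null 2>&1
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/demo-ca.crl" 2>/dev/null
}
# URI(s) from the certificate's CRL Distribution Points extension.
cdp_uris() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints |
        sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p'
}
# Stand-in for fetching the CRL a CDP URI names: the demo has no web server,
# so the one known URI maps to a local file. A real client would HTTP- or
# LDAP-fetch it here and cache the result until the CRL's nextUpdate.
fetch_crl() {
    case $1 in
        http://crl.example.test/demo-ca.crl) echo "$2/demo-ca.crl" ;;
        *) echo "no fetcher for $1" >&2; return 1 ;;
    esac
}
# Serial numbers a CRL lists (a CRL carries serials, not certificates).
crl_serials() {
    openssl crl -in "$1" -noout -text | sed -n 's/^[[:space:]]*Serial Number: //p'
}
# Chain-validate cert $1 against CA $2 using CRL $3. `verify -crl_check` also
# checks the CRL's signature and rejects a CRL past its nextUpdate.
# Prints one of: good | revoked | stale | invalid
revocation_status() {
    if out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1); then
        echo good
    else
        case $out in
            *"certificate revoked"*) echo revoked ;;
            *"CRL has expired"*)     echo stale ;;
            *)                       echo invalid ;;
        esac
    fi
}
# Mark the leaf revoked in the CA database and publish a fresh CRL.
revoke_and_republish() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/leaf.pem" \
        -crl_reason keyCompromise >/dev/null 2>&1
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/demo-ca.crl" 2>/dev/null
}
demo() {
    work=$(mktemp -d); build_demo_pki "$work"
    uri=$(cdp_uris "$work/leaf.pem" | head -n 1); crl=$(fetch_crl "$uri" "$work")
    echo "CDP URI: $uri"
    echo "before revocation: $(revocation_status "$work/leaf.pem" "$work/ca.pem" "$crl")"
    revoke_and_republish "$work"
    echo "after revocation:  $(revocation_status "$work/leaf.pem" "$work/ca.pem" "$crl") (CRL lists serial $(crl_serials "$crl"))"
    rm -rf "$work"
}
demo
```

Running it prints the CDP URI, "good" before revocation and "revoked" after, with the leaf's serial now appearing in the CRL. The point worth noting for a mail client is that `openssl verify -crl_check` does three things in order: it verifies the CRL's signature against the issuer, rejects a CRL whose nextUpdate has passed, and only then looks for the serial number, so a stale cached CRL fails closed rather than answering "good". A client that polls the CDP on a schedule should refresh no later than the CRL's nextUpdate for the same reason.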
RE: questions about CRL check
Wooce -- Outlook's support of revocation checking is done through CryptoAPI; see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/WinXPPro/support/tshtcrl.asp to better understand how chaining and status determination are done. As for its OCSP support, the answer is no: it only supports CRL checking, and only when the cert has a CRLdp extension in it.

ValiCert has developed a revocation provider that can either replace or augment the existing revocation handling for CryptoAPI. It adds support for OCSP, SCVP, CRL, and CRL deltas. Additionally, it provides for creating a validation profile for a CA, so even if a certificate does not contain a pointer to revocation information you as an administrator/user can set one. The product is called the ValiCert Desktop Validator.

Ryan

-----Original Message-----
From: wooce [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 6:58 PM
To: [EMAIL PROTECTED]
Subject: Re: questions about CRL check