Sean Mullan wrote:
Xuelei Fan wrote:

In line 318, if "idpExt == null" is true, "false" will be returned. I don't find any spec supporting such logic; it might be a bug here. I think the code should look like:
     318             if (idpExt != null &&
     319                 ((Boolean) idpExt.get
     320                     (IssuingDistributionPointExtension.INDIRECT_CRL)).equals
     321                         (Boolean.FALSE)) {
     322                 return false;

Any comments?

RFC 5280 (Section 6.3.3 (b) (1)) says:

If the DP includes cRLIssuer, then verify that the issuer
field in the complete CRL matches cRLIssuer in the DP and
that the complete CRL contains an issuing distribution
point extension with the indirectCRL boolean asserted.
Otherwise, verify that the CRL issuer matches the
certificate issuer.

I think the original code is correct. In this case, the DP includes cRLIssuer, but the complete CRL doesn't contain an issuing distribution extension, thus it should fail, right?

Yes, the spec does require that the complete CRL *contains* an issuing DP; I agree that the original code is correct. That means that if the DP includes cRLIssuer, the conforming implementation must support the issuing distribution point and every CRL must contain an issuing distribution point. Which seems to conflict with the description of the issuing distribution point:

  The issuing distribution point is a critical CRL extension that
  identifies the CRL distribution point and scope for a particular CRL,
  and it indicates whether the CRL covers revocation for end entity
  certificates only, CA certificates only, attribute certificates only,
  or a limited set of reason codes.  Although the extension is
  critical, conforming implementations are not required to support this
  extension.  However, implementations that do not support this
  extension MUST either treat the status of any certificate not listed
  on this CRL as unknown or locate another CRL that does not contain
  any unrecognized critical extensions.

So could I understand the section 6.3.3 above as: If the DP includes cRLIssuer, then verify that the issuer field in the complete CRL matches cRLIssuer in the DP and if the complete CRL contains an issuing distribution point extension, it should be with the indirectCRL boolean asserted? Is there any potential security issue?

Thanks,
Xuelei
--Sean
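To make the two readings discussed in the thread concrete, here is an added example (not JDK code and not from either poster) that models the RFC 5280 section 6.3.3 (b)(1) decision as two pure functions over simplified inputs. The issuing distribution point extension (id-ce-issuingDistributionPoint, OID 2.5.29.28) is represented by a Boolean that is null when the CRL carries no IDP extension at all and otherwise holds the indirectCRL flag; the class name, method names and the sample DNs are assumptions made for illustration. A real implementation would obtain that flag by parsing the extension value returned from the CRL, which this example does not do.

```java
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical model of the RFC 5280 6.3.3 (b)(1) check from the thread.
 * strictCheck follows the text literally (the original JDK logic): when the
 * DP names a cRLIssuer, the CRL must contain an IDP with indirectCRL asserted.
 * lenientCheck follows the alternative reading proposed in the thread: an
 * absent IDP is tolerated and only an IDP with indirectCRL FALSE rejects.
 */
public final class CrlIssuerCheck {

    /** Models parsing the IDP extension: null means the CRL has no IDP at all. */
    public static Boolean indirectCrlFlag(boolean idpPresent, boolean indirectCrl) {
        return idpPresent ? Boolean.valueOf(indirectCrl) : null;
    }

    /** Strict reading: with cRLIssuer in the DP, a missing IDP is a failure. */
    public static boolean strictCheck(X500Principal dpCrlIssuer, X500Principal certIssuer,
                                      X500Principal crlIssuer, Boolean idpIndirectCrl) {
        if (dpCrlIssuer != null) {
            // CRL issuer must be the entity named in the DP ...
            if (!dpCrlIssuer.equals(crlIssuer)) {
                return false;
            }
            // ... and the CRL must declare itself indirect via the IDP extension.
            if (idpIndirectCrl == null) {
                return false;
            }
            return idpIndirectCrl.booleanValue();
        }
        // No cRLIssuer in the DP: the CRL must come from the certificate issuer.
        return certIssuer.equals(crlIssuer);
    }

    /** Lenient reading: with cRLIssuer in the DP, only an explicit indirectCRL FALSE fails. */
    public static boolean lenientCheck(X500Principal dpCrlIssuer, X500Principal certIssuer,
                                       X500Principal crlIssuer, Boolean idpIndirectCrl) {
        if (dpCrlIssuer != null) {
            if (!dpCrlIssuer.equals(crlIssuer)) {
                return false;
            }
            return idpIndirectCrl == null || idpIndirectCrl.booleanValue();
        }
        return certIssuer.equals(crlIssuer);
    }

    public static void main(String[] args) {
        // Constructed sample names; they stand in for the certificate issuer and a
        // separate CRL issuer named in a distribution point.
        X500Principal ca = new X500Principal("CN=Example CA,O=Example");
        X500Principal crlSigner = new X500Principal("CN=Example CRL Issuer,O=Example");

        // Case 1: DP names crlSigner, CRL signed by crlSigner, IDP with indirectCRL TRUE.
        Boolean idpIndirect = indirectCrlFlag(true, true);
        System.out.println("indirect CRL with IDP      strict=" +
            strictCheck(crlSigner, ca, crlSigner, idpIndirect) +
            " lenient=" + lenientCheck(crlSigner, ca, crlSigner, idpIndirect));

        // Case 2: same DP and signer, but the CRL has no IDP extension at all.
        Boolean noIdp = indirectCrlFlag(false, false);
        System.out.println("indirect CRL without IDP   strict=" +
            strictCheck(crlSigner, ca, crlSigner, noIdp) +
            " lenient=" + lenientCheck(crlSigner, ca, crlSigner, noIdp));

        // Case 3: DP names crlSigner, CRL has IDP with indirectCRL FALSE.
        Boolean idpNotIndirect = indirectCrlFlag(true, false);
        System.out.println("IDP says not indirect      strict=" +
            strictCheck(crlSigner, ca, crlSigner, idpNotIndirect) +
            " lenient=" + lenientCheck(crlSigner, ca, crlSigner, idpNotIndirect));

        // Case 4: no cRLIssuer in the DP; CRL signed by someone other than the CA.
        System.out.println("wrong issuer, no cRLIssuer strict=" +
            strictCheck(null, ca, crlSigner, noIdp) +
            " lenient=" + lenientCheck(null, ca, crlSigner, noIdp));
    }
}
```

Only case 2 separates the two readings: a CRL signed by the entity named in cRLIssuer but carrying no IDP extension is rejected by the strict check and accepted by the lenient one. That is the security question raised in the thread, since the IDP is the only place where the CRL itself states that it is scoped as an indirect CRL rather than being an ordinary CRL of that issuer reused for certificates it was never meant to cover.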

