On Wed, 2011-02-23 at 08:05 +0100, Stefan Santesson wrote:
> Yes, that all sound logical. However on a practical ground that is
> quite hard to code into a crypto API. There you need more distinct
> rules and predictable outcome.

I second that. Theoretically, each RP would decide, according to its own
arbitrary policy, whether a given CRL is fresh enough. But the rules for
appropriate freshness depend upon the context and are likely to be
CA-specific. Revocation is mostly a kind of damage containment: a way to
"cancel" an existing certificate, even though the signature on the
certificate is cryptographically verifiable, in order to cope with an
unfortunate occurrence, e.g. a key compromise. The revocation
information freshness is a measure of the time-wise extent of the issue:
by accepting a week-old CRL, the RP effectively accepts the risk that it
could be fooled into using a public key which has been compromised
during the last week.

How much freshness is needed ? It really depends on the procedures
deployed by the CA to detect the revocation-implying occurrences, and
how fast it can publish revocation information. Those procedures are
normally described in the Certification Policy Statement of the CA, and
supposedly are compatible with the CPS of the CA's CA, and so on.
Ultimately, this leads to the trust anchor's CPS; however, the TA CPS is
not necessarily precise about applicable freshness for all CA which it
has directly or indirectly issued.

One point of PKI (maybe _the_ point of PKI) is to be able to validate
links between public keys and identities, for an arbitrary large set of
identities and public keys, using a small, fixed set of a priori known
information (the trust anchors). We want to be able to validate
certificates issued by intermediate CA about which we had no prior
knowledge. We cannot have CA-specific knowledge for all possible CA.
Hence, the policy which a RP will use to decide CRL freshness must feed
on whatever CA-specific information it can get hold of, and the only
validated sources it can get, in all generality, are the CA certificate
and the CRL itself (and the CRL issuer certificate, if distinct from the
CA). Whatever CPS say in human language, the validation process is,
ultimately, executed by a computer, which needs Turing-compatible rules.

Using the nextUpdate field as an end-of-validity date is not incorrect.
This is certainly allowed by RFC 5280; if the freshness-decision is a
matter of local policy, that local policy can certainly be: "use
nextUpdate as an end-of-validity date". RFC 5280 even hints at that
usage, in the 6.3.3 section ("CRL Processing"): it is said that the
"local CRL cache" should be updated with a "current CRL" if the
nextUpdate field of the most recent CRL is in the past (RFC 5280 does
not tell what should be done if such an update fails). Moreover, using
the nextUpdate as end-of-validity is not a bad policy, as policies go:
basically, it is the policy known as: "issuing CA knows best". Since
appropriate freshness is CA-specific, it makes sense to follow the rules
used by the CA. Ideally, the CA would publish the CRL end-of-validity
date, which should be at some date after the nextUpdate (there should be
no date without a valid CRL at all): the nextUpdate is a lower bound for
the CRL end-of-validity. If more extensive information is not available,
then the best that can be done is to use the nextUpdate as an
approximation of the end-of-validity.

The point, here, is that whatever entity implements the certificate
validation process needs information, which must be:
1. processable by a computer;
2. CA-specific, for CA which the RP might not have been aware of
beforehand.
As I see it, given the current state of standard certificate and CRL
extensions, the nextUpdate field is the only information source that can
be used for that. This does not prevent other freshness policies from
being also correct in the RFC 5280 sense, and possibly appropriate
(although the widespread policy known as "meh, no need to check, it is
probably not revoked anyway" kind of stretches my notion of "appropriate
freshness check"). But the "nextUpdate as end-of-validity" policy is a
good policy, or, at least, as good as a generic policy can get in that
matter.


> To standardize on such extension may however be the least evil thing
> to do.

As I explain above, such an extension is a way for the CA to make a
statement about what freshness measure is appropriate for the procedures
that it applies to decide about the revocation status. It is a good
thing (as long as the CA does not botch it by publishing an
end-of-validity date which is _before_ the nextUpdate).

"Standardize" is an important word. In many usages of validation, we not
only want to have a validation process which yields a trustworthy
answer; we also want it to yield the same trustworthy answer than for
other people. For instance, in the context of a signed contract, I want
my system to accept the contract as signed only if a judge, applying
validation on the same signature, would also declare it as valid and
binding. Right now, this entails using nextUpdate as an end-of-validity
date because, whether you like it or not, that's what everybody does.


--Thomas Pornin

I think this thread is mixing two different point:

* How should a RP interpret Next Update field in a CRL? Is it an
expiration date?

* What should be en Next Update field in the last CRL? This scenario
is different than the previous one because there is not going to be
any next CRL in any time. There are many choices here and I really
think that's a problem. If there would not be so many applications
already in the market I would recommend a NULL value. But
unfortunately, I think making a choice is hurter than that. No choice
is going to be perfect, but there should be only one way to fill Next
Update field of the last CRL.

Best regards,

Roberto Opazo


2011/2/23 Russ Housley <***@vigilsec.com>:
>
>>> There are clearly real situations where the RP need to have both an expiry
>>> date (Don't use this CRL after..) and a date when the next update is
>>> available.
>>
>> yes, that would be nice, but I do not recall anyone proposing an extension
>> to carry the first data (with a nicer name :-)).
>>
>>>
>>> Since most applications treat nextUpdate as the expiry date, and in order
>>> to stay compliant with these implementations, Microsoft defined the
>>> private extension "nextIssue", expressing the expected date when a new CRL
>>> should be available.
>>
>> This is an unfortunate name, as the next update value is the next issue date :-). I appreciate the motivation, but ...
>>
>> The next update value is like a "best is used before" date, analogous to what one sees on perishable products. You don't HAVE to consume the product before that date, but you may get a stomach ache if you consume it too long afterwards :-).
>
> I am aware of applications that expect the new CRL to be posted by the nextUpdate, but allow a grace time for it to published and distributed.  This seems like a reasonable approach since there are not separate next publication and expiration times.
>
> Russ
>
> _______________________________________________
> pkix mailing list
> ***@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>



--
Saludos,

Roberto Opazo

At 05:18 PM 2/22/2011, David A. Cooper wrote:
>Mike,
>
>I don't understand your point. These tests don't involve CRLs with nextUpdate times are a few hours or days in the past, they involve CRLs with nextUpdate times that are several years in the past.


This (how old is too old) isn't going to be all that visible from a testing POV - all the tester knows is that the last known CRL is stale - later than the nextUpdate time. There's no discussion in 4.4.11 of how late is too late (even though 4.4 notes the CRLs are at least 2 years out of date). So for 4.4.11 and 4.4.12 it doesn't matter whether the CRL is 1 day out of currency or 10 years. Indeed, the text of 4.4.11 simply says "CRL has a nextUpdateTime that is in the past". Also, as I read it, 4.4.12 was a "pre 2000" test - or more simply a Y2K completeness test.


> If "should not validate successfully" is an acceptable outcome for tests such as 4.4.1and 4.4.4, where no valid CRL is available, then why isn't is also an acceptable outcome for tests 4.4.11 and 4.4.12, where the only CRLs that are available are so out-of-date?

In neither case is this acceptable always. In both it should be a matter of configuration. E.g. a CA may choose not to issue a CRL *ever* making 4.4.1s assumption that a missing CRL means the cert is invalid overreaching.


>Conforming CAs are not required to issue CRLs if other revocation or
> certificate status mechanisms are provided.


> If an application is configured to reject a certification path when some revocation information is missing, should it accept a certification path if some of the revocation information is out-of-date by several years? What's wrong with implementing "should not validate successfully" for these tests?

Because that's not what 3280 or 5280 says (and they are both silent on that as near as I can tell). It's also not PKITS.pdf seems to test.

See above. Each of these test cases should have noted that the testing was against a specific assumption - that CRLs are mandatory and that if the CRL is stale then all certificates are invalid - and should have noted that the acceptor could configure an alternate acceptance model. The fact these cases were stated as an absolute probably led to various implementations making similar absolute choices.

Mike



>Dave
>
>On 02/22/2011 02:03 PM, Michael StJohns wrote:
>>Hi David -
>>
>>Issue isn't 4.4, but 4.4.11 and 4.4.12 text which says:
>>
>>>Expected Result: The path should not validate successfully since the status of the end
>>>entity's certificate can not be determined.
>>
>>without reference back to the text you cite.
>>
>>It's true that 4.4 has the "local decision to treat the CRL as being sufficiently up-to-date", but the "should not validate successfully" in the test text is going to be or was what gets/got implemented. Testable criteria always wins...
>>
>>Mike
>>
>>
>>At 12:39 PM 2/22/2011, David A. Cooper wrote:
>>>As the author of <http://csrc.nist.gov/groups/ST/crypto_apps_infra/documents/PKITS.pdf>http://csrc.nist.gov/groups/ST/crypto_apps_infra/documents/PKITS.pdf, I would like to note that it was not the intention of this test suite to imply that nextUpdate must be treated as an expiration date for a CRL. Version 1.0 of PKITS came out in September 2004, and the CRLs for tests 4.4.11 and 4.4.12 had nextUpdate times of January 2002 and January 1999, respectively. An application could be configured to allow for a CRL to be used after its nextUpdate time had passed, as long as it verified that the nextUpdate time was not too far in the past, and still get the correct results for the tests, and that was intentional.
>>>
>>>Section 4.4 of that document contains the introduction to the basic certificate revocation tests and it says:
>>>
>>>The application must be able to retrieve valid revocation data for each certificate in the path. For a CRL to be considered to contain valid revocation data for a certificate, the CRL must at a minimum: (1) be signed by the issuer of the certificate or by an entity that has been authorized by the certificate issuer to provide status information for the certificate; (2) have a scope that includes the certificate of interest; and (3) be sufficiently up-to-date.
>>>In general, if the current time is before the time specified in the nextUpdate field of a CRL, then that CRL should be considered sufficiently up-to-date since the CRL issuer has indicated that this CRL may contain the most up-to-date information available. Similarly, if the current time is after the time specified in the nextUpdate field of a CRL, then the CRL should not be considered to be sufficiently up-to-date since the CRL issuer has indicated that more up-to-date information should be available.
>>>
>>>Even if the current time is after the time specified in the nextUpdate field of a CRL, an application may still make a local decision to treat the CRL as being sufficiently up-to-date. The
>>>application may, for example, be configurable to allow CRLs to be treated as sufficiently up-to-date, even if the current time is after the nextUpdate time, if the CRL was issued recently (e.g., the user or administrator configuring the system could indicate that a CRL may be used as long as the current time is within 72 hours of the thisUpdate time in the CRL, no matter how frequently the CRL issuer chooses to issue CRLs).
>>>In this section, there are only two tests in which the nextUpdate time in a CRL is before the current time. In each case, the nextUpdate time (and thisUpdate time) is more than two years before the current time. So, it is expected that applications will be configured so that these CRLs are not considered to be sufficiently up-to-date.
>>>Even if an application is unable to find valid revocation data (that is considered to be sufficiently up-to-date) for every certificate in the path, the application may still make a local decision to use the certification path. The application may, for example, allow the user or an administrator to configure the application to ignore the unavailability of revocation data. In the case of an interactive application, the application may display a warning to the user and then allow the user to decide whether to proceed to use the certification path despite the lack of revocation data. However, the application may not be designed in such a way that the unavailability of revocation data is always ignored, whether the user (or administrator) wants the application to behave that way or not. When running the tests in this section, the application should be configured in such a way that the certification path is not accepted unless valid, up-to-date revocation data is available for every certificate in the path. Thus, when run in this configuration, when the application is unable to find valid, up-to-date revocation data for every certificate in the path, the application must either reject the certification path or at least display a warning to the user indicating that the status of the certificate can not be determined.
>>>
>>>
>>>
>>>Dave
>>>
>>>On 02/19/2011 09:42 PM, Michael StJohns wrote:
>>>>
>>>>
>>>>*sigh*
>>>>
>>>>
>>>>http://csrc.nist.gov/groups/ST/crypto_apps_infra/documents/PKITS.pdf
>>>>
>>>>Items 4.4.11 and 4.4.12.
>>>>
>>>>Somewhere the idea that "undetermined" equaled "not
>>>>validated" crept into the process rather than being treated as a per
>>>>acceptor policy decision.
>>>>
>>>>Mike
>>>>
>>>>At 03:56 PM 2/18/2011, Mike Helm wrote:
>>>>
>>>>
>>>>>
>>>>>
>>>>>"Sill, Alan" writes:
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>> This is exactly what I tried to point out earlier. It is
>>>>>>surely up
>>>>>>to each relying party, but all production infrastructure
>>>>>>implementationd of which I am aware treat things this way: if a CRL
>>>>>>is not available after the time of the "next update" value of
>>>>>>the
>>>>>>most current one expires, then no certificates from that CA are
>>>>>>considered valid.
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>(One of ) the guilty party/ies here is openssl, so the problem
>>>>>is both more widespread than the infrastructure we support,
>>>>>and not completely that infrastructure's fault. openssl has some
>>>>>other crl quirks, at least some versions do.
>>>>>
>>>>>
>>>>>The idea is very widespread, tho. I think I remember it was
>>>>>part of a security PKI checklist that NIST provided - I don't have
>>>>>a copy of it any more & I don't know that it reached final
>>>>>publication
>>>>>in NIST. However many PKI specialists also seem to believe this
>>>>>is the correct behavior. I suppose it could be considered
>>>>>correct behavior in the right framing, I wish it wasn't,
>>>>>but it seems we have to treat it so.
>>>>>
>>>>>Thanks, ==mwh
>>>>>Michael Helm
>>>>>ESnet/LBNL
>>>>>