Re: What if the CRL distribution points for a CA change?

Source: Internet | Published: 刀剑乱舞 知乎 | Editor: 程序博客网 | Time: 2024/06/07 11:16

http://www.imc.org/ietf-pkix/old-archive-00/msg00323.html


Some clarification seems to be in order....

The idea of having multiple distribution points in a certificate seems very reasonable in our context at Novell.  For our PKI, it is quite convenient to name at least two distribution points:  one which is an X.500 name and one which is an LDAP address.  Since our PKI is integrated with our directory (NDS), it is natural for us to prefer retrieving the CRLs directly from NDS rather than using LDAP.  But, because there are applications out there that are not NDS-aware, we'd like to include other distribution points which can be accessed from outside of the company via HTTP or LDAP. 

As for changing the distribution points, there are a couple of scenarios that I can envision where they would be changed.  How true-to-life these scenarios are is something that I'm hoping to discover.

1.  The one externally-available distribution point (say it is LDAP) currently listed in the certificates just doesn't have enough bandwidth to accommodate all the queries.  Or, the software package that the CEO of the company is using can't use LDAP to get CRLs — it must use HTTP.  The CA Administrator is forced to add additional distribution points to accommodate other protocols and/or unexpected traffic.

2.  One of the distribution points is being phased out (for whatever reason).  Maybe the company no longer wants to support LDAP access to its directory.  Or maybe the company has made an agreement with another organization to post its CRLs on their high-volume servers.

3.  The CA in question issues a million certificates a year and expects that half of all of those certificates will be revoked.  The CRLs for that CA would become quite large, and, after some calculations, the CA Administrator decides that CRLs of that size are unacceptable.  He therefore decides to change the CRL distribution points every year.  So, basically, for those certificates issued in the first year, their CRLs would be found on distribution points A and B.  For those certificates issued in the second year, their CRLs would be found on distribution points C and D.  If my option (b) were used here, then the CRLs found on A, B, C, and D would contain a maximum of 1 million certificates each in the worst case where all the certificates were revoked (CRL on A = CRL on B; CRL on C = CRL on D; CRL on A != CRL on C).  [If option (a) were used here, the CA Administrator would have a nasty surprise in that the CRLs on A, B, C, and D would be exactly the same and contain 2 million certificates in the worst case scenario.]


Are these scenarios something that you would find in the real world?  If so, then is it acceptable to make the CRLs on all distribution points ever specified the same?  Or, should they contain only the minimum number of certificates?


Tammy Green
tgreen@novell.com
Software Engineer
Novell, Inc.

>>> "Bob Jueneman" <BJUENEMAN@novell.com> 02/24/00 09:55PM >>>
Don't do that?

I.e.:

1.  Don't issue certificates containing multiple distribution points.

2.  If issuing certificates with multiple distribution points is absolutely necessary (for some reason I can't quite fathom), don't change the distribution points unless you are prepared to implement option b.

If we restrict the type of distribution points to LDAP queries, wouldn't it be possible to remap the DNS name of the server as might be required for load balancing, leaving the LDAP query itself unmodified?  Doesn't this eliminate the entire problem?

Bob



>>> Tammy Green 02/24/00 08:58PM >>>
Say a CA begins minting certificates with distribution points A, B, and C in the certificates.  It issues 10 certificates.  Then, at time t1, it changes the distribution points to A, D, and E and issues 10 more certificates.

Now say that at time t2 certificate 1 was revoked as well as certificate 11.  What should the CA do when it comes time to issue the CRL?  [Assume here that the CA is only issuing a basic CRL that is not subdivided by reason codes, etc.]  It appears that there are two options.

(a)  Issue one CRL containing entries for certificate 1 and 11.  Post that CRL to distribution points A, B, C, D, and E.

(b)  Issue one CRL containing entries for certificate 1 and 11 and post that CRL to distribution point A.  Then issue another CRL containing an entry for only certificate 1 and post that CRL to distribution points B and C.  Finally issue yet another CRL containing an entry for only certificate 10 and post that CRL to distribution points D and E.

Option a has the disadvantage of causing needless bloat to the CRLs posted on distribution points B, C, D, and E:  no one will look for revocation information about certificate 1 on distribution point D or E, and, likewise, no one will look for revocation information about certificate 11 on distribution point B or C.  Option a does have the advantage of being far easier to implement, however.

Option b has the disadvantage of being much more complex.  And, each time the set of distribution points is modified, the complexity increases as does the time required to generate all of the CRLs which are required.  However, the advantage is that the CRLs that are posted to the distribution points contain only useful information.

Are there other solutions?  Preferences?  Implementations?  Guidelines?


Tammy Green
tgreen@novell.com
Software Engineer
Novell, Inc.
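The two postings above describe the same problem from two angles: the original message sets up the concrete case (serials 1-10 issued naming A, B, C; serials 11-20 issued naming A, D, E; serials 1 and 11 revoked at t2), and the reply's scenario 3 is the same mechanism applied to yearly rotation of distribution points. The following Python model, an added example that is not code from this thread or from Novell, computes which entries each distribution point receives under option (a) and option (b), states the invariant any posting scheme has to satisfy (a revoked certificate must appear on the CRL at every distribution point its own certificate names), and shows the scheme that breaks it: reposting only to the distribution points currently in use, which is the hazard behind "don't change the distribution points". Serials, distribution-point letters and the revocation set are constructed inputs; the function names are this example's own.

```python
"""Model of option (a) vs option (b) for CRL posting after a change of
distribution points. Constructed example; certificates are plain integer
serials and distribution points are single-letter names."""
from collections import defaultdict

# Constructed issuance record: serial -> distribution points named in that
# certificate. Serials 1-10 were issued before t1 with {A, B, C}; serials
# 11-20 after t1 with {A, D, E}, as in the original message.
ISSUED = {serial: frozenset("ABC") for serial in range(1, 11)}
ISSUED.update({serial: frozenset("ADE") for serial in range(11, 21)})

# Constructed revocation state at time t2.
REVOKED = {1, 11}


def all_distribution_points(issued):
    """Every distribution point ever named in any certificate of this CA."""
    points = set()
    for dps in issued.values():
        points |= dps
    return points


def option_a(issued, revoked):
    """Option (a): one CRL listing every revoked serial, posted unchanged to
    every distribution point the CA has ever used."""
    full_crl = frozenset(s for s in revoked if s in issued)
    return {dp: full_crl for dp in all_distribution_points(issued)}


def option_b(issued, revoked):
    """Option (b): each distribution point gets a CRL listing only the revoked
    serials whose certificate actually names that point, so nobody downloads
    entries they could never be looking for there."""
    per_dp = defaultdict(set)
    for serial in revoked:
        if serial not in issued:
            continue  # not issued by this CA; nothing to list
        for dp in issued[serial]:
            per_dp[dp].add(serial)
    # Points with nothing revoked still get an (empty) CRL so fetches succeed.
    return {dp: frozenset(per_dp[dp]) for dp in all_distribution_points(issued)}


def current_points_only(issued, revoked, current_dps):
    """The failure mode: a CA that reposts only to the points it currently
    issues with leaves the points named in older certificates with no CRL."""
    full_crl = frozenset(s for s in revoked if s in issued)
    return {dp: full_crl for dp in current_dps}


def is_complete(issued, revoked, posted):
    """Invariant for any posting scheme: whichever point from its own
    certificate a relying party consults, a revoked certificate must be listed
    on the CRL found there. Returns False if any revoked serial is missing from
    (or has no CRL at) one of its certificate's distribution points."""
    for serial in revoked:
        if serial not in issued:
            continue
        for dp in issued[serial]:
            if serial not in posted.get(dp, frozenset()):
                return False
    return True


def crl_sizes(posted):
    """Entry count per distribution point, for comparing bloat."""
    return {dp: len(crl) for dp, crl in sorted(posted.items())}


if __name__ == "__main__":
    a = option_a(ISSUED, REVOKED)
    b = option_b(ISSUED, REVOKED)
    stale = current_points_only(ISSUED, REVOKED, frozenset("ADE"))
    print("option (a):", crl_sizes(a), "complete:", is_complete(ISSUED, REVOKED, a))
    print("option (b):", crl_sizes(b), "complete:", is_complete(ISSUED, REVOKED, b))
    print("current points only:", crl_sizes(stale),
          "complete:", is_complete(ISSUED, REVOKED, stale))
```

Running the model on the original message's inputs gives two entries at every point under option (a), but under option (b) only point A (named by both generations of certificates) carries both entries while B and C carry serial 1 alone and D and E carry serial 11 alone. Feeding it the reply's scenario 3 (year-one certificates naming A and B, year-two certificates naming C and D, everything revoked) shows the same split: option (b) caps each CRL at one year's worth of entries, option (a) puts both years on every point. The `current_points_only` scheme fails `is_complete` because serial 1's certificate names B and C, where nothing was posted.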
