107   CRL DP handling

Created: 24 Mar 2025

Status: Discussion (red)

Part: Part 9 (2023, Edition2)

Links:

Page: 64

Clause: 7.4.4.10.9

Paragraph: 2nd

Issue

Table 1 describes the CRL DP in public key certificates as conditional and in the responsibility of the issuing CA. The argument provided was that this also allows the use of short-term certificates.
Clause 7.4.4.10.9 in contrast requires mandatory inclusion of the CRL DP in issued certificates. The clause also defines the relying party side handling, which depends on the (configured) CRL check at the clients. The latter is fine, but the requirement for the issuing CA is not.

Proposal

Proposal to adapt the text in clause 7.4.4.10.9 to be configurable and dependent on the security policy of the operator.
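To make the two sides of this issue concrete, the following is an added example (not text or code from this TISSUE, from IEC 62351-9 or from any implementation) in Python using only the standard library. It hand-encodes the three extensions the discussion turns on, cRLDistributionPoints (2.5.29.31), authorityInfoAccess (1.3.6.1.5.5.7.1.1) with an id-ad-ocsp access description, and noRevAvail (2.5.29.56) whose value is ASN.1 NULL, the way an issuing CA would, parses them back the way a relying party would, and then decides according to the operator's configured revocation-checking policy. The URIs, the policy names ('required', 'if-available', 'off') and the choice to reject a certificate that carries both noRevAvail and a CRL DP or OCSP pointer are assumptions made for the example.

```python
"""Added example: DER encoding of CRL DP / AIA(OCSP) / noRevAvail extensions and a
policy-driven relying-party check. Standard library only. URIs, policy names and
the handling of contradictory extensions are assumptions for this example."""

OID_CRLDP = "2.5.29.31"          # id-ce-cRLDistributionPoints
OID_AIA = "1.3.6.1.5.5.7.1.1"    # id-pe-authorityInfoAccess
OID_OCSP = "1.3.6.1.5.5.7.48.1"  # id-ad-ocsp (accessMethod inside AIA)
OID_NO_REV_AVAIL = "2.5.29.56"   # id-ce-noRevAvail, value is ASN.1 NULL


def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER TLV: first octet packs arcs 1 and 2, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = encode_oid(oid) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, value)
    return tlv(0x30, body)


def build_extensions(crldp_uri=None, ocsp_uri=None, no_rev_avail=False):
    """Extensions ::= SEQUENCE OF Extension, as an issuing CA would emit them."""
    exts = b""
    if crldp_uri:
        # CRLDistributionPoints > DistributionPoint > [0] DistributionPointName
        # > [0] fullName (GeneralNames) > [6] uniformResourceIdentifier
        uri = tlv(0x86, crldp_uri.encode("ascii"))
        exts += extension(OID_CRLDP, tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, uri)))))
    if ocsp_uri:
        # AuthorityInfoAccessSyntax > AccessDescription { id-ad-ocsp, [6] URI }
        ad = tlv(0x30, encode_oid(OID_OCSP) + tlv(0x86, ocsp_uri.encode("ascii")))
        exts += extension(OID_AIA, tlv(0x30, ad))
    if no_rev_avail:
        exts += extension(OID_NO_REV_AVAIL, b"\x05\x00")  # ASN.1 NULL
    return tlv(0x30, exts)


def parse_tlv(buf, pos=0):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extensions(der):
    """Return {oid: (critical, extnValue)} from a DER Extensions sequence."""
    tag, body, _ = parse_tlv(der)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result, pos = {}, 0
    while pos < len(body):
        _, ext, pos = parse_tlv(body, pos)
        _, oid_body, p = parse_tlv(ext)
        tag, val, p = parse_tlv(ext, p)
        critical = False
        if tag == 0x01:                      # optional BOOLEAN critical
            critical = val == b"\xff"
            tag, val, p = parse_tlv(ext, p)
        assert tag == 0x04, "extnValue must be an OCTET STRING"
        result[decode_oid(oid_body)] = (critical, val)
    return result


def revocation_signals(exts):
    """(has CRL DP, has an OCSP access description, has noRevAvail)."""
    ocsp = False
    if OID_AIA in exts:
        _, aia, _ = parse_tlv(exts[OID_AIA][1])
        pos = 0
        while pos < len(aia):
            _, ad, pos = parse_tlv(aia, pos)
            ocsp |= decode_oid(parse_tlv(ad)[1]) == OID_OCSP
    return OID_CRLDP in exts, ocsp, OID_NO_REV_AVAIL in exts


def evaluate(exts, policy):
    """Relying-party decision; policy is the operator's configured CRL/OCSP check
    mode: 'required', 'if-available' or 'off' (names are assumptions)."""
    crldp, ocsp, no_rev = revocation_signals(exts)
    if no_rev and (crldp or ocsp):
        # Assumption: pointing at revocation data while declaring none exists is malformed.
        return "REJECT", "noRevAvail contradicts CRL DP / OCSP information"
    if policy == "off":
        return "ACCEPT", "revocation checking disabled by operator policy"
    if crldp or ocsp:
        sources = [s for s, on in (("CRL DP", crldp), ("OCSP", ocsp)) if on]
        return "CHECK", "fetch status via " + " and ".join(sources)
    if no_rev:
        return "ACCEPT", "CA signalled that no revocation information is provided"
    if policy == "required":
        return "REJECT", "no revocation source and noRevAvail absent"
    return "ACCEPT", "no revocation source; best-effort policy"


if __name__ == "__main__":
    # Constructed sample certificates' extension blocks (hypothetical URIs).
    short_term = build_extensions(no_rev_avail=True)
    long_term = build_extensions(crldp_uri="http://crl.example.test/ca.crl")
    for name, der in (("short-term", short_term), ("long-term", long_term)):
        for policy in ("required", "if-available", "off"):
            print(name, policy, evaluate(parse_extensions(der), policy))
```

The decisive case is the one the Issue text points at: with the CA free to omit the CRL DP, a relying party configured with a mandatory CRL check can only accept a certificate without a CRL DP if the CA says explicitly, via noRevAvail, that no revocation information will ever be provided; silence (neither extension) stays a rejection under that policy.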

Discussion

Created: 20 Jun 25
Status: Discussion (red)
This new proposed text is OK for me. It is brief and comprehensive.

Created: 20 Jun 25
Status: Discussion (red)
Simplified the proposal to not argue about short-term certificates. This is actually done in the new clause 7.4.4.10.11 (see also TISSUE #108). So we can skip it.

Updated proposal taking the suggestion into account:
Issuing CAs conforming to this document provide CRL distribution point information in this extension according to the organization's security policy.
If CRLDP responder information is not included in the issued certificate, the noRevAvail extension is used to signal explicitly that revocation information will not be provided as outlined in 7.4.4.10.11.

Updated attachment.

Created: 19 Jun 25
Status: Discussion (red)
Personally I find the proposal a little confusing. I would change it to:

"Issuing CAs conforming to this document provide CRL distribution point information in this extension according to the organization's security policy."

I would delete the sentence
"This allows an issuing CA to also issue short-term certificates, for which revocation information will not be provided by the CA. The validity period of short-term certificates should be carefully evaluated and chosen by the operator. If CRLDP or OCSP responder information is not included in the issued certificate, the noRevAvail extension is used to signal explicitly that revocation information will not be provided as outlined in 7.4.4.10.11."
and provide an explanation about short-lived certificates somewhere at the end of clause 7.4.4.10.9.

(See also the text proposed for tissue #109.)

Created: 18 Jun 25
Status: Discussion (red)
Understood. Proposal for clause 7.4.4.10.9 updated to:

Issuing CAs conforming to this document provide CRL distribution point information in this extension according to the organization's security policy. This allows an issuing CA to also issue short-term certificates, for which revocation information will not be provided by the CA. The validity period of short-term certificates should be carefully evaluated and chosen by the operator. If CRLDP or OCSP responder information is not included in the issued certificate, the noRevAvail extension is used to signal explicitly that revocation information will not be provided as outlined in 7.4.4.10.11.

Note that this is related to Tissue #109, which introduces the noRevAvail extension usage.

I will add a further TISSUE for a similar handling of the OCSP case.

Created: 22 May 25
Status: Discussion (red)
I understand the intention.
I am not sure if the proposed text is the best way of solving it.
I believe it would be better if we explain somewhere that, in the case of short-term certificates, information on retrieving certificate revocation information will not be provided (or can be avoided) in the certificate, to simplify the processing of the certificates.

We could add this as a note in both the CRL Distribution Point and the AIA section.

Created: 24 Mar 25
Status: Discussion (red)
Proposal prepared for clause 7.4.4.10.9. As this is relevant for interoperability it should be further processed as draft implementation.

Created: 24 Mar 25
Status: Accepted
The deviation between Table 1 and the text in clause 7.4.4.10.9 needs to be addressed to ensure interoperability.

 


Tissue DB v. 25.7.7.1