109 Security Warning handling in the absence of revocation information in PK certificates

Created: 11 Apr 2025

Status: Discussion (red)

Part: Part 9 (2023, Edition 2)

Links:

Page: 73

Clause: 7.4.4.10.9 + 7.4.4.10.10

Paragraph: all

Issue

Table 1 allows conditional support for CRLs and OCSP for revocation checking and requires the infrastructure to support both (see clause 7.5). An EE can therefore choose the way it verifies revocation if both extensions are available in the certificate. Based on that, it is not meaningful to raise a warning when the revocation check can be performed using the information in one extension (CRLDP or AIA) but the other extension is missing.

Proposal

Proposal to avoid an unnecessary warning if revocation information can be retrieved using the method indicated in the certificate (either CRL or OCSP).

Taking Tissue 108 into account, this would result in a change of the security events for missing CRLDP or AIA extensions in the public key certificate:

If the received certificate contains no revocation retrieval information, i.e. neither a CRLDP nor an AIA extension, and also does not contain the noRevAvail extension, a security event ("warning: revocation handling information not contained in public-key certificate") shall be provided.
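The following Python is an added illustration of the decision rule proposed above; it is not text from the tissue or from the standard. It assumes the certificate has already been parsed into the set of extension OIDs it carries (plus the access-method OIDs inside its AIA extension) and compares the per-extension warnings, as the issue describes the existing clauses, with the single warning of the proposal. It also goes one step beyond the tissue text by treating an AIA extension that names only caIssuers (no OCSP responder) as not providing a usable revocation method. The warning strings for the existing behaviour and the sample certificates are constructed for the example.

```python
# Revocation-information check modelled on the proposal in this tissue.
# Added example; not text from the tissue or from the standard itself. The
# certificate is assumed to be already parsed into the set of extension OIDs
# it carries plus the access-method OIDs found inside its AIA extension.
from dataclasses import dataclass

# Extension and access-method OIDs (standard values, RFC 5280 and ITU-T X.509)
OID_CRLDP = "2.5.29.31"            # cRLDistributionPoints
OID_AIA = "1.3.6.1.5.5.7.1.1"      # authorityInfoAccess
OID_NO_REV_AVAIL = "2.5.29.56"     # noRevAvail (X.509, end-entity certificates)
OID_OCSP = "1.3.6.1.5.5.7.48.1"    # id-ad-ocsp access method inside AIA
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers access method inside AIA

# Event text taken from the proposal in this tissue
WARNING = ("warning: revocation handling information not contained "
           "in public-key certificate")


@dataclass(frozen=True)
class CertInfo:
    """Minimal view of a parsed certificate: which extensions it carries."""
    ext_oids: frozenset
    aia_methods: frozenset = frozenset()   # access methods listed in AIA, if any


def usable_methods(cert: CertInfo) -> set:
    """Revocation methods the EE can actually use with this certificate."""
    methods = set()
    if OID_CRLDP in cert.ext_oids:
        methods.add("CRL")
    # AIA alone is not enough: it must name an OCSP responder, not only caIssuers
    if OID_AIA in cert.ext_oids and OID_OCSP in cert.aia_methods:
        methods.add("OCSP")
    return methods


def current_events(cert: CertInfo) -> list:
    """One warning per missing extension, as the issue describes the existing
    clauses. Event strings are constructed for this example."""
    events = []
    if OID_CRLDP not in cert.ext_oids:
        events.append("warning: CRLDP extension missing")
    if OID_AIA not in cert.ext_oids:
        events.append("warning: AIA extension missing")
    return events


def proposed_events(cert: CertInfo) -> list:
    """Single warning only if no method is usable and noRevAvail is absent."""
    if usable_methods(cert):
        return []
    if OID_NO_REV_AVAIL in cert.ext_oids:
        return []                     # issuer states no revocation info is available
    return [WARNING]


# Constructed sample certificates (extension sets only, no real certificates)
SAMPLES = {
    "crl_only": CertInfo(frozenset({OID_CRLDP})),
    "ocsp_only": CertInfo(frozenset({OID_AIA}), frozenset({OID_OCSP})),
    "both": CertInfo(frozenset({OID_CRLDP, OID_AIA}), frozenset({OID_OCSP})),
    "aia_without_ocsp": CertInfo(frozenset({OID_AIA}), frozenset({OID_CA_ISSUERS})),
    "none": CertInfo(frozenset()),
    "no_rev_avail": CertInfo(frozenset({OID_NO_REV_AVAIL})),
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name:18} methods={sorted(usable_methods(cert))!s:16} "
              f"current={len(current_events(cert))} proposed={proposed_events(cert)}")
```

Running the block shows the difference the tissue is after: a certificate carrying only a CRLDP (or only an OCSP pointer in AIA) produces one warning under the existing per-extension rule and none under the proposal, while a certificate with neither pointer and no noRevAvail still produces exactly one event.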

Discussion

See also comments on tissue 107 and 108. Maybe we need to change the wording a little.
Created: 22 May 25
Status: Discussion (red)

Proposed changes to the error handling for missing CRLDP or AIA information, also considering the noRevAvail options as outlined in the attachment for the corresponding clauses.
Created: 11 Apr 25
Status: Discussion (red)

Alignment necessary to avoid unnecessary warnings.
Created: 11 Apr 25
Status: Accepted


Tissue DB v. 25.7.7.1