Session renegotiation intervals shall be configurable so long as they are within the specified maximum time period and shall be aligned with the CRL update period. If OCSP is used for certificate revocation checks, session renegotiation shall be aligned with the OCSP response cache time. In any case, for long lasting connections, renegotiation shall be performed at least every 24 hours to enforce a certificate validity check. Shorter intervals may be defined by a referencing standard.
But the only described method for updating the CRL is not mandatory. Per 6.4.4.4.1:
"For fetching a new CRL the CRL distribution point of the issuing CA should be contacted"
There is no other described way of updating a CRL. 7.4.5 could be referring to the mandatory Revocation Check Interval (described in 6.4.4.4.1 thus: "An implementation claiming conformance to this standard shall be capable of checking the revocation state of received certificates at a configurable time interval."), in which case 7.4.5 can be interpreted as merely describing checking a local CRL.
Proposal
Possible solutions:
1) Update 6.4.4.4.1 to mandate the ability for implementing devices to be able to retrieve CRLs from CRL DPs. This is the case in IEC 62351-9:2023 but currently not for IEC 62351-3:2023.
2) Update the language of 7.4.5 to simply state "Session renegotiation intervals shall be configurable so long as they are within the specified maximum time period and shall be aligned with the revocation check interval." and strip mentioning CRL or OCSP from 7.4.5.
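As an added illustration of the interval rule quoted from 7.4.5 (this is not text or code from the standard or from the issue), the following Python derives the effective renegotiation interval from the configured value, the profile's maximum, the 24 hour ceiling and the refresh period of the revocation data in use: the CRL update period (nextUpdate minus thisUpdate) or the OCSP response cache time. Treating "aligned with" as "no longer than the refresh period" is an assumed reading of the clause, and all dates and intervals are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# 7.4.5 ceiling: long-lasting connections renegotiate at least every 24 hours.
MAX_RENEGOTIATION_INTERVAL = timedelta(hours=24)


def crl_update_period(this_update: datetime, next_update: datetime) -> timedelta:
    """CRL update period derived from the CRL's thisUpdate/nextUpdate fields."""
    if next_update <= this_update:
        raise ValueError("nextUpdate must be after thisUpdate")
    return next_update - this_update


def renegotiation_interval(configured: timedelta,
                           revocation_period: timedelta,
                           profile_maximum: timedelta = MAX_RENEGOTIATION_INTERVAL) -> timedelta:
    """Effective interval: the configured value, bounded by the profile maximum,
    the 24 h ceiling and the revocation data refresh period (CRL update period
    or OCSP response cache time).  Assumed interpretation of 7.4.5: renegotiate
    at least once per refresh period so every check sees current data."""
    if configured <= timedelta(0):
        raise ValueError("configured interval must be positive")
    if revocation_period <= timedelta(0):
        raise ValueError("revocation period must be positive")
    ceiling = min(profile_maximum, MAX_RENEGOTIATION_INTERVAL, revocation_period)
    return min(configured, ceiling)


def renegotiation_schedule(session_start: datetime, session_end: datetime,
                           interval: timedelta) -> list:
    """Instants at which a long-lasting session must renegotiate (and so re-check
    the peer certificate) before the session ends."""
    points = []
    t = session_start + interval
    while t < session_end:
        points.append(t)
        t += interval
    return points


def revocation_data_fresh(now: datetime, next_update: datetime) -> bool:
    """True while the locally held CRL is still within its validity window;
    False means it must be refreshed before the next renegotiation check."""
    return now < next_update


def demo() -> dict:
    """Constructed sample: a weekly CRL and a 30-minute OCSP cache time."""
    crl_this = datetime(2024, 8, 27, tzinfo=timezone.utc)
    crl_next = crl_this + timedelta(days=7)
    crl_period = crl_update_period(crl_this, crl_next)
    ocsp_cache = timedelta(minutes=30)
    start, end = crl_this, crl_this + timedelta(days=3)
    i_crl = renegotiation_interval(timedelta(hours=48), crl_period)   # capped at 24 h
    i_ocsp = renegotiation_interval(timedelta(hours=12), ocsp_cache)  # aligned to 30 min
    return {
        "crl_period_s": int(crl_period.total_seconds()),
        "crl_interval_s": int(i_crl.total_seconds()),
        "ocsp_interval_s": int(i_ocsp.total_seconds()),
        "renegotiations_in_3_days": len(renegotiation_schedule(start, end, i_crl)),
        "crl_fresh_day_2": revocation_data_fresh(start + timedelta(days=2), crl_next),
        "crl_fresh_day_8": revocation_data_fresh(start + timedelta(days=8), crl_next),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The 48 hour configuration is cut down to 24 hours by the clause's ceiling even though the CRL is only reissued weekly, while the OCSP case shows the opposite direction: a short cache time pulls the interval well below the configured 12 hours.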
Discussion
Created
Status
OK for me.
27 Aug 24
Discussion (red)
Proposal to partially accept as (Approval (Future improvement))
Proposal 1 response:
- clause 6.4.4.4.2 currently has no statement regarding the ability to process CRLs. While it is stated in PICS table 8 as mandatory to support, a statement should be provided in clause 6.4.4.4.2 too:
"An implementation claiming conformance to this document shall be capable of processing CRLs. CRLs may be either fetched from a CRL distribution point or pushed to the relying party."
Proposal 2 response: Configuration of session renegotiation is already considered in 7.5.4 by stating the relation to either CRL or OCSP explicitly (see also the cited text in the issue description).
27 Aug 24
Discussion (red)
I believe we did not want to mandate any method to validate certificates: CRLs or OCSP. Also, for CRLs there can be different approaches, via the CRL DPs, or maybe the CRLs are pushed to all the stations ...
In my opinion, the text in section 7.4.5 is OK. I don't see the need to change anything.
16 Jul 24
Accepted
In general it was intended that IEC 62351-3 and IEC 62351-9 are treated as related specifications, as the certificate handling is mostly contained in IEC 62351. Therefore, I would tend towards proposal 2 as it addresses the problem from the IEC 62351-3 point of view.