- From: Harada <harada@prs.cs.fujitsu.co.jp>
- Date: Tue, 18 Sep 2001 11:17:38 +0900
- To: <w3c-ietf-xmldsig@w3.org>
- Cc: <toriumi@sysrap.cs.fujitsu.co.jp>

Hi,

I have a comment on the X509CRLs structure. In verifying, do you use X509CRLs which are created before verifying? If the X509CRLs are all valid, then there is no problem. But if there is an invalid X509CRL of an invalid certificate, should I get the new CRL for it? We would retrieve CRLs of invalid certificates if it were a mixed X509CRLs structure, and this would cause an invalid process. And if we would not retrieve CRLs, it would be uncertain whether the certificate is checked well by CRLs. I think X509CRLs are for speeding up a right system security check. So I propose the following structure, where we can check a valid certificate by valid X509CRLs, and check it by the system instead of by invalid X509CRLs.

<!ELEMENT X509Data (((X509IssuerSerial | X509SKI | X509SubjectName | X509Certificate), X509CRL*)+ %X509.ANY;)>

----- Original Message -----
From: "Joseph Reagle" <reagle@w3.org>
To: "Harada" <harada@prs.cs.fujitsu.co.jp>; <xml-dsig-review@w3.org>; <toriumi@sysrap.cs.fujitsu.co.jp>
Cc: "SMEE" <smee@brapi.fjh.se.fujitsu.co.jp>; <litao@prs.cs.fujitsu.co.jp>; <yoshiya@sysrap.cs.fujitsu.co.jp>; <kibakura@sysrap.cs.fujitsu.co.jp>; <seki@sysrap.cs.fujitsu.co.jp>
Sent: Saturday, September 15, 2001 1:41 AM
Subject: Re: Re:Call for Review: XML Digital Signature is a W3C Proposed Recommendation

> On Wednesday 12 September 2001 20:22, Harada wrote:
> > Joseph Reagle,
> > Hello!
>
> Could you please send your comments to the dsig list
> w3c-ietf-xmldsig@w3.org ? I'm one of the least knowledgeable people in the
> Working Group (WG) about X509 and CRLs, so the authors of this section of
> the spec and the rest of the WG will need to discuss it.
>
> > But the mixed X509CRLs cause checking by all X509CRLs.
> > I think it would cause regaining CRLs of invalid certificates.
> > I think it causes a speed down. But if I would only use valid X509CRLs,
> > this makes it uncertain to accomplish the CRLs check.
>
> I'm not sure I understand this.
>
> > I proposed the structure for speed up. I think this enables skipping
> > CRL regains and checks corresponding to invalid certificates, and
> > valid CRLs of a valid certificate are sped up.
>
> In one proposal you eliminate it altogether, but don't you want to be
> able to process CRLs? In the other you change it to ... , X509CRL*)+ but I'm
> not sure how that is different?
>
> (I apologize for not understanding well, but again I think other people in
> the WG would do a better job!)
>

Received on Monday, 17 September 2001 22:16:11 UTC