Initial review #1
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3151,7 +3151,7 @@ A full and complete CRL is a list of all revoked certificates issued by the CA f | |
|
|
||
| A partitioned CRL (sometimes referred to as a "sharded CRL") is a list of revoked certificates issued by the CA for any and all reasons constrained to a specific scope (e.g., temporal sharding). | ||
|
|
||
| Minimally, CAs MUST issue either a "full and complete" CRL - or "partitioned" CRLs. CAs MUST NOT issue indirect CRLs (i.e., the issuer of the CRL is not the issuer of all Certificates that are included in the scope of the CRL). | ||
|
|
||
| If using only partitioned CRLs, the full set of partitioned CRLs MUST cover the complete set of public-key certificates issued by the CA. Thus, the complete set of partitioned CRLs MUST be equivalent to a full CRL for the same set of public-key certificates, if the CA was not using partitioned CRLs. | ||
|
|
||
|
|
@@ -3165,9 +3165,9 @@ Table: CRL Fields | |
| | `version` | MUST be v2(1) | | ||
| | `signature` | See [Section 7.1.3.2](#7132-signature-algorithmidentifier) | | ||
| | `issuer` | MUST be byte-for-byte identical to the `subject` field of the Issuing CA. | | ||
| | `thisUpdate` | UTCTime (YYMMDDHHMMSSZ) MUST be used for dates up to and including 2049. GeneralizedTime (YYYYMMDDHHMMSSZ) MUST be used for dates after 2049.| | ||
| | `nextUpdate` | This field MUST be present. UTCTime (YYMMDDHHMMSSZ) MUST be used for dates up to and including 2049. GeneralizedTime (YYYYMMDDHHMMSSZ) MUST be used for dates after 2049.| | ||
| | `revokedCertificates` | MUST only be present if the CA has issued a certificate that is both revoked and unexpired. See the "revokedCertificates" table for additional requirements. | | ||
|
There was a problem hiding this comment. There are two issues with requiring that only unexpired certificates may appear:
There was a problem hiding this comment. Accepted proposed changes - and added language from 3.3 of 5280 that states "An entry MUST NOT be removed from the CRL until it appears on one regularly scheduled CRL issued beyond the revoked certificate's validity period." |
||
| | `extensions` | See below table. | | ||
| | `signatureAlgorithm` | Encoded value MUST be byte-for-byte identical to the `tbsCertList.signature`. | | ||
| | `signature` | | | ||
|
|
@@ -3177,17 +3177,17 @@ Table: CRL Extensions | |
|
|
||
| | __Extension__ | __Presence__ | __Critical__ | __Description__ | | ||
| | ---- | - | - | ----- | | ||
| | `authorityKeyIdentifier` | MUST | N | The `keyIdentifier` field MUST be included and its value MUST be byte-for-byte identical to the Subject Key Identifier of the Issuing CA's Certificate. The `authorityCertIssuer` and `authorityCertSerialNumber` fields MUST NOT be populated. | | ||
| | `CRLNumber` | MUST | N | MUST contain an INTEGER greater than or equal to 0 and less than 2**159 and convey a monotonically increasing sequence. | | ||
| | `IssuingDistributionPoint` | * | Y | Partitioned CRLs MUST include at least one of the names from the corresponding distributionPoint field of the cRLDistributionPoints extension of every certificate that is within the scope of this CRL. The encoded value MUST be byte-for-byte identical to the encoding used in the distributionPoint field of the certificate. The `indirectCRL` and `onlyContainsAttributeCerts` fields MUST be set to `FALSE` (i.e., not asserted). The CA MAY set either of the `onlyContainsUserCerts` and `onlyContainsCACerts` fields to `TRUE`, depending on the scope of the CRL. The CA MUST NOT assert both of the `onlyContainsUserCerts` and `onlyContainsCACerts` fields. The `onlySomeReasons` field SHOULD NOT be included; if included, then the CA MUST provide another CRL whose scope encompasses all revocations regardless of reason code. This extension is NOT RECOMMENDED for full and complete CRLs. | | ||
|
There was a problem hiding this comment. I'm wondering if we can sunset the use of "onlySomeReasons" entirely, since 5280 requires provisioning a CRL independent of reason code anyway. There was a problem hiding this comment. Accepting proposed changes with minor formatting for consistency with Profiles Ballot (e.g., superscript formatting of 2^159). |
||
| | Any other extension | NOT RECOMMENDED | - | | | ||
|
|
||
| Table: revokedCertificates Component | ||
|
|
||
| | __Component__ | __Presence__ | __Description__ | | ||
| | ---- | - | ----- | | ||
| | `serialNumber` | MUST | MUST be byte-for-byte identical to the serialNumber contained in the revoked certificate.| | ||
| | `revocationDate` | MUST | The date and time which revocation occured. UTCTime (YYMMDDHHMMSSZ) MUST be used for dates up to and including 2049. GeneralizedTime (YYYYMMDDHHMMSSZ) MUST be used for dates after 2049. | | ||
| | `crlEntryExtensions` | * | See crlEntryExtensions table (below) | | ||
|
|
||
| Table: crlEntryExtensions Component | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is a natural consequence of requiring
cRLSignto be asserted in the keyUsage extension of both roots and intermediates.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accepting proposed change.
(thank you!)