Clarification to processing Key Usage values during CRL validation
draft-lamps-bonnell-keyusage-crl-validation-04
| Field | Value |
|---|---|
| Type | Replaced Internet-Draft (lamps WG), Expired & archived |
| Authors | Corey Bonnell, Tadahiko Ito, Tomofumi Okubo |
| Last updated | 2025-05-19 (Latest revision 2025-04-16) |
| Replaced by | draft-ietf-lamps-keyusage-crl-validation |
| RFC stream | Internet Engineering Task Force (IETF) |
| Intended RFC status | (None) |
| Formats | |
| Additional resources | Mailing list discussion |
| WG state | Adopted by a WG |
| Document shepherd | (None) |
| IESG state | Replaced by draft-ietf-lamps-keyusage-crl-validation |
| Consensus boilerplate | Unknown |
| Telechat date | (None) |
| Responsible AD | (None) |
| Send notices to | (None) |
This Internet-Draft is no longer active; an archived copy of the expired draft remains available.
Abstract
RFC 5280 defines the profile of X.509 certificates and certificate revocation lists (CRLs) for use in the Internet. This profile requires that certificates which certify keys for signing CRLs contain the key usage extension with the cRLSign bit asserted. Additionally, RFC 5280 defines steps for the validation of CRLs. While RFC 5280 requires CRL validators to verify that the cRLSign bit is asserted when the keyUsage extension is present in the CRL issuer's certificate, this document clarifies that relying parties must also verify that the keyUsage extension is actually present in that certificate. This check remediates a potential security issue that arises when a relying party accepts a CRL signed by a certificate that has no keyUsage extension at all and therefore never explicitly asserts the cRLSign bit.
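The check the abstract describes, written out as an added example that is not part of the draft or of any library's API: a minimal DER walker over the Extensions SEQUENCE of the CRL issuer's certificate that rejects the certificate when the keyUsage extension is absent, not only when it is present without cRLSign. The function names, the small DER encoder used to build the inputs, and the three sample extension lists are assumptions made for this example; they are constructed, not taken from real certificates.

```python
"""Added example: verify that a CRL issuer certificate carries a keyUsage
extension AND that the extension asserts cRLSign.  Works on the DER-encoded
Extensions SEQUENCE (the content of TBSCertificate's [3] EXPLICIT field).
Stdlib only; names and sample inputs are assumptions for this example."""

KEY_USAGE_OID = "2.5.29.15"          # id-ce-keyUsage (RFC 5280 4.2.1.3)
BASIC_CONSTRAINTS_OID = "2.5.29.19"  # id-ce-basicConstraints, only to make samples realistic
KEY_CERT_SIGN_BIT = 5                # KeyUsage ::= BIT STRING { ..., keyCertSign(5), cRLSign(6), ... }
CRL_SIGN_BIT = 6


# ---- minimal DER encoder, used only to construct the sample inputs ----

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for sid in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [sid & 0x7F]
        sid >>= 7
        while sid:                       # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def der_extension(oid: str, value: bytes, critical: bool) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    crit = der(0x01, b"\xff") if critical else b""   # DER omits DEFAULT values
    return der(0x30, der_oid(oid) + crit + der(0x04, value))


def der_key_usage(bits: set[int]) -> bytes:
    """KeyUsage BIT STRING in DER's minimal form (trailing zero bits are not encoded)."""
    if not bits:
        return der(0x03, b"\x00")
    buf = bytearray(max(bits) // 8 + 1)
    for b in bits:
        buf[b // 8] |= 0x80 >> (b % 8)
    unused = 7 - (max(bits) % 8)
    return der(0x03, bytes([unused]) + bytes(buf))


# ---- minimal DER reader for the check itself ----

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, end) for the TLV at pos; rejects indefinite/oversized lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_oid(content: bytes) -> str:
    subids, cur = [], 0
    for b in content:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    first = subids[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + subids[1:])


def find_extension(extensions: bytes, oid: str):
    """Return (critical, extnValue) for oid, or None if absent; duplicates are an error (RFC 5280 4.2)."""
    tag, seq, end = _read_tlv(extensions, 0)
    if tag != 0x30 or end != len(extensions):
        raise ValueError("Extensions must be a single SEQUENCE")
    found, pos = None, 0
    while pos < len(seq):
        tag, ext, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        t, oid_bytes, p = _read_tlv(ext, 0)
        if t != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        t, v, p = _read_tlv(ext, p)
        critical = False
        if t == 0x01:                        # optional critical BOOLEAN
            critical = v == b"\xff"
            t, v, p = _read_tlv(ext, p)
        if t != 0x04 or p != len(ext):
            raise ValueError("extnValue must be the final OCTET STRING")
        if decode_oid(oid_bytes) == oid:
            if found is not None:
                raise ValueError("duplicate extension " + oid)
            found = (critical, v)
    return found


def key_usage_bits(extn_value: bytes) -> set[int]:
    """Decode the KeyUsage BIT STRING inside extnValue into the set of asserted bit positions."""
    tag, content, end = _read_tlv(extn_value, 0)
    if tag != 0x03 or end != len(extn_value) or not content or content[0] > 7:
        raise ValueError("KeyUsage must be a single well-formed BIT STRING")
    unused, body = content[0], content[1:]
    nbits = len(body) * 8 - unused
    return {i for i in range(nbits) if body[i // 8] & (0x80 >> (i % 8))}


def crl_issuer_key_usage_ok(extensions: bytes) -> tuple[bool, str]:
    """The clarified check: keyUsage must be present AND must assert cRLSign."""
    ext = find_extension(extensions, KEY_USAGE_OID)
    if ext is None:
        # RFC 5280 6.3.3 step (f) as written only tests cRLSign *if* keyUsage is present;
        # an absent extension is exactly the gap the draft closes.
        return False, "keyUsage extension absent"
    _critical, value = ext
    if CRL_SIGN_BIT not in key_usage_bits(value):
        return False, "cRLSign bit not asserted"
    return True, "keyUsage present with cRLSign asserted"


# ---- constructed sample inputs (assumptions for this example, not real certificates) ----
_BC_CA = der_extension(BASIC_CONSTRAINTS_OID, der(0x30, der(0x01, b"\xff")), True)
SAMPLE_CA_WITH_CRLSIGN = der(0x30, _BC_CA + der_extension(
    KEY_USAGE_OID, der_key_usage({KEY_CERT_SIGN_BIT, CRL_SIGN_BIT}), True))
SAMPLE_CA_NO_KEY_USAGE = der(0x30, _BC_CA)                         # the draft's target case
SAMPLE_CA_NO_CRLSIGN = der(0x30, _BC_CA + der_extension(
    KEY_USAGE_OID, der_key_usage({0}), True))                        # digitalSignature only

if __name__ == "__main__":
    for name, ext in [("with cRLSign", SAMPLE_CA_WITH_CRLSIGN),
                      ("no keyUsage", SAMPLE_CA_NO_KEY_USAGE),
                      ("no cRLSign", SAMPLE_CA_NO_CRLSIGN)]:
        print(f"{name:13s}: {crl_issuer_key_usage_ok(ext)}")
```

The only difference from the RFC 5280 6.3.3 step (f) wording is the `ext is None` branch: a validator that skips the keyUsage test when the extension is missing accepts the second sample, while the clarified check rejects it. A production validator would additionally confirm the CRL issuer's certification path and signature; this example isolates the keyUsage decision.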
Authors
Corey Bonnell
Tadahiko Ito
Tomofumi Okubo
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)