[caops-wg] OCSP & delta CRLs

Mike Helm helm at fionn.es.net
Mon Feb 6 00:17:41 CST 2006


Requirements doc readers will note some discussion about delta 
CRLs, provided by Oscar or Jesus at some point, and some
remarks in the end notes about combining some of the 
delta CRLs.

I have no practical experience using delta CRLs - Oscar & Jesus
perhaps, or maybe others outside of Grids, should speak up
with real experience.  Our (DOEGrids) customers
haven't been able to use delta CRLs, although our CA product can
produce them.

I don't believe OpenSSL can currently support delta CRLs
directly; at least, current documentation disclaims this,
although I don't know what problems result. (Perhaps OpenSSL just
treats them as another CRL in the same CA's series without
understanding how to integrate them, or perhaps some attribute 
will trigger evaluation failure - I don't know.)

Reviewing the discussion in RFC 3280 5.2.4, it appears
that delta CRLs contain their own thisUpdate/nextUpdate
attributes.   True?  Applications are supposed to be able to 
combine the base CRL & deltas to produce a new effective
CRL (that's how I read the RFC).  Could we use this to
reduce the size of the "cautionary period"?  e.g.

base   delta   delta   delta  delta delta  base
crl      1       2      3      4      5     crl
t0  ... t1  ... t2 ... t3 ... t4 ... t5 ... t6

This would be useless to most or all current Grid customers,
but it could be used by a conforming OCSP responder,
which could also report the shorter update expectations
to the relying party.

I think we may have the components to test this in the 
ESnet-DOEGrids test OCSP responder.  I believe one of the
other co-authors runs a CA service that could produce
delta CRLs, too.  I don't know if there are many CAs with
that capability - I think I know of another European one,
and perhaps one in Asia.

If I am reading the RFC right and current products seem
to support this, we should recommend this "system configuration"
to improve the quality of revocation info in Grids.  This is 
a real improvement over the current state of affairs and
will meet the needs of security officers much better,
in my opinion.  Of course, we'll have to get their reading on it.
It also seems relatively forgiving, in that a variety of 
delta production schedules including "none" can be supported.

Thanks, ==mwh
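Added example (not part of the message above, and not DOEGrids or OpenSSL code): a standard-library Python model of the RFC 3280 section 5.2.4 combination the message describes, applied to the t0 .. t6 timeline. The CRLs are simplified in-memory objects (CRLNumber, thisUpdate/nextUpdate, entries, BaseCRLNumber), not parsed DER; the issuer name, serials and issue times are constructed; and giving the locally constructed CRL the delta's CRLNumber and validity window is this example's modelling choice, flagged in a comment. The last function measures how much daily deltas shorten the delay between a revocation and its first appearance in any issued CRL, which is the "cautionary period" the message asks about.

```python
"""Combine a base CRL with delta CRLs (RFC 3280 section 5.2.4) and measure the
revocation publication delay with and without deltas.  Standard library only;
the CRL objects below are a simplified in-memory model, not parsed X.509."""
from datetime import datetime, timedelta, timezone

# CRLReason values from RFC 3280 section 5.3.1
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8  # only meaningful in a delta: drop the entry from the base


class CRL:
    """Minimal CRL model: CRLNumber, validity window, entries, and the
    BaseCRLNumber from the DeltaCRLIndicator extension when it is a delta."""

    def __init__(self, issuer, number, this_update, next_update, entries,
                 base_number=None):
        self.issuer = issuer
        self.number = number                 # CRLNumber extension
        self.this_update = this_update
        self.next_update = next_update
        self.entries = dict(entries)         # serial -> CRLReason
        self.base_number = base_number       # BaseCRLNumber; None = complete CRL


def combine(complete, delta):
    """Apply one delta CRL to a complete CRL and return the locally
    constructed CRL, enforcing the RFC 3280 5.2.4 applicability rules."""
    if delta.base_number is None:
        raise ValueError("second argument is not a delta CRL")
    if complete.issuer != delta.issuer:
        raise ValueError("issuer mismatch")
    # The complete CRL must contain at least the referenced base ...
    if complete.number < delta.base_number:
        raise ValueError("complete CRL %d predates BaseCRLNumber %d"
                         % (complete.number, delta.base_number))
    # ... and must itself be older than the delta.
    if complete.number >= delta.number:
        raise ValueError("delta %d is not newer than complete CRL %d"
                         % (delta.number, complete.number))
    merged = dict(complete.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)         # hold released: entry disappears
        else:
            merged[serial] = reason          # new entry, or the delta's reason wins
    # Modelling choice (assumption): the constructed CRL is as fresh as the
    # delta, so it carries the delta's CRLNumber and thisUpdate/nextUpdate.
    return CRL(complete.issuer, delta.number, delta.this_update,
               delta.next_update, merged)


def effective_crl(complete, deltas):
    """Fold a series of deltas into a complete CRL, oldest delta first."""
    for delta in sorted(deltas, key=lambda d: d.number):
        complete = combine(complete, delta)
    return complete


def publication_delay(revoked_at, issue_times):
    """Time from a revocation until the first CRL (base or delta) issued at or
    after it: the longest a relying party can be left with stale data."""
    later = [t for t in issue_times if t >= revoked_at]
    if not later:
        raise ValueError("no CRL issued after the revocation")
    return min(later) - revoked_at


# Constructed sample data following the message's timeline: base at t0,
# deltas one day apart, next base at t6.  Names and serials are made up.
T0 = datetime(2006, 2, 6, tzinfo=timezone.utc)
DAY = timedelta(days=1)
ISSUE_TIMES = [T0 + i * DAY for i in range(7)]          # t0 .. t6

BASE = CRL("DOEGrids-test", 10, T0, T0 + 6 * DAY,
           {1001: KEY_COMPROMISE, 1002: CERTIFICATE_HOLD})
DELTAS = [
    CRL("DOEGrids-test", 11, T0 + DAY, T0 + 2 * DAY,
        {1003: KEY_COMPROMISE}, base_number=10),
    CRL("DOEGrids-test", 12, T0 + 2 * DAY, T0 + 3 * DAY,
        {1002: REMOVE_FROM_CRL}, base_number=10),       # hold on 1002 released
]


def demo():
    """Effective CRL after two deltas, plus the worst-case delay for a
    revocation 30 hours after t0 with base CRLs only vs. with daily deltas."""
    crl = effective_crl(BASE, DELTAS)
    revoked_at = T0 + timedelta(hours=30)
    base_only = publication_delay(revoked_at, [T0, T0 + 6 * DAY])
    with_deltas = publication_delay(revoked_at, ISSUE_TIMES)
    return crl, base_only, with_deltas


if __name__ == "__main__":
    crl, base_only, with_deltas = demo()
    print("effective CRL #%d, revoked serials: %s"
          % (crl.number, sorted(crl.entries)))
    print("worst-case delay, base CRLs only:", base_only)
    print("worst-case delay, with daily deltas:", with_deltas)
```

Run it as a script: the constructed CRL ends up as number 12 with serials 1001 and 1003 (1002's hold was released by the second delta), and the delay for a revocation at t0 + 30h drops from 114 hours (waiting for the t6 base) to 18 hours (the t2 delta). A conforming OCSP responder sitting on the same data could advertise that shorter nextUpdate to relying parties, as the message suggests.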