LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1  12-10-2012, 10:22 AM
Linux_Kidd (Member; registered Jan 2006; USA; 518 posts)
TLS and CRL


Does anyone know if the latest rev of the X.509 cert requires a reachable CRL for the cert to be valid when a browser checks the cert chain? Isn't "validity" based on verifying the cert chain up to some trusted CA?

Is the CRL part of an X.509 a requirement?

Does any of this change if it's TLS vs. other types of encryption schemes?

From the X.509 RFC 5280:

"The CRL distribution points extension identifies how CRL information is obtained. The extension SHOULD be non-critical, but this profile RECOMMENDS support for this extension by CAs and applications."

#2  12-12-2012, 07:59 AM
unSpawn (Moderator; registered May 2001; 27,165 posts)
As far as I understand PKI (which isn't much), the signing CA is responsible for providing a CRL. Every time a web browser encounters a certificate it must determine if it is not revoked. Since web browsers come with a pack of CA certificates loaded, it determines the signing CA from the certificate and then uses OCSP as a "shortcut" for checking. I think the easiest counter question would be "how else would you determine the validity of a certificate?" and the last paragraph of RFC 3280 says "If the revocation status remains undetermined, then return the cert_status UNDETERMINED.". So if you don't have a local CRL or can't use 'net-based verification then you can't determine the validity, right? TLS here provides only encapsulation. It doesn't change the method nor content of what gets checked. Evidence of that is clients having to manually approve self-signed certs. I don't run my own PKI, so somebody correct me if I'm wrong.
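An added example, not code from either poster, showing the distinction the thread turns on using only Go's standard library (crypto/x509). The CA, the leaf, the serial numbers and the CRL distribution point URL are all constructed placeholders. Chain verification ("up to a trusted CA") passes for a certificate the CA has already revoked; revocation is a separate check against the CA's CRL, and a CRL that cannot be validated or is past its NextUpdate leaves the status undetermined rather than "valid".

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// buildPKI constructs a throwaway CA, leaf and CRL in memory; errors are dropped only because every input is fixed here.
func buildPKI() (ca, leaf *x509.Certificate, crl *x509.RevocationList) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	from, until := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	parse := func(der []byte, _ error) *x509.Certificate { c, _ := x509.ParseCertificate(der); return c }
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: from, NotAfter: until, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = parse(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)) // re-parsed so SubjectKeyId is set
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), DNSNames: []string{"www.example.test"}, NotBefore: from,
		NotAfter: until, CRLDistributionPoints: []string{"http://crl.example.test/demo.crl"}} // placeholder CDP, never fetched
	leaf = parse(x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey))
	// The CA now revokes serial 42 and signs a CRL that stays current until `until`.
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: from, NextUpdate: until,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: from}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	crl, _ = x509.ParseRevocationList(crlDER)
	return ca, leaf, crl
}
// chainValid is "verifying the chain up to a trusted CA": path, names and dates are checked, the CRL the cert names is not.
func chainValid(leaf, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "www.example.test"})
	return err == nil
}
// revokedByCRL is the separate check a relying party must add: CRL signed by the issuing CA and still current, else undetermined.
func revokedByCRL(crl *x509.RevocationList, leaf, ca *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err
	}
	if time.Now().After(crl.NextUpdate) {
		return false, errors.New("CRL is stale: revocation status undetermined")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```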