View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0004081 | 10000-012: Discovery | Spec | public | 2017-12-02 11:05 | 2021-01-13 12:20 |
| Reporter | mregen | Assigned To | randyarmstrong | ||
| Priority | normal | Severity | feature | Reproducibility | always |
| Status | closed | Resolution | duplicate | ||
| Summary | 0004081: How to handle CA certificates with CRLs with AddCertificate/RemoveCertificate. | ||||
| Description | These methods are currently designed for self signed certs only. However it would be useful also to be able to add CRLs with AddCertificate. This would just be a spec extension, the existing Method could remain unchanged, but the server needs to detect if a CRL is passed instead of a certificate and add it to the CRL list instead of the cert store. ALso outdated CRLs of the same CA should be replaced in such a case. For RemoveCertificate, removing a CA cert should also remove all associated CRLs in the same store. | ||||
| Steps To Reproduce | Currently the spec allows to add and remove a CA certificate with the methods, but CRLs remain untouched and can only be managed by using the File Replace Existing method on Trustlist. | ||||
| Additional Information | Since a few SDKs are going to support server configuration soon it would be good to spec the behaviour in the 1.04 release. | ||||
| Tags | No tags attached. | ||||
| Commit Version | |||||
| Fix Due Date | |||||
| related to | 0004172 | closed | randyarmstrong | Breaking 1.04 change in TrustListType::AddCertificate |
| related to | 0006342 | closed | randyarmstrong | .NET reference implementation of AddCertificate accepts CRL |
|
|
Added text to method to allow CA signed certs in 1.04.19. |
|
|
The issue describes the problem that currently there is no way of adding/removing CRLs to/from a certificate store. Allowing CA signed certs for the method does not resolve the issue. |
|
|
The CRL is signed by the CA private key and can only be changed by the CA. CRLs must be provided via this API as a signed blob. The specification allows CRLs to be updated by updating the TrustList (using bitmasks to limit the changes to CRLs). This should be adequate. |
|
|
Need to provide guidance on ensuring consistent revocation list. |
|
|
The change in 1.04 for this issue does not solve the requested feature but introduces a major breaking change and potential security issue. See 0004172 |
|
|
Resolved as described in 0004172. |
|
|
Accepted in 1.05.03 during June 19th WG call. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2017-12-02 11:05 | mregen | New Issue | |
| 2017-12-12 19:32 | randyarmstrong | Note Added: 0008789 | |
| 2017-12-12 19:32 | randyarmstrong | Status | new => resolved |
| 2017-12-12 19:32 | randyarmstrong | Resolution | open => fixed |
| 2017-12-12 19:32 | randyarmstrong | Assigned To | => randyarmstrong |
| 2017-12-13 16:30 | Hannes Mezger | Note Added: 0008792 | |
| 2017-12-13 16:30 | Hannes Mezger | Status | resolved => feedback |
| 2017-12-13 16:30 | Hannes Mezger | Resolution | fixed => reopened |
| 2017-12-19 17:58 | randyarmstrong | Note Added: 0008805 | |
| 2017-12-19 18:05 | randyarmstrong | Note Added: 0008806 | |
| 2017-12-19 18:05 | randyarmstrong | Status | feedback => resolved |
| 2017-12-19 20:12 | Jim Luth | Status | resolved => assigned |
| 2018-02-27 13:46 | Matthias Damm | Relationship added | related to 0004172 |
| 2018-02-27 13:47 | Matthias Damm | Note Added: 0008891 | |
| 2018-03-13 01:34 | randyarmstrong | Note Added: 0008912 | |
| 2018-03-13 01:34 | randyarmstrong | Status | assigned => resolved |
| 2018-03-13 01:34 | randyarmstrong | Resolution | reopened => duplicate |
| 2018-06-19 15:48 | randyarmstrong | Note Added: 0009189 | |
| 2018-06-19 15:48 | randyarmstrong | Status | resolved => closed |
| 2021-01-13 12:20 | Matthias Damm | Relationship added | related to 0006342 |
