-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to use CRL without "issuing distribution point" #228
Comments
Thanks for filing an issue. Have you spoken to Amazon about why their CRLs do not include an IDP extension? Is this something a user can configure, or a baked-in constraint of the product? For broader context this was discussed fairly thoroughly in #121 |
I haven't yet reached out to AWS to ask about it. However I know it is not user-configurable, the CRL is fully managed. |
I reached out to AWS about this and they provided the following response:
|
Thanks for passing on their reply. I'll have to find time to page back in more context here. I agree the IDP extension is not required per 5280, but when the end entity certificates have a CRL distribution point, wouldn't you want the CRL to have an IDP that identifies it as the same CRL mentioned in the cert CRL DP? What is the proposed change in behaviour you want to see in webpki (keeping in mind the constraints discussed in #121)? |
I'm not sure I fully understand the constraints from #121 but I suppose the proposal here would be treating the CRL authoritative based solely on the issuer, if the CRL is non-partitioned. |
Relaxing the check so that a CRL without an IDP ext. is considered authoritative for a cert with a CRL DP ext. iff the CRL issuer matches the cert issuer might be reasonable, but I think we avoided that out of wariness of substitution attacks. Admitedly the specifics are out of my mental cache. @jsha Tagging you here as well since you raised the initial concerns in #121 that resulted in the stricter matching logic. Any thoughts on this case? I'm having a hard time justifying our approach based on 5280 alone, but it also seems like relaxing our logic could be dangerous. |
I'm running into a problem getting my CRL to be recognized as authoritative for a certificate.
The certificate itself has a "distribution point" listed on it, however the given CRL does not use the "issuing distribution point" extension, which appears to be optional in RFC 5280. I couldn't find anything in the spec which specifically relates these two fields as a requirement to be present when the other is. As another data point, I do not run into this issue with PKIjs.
In practice, this affects people using AWS Private CA, a managed PKI offering which includes the issuance of X.509 certificates, and hosting of CRLs. The certificates issued by Private CA contain a "distribution point" while the CRLs do not implement the "issuing distribution point" extension.
To be clear, I'm hitting the
return cert_dps.is_none()
check in this code, returning false:The text was updated successfully, but these errors were encountered: