Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-8052

Partitioned CRLs should not be allowed without "Issuing Distribution Point" CRL extension

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.1.0
    • Component/s: None
    • Labels:
      None
    • Provenance:
      Internal Delivery
    • Sprint:
      EJBCA Team Bob - 2019 w13

      Description

      When CRL Partitioning is enabled, the "Issuing Distribution Point on CRL" is required.

      It is required for two reasons:
      1. Security. Otherwise a man-in-the-middle attacker can swap two CRLs without the client being able to detect it.
      2. Database. The fingerprint column is the primary key, and it is derived from the CRL data, so all CRLs must be unique. Adding the "Issuing Distribution Point" to the CRLs makes CRLs from different partitions unique, even if both are otherwise identical (i.e. empty).

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              katja_helmes Jekaterina Bunina
              Reporter:
              samuel Samuel Lidén Borell
              Verified by:
              Samuel Lidén Borell
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 4 hours Original Estimate - 4 hours
                  4h
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 day, 7 hours
                  1d 7h