Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-8052

Partitioned CRLs should not be allowed without "Issuing Distribution Point" CRL extension

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.1.0
    • Component/s: None
    • Labels:
      None
    • Provenance:
      Internal Delivery
    • Sprint:
      EJBCA Team Bob - 2019 w13

      Description

      When CRL Partitioning is enabled, the "Issuing Distribution Point on CRL" is required.

      It is required for two reasons:
      1. Security. Otherwise a man-in-the-middle attacker can swap two CRLs without the client being able to detect it.
      2. Database. The fingerprint column is the primary key, and it is derived from the CRL data, so all CRLs must be unique. Adding the "Issuing Distribution Point" to the CRLs makes CRLs from different partitions unique, even if both are otherwise identical (i.e. empty).

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                katja_helmes Jekaterina Bunina
                Reporter:
                samuel Samuel Lidén Borell
                Verified by:
                Samuel Lidén Borell
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 4 hours Original Estimate - 4 hours
                  4h
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 day, 7 hours
                  1d 7h