Click here to get back home

Base CRL OverIssuing and Delta CRL Conflicts
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Base CRL OverIssuing and Delta CRL Conflicts Chipeater 08-07-2006
Get Chitika Premium
Posted by Chipeater on August 7, 2006, 4:12 am
Please log in for more thread options
 I'm trying to understand a potential conflict between the use of Delta
CRLs and "Base CRL over-issuing" which the PKI I am responsible for is
using to increase avilablilty. The environment is a Win2K3 enterprise
CA issuing SC logon certs, Base CRL is seven days (over-issued daily)
with a one hour delta CRL.

Scenario
The base CRL is published on Friday at 9am, I subsequently revoke
certificate 13 at 9:30am. I attempt to logon at 10am (DC1 has a base
CRL valid from Friday at 9am), at which time the Delta CRL is retrieved
and I am prevented from logging in. Great.

However, I then go and watch Jack Bauer save the world again and try to
logon again tomorrow. Now, a new base CRL has been issued on Saturday
at 9am and "purged the delta CRL". My logon at 9:30 get's directed to
DC38 (which never retrieved a delta yesterday) and is successful, also
DC38 will never learn about the revoked status of my certificate until
it's base CRL expires next Friday at 9:00 and attempts to retrieve a
new one.

Questions
1. Can anyone confirm whether my thinking is correct and that this is a
potential "gap" in using deltas combined with over-issuing (oil and
water?).

2. Related... can anyone confirm whether delta CRL publication parses
the entire CA database. I'm involved in another, very big PKI, which
is considering using deltas. However, the issuance of the base CRL
takes a total of ten minutes to complete due to a certificate database
approaching one million certs (during which time the CA is not able to
issue certificates). It is hoped to issue deltas on a fifteen minute
frequency, however, if deltas compute using the same method as a base
this will clearly not be feasible for me.

Thanks, Dave


Posted by Paul Adare on August 7, 2006, 5:10 am
Please log in for more thread options
 the microsoft.public.windows.server.security news group, Chipeater

> I'm trying to understand a potential conflict between the use of Delta
> CRLs and "Base CRL over-issuing" which the PKI I am responsible for is
> using to increase avilablilty. The environment is a Win2K3 enterprise
> CA issuing SC logon certs, Base CRL is seven days (over-issued daily)
> with a one hour delta CRL.

What does "over-issued" mean? I've been doing PKI deployments for a
number of years and I've never heard of this term. If you're referring
to publishing new base CRLs before the current base CRL has expired
then you're wasting your time. If a system has the current base CRL
loaded and cached, you can publish a new one as often as you like and
the system that has the original base CRL won't fetch the new one as
long as the one it has cached is time valid.

>
> Scenario
> The base CRL is published on Friday at 9am, I subsequently revoke
> certificate 13 at 9:30am. I attempt to logon at 10am (DC1 has a base
> CRL valid from Friday at 9am), at which time the Delta CRL is retrieved
> and I am prevented from logging in. Great.
>
> However, I then go and watch Jack Bauer save the world again and try to
> logon again tomorrow. Now, a new base CRL has been issued on Saturday
> at 9am and "purged the delta CRL". My logon at 9:30 get's directed to
> DC38 (which never retrieved a delta yesterday) and is successful, also
> DC38 will never learn about the revoked status of my certificate until
> it's base CRL expires next Friday at 9:00 and attempts to retrieve a
> new one.

The question you should be asking and the problem you should be
attempting to engineer a solution for is why DC38 never received the
delta CRL in the first place. Where are you publishing the CRLs to in
the first place? Unless you're publishing to AD, then a computer never
"receives" a CRL they always retrieve a CRL and even if you're
publishing to AD only DCs "receive" CRLs and even then, in order to
actually use them, even a DC needs to retrieve the CRL from the
directory.

>
> Questions
> 1. Can anyone confirm whether my thinking is correct and that this is a
> potential "gap" in using deltas combined with over-issuing (oil and
> water?).

No, this is not correct and publishing base CRLs more frequently than
they are valid for is a waste of time and effort.

--
Paul Adare - MVP Virtual Machines
It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain

Posted by Chipeater on August 7, 2006, 3:29 pm
Please log in for more thread options
Paul,
First let me say thankyou for taking the time to respond to my
question.

I think it would help if I added a little clarification. The term
over-issued is something that I saw mentioned in some Entrust
documentation a while back and I thought it was a "pretty neat way" of
summing up issuing base CRLs before existing CRLs expire.

The most important thing I omitted was to explain why we over-issue in
our environment... I fully understand that over-issuing won't affect
the freshness of the CRL which is cached by a DC. However,
over-issuing is favourable in our environment as, for example, with a
7-day CRL which is over-issued daily we always have a scenario whereby
if the CA "went bang" we'd have a total of six days to recover the CA
before SC logon fell apart (we monitor the presence of a CRL with six
days outstanding balance in AD (in this environment we don't publish to
HTTP) and raise alert if that condition is not met). If we didn't
over-issue and the CA went bang just before it's scheduled publication
of a base CRL I guess we'd have problems. If there is a better way of
avoiding big problems caused by a CA crash just prior to "scheduled"
publication of a base CRL I'd be extremely interested to learn.


The D-CRL issue I raised is more difficult to explain... though it
would have been more helpful if I'd described the DC as retrieving a
CRL (even if from itself) rather than receiving it, agreed.
The problem I wanted to describe is the fact that over-issuing of the
base CRL would "purge the D-CRL", and we could easily end up with a
situation whereby a "SC cert" was revoked on day 1, purged from the
D-CRL on day 2, then the user turns up on day 3 with his laptop at
another location and logs on against a DC which never retrieved and
cached the D-CRL upon which the bad cert was listed (perhaps the DC was
down on day 1, or some other exists why it didn't cache the D-CRL).

What I'm hoping for is for clarification about whether the D-CRL
(published hourly) scenario as described is indeed a possibility or
whether I have a complete misunderstanding of the workings of base
CRLs, D-CRLs, cacheing, etc. I don't want to set the expectation that
revocation status has "one hour freshness" whereas in actual fact there
are situations which would fall outside of this.

Regards, Dave


Posted by Brian Komar on August 7, 2006, 11:17 pm
Please log in for more thread options
says...
> Paul,
> First let me say thankyou for taking the time to respond to my
> question.
>
> I think it would help if I added a little clarification. The term
> over-issued is something that I saw mentioned in some Entrust
> documentation a while back and I thought it was a "pretty neat way" of
> summing up issuing base CRLs before existing CRLs expire.
>
> The most important thing I omitted was to explain why we over-issue in
> our environment... I fully understand that over-issuing won't affect
> the freshness of the CRL which is cached by a DC. However,
> over-issuing is favourable in our environment as, for example, with a
> 7-day CRL which is over-issued daily we always have a scenario whereby
> if the CA "went bang" we'd have a total of six days to recover the CA
> before SC logon fell apart (we monitor the presence of a CRL with six
> days outstanding balance in AD (in this environment we don't publish to
> HTTP) and raise alert if that condition is not met). If we didn't
> over-issue and the CA went bang just before it's scheduled publication
> of a base CRL I guess we'd have problems. If there is a better way of
> avoiding big problems caused by a CA crash just prior to "scheduled"
> publication of a base CRL I'd be extremely interested to learn.
>
>
> The D-CRL issue I raised is more difficult to explain... though it
> would have been more helpful if I'd described the DC as retrieving a
> CRL (even if from itself) rather than receiving it, agreed.
> The problem I wanted to describe is the fact that over-issuing of the
> base CRL would "purge the D-CRL", and we could easily end up with a
> situation whereby a "SC cert" was revoked on day 1, purged from the
> D-CRL on day 2, then the user turns up on day 3 with his laptop at
> another location and logs on against a DC which never retrieved and
> cached the D-CRL upon which the bad cert was listed (perhaps the DC was
> down on day 1, or some other exists why it didn't cache the D-CRL).
>
> What I'm hoping for is for clarification about whether the D-CRL
> (published hourly) scenario as described is indeed a possibility or
> whether I have a complete misunderstanding of the workings of base
> CRLs, D-CRLs, cacheing, etc. I don't want to set the expectation that
> revocation status has "one hour freshness" whereas in actual fact there
> are situations which would fall outside of this.
>
> Regards, Dave
>
>
The big problem with your scenario is a misunderstanding on how a delta CRL is built. A delta
CRL contains all certificate revoked since the last publication of a *base* CRL. Your
continued publishing of base CRLs causes your problem, as each base CRL publication will wipe
out the contents of the delta CRL.

As Paul stated, this method just does not make sense when you combine base and delta CRLs. It
only makes sense in a case where you are not implementing delta CRLs.

I would look at methods of resigning an expired CRL if a CA fails and setting up a standard
base and delta CRL publication schedule. "Certutil -sign" is your friend.

Brian

Posted by Chipeater on August 8, 2006, 7:52 am
Please log in for more thread options
Brian,
Many thanks... but I want to explain that I don't have a
misunderstanding, I merely wanted assurance that the scenario as I
described was flawed... which you have confirmed.

Regards, Dave


Similar ThreadsPosted
Base Smart Card CSP Update December 7, 2005, 3:12 pm
PDC - BDC Conflicts August 17, 2007, 10:02 am
Windows Defender conflicts with spooler April 25, 2006, 3:49 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap