SCEP GetCRL


David Pomeroy

Jun 10, 2011, 9:29:08 PM
to jscep-...@googlegroups.com
Hello All,

I'm trying to understand how and why the GetCRL message is used in
SCEP.  The spec (section 2.7) is a bit ambiguous on this (probably by
design).  I can think of 3 different scenarios on how CRLs could be
used:

1) A SCEP client wants to check to see if his own certificate that has
already been issued has not been revoked.  Perhaps to know if/when to
re-enroll, or just to become aware of his own state.
2) A SCEP client wants to check that the SCEP server's certificate has
not been revoked. Perhaps this is done before enrollment as part of a
verification that the client is talking to a valid SCEP server.
Perhaps this is done some time after enrollment to check if the client
certificate is still valid.
3) A server wishing to validate a client with a SCEP-issued
certificate wants to check with the SCEP server that the client's
certificate has not been revoked, i.e. obtain the SCEP server's CRL.
This could be done using a CRL distribution point baked into the
client certificate, which would be the SCEP server's GetCRL URL.

The jSCEP client (Client.java) getRevocationList() method retrieves
the SCEP server's certificate and provides the issuer name and serial
number of that certificate with its request for the CRL.  That seems
to line up most with scenario #2 above.  But it seems to me that the
client should really be contacting the issuer of the SCEP server's
certificate, not the SCEP server itself.

This may be a more general PKI question, but I would appreciate if
someone could shed some light on the intent of the GetCRL message
in SCEP.  Namely, who in the PKI should be calling it and why.

Thanks, Dave
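The issuer name and serial number that the jSCEP getRevocationList() request sends are carried in SCEP as a PKCS#7 IssuerAndSerialNumber. The following is an added example, not jSCEP's code, that DER-encodes and strictly decodes that structure in pure Python, assuming (as a simplification) an issuer Name made up of a single CN attribute; the decoded issuer names the CA whose CRL is being requested, which is the heart of the "who should the client contact" question.

```python
# Added example, not jSCEP code. Assumption: the issuer Name is a single CN.
OID_CN = b"\x06\x03\x55\x04\x03"  # id-at-commonName (2.5.4.3) as a DER TLV
def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body
def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 is added when the top bit is set."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_name_cn(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { OID, UTF8String }."""
    return tlv(0x30, tlv(0x31, tlv(0x30, OID_CN + tlv(0x0C, cn.encode()))))
def encode_issuer_and_serial(issuer_cn: str, serial: int) -> bytes:
    """IssuerAndSerialNumber ::= SEQUENCE { issuer Name, serialNumber INTEGER }."""
    return tlv(0x30, der_name_cn(issuer_cn) + der_integer(serial))
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_issuer_and_serial(der: bytes):
    """Strict inverse of encode_issuer_and_serial; rejects trailing bytes."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("IssuerAndSerialNumber must be a single SEQUENCE")
    tag, name, pos = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("issuer must be a Name SEQUENCE")
    tag, serial, pos = _read_tlv(body, pos)
    if tag != 0x02 or pos != len(body):
        raise ValueError("serialNumber must be the final INTEGER")
    cn, p = None, 0
    while p < len(name):                    # each RDN is a SET of one ATV here
        _, rdn, p = _read_tlv(name, p)
        _, atv, _ = _read_tlv(rdn, 0)
        t_oid, oid, q = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, q)
        if t_oid == 0x06 and oid == OID_CN[2:]:
            cn = value.decode("utf-8")
    return cn, int.from_bytes(serial, "big", signed=True)
```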

David Grant

Jun 13, 2011, 7:20:25 AM
to jscep-...@googlegroups.com
Hi Dave,

It looks to me like the GetCRL functionality is scope-creep in the SCEP specification, and should be widely ignored.  However, all of the use cases you describe should be supported by the client, irrespective of how likely it is that the SCEP server would respond with a CRL.

Can you add an issue for adding name and serial number parameters to the client method?

Dave

Dave

Jun 13, 2011, 1:48:50 PM
to jscep Support
http://code.google.com/p/jscep/issues/detail?id=47

On Jun 13, 4:20 am, David Grant <da...@grant.org.uk> wrote:
> Hi Dave,
>
> It looks to me like the GetCRL functionality is scope-creep in the SCEP
> specification, and should be widely ignored.  However, all of the use cases
> you describe should be supported by the client, irrespective of how likely
> it is that the SCEP server would respond with a CRL.
>
> Can you add an issue for adding name and serial number parameters to the
> client method?
>
> Dave
>

David Grant

Jun 13, 2011, 2:15:55 PM
to jscep-...@googlegroups.com
Thanks Dave