The IESG has approved the following document:

- 'Clarification to Processing Key Usage Values During Certificate Revocation List (CRL) Validation'
  (draft-ietf-lamps-keyusage-crl-validation-04.txt) as Proposed Standard

This document is the product of the Limited Additional Mechanisms for PKIX and SMIME Working Group.

The IESG contact persons are Paul Wouters and Deb Cooley.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-lamps-keyusage-crl-validation/

Technical Summary

RFC 5280 defines the profile of X.509 certificates and certificate revocation lists (CRLs) for use in the Internet. This profile requires that certificates which certify keys for signing CRLs contain the key usage extension with the cRLSign bit asserted. Additionally, RFC 5280 defines steps for the validation of CRLs. While RFC 5280 already requires CRL validators to verify that the cRLSign bit is asserted in the keyUsage extension of the CRL issuer's certificate, this document clarifies that relying parties must also verify that the keyUsage extension is actually present in the CRL issuer's certificate. This check remediates a potential security issue that arises when relying parties accept a CRL signed by a certificate that has no keyUsage extension at all and therefore never explicitly asserts the cRLSign bit.

Working Group Summary

During the WG Last Call there was a very active discussion in late June 2025, and the modifications made to the document reflect the consensus that was reached.

Document Quality

There are several implementations. This specification discusses ASN.1, but adds no definitions.

Personnel

The Document Shepherd for this document is Russ Housley. The Responsible Area Director is Deb Cooley.

_______________________________________________
IETF-Announce mailing list
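The check described in the Technical Summary, as an added example that is not part of the announcement, the draft, or any of its implementations: a relying party must reject a CRL whose issuer certificate either lacks the keyUsage extension entirely or has it without the cRLSign bit. The code below decodes the DER BIT STRING of a KeyUsage extension value by hand and applies the check, with a `require_extension` switch that reproduces the lenient behaviour the draft closes off (accepting a signer with no keyUsage extension). The `extensions` dictionary mapping dotted OID to DER extnValue is an assumed stand-in for the output of a real X.509 parser, and all certificate data is constructed inline.

```python
"""
Example (not from draft-ietf-lamps-keyusage-crl-validation): verify that a
CRL issuer certificate carries the keyUsage extension AND asserts cRLSign.
"""
from typing import Dict, Set, Tuple

KEY_USAGE_OID = "2.5.29.15"  # id-ce-keyUsage

# RFC 5280 KeyUsage named bits.  Bit 0 is the most significant bit of the
# first content octet of the BIT STRING.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def decode_key_usage(der: bytes) -> Set[str]:
    """Decode a DER-encoded KeyUsage BIT STRING into the set of asserted bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("KeyUsage value is not a DER BIT STRING")
    length = der[1]
    # Short-form length only; a KeyUsage BIT STRING is at most a few octets.
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or unsupported BIT STRING length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("invalid unused-bits count")
    nbits = len(body) * 8 - unused
    asserted = set()
    for name, idx in KEY_USAGE_BITS.items():
        if idx < nbits and body[idx // 8] & (0x80 >> (idx % 8)):
            asserted.add(name)
    return asserted


def crl_signer_acceptable(extensions: Dict[str, bytes],
                          require_extension: bool = True) -> Tuple[bool, str]:
    """
    Decide whether a certificate may sign CRLs.

    extensions: dotted OID -> DER extnValue of the CRL issuer's certificate
                (assumed stand-in for a real X.509 parser's output).
    require_extension=True  : the behaviour the draft clarifies (extension must exist).
    require_extension=False : the lenient reading the draft closes, where a missing
                              keyUsage extension was not treated as a failure.
    """
    der = extensions.get(KEY_USAGE_OID)
    if der is None:
        if require_extension:
            return False, "keyUsage extension absent, so cRLSign is not asserted"
        return True, "keyUsage absent; lenient validator skipped the check"
    usage = decode_key_usage(der)
    if "cRLSign" not in usage:
        return False, "cRLSign not asserted (bits: %s)" % sorted(usage)
    return True, "cRLSign asserted"


# Constructed sample extension sets (not real certificates).
# 03 02 01 06: BIT STRING, 1 unused bit, 0000 011x -> keyCertSign + cRLSign
SIGNER_WITH_CRLSIGN = {KEY_USAGE_OID: bytes.fromhex("03020106")}
# 03 02 07 80: BIT STRING, 7 unused bits, 1xxx xxxx -> digitalSignature only
SIGNER_DIGSIG_ONLY = {KEY_USAGE_OID: bytes.fromhex("03020780")}
# No keyUsage extension at all: the case the draft requires rejecting.
SIGNER_NO_KEYUSAGE: Dict[str, bytes] = {}


if __name__ == "__main__":
    for label, exts in [("CA with cRLSign", SIGNER_WITH_CRLSIGN),
                        ("digitalSignature only", SIGNER_DIGSIG_ONLY),
                        ("no keyUsage extension", SIGNER_NO_KEYUSAGE)]:
        strict = crl_signer_acceptable(exts)
        lenient = crl_signer_acceptable(exts, require_extension=False)
        print(f"{label:24s} strict={strict} lenient={lenient}")
```

The third sample is the interesting one: a validator that only tests "cRLSign bit asserted" on an extension it never confirmed exists can fall through to acceptance, which is exactly the gap the clarification removes.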
