
Weekly Report Status

Name: M. Gayathri Santhosh

Designation: Project Associate

Reporting Officer: Dr. T. Reshmi

From the period of 06-02-2023 to 10-02-2023:

06-02-2023: EL

07-02-2023: Reporting Officer asked me to look for the developed CRL codes. Had a discussion with Mithran about malware analysis and dataset generation.

08-02-2023: Had a discussion about the modification of CRL partitioning in the existing model with the teammates and read the documents for possible implementation.

09-02-2023: Had a discussion with Santhosh regarding the project about implementing the research work. He asked about Bloom filters and explained how feasible it would be in the in-house CA.

10-02-2023: Drafted a document regarding the CRL codes and how we can incorporate our findings into the already developed CRL. The findings are attached below for your reference.

A certificate revocation list (CRL) provides a list of certificates that have been revoked. A client application, such as a web browser, can use a CRL to check a server's authenticity. A server application, such as Apache or OpenVPN, can use a CRL to deny access to clients that are no longer trusted. Publish the CRL at a publicly accessible location (e.g., http://example.com/intermediate.crl.pem). By default, the CRL expires after 30 days. This is controlled by the default_crl_days option in the [ CA_default ] section.

Perform the following steps to customize distribution point CRLs:

When a CA signs a certificate, it will normally encode the CRL location into the certificate. Add crlDistributionPoints to the appropriate sections. In our case, add it to the [ server_cert ] section.

The distribution point parameters below belong to the CertPolicy section of the PKI Services configuration file, pkiserv.conf.

Set the value of the EnableLargeCRLPosting parameter in the CertPolicy section of the PKI Services configuration file, pkiserv.conf, to T.

CRLDist=F (default) // No distribution point CRL will be created.

CRLDist=T // Distribution point CRLs will be created.

1) CRLDistSize
Specifies the maximum number of certificates to be managed by a single DP (our formula can be placed here). Determine your value for the CRLDistSize parameter based on the following algorithm. The default value specified in pkiserv.conf is 500. Your value should be based on your desired average number of CRL entries per distribution point and your estimated revoked-certificate percentage. When CRLs are posted to LDAP, a single CRL cannot exceed approximately 32K bytes in length, unless you have enabled support for large CRLs. For more information, see Enabling support for large CRLs. Hence, we are going with HTTP.
2) CRLDistName
Determine your value for the CRLDistName parameter. The default value is CRL. The common name portion of the distinguished name of each DP CRL is formed by appending the DP number to this value. The CA's name is also appended. The length of the entire DP distinguished name should not exceed 255 bytes. Update the value of CRLDistName in the CertPolicy section of pkiserv.conf to your customized value.

For example, with CRLDistName=CRL, the DP CRL is named CRL0, and the DP CRLs are named CRL1, CRL2, and so forth.

3) CRLDistURIn
Specifying this value will allow PKI Services to build a URI-formatted name (RFC 1738) for the DP CRL in each CRLDistributionPoints extension, if you also specified a CRLDistSize value greater than 1. You can specify multiple entries for the CRLDistURIn parameter, using the parameters CRLDistURI1, CRLDistURI2, and so forth. The URI format will not be created if you specify CRLDistURIn with an n value of 0.

CRLDistURI1 = http://www.bankxyz.com/Employees/crls/

This value is ignored if you did not specify CRLDistSize with a value greater than zero. When using virtual pathnames in an HTTP URI, a Pass statement will be required in the HTTP configuration file to map the virtual pathname to a real pathname. Update the value of CRLDistURIn in the CertPolicy section of pkiserv.conf to your customized value or values.

4) CRLDistDirPath
The CRLDistDirPath parameter specifies the full path of the var directory where PKI Services will save each DP CRL. The default value is /var/pkiserv/.

CRLDistDirPath = /var/pkiserv/Employees/

When using virtual pathnames in an HTTP URI, a Pass statement will be required in the HTTP configuration file to map the virtual pathname to a real pathname. We are generating the directory as "Employees". Hence, the Pass statement is

Pass /Employees/crls/* /var/pkiserv/Employees/*

The Pass statement is added to the HTTP configuration file.
The following snippet is a sequence of data structures in the Distinguished Encoding Rules (DER) format, a binary format commonly used to represent X.509 certificates and certificate revocation lists (CRLs). The sequence describes a set of CRL distribution points and is used to specify how clients can access the most current CRL for a given certificate.

The structure contains a set of attributes, each consisting of an object identifier (OID), which identifies the attribute type, and an associated value. In this case, the attributes are countryName, organizationName, organizationalUnitName, and commonName. The values associated with these attributes provide information about the entity responsible for the CRL, including its country, organization, organizational unit, and common name. The line OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31) identifies the extension by the OID named cRLDistributionPoints, whose value is 2 5 29 31.

SEQUENCE {
  OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
  OCTET STRING, encapsulates {
    SEQUENCE {
      SEQUENCE {
        [0] {
          [0] {
            [4] {
              SEQUENCE {
                SET {
                  SEQUENCE {
                    OBJECT IDENTIFIER countryName (2 5 4 6)
                    UTF8String (1997) 'US'
                  }
                }
                SET {
                  SEQUENCE {
                    OBJECT IDENTIFIER organizationName (2 5 4 10)
                    UTF8String (1997) 'Mycompany'
                  }
                }
                SET {
                  SEQUENCE {
                    OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
                    UTF8String (1997) 'Retail'
                  }
                }
                SET {
                  SEQUENCE {
                    OBJECT IDENTIFIER commonName (2 5 4 3)
                    UTF8String (1997) 'CRL0'
                  }
                }
              }
            }
          }
        }
      }
      SEQUENCE {
        [0] {
          [0] {
            [6] 'http://crl.MyCompany.de/CRL0.crl'
          }
        }
      }
      SEQUENCE {
        [0] {
          [0] {
            [6] 'ldap://ldap.MyCompany.de/CN=CRL0,OU=Retail,O=Mycompany,C=US?authorityRevocationList'
          }
        }
      }
    }
  }
}
This is an example of a cRLDistributionPoints extension (a CRL Distribution Point) in ASN.1 encoding.

In this example, three distribution points are provided: a directoryName (the distinguished name listed below) and two URIs:

'http://crl.MyCompany.de/CRL0.crl'

'ldap://ldap.MyCompany.de/CN=CRL0,OU=Retail,O=Mycompany,C=US?authorityRevocationList'

The CRL issuer is identified by the following information (the same name appears in the LDAP URI):

countryName: US

organizationName: Mycompany

organizationalUnitName: Retail

commonName: CRL0

The distribution points provide the URLs where a client can obtain the most current version of the CRL.

The OBJECT IDENTIFIER line indicates that this is an object identifier, which is a unique identifier used to specify a particular object, in this case "cRLDistributionPoints".

The OCTET STRING line indicates that the following data is encoded as an octet string, which is a sequence of 8-bit values that can be used to encode binary data.

The SEQUENCE structure inside the octet string encapsulates further information, in this case a sequence of sequences, one per distribution point.

The [0], [4] and [6] markers are context-specific tags, meaning that their interpretation depends on the context in which they are used: here [0] introduces the distribution point name, [4] a directoryName and [6] a uniformResourceIdentifier.

The OBJECT IDENTIFIER line with the value countryName specifies another object identifier, this time for the country name, and the UTF8String line with the value 'US' is a string encoded using the UTF-8 character set, indicating that the country name is "US".
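The extension dumped above, rebuilt and parsed in Python as an added example (not part of this report or of PKI Services): the encoder reproduces the tag bytes the dump shows ([0], [4], [6] and the OCTET STRING wrapper) and crl_uris() walks the DER back out to the URIs a client would fetch. The DN and URLs are the constructed sample values from the dump; all function names are assumptions of this example.

```python
def tlv(tag, payload):  # DER tag-length-value; long-form length once the payload reaches 128 bytes
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def oid(dotted):  # OBJECT IDENTIFIER: 40*a+b packs the first two arcs, the rest are base-128
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return tlv(0x06, bytes(body))

def directory_name(rdns):  # GeneralName [4] EXPLICIT Name (constructed tag 0xA4, as in the dump)
    return tlv(0xA4, tlv(0x30, b"".join(  # Name = SEQUENCE OF SET { SEQUENCE { type, UTF8String } }
        tlv(0x31, tlv(0x30, oid(o) + tlv(0x0C, v.encode()))) for o, v in rdns)))

def uri_name(url):  # GeneralName [6] IMPLICIT IA5String (primitive tag 0x86)
    return tlv(0x86, url.encode("ascii"))

def distribution_point(general_name):  # SEQUENCE { [0] distributionPoint { [0] fullName GeneralNames } }
    return tlv(0x30, tlv(0xA0, tlv(0xA0, general_name)))

def crl_dp_extension(points):  # SEQUENCE { OID 2.5.29.31, OCTET STRING { SEQUENCE OF DistributionPoint } }
    return tlv(0x30, oid("2.5.29.31") + tlv(0x04, tlv(0x30, b"".join(points))))

def read_tlv(buf, pos=0):  # -> (tag, payload, position just after this TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def crl_uris(ext):  # every [6] URI GeneralName, descending into constructed TLVs and the extnValue wrapper
    found, pos = [], 0
    while pos < len(ext):
        tag, payload, pos = read_tlv(ext, pos)
        if tag == 0x86:
            found.append(payload.decode("ascii"))
        elif tag & 0x20 or tag == 0x04:
            found += crl_uris(payload)
    return found
# Constructed sample: the directoryName and the two URIs exactly as printed in the dump above.
PAGE_DN = [("2.5.4.6", "US"), ("2.5.4.10", "Mycompany"), ("2.5.4.11", "Retail"), ("2.5.4.3", "CRL0")]
EXAMPLE = crl_dp_extension([distribution_point(directory_name(PAGE_DN)),
                            distribution_point(uri_name("http://crl.MyCompany.de/CRL0.crl")),
                            distribution_point(uri_name("ldap://ldap.MyCompany.de/CN=CRL0,OU=Retail,O=Mycompany,C=US?authorityRevocationList"))])
```

crl_uris(EXAMPLE) returns the HTTP URI followed by the LDAP URI; the directoryName point contributes no URI, since it names the directory entry (CN=CRL0,OU=Retail,O=Mycompany,C=US) rather than a location to fetch from.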
