RE: Structuring Denis issues RE: Comments on <draft-ietf-pkix-crlaia-00.txt>

["Stefan Santesson" <stefans@xxxxxxxxxxxxx>]

Denis,

Thanks for the clarification.
Yes, we agree on issue number 1 (remove SHOULD and MUST)

So the remaining issue is:

Problem: The security considerations talk about "mitigation" of the name
collision problem but gives inadequate advice.

Your proposed resolution

 a) warn the user that the CRL where this extension was found may not be
    the right one.
 
 b) warn the user that the CRL issuer certificate he might obtain using
    this extension may not be the right one.
 
 c) provide guidance on how to GUARANTEE that the CRL Issuer is indeed
    the one nominated by the CA that has issued the target certificate
    (i.e. when the CRL Issuer certification path and the target
    certificate certification path are identical).
 
 d) say that other possibilities exists, but need additional trust
    conditions (there are zillions of such possible trust conditions).


To complete the picture it would now be very helpful if you, for each of
these statements, could confirm or explain how these issues are a result
of using the AIA extension in CRLs. Or in other words, which of these
security considerations could you ignore (would go away) if you were NOT
using the AIA extension in a CRL to locate the CRL Issuer certificate.



Stefan Santesson
Program Manager, Standards Liaison
Windows Security