
RE: RE: CRL sequence issues



Dear Mr. Pinkas,
I really appreciate that at least you replied to my contribution but,
please, try to pay a little more attention to what I am concerned about.

The Complete Revocation Refs attribute (described in 4.2.2) references
the full set of CRLs or OCSP responses that HAVE BEEN used in the
validation of the signer and CA certificates used in an ES with Complete
validation data.

My question relates more to the initial phase of the validation process,
when I am still collecting various validation data (e.g. CRLs) to be
able to perform the full validation. For various reasons, I may not be
able to obtain some CRL at the time it was issued by the CA. So, I need to
perform some automatic checks regularly to make sure that my local CRL
cache (on the basis of which I compose and later fully validate the ES-C) is
complete and up-to-date. The point is that I MUST NOT miss any CRL.

Do CRLs themselves (or any other PKIX objects) provide any means to
ensure this?

With hope that my question will be addressed,
Robert Vittek


-----Original Message-----
From: Denis Pinkas [mailto:denis.pinkas@xxxxxxxx] 
Sent: Wednesday, June 08, 2005 1:06 PM
To: Vittek Robert
Cc: ietf-pkix@xxxxxxx
Subject: Re: RE: CRL sequence issues


> I went through RFC 3126, but it does not address the problem I
> was asking about.

> I will try to make it more simple:
> How can I check (automatically) using only CRL extensions that I have
> all needed CRLs in my local cache. It may be crucial in some cases not
> to miss any single CRL.

RFC 3126 uses revocation status information references.
The crlHash may be used to make sure that the information is in the
cache.
See section 4.2.2, "Complete Revocation Refs Attribute Definition".

Denis
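The automatic cache check Mr. Vittek asks about, as an added example that is not part of the thread and not Mr. Pinkas's answer: it assumes the issuer's CRLs carry the CRL Number extension (RFC 5280, section 5.2.3) and uses thisUpdate/nextUpdate to find windows for which the cache holds no revocation data at all; the record type, function names and the sample cache are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CrlRecord:
    """Fields a cache keeps per CRL: the CRL Number extension value
    (RFC 5280, section 5.2.3) plus thisUpdate/nextUpdate from the CRL body."""
    crl_number: int
    this_update: datetime
    next_update: datetime


def find_cache_gaps(crls, now):
    """Check one issuer's cached CRLs for signs that a CRL was missed.

    Returns a list of findings:
      ("number_gap", a, b)   : numbers jump from a to b; RFC 5280 only requires
                               the number to increase, so treat it as a hint to
                               re-fetch, not as proof that a CRL was lost
      ("coverage_gap", a, b) : CRL a expired before CRL b was issued, so some
                               time window has no cached revocation data at all
      ("order", a, b)        : b has a higher number but an earlier thisUpdate
      ("stale", n)           : the newest cached CRL n is past nextUpdate at now
    """
    findings = []
    ordered = sorted(crls, key=lambda c: c.crl_number)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.crl_number != prev.crl_number + 1:
            findings.append(("number_gap", prev.crl_number, cur.crl_number))
        if cur.this_update < prev.this_update:
            findings.append(("order", prev.crl_number, cur.crl_number))
        if cur.this_update > prev.next_update:
            findings.append(("coverage_gap", prev.crl_number, cur.crl_number))
    if ordered and now > ordered[-1].next_update:
        findings.append(("stale", ordered[-1].crl_number))
    return findings


# Constructed sample cache (not real CRLs): weekly CRLs where number 12 was
# never fetched, leaving 2005-06-15 to 2005-06-16 uncovered.
SAMPLE_CACHE = [
    CrlRecord(11, datetime(2005, 6, 8), datetime(2005, 6, 15)),
    CrlRecord(10, datetime(2005, 6, 1), datetime(2005, 6, 8)),
    CrlRecord(13, datetime(2005, 6, 16), datetime(2005, 6, 23)),
]
SAMPLE_NOW = datetime(2005, 6, 20)


def check_sample():
    """Run the check over the constructed cache as of SAMPLE_NOW."""
    return find_cache_gaps(SAMPLE_CACHE, SAMPLE_NOW)


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```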