RFC 2459 does not require that CRLs contain an Issuing Distribution Point extension. Does this mean that a CA may issue *partial* CRLs without including an Issuing Distribution Point Extension? If the answer is yes, it is not possible for a relying party to safely determine if a certificate has not been revoked by inspecting a CRL without an Issuing Distribution Point extension. It cannot assume that a single CRL is an exhaustive list and it also cannot assume a sequence of CRLs when taken as one is an exhaustive list. Therefore a relying party cannot safely determine that the certificate in question has not been revoked.

RFC 2587 (LDAP v2 schema) states that CAs may choose to store partial CRLs containing revoked CA certs only in the authorityRevocationList attribute, but makes no mention as to whether or not those CRLs should contain an Issuing Distribution Point extension. We claim they must in order for a relying party to be sure that the CRL is a partial CRL containing an exhaustive list of revoked CA certs only.

Have there been any partial CRLs deployed w/o Issuing Distribution Point extensions?

We think that RFC 2459 should be changed (or made more clear) to make the Issuing Distribution Point extension mandatory for CAs which split CRLs according to reason codes or user/CA type, and that relying parties should treat CRLs without an Issuing Distribution Point extension as complete (exhaustive) CRLs.

--
Sean Mullan                     Email: sean.mullan@sun.com
Sun Microsystems Laboratories   Tel:   (781) 442-0926
One Network Drive               Fax:   (781) 442-1692
Burlington, MA 01803-0902
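As an added illustration (not part of Sean Mullan's post and not code from any deployed CA or client), the following pure-Python snippet decodes the DER value of the Issuing Distribution Point extension (id-ce 2.5.29.28, RFC 2459 section 5.2.5) and applies the relying-party rule the post argues for: a CRL with no IDP is treated as complete, while a CRL with an IDP is exhaustive only for the certificate type and reason codes it declares. The sample DER values and the function names are this example's own.

```python
# Decoder for IssuingDistributionPoint ::= SEQUENCE {
#   distributionPoint [0] OPTIONAL, onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
#   onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, onlySomeReasons [3] ReasonFlags OPTIONAL,
#   indirectCRL [4] BOOLEAN DEFAULT FALSE, onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
REASONS = ["unspecified", "keyCompromise", "cACompromise", "affiliationChanged", "superseded",
           "cessationOfOperation", "certificateHold", "privilegeWithdrawn", "aACompromise"]

def _read_tlv(data, pos):
    """Read one DER tag-length-value starting at pos; returns (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _reason_flags(bitstring):
    """Decode a ReasonFlags BIT STRING; first byte is the count of unused trailing bits."""
    unused, content = bitstring[0], bitstring[1:]
    nbits = len(content) * 8 - unused
    return {REASONS[i] for i in range(min(nbits, len(REASONS)))
            if content[i // 8] >> (7 - i % 8) & 1}

def parse_idp(der):
    """Return the IDP fields as a dict; raises ValueError on an unexpected encoding."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("IssuingDistributionPoint must be a single SEQUENCE")
    fields = {"distribution_point": False, "only_user_certs": False, "only_ca_certs": False,
              "only_some_reasons": None, "indirect_crl": False, "only_attribute_certs": False}
    booleans = {0x81: "only_user_certs", 0x82: "only_ca_certs",
                0x84: "indirect_crl", 0x85: "only_attribute_certs"}
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0xA0:                                 # [0] distributionPoint (constructed)
            fields["distribution_point"] = True
        elif tag in booleans:                           # [1], [2], [4], [5] BOOLEAN
            fields[booleans[tag]] = val != b"\x00"
        elif tag == 0x83:                               # [3] onlySomeReasons
            fields["only_some_reasons"] = _reason_flags(val)
        else:
            raise ValueError("unexpected tag 0x%02x in IssuingDistributionPoint" % tag)
    return fields

def crl_is_exhaustive_for(idp_der, cert_is_ca):
    """The post's rule: no IDP means a complete CRL; with an IDP, the CRL is exhaustive
    for this certificate only if it covers the certificate's type and every reason code."""
    if idp_der is None:
        return True
    f = parse_idp(idp_der)
    if f["distribution_point"] or f["indirect_crl"] or f["only_attribute_certs"]:
        return False    # would need matching against the cert's own CRL DP; stay conservative
    if f["only_some_reasons"] is not None:
        return False    # a revocation for another reason code would be listed elsewhere
    return not (f["only_ca_certs"] and not cert_is_ca) and not (f["only_user_certs"] and cert_is_ca)

# Constructed sample extension values (hex DER), not taken from any deployed CRL
IDP_CA_ONLY = bytes.fromhex("30038201ff")                # onlyContainsCACerts TRUE
IDP_USER_ONLY = bytes.fromhex("30038101ff")              # onlyContainsUserCerts TRUE
IDP_CA_KEYCOMP = bytes.fromhex("30078201ff83020640")     # CA certs only, onlySomeReasons {keyCompromise}
```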