Re: Question about CRL DP
RFC 2459, section 4.2.1.14 says:
The CRL distribution points extension identifies how CRL information
is obtained. The extension SHOULD be non-critical, but this profile
recommends support for this extension by CAs and applications.
Further discussion of CRL management is contained in section 5.
If the cRLDistributionPoints extension contains a
DistributionPointName of type URI, the following semantics MUST be
assumed: the URI is a pointer to the current CRL for the associated
reasons and will be issued by the associated cRLIssuer. The expected
values for the URI are those defined in 4.2.1.7. Processing rules for
other values are not defined by this specification. If the
distributionPoint omits reasons, the CRL MUST include revocations for
all reasons. If the distributionPoint omits cRLIssuer, the CRL MUST
be issued by the CA that issued the certificate.
We should probably be more explicit in the first sentence. The CRL DP
extension tells how to obtain CRL information for the certificate that
contains the extension. I will try to improve the sentence before
son-of-RFC 2459 goes to last call.
Russ
At 03:52 PM 12/11/2000 -0500, Jayant Sane wrote:
This might be a naive question.
Is it allowed/standard practice to put the CRLDP extension in the issuer (CA)
cert such that the CRL pointed to contains/lists revoked end-entity certs
(issued by it)?
I came across following certificate.
End-entity cert has an AIA extension pointing to its issuer cert and the
issuer cert has both AIA, to its issuer, and CRLDP presumably pointing to
a CRL containing end-entity certs. The specs haven't been very clear on
the placement of this extension (unless I am overlooking something) --
whether it is more appropriate to put the CRLDP in the end-entity cert
itself as compared to the CA cert.
The one in the CA could be interpreted as one pointing to the CRL issued
by its issuer.
Some clarification would be greatly appreciated.
thanks,
Jayant
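Russ's rule above (the CRL DP in a certificate says where the CRL covering that certificate is published, and with cRLIssuer absent that CRL must be signed by the certificate's own issuer), applied to the chain Jayant describes, as an added example in Go using only the standard library crypto/x509 package. It is not code from this thread or from any project. The chain, the pki.example.test URLs and both CRLs are constructed inside the program and nothing is fetched over the network; BuildDemo, RevocationSource and CheckRevocation are names chosen for this example. The CA certificate's CRL DP resolves to the Root-issued CRL about the CA certificate itself, which is the reading Jayant mentions at the end of his message; the end-entity certificate's own CRL DP is where its revocation is published, and the checker refuses a CRL whose issuer is not the certificate's issuer instead of reporting "not revoked".

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed URLs: nothing is fetched from them, they only record which certificate carries which pointer.
const (
	rootCRLURL = "http://pki.example.test/root.crl" // issued by Root; lists revoked CA certs
	caCRLURL   = "http://pki.example.test/ca.crl"   // issued by CA; lists revoked end-entity certs
)

// check panics on error; acceptable because every input below is constructed, not read from outside.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// sign issues tmpl under parent's key and returns the parsed certificate (so RawSubject, SubjectKeyId are set).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// BuildDemo builds the chain from the thread (EE -> CA -> Root, AIA caIssuers on EE and CA) and one CRL per
// issuing CA. Each CRL DP names the CRL that covers the certificate it sits in. Returned chain order is
// chain[0] = EE, chain[1] = CA, chain[2] = Root; caCRL (DER) revokes the EE, rootCRL (DER) revokes nothing.
func BuildDemo() (chain []*x509.Certificate, caCRL, rootCRL []byte) {
	rootKey, caKey, eeKey := newKey(), newKey(), newKey()
	now := time.Now()
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootT := tmpl(1, "Example Root")
	root := sign(rootT, rootT, &rootKey.PublicKey, rootKey)
	caT := tmpl(2, "Example CA")
	caT.CRLDistributionPoints = []string{rootCRLURL} // about the CA cert itself; Root issues that CRL
	caT.IssuingCertificateURL = []string{"http://pki.example.test/root.crt"}
	ca := sign(caT, root, &caKey.PublicKey, rootKey)
	eeT := tmpl(3, "ee.example.test")
	eeT.IsCA, eeT.KeyUsage = false, x509.KeyUsageDigitalSignature
	eeT.CRLDistributionPoints = []string{caCRLURL} // about the EE cert; CA issues that CRL
	eeT.IssuingCertificateURL = []string{"http://pki.example.test/ca.crt"}
	ee := sign(eeT, ca, &eeKey.PublicKey, caKey)
	crl := func(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate) []byte {
		der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
			Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(12 * time.Hour),
			RevokedCertificates: revoked, // deprecated since Go 1.21 (RevokedCertificateEntries) but still honoured
		}, issuer, key)
		check(err)
		return der
	}
	caCRL = crl(ca, caKey, []pkix.RevokedCertificate{{SerialNumber: ee.SerialNumber, RevocationTime: now}})
	return []*x509.Certificate{ee, ca, root}, caCRL, crl(root, rootKey, nil)
}

// RevocationSource answers the thread's question for chain[i]: the CRL that can revoke *this* certificate is
// the one named in its own CRL DP and, the DP omitting cRLIssuer, is issued by its own issuer, chain[i+1].
// The CRL DP found in chain[i+1] is about chain[i+1], not about chain[i]. A trust anchor has no issuer here.
func RevocationSource(chain []*x509.Certificate, i int) ([]string, *x509.Certificate, error) {
	if i < 0 || i+1 >= len(chain) {
		return nil, nil, errors.New("no issuer in chain for this certificate")
	}
	if len(chain[i].CRLDistributionPoints) == 0 {
		return nil, nil, errors.New("certificate carries no cRLDistributionPoints URI")
	}
	return chain[i].CRLDistributionPoints, chain[i+1], nil
}

// CheckRevocation checks cert against a CRL supposedly fetched from cert's own CRL DP. The CRL must name and
// be signed by cert's issuer and must be current; anything else is an error, never a silent "not revoked".
func CheckRevocation(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if !bytes.Equal(rl.RawIssuer, cert.RawIssuer) {
		return false, errors.New("CRL issuer differs from certificate issuer")
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return false, errors.New("CRL is not current")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	chain, caCRL, rootCRL := BuildDemo()
	for i, c := range chain {
		if uris, issuer, err := RevocationSource(chain, i); err != nil {
			fmt.Printf("%s: %v\n", c.Subject.CommonName, err)
		} else {
			fmt.Printf("%s: CRL at %v, must be signed by %q\n", c.Subject.CommonName, uris, issuer.Subject.CommonName)
		}
	}
	fmt.Println(CheckRevocation(chain[0], chain[1], caCRL, time.Now()))   // true <nil>: the EE's own DP
	fmt.Println(CheckRevocation(chain[0], chain[1], rootCRL, time.Now())) // false + issuer error: the CA's DP
}
```

Needs Go 1.19 or later for x509.ParseRevocationList and RevocationList.CheckSignatureFrom. The RevokedCertificates field is deprecated since Go 1.21 in favour of RevokedCertificateEntries, but CreateRevocationList and the parser still honour it, which keeps the example building on Go 1.19 and 1.20. Go's parser keeps only the URI general names from the extension: a DistributionPointName given as a relative name, a reasons mask or a cRLIssuer is not visible through CRLDistributionPoints and would have to be read from the raw extension.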