Thanks everyone. That clarified things. It appears that I may need to
make a special case :-( for processing the particular case I
encountered....

Jayant

----- Original Message -----
Sent: Tuesday, December 12, 2000 12:17 PM
Subject: RE: Question about CRL DP

Sharon:
Thanks for the more complete answer than the one
that I posted. And, we gave consistent answers.
Russ

At 08:20 AM 12/12/2000 -0500, Sharon Boeyen wrote:

The CRL distribution points extension can appear in either a
CA-certificate or an end-entity certificate. Regardless of the certificate
type, the revocation list pointed to is one that would list the certificate
(if it had been revoked) that contains the extension. So, if you find the
extension in a CA-certificate it is pointing to an ARL (or a CRL that
contains revocation notices for CA-certificates). While it is possible that
the revocation list being pointed to also contains revocation notices for
end-entity certs, you can't assume that from this instance of the extension.
That would be indicated separately in the end-entity certs themselves.

Hope this helps
Sharon

-----Original Message-----
From: Jayant Sane (Exchange) [mailto:jayant@eLock.com]
Sent: Monday, December 11, 2000 3:52 PM
To: Pkix List
Subject: Question about CRL DP

This might be a naive question. Is it allowed/std practice to put the
CRLDP extension in the issuer (CA) cert such that the CRL pointed to
contains/lists revoked end-entity certs (issued by it)? I came across the
following certificate. End-entity cert has an AIA extension pointing to
its issuer cert and the issuer cert has both AIA, to its issuer, and CRLDP
presumably pointing to a CRL containing end-entity certs. The specs
haven't been very clear on the placement of this extension (unless I am
overlooking something) -- whether it is more appropriate to put the CRLDP
in the end-entity cert itself as compared to the CA cert. The one in the
CA could be interpreted as one pointing to the CRL issued by its issuer.

Some clarification would be greatly appreciated.

thanks,
Jayant
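
The scoping rule from the thread, as an added example that is not from any of the list participants: each certificate is checked only against the CRLDP it carries itself, and the issuer's CRLDP is never borrowed for the subject. The Cert/Crl model, names, serials and URL are constructed; the sketch assumes direct CRLs only (no cRLIssuer or issuingDistributionPoint handling).

```python
from dataclasses import dataclass, field

@dataclass
class Cert:                      # simplified model, not a real X.509 parser
    subject: str
    issuer: str
    serial: int
    crldp: list = field(default_factory=list)   # URLs in this cert's own CRLDP

@dataclass
class Crl:
    issuer: str
    revoked: set                 # revoked serial numbers

def check(cert, dp_urls, fetch):
    """Status of `cert` against the lists found at `dp_urls`."""
    status = "undetermined"
    for url in dp_urls:
        crl = fetch(url)
        # Assumption: direct CRLs only, so the list must come from cert's issuer.
        if crl is None or crl.issuer != cert.issuer:
            continue
        if cert.serial in crl.revoked:
            return "revoked"
        status = "good"
    return status

def check_chain(chain, fetch):
    """Scoped rule: each cert is checked only via the CRLDP it carries itself."""
    return {c.subject: check(c, c.crldp, fetch) for c in chain}

def borrowed_dp_check(ee, issuer_cert, fetch):
    """The mistake: treat the CA cert's CRLDP as covering the certs it issued,
    and match on serial number alone."""
    return any(ee.serial in crl.revoked
               for crl in map(fetch, issuer_cert.crldp) if crl)

# Constructed data mirroring the thread: EE has no CRLDP, its issuer has one.
ROOT, CA = "CN=Example Root", "CN=Example Issuing CA"
ARL_URL = "http://crl.example.test/root-arl.crl"
CRLS = {ARL_URL: Crl(issuer=ROOT, revoked={7})}       # list of revoked CA certs
ca_cert = Cert(CA, ROOT, serial=2, crldp=[ARL_URL])
ee_cert = Cert("CN=ee.example.test", CA, serial=7)    # serial 7, different issuer

if __name__ == "__main__":
    print(check_chain([ee_cert, ca_cert], CRLS.get))
    print("borrowed DP says EE revoked:", borrowed_dp_check(ee_cert, ca_cert, CRLS.get))
```

The end-entity cert comes back "undetermined" because it names no distribution point of its own, so a verifier needs a locally configured CRL source for it; the borrowed check reports it revoked only because serial 7 collides with a CA certificate revoked by a different issuer.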