Re: Two questions on delta-CRL
I believe the requirement for issuing a complete CRL when a delta CRL is
released makes sense. It permits applications that don't understand delta
CRLs to obtain the most recent information. Overall network bandwidth usage
is still reduced to the extent that other delta-CRL-capable applications do
make use of the delta CRL rather than retrieving a full CRL. The
availability of a current full CRL also allows an application to
resynchronize at any point.
Denis Pinkas wrote:
> In section 5.2.4 (Delta CRL Indicator), RFC 2459 states:
>
> The delta CRL indicator is a critical CRL extension that identifies a
> delta-CRL. The use of delta-CRLs can significantly improve
> processing time for applications which store revocation information
> in a format other than the CRL structure. This allows changes to be
> added to the local database while ignoring unchanged information that
> is already in the local database.
>
> When a delta-CRL is issued, the CAs MUST also issue a complete CRL.
>
> (...) Again, a delta-CRL MUST NOT be issued without a corresponding
> complete CRL.
>
> The two questions are the following:
>
> 1) What is the rationale for mandating the issuance of a complete CRL each
> time a delta-CRL is issued?
> 2) Under which conditions could this requirement be relaxed?
>
> Denis
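The trade-off under discussion, as an added illustration that is not part of the thread: a delta-aware application merges the delta CRL into a local database kept in a non-CRL format, while a delta-unaware one (or one that has missed a base) takes the complete CRL that RFC 2459 requires to be issued alongside. Simplified model with no ASN.1 or signature checks; the rule that a delta is usable whenever the local state is at least as new as its BaseCRLNumber, and the handling of removeFromCRL entries, are assumptions of this example.

```python
from collections import namedtuple

REMOVE_FROM_CRL = 8  # CRLReason removeFromCRL (RFC 2459 5.3.1): entry leaves the CRL
# Complete CRL: its CRL number and the revoked serials.
FullCRL = namedtuple("FullCRL", "crl_number revoked")
# Delta CRL: its number, the BaseCRLNumber from the Delta CRL Indicator (RFC 2459
# 5.2.4), and the changes since that base as {serial: CRLReason}.
DeltaCRL = namedtuple("DeltaCRL", "crl_number base_crl_number entries")

class LocalRevocationDB:
    """Application-side store kept in a non-CRL format (here just a set)."""
    def __init__(self):
        self.crl_number, self.revoked = 0, set()

    def resync(self, full):
        """Replace local state with a complete CRL; the only path for a delta-unaware app."""
        self.crl_number, self.revoked = full.crl_number, set(full.revoked)

    def apply_delta(self, delta):
        """Merge a delta; refuse it if it assumes a newer base than we hold (coverage gap)."""
        if delta.base_crl_number > self.crl_number:  # assumption: base must be <= local
            return False
        for serial, reason in delta.entries.items():
            if reason == REMOVE_FROM_CRL:
                self.revoked.discard(serial)
            else:
                self.revoked.add(serial)
        self.crl_number = delta.crl_number
        return True

def update(db, delta, fetch_full):
    """Prefer the small delta; fall back to the complete CRL to resynchronize."""
    if db.apply_delta(delta):
        return "delta"
    db.resync(fetch_full())
    return "full"

def run_scenario():
    """Constructed sample CRLs (not from the thread)."""
    full10 = FullCRL(10, {1001, 1002})
    delta11 = DeltaCRL(11, 10, {1003: 1, 1002: REMOVE_FROM_CRL})  # 1002 taken off hold
    full13 = FullCRL(13, {1001, 1003, 1004})
    delta13 = DeltaCRL(13, 12, {1004: 1})  # its base (12) was never fetched locally
    db = LocalRevocationDB()
    db.resync(full10)
    first = update(db, delta11, lambda: full13)    # "delta": merged, now at 11
    second = update(db, delta13, lambda: full13)   # "full": gap forced a resync
    return first, second, db.crl_number, db.revoked
```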