Re: Two questions on delta-CRL



Michael,

This is not correct. A delta CRL must (at least) provide information about every certificate whose status has changed since the previous full CRL was issued. Thus, one can always get up to date by obtaining the most recently issued full CRL and the most recently issued delta CRL (max. 2 accesses).

To put it another way, each delta CRL must specify a baseCRLNumber and must list every certificate whose status has changed since the CRL whose cRLNumber is baseCRLNumber was issued. Since the CRL whose cRLNumber is baseCRLNumber must have been issued as a full CRL, it is always sufficient to apply this one delta CRL to its corresponding base CRL to obtain up to date information.

Dave

At 06:54 PM 1/11/01 +0100, Michael Ströder wrote:
>E.g. if you issue a full CRL each day (24h) and delta-CRLs every
>hour the application will have to obtain the last full CRL and every
>delta CRL issued since then to get up to date (max. 24 accesses
>instead of one).
>
>If you want to relax the requirement of issuing full and delta CRLs
>at the same time you have to mandate
>1. that the CRL issuer stores all delta URLs from the last full CRL
>and
>2. you have to provide appropriate service access points to obtain
>all necessary delta CRLs.
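
The rule described in the reply above, as an added example that is not part of the original messages: every delta CRL lists all changes since the CRL named by its baseCRLNumber, so one full CRL plus the latest delta is enough. CRLs are modelled as plain Python objects rather than parsed X.509; the class and function names, serial numbers, CRL numbers and the hourly schedule are constructed for illustration.

```python
from dataclasses import dataclass

REMOVE_FROM_CRL = "removeFromCRL"  # X.509 reason code: entry leaves the list

@dataclass
class CRL:
    crl_number: int
    entries: dict                 # serial -> reason code
    base_crl_number: int = None   # set only on a delta CRL

# Constructed sample data: full CRL number 100 issued at hour 0, then status
# changes at the given hours. A delta is issued every hour as number 100+hour.
BASE = CRL(100, {0x1A: "keyCompromise", 0x2B: "certificateHold"})
EVENTS = [(3, 0x3C, "cessationOfOperation"),
          (9, 0x2B, REMOVE_FROM_CRL),      # hold released
          (17, 0x4D, "keyCompromise")]

def issue_delta(hour):
    """Issuer side: list every change since BASE, not since the last delta."""
    changed = {serial: reason for h, serial, reason in EVENTS if h <= hour}
    return CRL(BASE.crl_number + hour, changed, base_crl_number=BASE.crl_number)

def apply_delta(base, delta):
    """Relying-party side: one full CRL plus one delta gives current status."""
    if delta.base_crl_number is None:
        raise ValueError("not a delta CRL")
    if delta.base_crl_number != base.crl_number:
        raise ValueError("delta was not issued against this base CRL")
    if delta.crl_number <= base.crl_number:
        raise ValueError("delta is not newer than the base CRL")
    revoked = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            revoked.pop(serial, None)   # no longer revoked or on hold
        else:
            revoked[serial] = reason
    return revoked

def status_after(hour):
    """Two fetches only: the base and the delta issued at `hour`."""
    return apply_delta(BASE, issue_delta(hour))

if __name__ == "__main__":
    for hour in (1, 5, 24):
        print(hour, {hex(s): r for s, r in status_after(hour).items()})
```

The baseCRLNumber check in `apply_delta` is what keeps a relying party from combining a delta with a full CRL it was not issued against.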