Re: Part1 last call comments
David Kemp wrote:
> I agree that it is useful for a CRL
> to contain two items of information about CRL updates:
>
> * the date at which the next scheduled CRL will be issued
_at_ which
> * a CA-suggested date at which applications should consider
> a CRL "expired" and start warning the user.
>
> However, X.509 defines "nextUpdate" as "the date/time by which
> the next revocation list in this series will be issued",
_by_ which
This is not the date _at_ which the next revocation list will be issued, but
_by_ which the CRL is guaranteed to have been issued.
This guarantee covers the case where there is a problem and the
issuance/propagation of the CRL is slightly delayed.
Only after the nextUpdate delay, if the next CRL is not available, is this an
error.
It remains to be discussed how much CAs abuse this opening in the wording of the
standard by setting nextUpdate to 24 hours when they issue a new CRL every 12
hours.
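The distinction drawn in this message (nextUpdate as a deadline by which a newer CRL is guaranteed, versus a separate CA-suggested time at which a relying party should start warning) can be made concrete in relying-party code. The following Python is an added illustration, not part of this message or of X.509; the `scheduled_issue` field is a hypothetical stand-in for the second date David Kemp proposes, which X.509 does not define, and the timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, List


class CrlStatus(Enum):
    CURRENT = "current"        # before nextUpdate: no newer CRL is required yet
    STALE_WARN = "stale-warn"  # past the CA-suggested issue time: accept, but warn
    EXPIRED = "expired"        # past nextUpdate with no newer CRL: hard error


@dataclass
class CrlInfo:
    this_update: datetime
    # X.509 nextUpdate: the time *by which* the next CRL will have been issued.
    next_update: datetime
    # Hypothetical CA-suggested time *at which* the next CRL is scheduled
    # (the second item proposed in the thread; not an X.509 field).
    scheduled_issue: Optional[datetime] = None


def crl_status(crl: CrlInfo, now: datetime) -> CrlStatus:
    """Classify a CRL under the reading argued in the message above."""
    if now >= crl.next_update:
        # The guarantee window has closed: if this is still the newest CRL
        # we have, the relying party must treat that as an error.
        return CrlStatus.EXPIRED
    if crl.scheduled_issue is not None and now >= crl.scheduled_issue:
        # Issuance is merely late, within the delay the standard allows.
        return CrlStatus.STALE_WARN
    return CrlStatus.CURRENT


def newest_usable(crls: List[CrlInfo], now: datetime) -> Optional[CrlInfo]:
    """Pick the most recently issued CRL that is not yet past nextUpdate,
    or None when every available CRL has expired (the error case)."""
    usable = [c for c in crls if crl_status(c, now) is not CrlStatus.EXPIRED]
    if not usable:
        return None
    return max(usable, key=lambda c: c.this_update)


def max_accepted_staleness(issue_interval: timedelta,
                           next_update_interval: timedelta) -> timedelta:
    """How much older than the latest CRL a relying party may be using
    without ever seeing an error, when a CA issues every `issue_interval`
    but sets nextUpdate `next_update_interval` after thisUpdate."""
    return max(next_update_interval - issue_interval, timedelta(0))


if __name__ == "__main__":
    # Constructed sample: CA issues every 12 hours but advertises 24 hours.
    t0 = datetime(2000, 1, 1, tzinfo=timezone.utc)
    crl = CrlInfo(this_update=t0,
                  next_update=t0 + timedelta(hours=24),
                  scheduled_issue=t0 + timedelta(hours=12))
    for h in (6, 13, 24):
        print(h, crl_status(crl, t0 + timedelta(hours=h)).value)
    print(max_accepted_staleness(timedelta(hours=12), timedelta(hours=24)))
```

With the sample values, a relying party that never refreshes sees no error until 24 hours after thisUpdate, so revocations published in the CRL issued at hour 12 can go unnoticed for a further 12 hours; that gap is exactly what the closing remark about a 24-hour nextUpdate on a 12-hour issuance cycle refers to.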