
RE: Open Issue in Part1: path length constraints



Hi Steve,
    Is there anything that restricts indirect CRL issuance only
to CAs? I think the concept of an entity other than the CA
issuing CRLs is reasonably old.

Regards,
Ambarish



---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  ambarish@xxxxxxxxxxxx
339 N. Bernardo Ave.                          http://www.valicert.com
Mountain View, CA 94043

-----Original Message-----
From: Stephen Kent [mailto:kent@xxxxxxx]
Sent: Friday, March 02, 2001 1:49 PM
To: David Simonetti
Cc: ietf-pkix@xxxxxxx
Subject: Re: Open Issue in Part1: path length constraints

<STUFF DELETED>


I am too bothered by the emergence of the notion that entities other than
CAs issue CRLs. I reread 2459 and it does not seem to make a case for this,
although I did note that the CRLSign bit in key usage did not limit its use
to CAs, even though the KeyCertSign bit is so restricted. But 5.2.5 (the CRL
distribution point extension) does say: "The CRL is signed using the CA's
private key" and that certainly argues for what I would consider the usual
interpretation, i.e., only CAs sign CRLs.


OCSP clearly introduced the notion of a non-CA entity vouching for
certificate status. But we're talking about CRLs here and I still think they
should be issued only by CAs. I view the CRLSign bit to be a means by which
a CA can have different keys and certs for cert signing vs. CRL signing, an
appropriate split that can enhance security in many instances.


Steve
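The two readings argued over in this thread turn on what a relying party checks before trusting a CRL signature: only the CRLSign bit in the signer's KeyUsage, or also that the signer is the CA that issued the certificate. The following Python is an added example, not code from either poster or from any PKIX document. It decodes a DER-encoded KeyUsage BIT STRING using the bit positions RFC 2459 assigns (keyCertSign is bit 5, cRLSign is bit 6) and then applies both policies. The KeyUsage byte strings are hand-constructed, and issuer names are compared as plain strings for brevity, a simplification of real DN matching.

```python
"""Decode an X.509 KeyUsage extension value (a DER BIT STRING) and apply
the two positions on CRL signers discussed in the thread.

Added example; not taken from the thread or from any PKIX specification.
Bit positions follow RFC 2459 section 4.2.1.3. Sample byte strings are
constructed by hand and do not come from any real certificate.
"""

# Named bits of the KeyUsage BIT STRING, indexed by ASN.1 bit number.
KEY_USAGE_BITS = (
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
)


def decode_key_usage(der: bytes) -> set:
    """Return the set of named bits present in a DER KeyUsage BIT STRING.

    Layout: 0x03, short-form length, unused-bit count, bit bytes.
    ASN.1 numbers bits from the most significant bit of the first content
    byte, so bit 0 is the 0x80 bit of the byte following the unused count.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported long-form length or truncated value")
    unused = der[2]
    bit_bytes = der[3:]
    if unused > 7 or (not bit_bytes and unused != 0):
        raise ValueError("bad unused-bit count")
    total_bits = len(bit_bytes) * 8 - unused
    named = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if bit_bytes[i // 8] & (0x80 >> (i % 8)):
            named.add(KEY_USAGE_BITS[i])
    return named


def crl_signer_acceptable(crl_issuer: str, cert_issuer: str,
                          signer_key_usage_der: bytes,
                          allow_indirect: bool) -> bool:
    """Decide whether a CRL signer may vouch for a certificate's status.

    Both readings require cRLSign on the signer's key. When the CRL issuer
    is the certificate's own CA (same name, possibly a dedicated CRL-signing
    key, as Steve describes), both readings accept it. When a different
    entity signs (an indirect CRL, as Ambarish describes), only the
    allow_indirect reading accepts it.
    """
    usage = decode_key_usage(signer_key_usage_der)
    if "cRLSign" not in usage:
        return False
    if crl_issuer == cert_issuer:
        return True
    return allow_indirect


# Constructed samples (hand-assembled, not from any real certificate).
CA_USAGE = bytes.fromhex("03020106")        # keyCertSign + cRLSign
CRL_ONLY_USAGE = bytes.fromhex("03020102")  # cRLSign only
SIG_ONLY_USAGE = bytes.fromhex("03020780")  # digitalSignature only

if __name__ == "__main__":
    for label, der in (("CA key", CA_USAGE), ("CRL-only key", CRL_ONLY_USAGE),
                       ("signature-only key", SIG_ONLY_USAGE)):
        print(label, sorted(decode_key_usage(der)))
    # A third-party CRL signer with cRLSign: accepted only if indirect CRLs are allowed.
    for policy in (False, True):
        print("indirect allowed =", policy, "->",
              crl_signer_acceptable("CN=CRL Service", "CN=Example CA",
                                    CRL_ONLY_USAGE, allow_indirect=policy))
```

Note that a CA's dedicated CRL-signing certificate (cRLSign without keyCertSign) passes under both policies as long as its issuer name matches the certificate's issuer, which is exactly the key-separation use Steve attributes to the CRLSign bit; the policies differ only when the names differ.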