RE: Open Issue in Part1: path length constraints
Ambarish,

> Hi Steve,
>
> Is there anything that restricts indirect CRL issuance only to CAs? I
> think the concept of an entity other than the CA issuing CRLs is
> reasonably old.
Well, 5.3.4 (the indirect CRL section) of 2459 says:

   This CRL entry extension identifies the certificate issuer associated
   with an entry in an indirect CRL, i.e. a CRL that has the indirectCRL
   indicator set in its issuing distribution point extension. If this
   extension is not present on the first entry in an indirect CRL, the
   certificate issuer defaults to the CRL issuer. On subsequent entries
   in an indirect CRL, if this extension is not present, the certificate
   issuer for the entry is the same as that for the preceding entry.

   This field is defined as follows:

      id-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-ce 29 }

      certificateIssuer ::= GeneralNames

   If used by conforming CAs that issue CRLs, this extension is always
   critical. If an implementation ignored this extension it could not
   correctly attribute CRL entries to certificates. This specification
   RECOMMENDS that implementations recognize this extension.
The text avoids referring to a CA as the indirect CRL issuer at first, but
then refers to conforming CAs in the last paragraph. If something other
than a CA issues an indirect CRL, or any kind of CRL, then the wording used
throughout 2459 seems not to apply to such an entity, because we almost
always seem to come back to phrases like "if used by a conforming CA ..."
The best rationale I've usually heard for indirect CRLs has been for one CA
to issue a CRL for another, e.g., if the latter CA loses the ability to
issue CRLs due to destruction of its private key.
Steve
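The attribution rule quoted from 5.3.4 above (certificateIssuer absent on the first entry means the CRL issuer; absent on a later entry means the same issuer as the preceding entry) is easy to get wrong, and the last paragraph of the quoted text says why: a relying party that ignores the extension attributes every entry to the CRL issuer. The following is an added example, not code from the original message, from the PKIX list or from RFC 2459. It works on constructed entry records rather than parsed ASN.1, and every issuer name and serial number in it is made up; it assumes the caller has already established that the CRL carries the indirectCRL indicator in its issuing distribution point extension.

```python
"""Attribute indirect-CRL entries to certificate issuers per RFC 2459 5.3.4.

Added example; entries are constructed dicts/dataclasses, not DER, and the
names and serials below are hypothetical. Assumes the CRL is known to be an
indirect CRL (indirectCRL set in its issuing distribution point extension).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CRLEntry:
    serial: int
    # certificateIssuer entry extension, if present: (critical, GeneralNames
    # rendered as a single string). None means the extension is absent.
    certificate_issuer: Optional[Tuple[bool, str]] = None


def attribute_entries(crl_issuer: str, entries: List[CRLEntry]) -> List[Tuple[str, int]]:
    """Return (certificate issuer, serial) for each entry.

    Implements the 5.3.4 defaulting rule: the issuer starts as the CRL
    issuer and changes only when an entry carries certificateIssuer; it
    then stays in effect ("sticks") for every following entry that lacks
    the extension.
    """
    current_issuer = crl_issuer
    attributed = []
    for entry in entries:
        if entry.certificate_issuer is not None:
            critical, names = entry.certificate_issuer
            # 5.3.4: conforming CAs always mark this extension critical; a
            # non-critical copy is rejected here rather than silently trusted.
            if not critical:
                raise ValueError(
                    f"certificateIssuer on serial {entry.serial} is not critical")
            current_issuer = names
        attributed.append((current_issuer, entry.serial))
    return attributed


def is_revoked(crl_issuer: str, entries: List[CRLEntry],
               cert_issuer: str, serial: int) -> bool:
    """Revocation check that matches on (issuer, serial), not serial alone."""
    return (cert_issuer, serial) in set(attribute_entries(crl_issuer, entries))


def is_revoked_ignoring_extension(crl_issuer: str, entries: List[CRLEntry],
                                  cert_issuer: str, serial: int) -> bool:
    """The broken behaviour the RFC warns about: every entry is attributed to
    the CRL issuer, so entries for other CAs are matched against the wrong
    issuer name."""
    return cert_issuer == crl_issuer and any(e.serial == serial for e in entries)


# Constructed sample: one entity issues an indirect CRL covering itself and
# two other CAs. Serial 2003 has no extension, so it belongs to CA-B, the
# issuer named on the preceding entry, not to the CRL issuer.
CRL_ISSUER = "CN=Indirect CRL Issuer"
SAMPLE_ENTRIES = [
    CRLEntry(1001),                            # defaults to the CRL issuer
    CRLEntry(2002, (True, "CN=CA-B")),         # switches issuer to CA-B
    CRLEntry(2003),                            # inherits CA-B from entry above
    CRLEntry(3004, (True, "CN=CA-A")),         # switches issuer to CA-A
]


if __name__ == "__main__":
    for issuer, serial in attribute_entries(CRL_ISSUER, SAMPLE_ENTRIES):
        print(f"{issuer:28s} serial {serial}")
    print("CA-B 2003 revoked:", is_revoked(CRL_ISSUER, SAMPLE_ENTRIES, "CN=CA-B", 2003))
    print("naive check for CA-B 2003:",
          is_revoked_ignoring_extension(CRL_ISSUER, SAMPLE_ENTRIES, "CN=CA-B", 2003))
```

The sticky-issuer rule means the order of entries carries meaning: reordering or filtering entries before attribution silently reassigns serials to the wrong CA. Keying the lookup on (issuer, serial) rather than serial alone is what makes an indirect CRL safe to use when two covered CAs have overlapping serial number spaces.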