
RE: WG Last Call: Son-of-2459: More about delta-CRLs



Trevor,

According to X.509, the freshestCRL extension may only be used in certificates:

                 The freshest CRL extension shall be used only as a certificate extension
                 and may be used in certificates issued to authorities as well as certificates
                 issued to users. This field identifies the CRL to which a certificate user should
                 refer to obtain the freshest revocation information (e.g.: latest dCRL).

X.509 defines a CRL extension, deltaInfo, that could be included in base CRLs, but this extension has not been included in the PKIX profile. The deltaInfo extension is described as follows:

                 This CRL extension is for use in CRLs that are not dCRLs and is used to
                 indicate to relying parties that dCRLs are also available for the CRL containing
                 this extension. The extension provides the location at which the related dCRLs
                 can be found and optionally the time at which the next dCRL is to be issued. 

Dave

At 01:06 PM 3/5/01 -0800, Trevor Freeman wrote:
>TF> given the range of possibilities introduced by having freshest CRL
>in either the certificate or CRL, I would prefer some recommendations on
>what should be done. Having no guidance opens up a large number of
>permutations, and we want to progress this to draft standard, we need to
>refine our scope to what is reasonable, not what is possible.
>
>TF> Having a freshest CRL extension in a CRL provides such an indicator.