
RE: WG Last Call: Son-of-2459: More about delta-CRLs



David,
You are pointing out a "delta" between X.509 and PKIX.
Son of 2459 allows the Freshest CRL extension in CRLs (draft 4, para 5.2.6).
Trevor

-----Original Message-----
From: David A. Cooper [mailto:david.cooper@xxxxxxxx]
Sent: Monday, March 05, 2001 1:43 PM
To: IETF-PXIX
Subject: RE: WG Last Call: Son-of-2459: More about delta-CRLs


Trevor,

According to X.509, the freshestCRL extension may only be used in
certificates:

    The freshest CRL extension shall be used only as a certificate extension
    and may be used in certificates issued to authorities as well as
    certificates issued to users. This field identifies the CRL to which a
    certificate user should refer to obtain the freshest revocation
    information (e.g.: latest dCRL).

X.509 defines a CRL extension, deltaInfo, that could be included in base
CRLs, but this extension has not been included in the PKIX profile. The
deltaInfo extension is described as follows:

    This CRL extension is for use in CRLs that are not dCRLs and is used to
    indicate to relying parties that dCRLs are also available for the CRL
    containing this extension. The extension provides the location at which
    the related dCRLs can be found and optionally the time at which the next
    dCRL is to be issued.

Dave

At 01:06 PM 3/5/01 -0800, Trevor Freeman wrote:
>TF> given the range of possibilities introduced by having freshest CRL
>in either the certificate or CRL, I would prefer some recommendations on
>what should be done. Having no guidance opens up a large number of
>permutations, and we want to progress this to draft standard, we need to
>refine our scope to what is reasonable, not what is possible.
>
>TF> Having a freshest CRL extension in a CRL provides such an indicator.