Re: X.509, PKIX, and pathLenConstraint



David,

To me, the text you cite (7.3) lends further credence to the notion that a CA is the entity that signs CRLs. Only the CA that issued a cert could sign a CRL revoking that cert, until v3 of X.509, where the introduction of indirect CRLs and CRL DPs opened up new possibilities. The fundamental question is whether these features create a new class of entity that can sign CRLs but not be marked (in its certificate) as a CA, or whether these facilities merely allow one CA to delegate CRL signing to another CA, perhaps operated under the same administrative jurisdiction.

Steve