RE: Open Issue in Part1: path length constraints



Ambarish,

Steve, we use the Indirect CRL/Indirect delta CRL format to
propagate revocation information for particular CAs between
our VAs (Validation Authorities).

Basically, a master VA can receive information that a particular
cert was revoked at a CA (even if the CA has not had time to
issue a new CRL as yet). It can (and does) create an Indirect
CRL with this information that it signs. The VA never acts
as a CA - it never issues certs, but still needs to be
responsible for creating and propagating revocation information
to other VAs.

While we use these indirect CRLs to propagate information just
amongst VAs, it is not a stretch to see clients trusting these
indirect CRLs for their own purposes.

Hope this helps justify why it does make sense for non-CAs to
still issue CRLs.

I understand the mechanism you are employing, and I see nothing wrong with it. However, I don't think the notion of a "VA" is part of ITU or IETF standards. Therefore, your use of it in a closed system environment is outside the scope of these standards.


Steve