Re: Separate CRL Issuance Entity Was: RE: Open Issue in Part1: path length constraints
Dave,
I would like to consider including the option to have an entity
other than a "cert issuing authority" to sign CRLs. In cases where
a Root CA needs to issue certificates infrequently (such as we have
at Identrus), but needs to issue CRLs much more frequently, there
seems to be a case to have different certificates for these
purposes. I don't want to rule out having this option. If we define
that having the CA bit set means the capability to issue
certificates, this CRL signing entity should not have that bit set.
Is it specifically stated somewhere that the assertion of the CA bit
is defined as certificate issuance capability? My old X.509 (97)
defines a CA as: An authority trusted by one or more users to create
and assign certificates. 2459 doesn't provide any more help.
If one uses the KeyUsage extension and marks it critical, then there
is a separate flag re cert signing (KeyCertSign). But the current
spec has other constraints that don't allow for the CRLSign bit to
be set and the CA flag in BasicConstraints to not be set, so we have
a mixed bag of options now.
Steve
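The two extensions Steve is weighing, as an added example that is not part of the thread: a minimal DER decoder for KeyUsage and BasicConstraints plus a classifier that separates a certificate-issuing CA from a CRL-only signer and flags the cRLSign-with-cA=FALSE combination the message says the profile did not allow. The sample DER values and the role names are constructed for this example.

```python
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

def _tlv(data, pos=0):
    """Decode one short-form DER TLV (both extensions here are a few bytes long)."""
    tag, length = data[pos], data[pos + 1]
    return tag, data[pos + 2:pos + 2 + length], pos + 2 + length

def parse_key_usage(der):
    """KeyUsage ::= BIT STRING; byte 0 = unused trailing bits, bit 0 = MSB of byte 1."""
    tag, val, _ = _tlv(der)
    assert tag == 0x03, "KeyUsage must be a BIT STRING"
    unused, body = val[0], val[1:]
    return {KEY_USAGE_BITS[i] for i in range(len(body) * 8 - unused)
            if body[i // 8] & (0x80 >> (i % 8))}

def parse_basic_constraints(der):
    """SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }; DER omits a FALSE cA."""
    tag, val, _ = _tlv(der)
    assert tag == 0x30, "BasicConstraints must be a SEQUENCE"
    ca, path_len, pos = False, None, 0
    while pos < len(val):
        t, v, pos = _tlv(val, pos)
        if t == 0x01:
            ca = v != b"\x00"
        elif t == 0x02:
            path_len = int.from_bytes(v, "big")
    return ca, path_len

def classify_signer(bc_der, ku_der):
    """Return (role, findings): what the key may sign, plus combinations to review."""
    ca, _ = parse_basic_constraints(bc_der)
    ku = parse_key_usage(ku_der)
    findings = []
    if "keyCertSign" in ku and not ca:
        findings.append("keyCertSign asserted but cA is FALSE")
    if "cRLSign" in ku and not ca:
        findings.append("cRLSign with cA=FALSE: CRL-only signer, confirm the profile permits it")
    role = ("certificate-issuing CA" if ca and "keyCertSign" in ku
            else "CRL signer only" if "cRLSign" in ku else "end entity")
    return role, findings

# Constructed DER: a root CA (cA=TRUE, keyCertSign+cRLSign) and a CRL-only signer (cA absent = FALSE).
ROOT_BC, ROOT_KU = bytes.fromhex("30030101ff"), bytes.fromhex("03020106")
CRL_BC, CRL_KU = bytes.fromhex("3000"), bytes.fromhex("03020102")
```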