Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments
- To: "David A. Cooper" <david.cooper@xxxxxxxx>
- Subject: Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments
- From: Stephen Kent <kent@xxxxxxx>
- Date: Wed, 18 Apr 2001 19:17:35 -0400
- Cc: ietf-pkix@xxxxxxx
- In-reply-to: <>
- References: <3ADDC6B4.13B96602@missi.ncsc.mil>
Dave Cooper,
> Dave,
>
> I agree with you. I see no basis in X.509 for setting the cA flag in
> basicConstraints for certificate subjects that can issue CRLs but
> not certificates. The current discussion about how to deal with CRLs
> for attribute certificates vs. public key certificates just further
> goes to show that it was a mistake to suddenly change the rules at
> the last IETF meeting.
We disagree on this point. Nowhere in X.509 or in previous PKIX
documents has there ever been text to suggest that other than a CA
can sign a CRL for a public key certificate. So, the rules were not
changed at the last meeting, they were reasserted and clarified.
Also, in response to other messages I've just been reading, I want to
point out that OCSP responses are not CRLs, so the value of the
cRLSign bit should not be an issue for an OCSP responder. This
suggests that the Latin abbreviation "e.g.," is inappropriately used
when referring to revocation status info verified using a cert with
the cRLSign bit enabled. CRLs are the only data structures the
validation of which is relevant to this bit. They are not an example.
Steve
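The distinction Steve draws above (the cRLSign bit governs CRL signatures and nothing else, so it says nothing about an OCSP responder) is easy to get wrong in validation code. The following is an added example, not code from the thread or from any PKIX implementation: it decodes the DER BIT STRING that carries a KeyUsage extension and then checks whether a signer certificate's key usage fits the kind of object it signed. The sample DER values are constructed. The CRL rule is the one stated in the message; the OCSP rule (require digitalSignature when KeyUsage is present) is an assumption taken from the later RFC 5280 definition of that bit, not something the thread itself states.

```python
"""Decode an X.509 KeyUsage BIT STRING and check it against a signer role.

Added example (constructed data); not part of the PKIX thread above.
"""

# KeyUsage bit positions as defined in X.509 / RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = {
    0: "digitalSignature",
    1: "nonRepudiation",
    2: "keyEncipherment",
    3: "dataEncipherment",
    4: "keyAgreement",
    5: "keyCertSign",
    6: "cRLSign",
    7: "encipherOnly",
    8: "decipherOnly",
}


def decode_key_usage(der: bytes) -> set:
    """Return the set of KeyUsage bit names set in a DER-encoded BIT STRING.

    Only the short-form length is handled, which is all KeyUsage ever needs
    (the value is at most a few bytes). Malformed input raises ValueError
    rather than silently yielding an empty usage set.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):
        raise ValueError("bad BIT STRING length")
    unused = der[2]  # number of unused trailing bits in the last byte
    if unused > 7:
        raise ValueError("unused-bits count out of range")
    body = der[3:]
    total_bits = len(body) * 8 - unused if body else 0
    names = set()
    for i in range(total_bits):
        # DER BIT STRING: bit 0 is the most significant bit of the first byte.
        if (body[i // 8] >> (7 - i % 8)) & 1:
            names.add(KEY_USAGE_BITS.get(i, f"bit{i}"))
    return names


def signer_acceptable(role: str, key_usage) -> bool:
    """Decide whether a signer's KeyUsage fits the object it signed.

    role is "certificate", "crl" or "ocsp". A missing KeyUsage extension
    (key_usage is None) imposes no restriction, as in RFC 5280.
    The "ocsp" rule is an assumption based on RFC 5280's definition of
    digitalSignature (signatures other than on certificates and CRLs);
    the thread only states that cRLSign is irrelevant to OCSP.
    """
    if key_usage is None:
        return True
    if role == "certificate":
        return "keyCertSign" in key_usage
    if role == "crl":
        return "cRLSign" in key_usage
    if role == "ocsp":
        return "digitalSignature" in key_usage
    raise ValueError(f"unknown signer role {role!r}")


# Constructed sample KeyUsage values (DER BIT STRING: tag, length, unused bits, data).
CA_KEY_USAGE = bytes.fromhex("03020106")             # keyCertSign + cRLSign
CRL_ONLY_KEY_USAGE = bytes.fromhex("03020102")       # cRLSign only
OCSP_RESPONDER_KEY_USAGE = bytes.fromhex("03020780") # digitalSignature only


if __name__ == "__main__":
    samples = [
        ("CA cert", CA_KEY_USAGE),
        ("CRL-only signer", CRL_ONLY_KEY_USAGE),
        ("OCSP responder", OCSP_RESPONDER_KEY_USAGE),
    ]
    for label, der in samples:
        usage = decode_key_usage(der)
        verdicts = {r: signer_acceptable(r, usage) for r in ("certificate", "crl", "ocsp")}
        print(f"{label:16} {sorted(usage)} -> {verdicts}")
```

Running it shows the point of the message: the OCSP responder sample fails the "crl" check and passes the "ocsp" check, while the CRL-only signer does the reverse, so a validator that demanded cRLSign of an OCSP responder would reject perfectly good responses.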