
RE: delta-CRLs (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments)



Russ, the problem with this is that CAs might be unwilling to issue
delta-CRLs because issuing a full CRL every time is too
burdensome.

The net result is that *nobody* has access to the latest
revocation information - not even the smart clients who can
understand delta CRLs.

I would prefer that we drop the requirement that a full CRL
be published whenever a new delta CRL is published.

Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  ambarish@xxxxxxxxxxxx
339 N. Bernardo Ave.                          http://www.valicert.com
Mountain View, CA 94043


> -----Original Message-----
> From: Housley, Russ [mailto:rhousley@xxxxxxxxxxxxxxx]
> Sent: Friday, April 20, 2001 1:26 PM
> To: ietf-pkix@xxxxxxx
> Subject: Re: delta-CRLs (was Re: Last
> Call:draft-ietf-pkix-new-part1-06.txt comments)
> 
> 
> 
> > >In the third paragraph the first sentence (still) says:
> > >
> > > >    When a conforming CA issues a delta CRL, the CA MUST also issue a CRL
> 
> 
> Originally, this sentence was placed in RFC 2459 to ensure that simple
> clients are able to get the best possible revocation information.  We did
> not want to require CAs or clients to support delta-CRLs, but if a CA chose
> to support delta-CRLs, we did not want to penalize clients.
> 
> I do not see that either of these desires has changed.
> 
> Russ
> 
>
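The disagreement above comes down to what each kind of relying party can see. A delta-aware client combines the newest complete CRL with a delta whose Delta CRL Indicator (BaseCRLNumber) it satisfies; a client that does not understand delta CRLs must reject them (the indicator is critical in RFC 2459) and can only use the newest complete CRL. The following added example, which is not code from the thread or from any PKIX implementation, simulates both clients under the two issuance policies being debated. The serial numbers, CRL numbers and reason codes are constructed for the illustration; the merge rules (complete CRL number must be at least BaseCRLNumber, removeFromCRL entries drop a serial from the result) follow RFC 2459 section 5.2.4.

```python
"""Added example: what delta-aware and delta-ignorant clients see when a CA
does or does not issue a full CRL alongside each delta CRL.

All serials, CRL numbers and reason codes below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# CRLReason values from RFC 2459 / X.509. removeFromCRL (8) appears only in
# delta CRLs and means the serial is no longer revoked (a hold was lifted).
KEY_COMPROMISE, SUPERSEDED, CERTIFICATE_HOLD, REMOVE_FROM_CRL = 1, 4, 6, 8


@dataclass
class CompleteCRL:
    number: int                                            # CRLNumber extension
    entries: Dict[int, int] = field(default_factory=dict)  # serial -> CRLReason


@dataclass
class DeltaCRL:
    number: int       # CRLNumber of the delta itself
    base_number: int  # Delta CRL Indicator: BaseCRLNumber the delta is relative to
    entries: Dict[int, int] = field(default_factory=dict)


def apply_delta(base: CompleteCRL, delta: DeltaCRL) -> CompleteCRL:
    """Combine a complete CRL with a delta, as a delta-aware client does.

    The complete CRL must be at least as recent as the delta's BaseCRLNumber,
    otherwise the delta does not describe changes relative to it.
    """
    if base.number < delta.base_number:
        raise ValueError(f"complete CRL #{base.number} is older than base #{delta.base_number}")
    if delta.number <= base.number:
        raise ValueError("delta CRL is not newer than the complete CRL")
    merged = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)   # hold released: the certificate is valid again
        else:
            merged[serial] = reason    # newly revoked, or reason code updated
    return CompleteCRL(number=delta.number, entries=merged)


def delta_aware_view(completes: List[CompleteCRL], deltas: List[DeltaCRL]) -> CompleteCRL:
    """Newest complete CRL, plus every newer delta whose base it satisfies."""
    latest = max(completes, key=lambda c: c.number)
    for d in sorted(deltas, key=lambda d: d.number):
        if d.number > latest.number and latest.number >= d.base_number:
            latest = apply_delta(latest, d)
    return latest


def simple_view(completes: List[CompleteCRL], deltas: List[DeltaCRL]) -> CompleteCRL:
    """A client without delta support must reject delta CRLs (the Delta CRL
    Indicator is critical) and can only use the newest complete CRL."""
    return max(completes, key=lambda c: c.number)


def scenario(ca_issues_full_with_delta: bool):
    """Return (delta-aware revoked serials, simple-client revoked serials)."""
    base = CompleteCRL(10, {0x1001: KEY_COMPROMISE, 0x3003: CERTIFICATE_HOLD})
    # Delta #11: one new revocation, and the hold on 0x3003 is lifted.
    delta = DeltaCRL(11, base_number=10,
                     entries={0x2002: SUPERSEDED, 0x3003: REMOVE_FROM_CRL})
    completes = [base]
    if ca_issues_full_with_delta:
        # The draft's MUST: a full CRL #11 is published along with delta #11.
        completes.append(apply_delta(base, delta))
    return (sorted(delta_aware_view(completes, [delta]).entries),
            sorted(simple_view(completes, [delta]).entries))


if __name__ == "__main__":
    for policy in (False, True):
        smart, simple = scenario(policy)
        print(f"full CRL issued with delta={policy}: "
              f"delta-aware sees {[hex(s) for s in smart]}, simple sees {[hex(s) for s in simple]}")
```

With the requirement dropped, the simple client keeps trusting the stale complete CRL #10: it still treats 0x3003 as on hold and never learns that 0x2002 was revoked, while the delta-aware client sees the current state. With the requirement kept, both clients converge on the same revoked set. The guard in `apply_delta` is the check a real implementation needs as well: a delta whose BaseCRLNumber is newer than the complete CRL in hand cannot be applied to it.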