
RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments)



Russ,
This level of concern for simple vs. complex was never raised when OCSP
was discussed. An OCSP-aware client may give a different answer from
CRL-aware clients on the revocation status of a certificate. Having
established a precedent like that, it's too late to put the cat back in
the bag now. What you have expressed is a policy, which is better left
to the security considerations section rather than a MUST clause in the
standard.
It also ignores the reason why delta CRLs are viewed as attractive. A CA
can today publish a full CRL whenever it likes. The reality is that
publication of CRLs comes at a cost to the infrastructure, and many
organisations are not prepared to pay that cost for full CRL
publication, but would be prepared to publish smaller delta CRLs more
frequently.
Trevor

-----Original Message-----
From: Housley, Russ [mailto:rhousley@xxxxxxxxxxxxxxx] 
Sent: Friday, April 20, 2001 1:26 PM
To: ietf-pkix@xxxxxxx
Subject: Re: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments)


> >In the third paragraph the first sentence (still) says:
> >
> > >    When a conforming CA issues a delta CRL, the CA MUST also issue a CRL


Originally, this sentence was placed in RFC 2459 to ensure that simple
clients are able to get the best possible revocation information.  We did
not want to require CAs or clients to support delta-CRLs, but if a CA chose
to support delta-CRLs, we did not want to penalize clients.

I do not see that either of these desires has changed.

Russ
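The divergence the two messages argue about can be made concrete with a small model of base and delta CRL processing. This is an added example, not code from the PKIX list or from any CA or client implementation; the serial numbers, CRL numbers and the two clients are constructed for illustration, and the delta-to-base matching rule is simplified relative to the full text of the draft. It models a CA that revokes a certificate and publishes delta CRL #11 either with or without an accompanying full CRL, and shows what a CRL-only ("simple") client and a delta-aware client each report.

```python
"""Toy model of full/delta CRL processing (added example, constructed data).

A delta CRL carries the changes since a base CRL identified by the
BaseCRLNumber (delta CRL indicator) extension.  A delta-aware client
starts from its newest full CRL and applies the deltas issued after it;
a simple client only ever consults full CRLs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FullCRL:
    crl_number: int            # value of the cRLNumber extension
    revoked: frozenset         # serial numbers listed as revoked


@dataclass(frozen=True)
class DeltaCRL:
    crl_number: int            # cRLNumber of this delta CRL
    base_crl_number: int       # BaseCRLNumber: the full CRL it extends
    added: frozenset           # serials revoked since that base
    removed: frozenset = frozenset()  # entries with reason removeFromCRL


def latest_full(full_crls):
    """Pick the highest-numbered full CRL the client holds."""
    return max(full_crls, key=lambda c: c.crl_number)


def simple_client_status(serial, full_crls):
    """CRL-only client: the newest full CRL is the whole story."""
    return "revoked" if serial in latest_full(full_crls).revoked else "good"


def delta_client_status(serial, full_crls, delta_crls):
    """Delta-aware client: newest full CRL plus every later delta whose
    base number is not newer than that full CRL, applied in CRL-number
    order (a simplified form of the draft's combination rule)."""
    base = latest_full(full_crls)
    revoked = set(base.revoked)
    applicable = sorted(
        (d for d in delta_crls
         if d.base_crl_number <= base.crl_number < d.crl_number),
        key=lambda d: d.crl_number,
    )
    for d in applicable:
        revoked |= d.added       # newly revoked certificates
        revoked -= d.removed     # entries the CA dropped (e.g. cert expired)
    return "revoked" if serial in revoked else "good"


def scenario(ca_issues_full_with_delta):
    """Constructed scenario: serial 0x1234 is revoked after full CRL #10.
    The CA publishes delta #11; if ca_issues_full_with_delta it also
    publishes full CRL #11, as the MUST clause under discussion requires.
    Returns (simple client answer, delta-aware client answer)."""
    serial = 0x1234
    full = [FullCRL(10, frozenset({0x0042}))]
    deltas = [DeltaCRL(11, base_crl_number=10, added=frozenset({serial}))]
    if ca_issues_full_with_delta:
        full.append(FullCRL(11, frozenset({0x0042, serial})))
    return (simple_client_status(serial, full),
            delta_client_status(serial, full, deltas))


if __name__ == "__main__":
    print("delta only:       ", scenario(False))
    print("delta + full CRL: ", scenario(True))
```

Without the accompanying full CRL the two clients disagree (the simple client still trusts CRL #10 and reports the certificate as good); when the CA also issues full CRL #11 both clients agree. The `removed` handling shows why a delta-aware client must apply deltas in order rather than simply unioning them.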