RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments)

Russ and Sharon,
 
X.509 Ed. 4 draft v6 says in section 9  "A dCRL may also be an indirect CRL
in that it may contain updated revocation information related to base CRLs
issued by one or more than one authorities."
 
In this case in order to comply with the current PKIX profile requirement below,
the CA that issued the dCRL would also have to issue a full indirect CRL for
all the authorities whose CRLs were updated by the dCRL.  That much I
understand, I think. 
 

            Current PKIX profile requirement:  "When a conforming CA issues 
            a delta CRL, the CA MUST also issue a CRL that is complete for 
            the given scope."

 
But I'm puzzled by another point.   It looks to me like X.509 permits a dCRL
to contain a crlScope extension that limits the scope of the certificates for
which the dCRL is authoritative (using onlyContains or onlySomeReasons,
for instance).  In fact, it seems that different CAs could issue indirect dCRLs
for various scopes (e.g. user certificate, attribute certificate, keyCompromise,
certificateHold, etc.), but reference a base CRL that covers a larger scope. 
In that case, I suppose each of the dCRL issuers must also issue a "full CRL". 
But what constitutes a full "CRL that is complete for the given scope"?  Is it
the given scope of the dCRL, or the given scope of the base CRL?  That is, does
each "full CRL" cover only the scope of the dCRL, even if the dCRL's base CRL
covers additional scope (e.g. additional reason codes, or additional certificate
types)?
 

Regards,

Carlin

____________________________

-  Carlin Covey
   Cylink Corporation

 

-----Original Message-----
From: Sharon Boeyen [mailto:sharon.boeyen@xxxxxxxxxxx]
Sent: Monday, April 23, 2001 9:40 AM
To: Santosh Chokhani; Russ Housley; ietf-pkix@xxxxxxx
Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments)

I agree with Santosh. Forcing the issuance of a full CRL each time a delta is issued removes the primary value of issuing the delta in the first place.
-----Original Message-----
From: Santosh Chokhani [mailto:chokhani@xxxxxxxxxxxx]
Sent: Monday, April 23, 2001 11:45 AM
To: Russ Housley; ietf-pkix@xxxxxxx
Subject: RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments)

I have been quiet on this.  I am firmly in favor of NOT having the requirement (i.e., delete the requirement): "CA post a full CRL whenever a delta CRL is issued".

-----Original Message-----
From: Russ Housley [mailto:rhousley@xxxxxxxxxxxxxxx]
Sent: Monday, April 23, 2001 10:27 AM
To: ietf-pkix@xxxxxxx
Subject: RE: delta-CRLs (was Re: Last
Call:draft-ietf-pkix-new-part1-06.txt comments)


All:

Trevor, Ambarish, Denis, David, and others have proposed the removal of the
requirement that CAs post a full CRL whenever a delta-CRL is
posted.  Trevor suggests that the consequences of a CA posting a
delta-CRL without posting a full CRL could be discussed in a single
paragraph in the Security Considerations section.

Paul and Mike have suggested that the current text is fine.

A few people have contributed to the thread but not made their own position
clear.  Perhaps they are only academically interested.  Or, perhaps the
dialogue is helping them reach their own conclusion.  I do not
know.  Regardless, most people have been silent on this issue.

I would like one of the proponents for removing the requirement to suggest
alternative text, and I would like to hear from more people about the
proposed revision.

We are in Working Group Last Call.  I would like to reach consensus on this
issue, make the necessary change (if any), and get the document to the
IESG.  Many other working groups are waiting for our document.

Russ