Russ and Sharon,

X.509 Ed. 4 draft v6 says in section 9 "A dCRL may also be an indirect CRL in that it may contain updated revocation information related to base CRLs issued by one or more than one authorities."

In this case, in order to comply with the current PKIX profile requirement below, the CA that issued the dCRL would also have to issue a full indirect CRL for all the authorities whose CRLs were updated by the dCRL. That much I understand, I think.

Current PKIX profile requirement: "When a conforming CA issues a delta CRL, the CA MUST also issue a CRL that is complete for the given scope."

But I'm puzzled by another point. It looks to me like X.509 permits a dCRL to contain a crlScope extension that limits the scope of the certificates for which the dCRL is authoritative (using onlyContains or onlySomeReasons, for instance). In fact, it seems that different CAs could issue indirect dCRLs for various scopes (e.g. user certificate, attribute certificate, keyCompromise, certificateHold, etc.), but reference a base CRL that covers a larger scope.

In that case, I suppose each of the dCRL issuers must also issue a "full CRL".

But what constitutes a full "CRL that is complete for the given scope"? Is it the given scope of the dCRL, or the given scope of the base CRL? That is, does each "full CRL" cover only the scope of the dCRL, even if the dCRL's base CRL covers additional scope (e.g. additional reason codes, or additional certificate types)?

Regards,
Carlin
____________________________
Carlin Covey
Cylink Corporation
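The relationship Carlin's message is asking about (a delta CRL carrying a deltaCRLIndicator, a scope that bounds what it is authoritative for, and a "complete" CRL that the delta is combined with) can be made concrete in a small model. The following is an added example for this thread, not code from X.509, PKIX or any poster; it keeps CRLs as plain Python objects rather than ASN.1, the names Scope, CRL, check_delta_applicable and apply_delta are the example's own, and the combination rule it enforces (identical scope on delta and complete CRL, and a complete CRL numbered at or after the delta's base and before the delta itself) follows the rule RFC 5280 later settled on, which is one answer to the question of which scope the full CRL must be complete for.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Reason codes under their X.509 names; the model carries only the ones the
# thread mentions plus removeFromCRL, which only a delta CRL may use.
KEY_COMPROMISE = "keyCompromise"
CERTIFICATE_HOLD = "certificateHold"
SUPERSEDED = "superseded"
REMOVE_FROM_CRL = "removeFromCRL"
ALL_REASONS: FrozenSet[str] = frozenset({KEY_COMPROMISE, CERTIFICATE_HOLD, SUPERSEDED})


@dataclass(frozen=True)
class Scope:
    """The part of a CRL's scope discussed in the thread: which reason codes and
    which certificate types the CRL is authoritative for (a stand-in for the
    onlySomeReasons / onlyContains fields of crlScope or issuingDistributionPoint)."""
    only_some_reasons: FrozenSet[str] = ALL_REASONS
    only_contains: str = "any"   # "any", "userCerts", "caCerts" or "attributeCerts"


@dataclass
class CRL:
    issuer: str
    crl_number: int
    scope: Scope
    entries: Dict[int, str] = field(default_factory=dict)  # serial number -> reason code
    base_crl_number: Optional[int] = None                 # deltaCRLIndicator; None on a complete CRL

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


class DeltaError(ValueError):
    """Raised when a delta CRL cannot be combined with the given complete CRL."""


def check_delta_applicable(complete: CRL, delta: CRL) -> None:
    """Refuse the combination unless the complete CRL is complete for the delta's scope."""
    if not delta.is_delta:
        raise DeltaError("second argument carries no deltaCRLIndicator")
    if complete.is_delta:
        raise DeltaError("a delta can only be applied to a complete CRL")
    if complete.issuer != delta.issuer:
        raise DeltaError("complete CRL and delta CRL have different issuers")
    # A delta scoped to keyCompromise/certificateHold says nothing about other
    # reasons, so it cannot update a CRL that claims to cover all reasons, and
    # a full-scope delta cannot update a CRL that covers only some of them.
    if complete.scope != delta.scope:
        raise DeltaError(f"scope mismatch: complete={complete.scope} delta={delta.scope}")
    # Model rule (after RFC 5280): the delta applies to any complete CRL
    # numbered at or after its base and before the delta itself.
    if not (delta.base_crl_number <= complete.crl_number < delta.crl_number):
        raise DeltaError(f"complete CRL #{complete.crl_number} is outside "
                         f"[{delta.base_crl_number}, {delta.crl_number})")


def apply_delta(complete: CRL, delta: CRL) -> CRL:
    """Combine a complete CRL with a delta; the result is again complete for the shared scope."""
    check_delta_applicable(complete, delta)
    merged = dict(complete.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)   # released from certificateHold
        else:
            merged[serial] = reason    # new revocation, or a changed reason
    return CRL(complete.issuer, delta.crl_number, complete.scope, merged)


# Constructed sample data: one issuer, a complete CRL for all reasons, and two
# later deltas, one with the same scope and one narrowed to two reason codes.
FULL_SCOPE = Scope()
KC_HOLD_SCOPE = Scope(only_some_reasons=frozenset({KEY_COMPROMISE, CERTIFICATE_HOLD}))

complete_crl = CRL("CN=Example CA", crl_number=8, scope=FULL_SCOPE,
                   entries={1001: SUPERSEDED, 1002: CERTIFICATE_HOLD})
delta_all = CRL("CN=Example CA", crl_number=10, scope=FULL_SCOPE,
                entries={1002: REMOVE_FROM_CRL, 1003: KEY_COMPROMISE}, base_crl_number=8)
delta_narrow = CRL("CN=Example CA", crl_number=10, scope=KC_HOLD_SCOPE,
                   entries={1003: KEY_COMPROMISE}, base_crl_number=8)


def demo_apply() -> Dict[int, str]:
    """Delta and complete CRL share the full scope: the merge succeeds."""
    return apply_delta(complete_crl, delta_all).entries


def demo_scope_mismatch() -> str:
    """A delta scoped to two reasons cannot update a CRL complete for all reasons."""
    try:
        apply_delta(complete_crl, delta_narrow)
    except DeltaError as exc:
        return str(exc)
    return "no error"


if __name__ == "__main__":
    print(demo_apply())            # {1001: 'superseded', 1003: 'keyCompromise'}
    print(demo_scope_mismatch())   # scope mismatch: ...
```

In this model the narrowed delta is only usable against a complete CRL that itself carries the keyCompromise/certificateHold scope, which is the "complete for the given scope" reading in which the given scope is the dCRL's own, not its base CRL's; an issuer that wants a single full CRL to back several differently scoped deltas would have to issue one complete CRL per scope.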
I agree with Santosh. Forcing the issuance of a full CRL each time a delta is issued removes the primary value of issuing the delta in the first place.