
RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments)

Carlin, you are correct. That 'indirect delta' is a new facility added into the 4th edition X.509. One example that was used in those discussions was where there might be several CAs operating within a given domain (perhaps a large multinational organization) and each issues its own CRLs on a regular basis. Once retrieved, these CRLs may be cached at the validation step and used until their expiry. However, that multinational may want to issue a single delta CRL every minute and that CRL would contain revocation notices for all the CAs within the organization but perhaps only for the keyCompromise reason. I think you raise an interesting point because in this type of environment the CA that issues the delta could not issue any single corresponding base. However, I suspect indirectDeltas are beyond the scope of what 2459 plans to cover?

Sharon

> -----Original Message-----
> From: Carlin Covey [mailto:ccovey@xxxxxxxxxx]
> Sent: Monday, April 23, 2001 1:28 PM
> To: Russ Housley; ietf-pkix@xxxxxxx
> Subject: RE: delta-CRLs (was Re: Last
> Call:draft-ietf-pkix-new-part1-06.txt comments)
>
>
> Russ,
>
> Two obvious candidates for alternative text are (1)
> substituting MAY for MUST and (2) substituting SHOULD
> for MUST in the sentence:
>
> "A dCRL may also be an indirect CRL in that it may
> contain updated revocation information related to
> base CRLs issued by one or more than one authorities."
>
> I think that these alternative wordings have been
> either stated or implied by various persons in the
> course of this discussion.
>
> Were you asking for some alternative text to go
> into the security considerations section?
>
> Regards,
>
> Carlin
>
> ____________________________
>
> -  Carlin Covey
>    Cylink Corporation
>
>
>
> -----Original Message-----
> From: Russ Housley [mailto:rhousley@xxxxxxxxxxxxxxx]
> Sent: Monday, April 23, 2001 7:27 AM
> To: ietf-pkix@xxxxxxx
> Subject: RE: delta-CRLs (was Re: Last
> Call:draft-ietf-pkix-new-part1-06.txt comments)
>
>
> All:
>
> Trevor, Ambarish, Denis, David, and others have proposed the removal of
> the requirement that CAs post a full CRL whenever a delta-CRL is posted.
> Trevor's suggestion is that the consequences of a CA posting a delta-CRL
> without posting a full CRL could be discussed in a single paragraph in
> the Security Considerations section.
>
> Paul and Mike have suggested that the current text is fine.
>
> A few people have contributed to the thread but not made their own
> position clear.  Perhaps they are only academically interested.  Or,
> perhaps the dialogue is helping them reach their own conclusion.  I do
> not know.  Regardless, most people have been silent on this issue.
>
> I would like one of the proponents for removing the requirement to
> suggest alternative text, and I would like to hear from more people
> about the proposed revision.
>
> We are in Working Group Last Call.  I would like to reach consensus on
> this issue, make the necessary change (if any), and get the document to
> the IESG.  Many other working groups are waiting for our document.
>
> Russ
>
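The caching scenario Sharon describes at the top of this thread, as an added illustration that is not code from the thread or from any PKIX implementation: cached base CRLs per CA, one indirect delta carrying keyCompromise notices for all of them, and what a relying party is left with when the delta's issuer posts no corresponding base. The toy records, CA names and serial numbers are constructed; applying the direct-delta BaseCRLNumber rule to each issuer of an indirect delta is this example's own assumption, chosen to show why a single BaseCRLNumber does not fit independently numbered bases (Carlin's point).

```python
from dataclasses import dataclass, field
# Toy CRL records (constructed for this example; no ASN.1 involved).
@dataclass
class BaseCRL:
    issuer: str                                  # CA that issued this base CRL
    crl_number: int                              # CRLNumber extension
    revoked: dict = field(default_factory=dict)  # serial -> reason

@dataclass
class DeltaCRL:
    crl_issuer: str        # CA that issued the delta itself
    crl_number: int        # CRLNumber of the delta
    base_crl_number: int   # Delta CRL Indicator (BaseCRLNumber)
    # (certificate issuer, serial, reason); the issuer field models the
    # certificateIssuer entry extension that makes a delta "indirect".
    entries: list = field(default_factory=list)

def apply_delta(cache, delta):
    """Merge a delta into cached bases, one base per certificate issuer.

    Returns (revoked_by_issuer, unusable_issuers). An entry is unusable when
    no cached base exists for its issuer or that base is older than the
    delta's BaseCRLNumber (direct-delta rule, assumed here per issuer).
    """
    revoked = {name: dict(base.revoked) for name, base in cache.items()}
    unusable = set()
    for cert_issuer, serial, reason in delta.entries:
        base = cache.get(cert_issuer)
        if base is None or base.crl_number < delta.base_crl_number:
            unusable.add(cert_issuer)   # delta posted, but no usable base
            continue
        if reason == "removeFromCRL":
            revoked[cert_issuer].pop(serial, None)  # back in good standing
        else:
            revoked[cert_issuer][serial] = reason
    return revoked, unusable

def demo():
    # Two CAs of one organisation, each with its own cached base CRL.
    cache = {
        "CA-Europe": BaseCRL("CA-Europe", 40, {1001: "cessationOfOperation"}),
        "CA-Asia": BaseCRL("CA-Asia", 7),
    }
    # Org-wide keyCompromise-only delta from a CA that posts no base for the others.
    delta = DeltaCRL("CA-HQ", 41, 40, [
        ("CA-Europe", 1002, "keyCompromise"),
        ("CA-Asia", 55, "keyCompromise"),      # base 7 < 40: cannot combine
        ("CA-Americas", 9, "keyCompromise"),   # no cached base at all
    ])
    return apply_delta(cache, delta)
```

Only CA-Europe's notice can be consumed; the other two issuers end up in the unusable set, which is the gap a relying party faces when a delta arrives with no base it can be combined with.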