RE: Dedicated CRL signing keys

["Trevor Freeman" <trevorf@xxxxxxxxxxxxxxxxxxxxx>]

I prefer the statement as is. Changing the may to a should does not get
the CAs off the hook. A CA has to make a decision as to what
expectations it has for the certificate consuming population of clients
it suports. A should is not a must, so this means that conformant
clients are not mandated to support CRLs signed with different keys.
Vendors thinking of implementing X.509 technology in constrained devices
will start looking at alternatives if the bar is set to high for
conformant client.

Trevor
-----Original Message-----
From: David P. Kemp [mailto:dpkemp@xxxxxxxxxxxxxx] 
Sent: Monday, April 30, 2001 8:53 AM
To: ietf-pkix@xxxxxxx
Subject: Re: Dedicated CRL signing keys

If certificate-using applications MAY handle CRLs signed by a different
key
than the certificates, then CAs have no real ability to exercise that
option.

I believe:

Certificate-using applications SHOULD handle CRLs signed by a different
key
than the certificates.

Dave



"Housley, Russ" wrote:
> Yes.  So, I guess we agree.
> 
> At 04:47 PM 4/26/2001 -0400, Santosh Chokhani wrote:
> > Russ: Will a CA that signs the certificates and CRLs using different
keys,
> > but same Issuer DN be considered compliant?  If yes, then we agree.
> >
> > From: Housley, Russ [mailto:rhousley@xxxxxxxxxxxxxxx]
> > > Certificate-using applications must be able to handle certificates
and CRLs
> > > signed by the same key.  Certificate-using applications may handle
CRLs
> > > signed by a different key than the certificates.
> > >
> > > If you agree with this position, then we agree.
> > >
> > > Russ