
Re: keyCertSign and cRLSign Key Usage Bits



Russ,

In a reply to Santosh (April 24), you said:

> The IDP syntax is:
> 
>     issuingDistributionPoint ::= SEQUENCE {
>          distributionPoint       [0] DistributionPointName OPTIONAL,
>          onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
>          onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
>          onlySomeReasons         [3] ReasonFlags OPTIONAL,
>          indirectCRL             [4] BOOLEAN DEFAULT FALSE }
> 
> I was simply suggesting that this extension be present if the CRL is signed
> with a key other than the one used to sign the certificate.  

The current text says (in section 5.2.5):

" 5.2.5  Issuing Distribution Point

   The issuing distribution point is a critical CRL extension that
   identifies the CRL distribution point for a particular CRL, and it
   indicates whether the CRL covers revocation for end entity
   certificates only, CA certificates only, or a limited set of reason
   codes.  Although the extension is critical, conforming
   implementations are not required to support this extension.

   The CRL is signed using the CA's private key."

I would guess that the last sentence would thus need to be changed. So would
you have a text proposal to fix it?

Regards,

Denis


> I would expect
> the distributionPoint field to be present (probably with a URL
> (ldap://...)).  The boolean flags would be set based on the contents of the
> CRL (probably all FALSE).  The reason codes would also be set based on the
> contents of the CRL (probably absent).
 
> Russ
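The IDP syntax quoted above, and Russ's expectation that a CRL issued by a separate key would carry a distributionPoint URL with all the BOOLEAN flags FALSE, can be made concrete with a DER encoder and decoder for the extension. The example below is added here; it is not code from the thread, from RFC 2459/5280 or from any PKIX implementation. It assumes the tagging of the PKIX ASN.1 module (IMPLICIT TAGS, with [0] distributionPoint EXPLICIT because DistributionPointName is a CHOICE), supports only the fullName/uniformResourceIdentifier form of DistributionPointName, and uses a constructed LDAP URL under example.com rather than any real directory. The point it makes beyond the text: under DER a BOOLEAN equal to its DEFAULT must be omitted, so the "all FALSE" case Russ describes is an IDP containing nothing but the distribution point name, and a strict decoder should reject an explicitly encoded FALSE.

```python
"""Added example: DER encoding and decoding of the issuingDistributionPoint
CRL extension (section 5.2.5), standard library only.

Tagging follows the PKIX module (IMPLICIT TAGS): [0] distributionPoint is
EXPLICIT because DistributionPointName is a CHOICE; fullName [0] and the
uniformResourceIdentifier [6] GeneralName are IMPLICIT. DER requires that a
BOOLEAN equal to its DEFAULT be omitted, so an all-FALSE IDP carries no flags.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

TAG_BOOLEAN, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x04, 0x06, 0x30
OID_ID_CE_IDP = "2.5.29.28"  # id-ce-issuingDistributionPoint


def _ctx(number: int, constructed: bool) -> int:
    """Context-specific tag byte for [number]."""
    return 0x80 | (0x20 if constructed else 0x00) | number


def _len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _len(len(content)) + content


def _read_tlv(data: bytes, pos: int):
    """Return (tag, content, next_pos); rejects non-minimal DER lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
        if length < 0x80 or n != (length.bit_length() + 7) // 8:
            raise ValueError("non-minimal length encoding")
    if pos + length > len(data):
        raise ValueError("truncated element")
    return tag, data[pos:pos + length], pos + length


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


@dataclass
class IssuingDistributionPoint:
    uris: List[str] = field(default_factory=list)  # fullName, URI GeneralNames only
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False
    only_some_reasons: Optional[Set[int]] = None  # ReasonFlags bit numbers
    indirect_crl: bool = False


def _encode_reason_flags(bits: Set[int]) -> bytes:
    """Named BIT STRING: DER drops trailing zero bits, so length = highest bit + 1."""
    if not bits:
        return b"\x00"
    highest = max(bits)
    buf = bytearray(highest // 8 + 1)
    for b in bits:
        buf[b // 8] |= 0x80 >> (b % 8)
    return bytes([7 - highest % 8]) + bytes(buf)


def _decode_reason_flags(val: bytes) -> Set[int]:
    nbits = 8 * (len(val) - 1) - val[0]  # first byte = number of unused bits
    return {i for i in range(nbits) if val[1 + i // 8] & (0x80 >> (i % 8))}


def encode_idp(idp: IssuingDistributionPoint) -> bytes:
    parts = b""
    if idp.uris:
        names = b"".join(_tlv(_ctx(6, False), u.encode("ascii")) for u in idp.uris)
        full_name = _tlv(_ctx(0, True), names)   # fullName [0] IMPLICIT GeneralNames
        parts += _tlv(_ctx(0, True), full_name)  # distributionPoint [0] EXPLICIT (CHOICE)
    if idp.only_contains_user_certs:
        parts += _tlv(_ctx(1, False), b"\xff")   # DEFAULT FALSE: present only when TRUE
    if idp.only_contains_ca_certs:
        parts += _tlv(_ctx(2, False), b"\xff")
    if idp.only_some_reasons:
        parts += _tlv(_ctx(3, False), _encode_reason_flags(idp.only_some_reasons))
    if idp.indirect_crl:
        parts += _tlv(_ctx(4, False), b"\xff")
    return _tlv(TAG_SEQUENCE, parts)


def encode_idp_extension(idp: IssuingDistributionPoint) -> bytes:
    """Extension { extnID, critical TRUE, extnValue }, critical as 5.2.5 requires."""
    inner = (_oid(OID_ID_CE_IDP) + _tlv(TAG_BOOLEAN, b"\xff")
             + _tlv(TAG_OCTET_STRING, encode_idp(idp)))
    return _tlv(TAG_SEQUENCE, inner)


def decode_idp(der: bytes) -> IssuingDistributionPoint:
    """Strict decoder: out-of-order components and an encoded FALSE are rejected."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    idp, pos, last = IssuingDistributionPoint(), 0, -1
    flag_names = {1: "only_contains_user_certs", 2: "only_contains_ca_certs", 4: "indirect_crl"}
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        num = tag & 0x1F
        if num <= last:
            raise ValueError("components out of order or repeated")
        last = num
        if num == 0:
            choice, names, used = _read_tlv(val, 0)
            if choice != _ctx(0, True) or used != len(val):
                raise ValueError("only fullName is supported here")
            p = 0
            while p < len(names):
                t, v, p = _read_tlv(names, p)
                if t != _ctx(6, False):
                    raise ValueError("only URI GeneralNames are supported here")
                idp.uris.append(v.decode("ascii"))
        elif num in flag_names:
            if val != b"\xff":
                raise ValueError("BOOLEAN must be 0xFF; FALSE must be omitted under DER")
            setattr(idp, flag_names[num], True)
        elif num == 3:
            idp.only_some_reasons = _decode_reason_flags(val)
        else:
            raise ValueError(f"unknown component [{num}]")
    return idp


def is_valid_idp(der: bytes) -> bool:
    try:
        decode_idp(der)
        return True
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    # Constructed example values; the URL is not a real directory.
    idp = IssuingDistributionPoint(uris=["ldap://crl.example.com/"], indirect_crl=True)
    print(encode_idp_extension(idp).hex())
    print(decode_idp(encode_idp(idp)))
```

Encoding the case Russ describes (a URL, flags all FALSE, no reason codes) yields a SEQUENCE whose only component is the [0] distribution point; the 0x31-byte bit strings and the [1], [2] and [4] BOOLEANs never appear on the wire. The decoder enforces that, so a CRL whose IDP carries an explicit `84 01 00` is flagged as not DER rather than silently accepted.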