Russ,
In a reply to Santosh (April 24), you said:
> The IDP syntax is:
>
> issuingDistributionPoint ::= SEQUENCE {
>     distributionPoint     [0] DistributionPointName OPTIONAL,
>     onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
>     onlyContainsCACerts   [2] BOOLEAN DEFAULT FALSE,
>     onlySomeReasons       [3] ReasonFlags OPTIONAL,
>     indirectCRL           [4] BOOLEAN DEFAULT FALSE }
>
> I was simply suggesting that this extension be present if the CRL is signed
> with a key other than the one used to sign the certificate.
The current text says (in section 5.2.5):
" 5.2.5 Issuing Distribution Point
The issuing distribution point is a critical CRL extension that identifies the CRL distribution point for a particular CRL, and it indicates whether the CRL covers revocation for end entity certificates only, CA certificates only, or a limited set of reason codes. Although the extension is critical, conforming implementations are not required to support this extension.
The CRL is signed using the CA's private key."
I would guess that the last sentence would thus need to be changed. So would you have a text proposal to fix it?
Regards,
Denis
> I would expect
> the distributionPoint field to be present (probably with a URL
> (ldap://...)). The boolean flags would be set based on the contents of the
> CRL (probably all FALSE). The reason codes would also be set based on the
> contents of the CRL (probably absent).
>
> Russ
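The following is an added worked example, not code from either message or from any PKIX implementation. It encodes and decodes the issuingDistributionPoint SEQUENCE exactly as quoted above (the five-field form), using a small hand-written DER encoder so it runs with the Python standard library alone. It assumes the PKIX module convention of IMPLICIT tags, with the [0] on the CHOICE DistributionPointName therefore behaving as an explicit tag, and only the fullName/uniformResourceIdentifier form of the name is supported. The ldap:// URL is a constructed sample. The encoder applies the DER rule that a BOOLEAN equal to its DEFAULT is omitted, and the decoder rejects an explicitly encoded FALSE, which is the check a CRL validator would want when it relies on indirectCRL to decide whether the CRL signer may differ from the certificate issuer.

```python
"""Minimal DER encode/decode of the issuingDistributionPoint CRL extension
as quoted in the thread (five fields, IMPLICIT tags). Example code only."""

# ReasonFlags named bits in the order used by PKIX (bit 0 = unused)
REASON_NAMES = ["unused", "keyCompromise", "cACompromise", "affiliationChanged",
                "superseded", "cessationOfOperation", "certificateHold",
                "privilegeWithdrawn", "aACompromise"]

TAG_TO_BOOL = {0x81: "onlyContainsUserCerts",   # [1] IMPLICIT BOOLEAN
               0x82: "onlyContainsCACerts",     # [2] IMPLICIT BOOLEAN
               0x84: "indirectCRL"}             # [4] IMPLICIT BOOLEAN


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _reason_bits(reasons) -> bytes:
    """DER named-bit BIT STRING: trailing zero bits are removed."""
    bits = [0] * len(REASON_NAMES)
    for r in reasons:
        bits[REASON_NAMES.index(r)] = 1
    while bits and bits[-1] == 0:
        bits.pop()
    if not bits:
        return b"\x00"
    nbytes = (len(bits) + 7) // 8
    value = 0
    for i, b in enumerate(bits):
        value |= b << (nbytes * 8 - 1 - i)
    unused = nbytes * 8 - len(bits)
    return bytes([unused]) + value.to_bytes(nbytes, "big")


def encode_idp(uri=None, only_user_certs=False, only_ca_certs=False,
               only_some_reasons=None, indirect_crl=False) -> bytes:
    parts = b""
    if uri is not None:
        gn = _tlv(0x86, uri.encode("ascii"))   # uniformResourceIdentifier [6] IA5String
        full_name = _tlv(0xA0, gn)             # fullName [0] IMPLICIT GeneralNames
        parts += _tlv(0xA0, full_name)         # distributionPoint [0] (explicit: CHOICE)
    if only_user_certs:
        parts += _tlv(0x81, b"\xff")           # DEFAULT FALSE values are omitted in DER
    if only_ca_certs:
        parts += _tlv(0x82, b"\xff")
    if only_some_reasons:
        parts += _tlv(0x83, _reason_bits(only_some_reasons))  # [3] IMPLICIT BIT STRING
    if indirect_crl:
        parts += _tlv(0x84, b"\xff")
    return _tlv(0x30, parts)                   # SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_idp(der: bytes) -> dict:
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extension value is not a single SEQUENCE")
    out = {"distributionPoint": None, "onlyContainsUserCerts": False,
           "onlyContainsCACerts": False, "onlySomeReasons": None, "indirectCRL": False}
    pos = 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0xA0:                        # distributionPoint, fullName form only
            inner_tag, names, _ = _read_tlv(content, 0)
            if inner_tag != 0xA0:
                raise ValueError("only fullName DistributionPointName is supported here")
            uris, p = [], 0
            while p < len(names):
                t, c, p = _read_tlv(names, p)
                if t == 0x86:
                    uris.append(c.decode("ascii"))
            out["distributionPoint"] = uris
        elif tag in TAG_TO_BOOL:
            if content == b"\x00":
                raise ValueError("DER forbids encoding a BOOLEAN equal to its DEFAULT")
            if content != b"\xff":
                raise ValueError("malformed BOOLEAN")
            out[TAG_TO_BOOL[tag]] = True
        elif tag == 0x83:                      # onlySomeReasons
            unused = content[0]
            nbits = (len(content) - 1) * 8 - unused
            value = int.from_bytes(content[1:], "big") >> unused
            out["onlySomeReasons"] = [REASON_NAMES[i] for i in range(nbits)
                                      if (value >> (nbits - 1 - i)) & 1]
        else:
            raise ValueError(f"unexpected tag {tag:#x} in issuingDistributionPoint")
    return out


if __name__ == "__main__":
    # Constructed sample: DP present as an LDAP URL, CRL signed by a key other
    # than the certificate issuer's, so indirectCRL is TRUE and the rest default.
    der = encode_idp(uri="ldap://crl.example.test/cn=crl1", indirect_crl=True)
    print(der.hex())
    print(decode_idp(der))
```

The decoded dictionary for the sample is the configuration Russ describes: distributionPoint present with the URL, the three booleans at their defaults except indirectCRL, and onlySomeReasons absent.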