Denis:
I fail to see the contradiction between the two sentences.
Please note that critical deltaCRLIndicator extension is different from what the two sentences refer to.
-----Original Message-----
From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx]
Sent: Friday, June 01, 2001 12:33 PM
To: Tim Polk
Cc: ietf-pkix@xxxxxxx
Subject: Re: draft delta crl text
Tim,
> Folks,
> Russ Housley, David Cooper, and I have tried to draft what we hope *will
> become* consensus text for the delta CRL and CRL number text. We believe
> that the attached text clarifies (1) the requirements for "conforming
> applications that support CRLs", (2) the CRL issuer's responsibilities when
> including the delta CRL indicator and CRL number extensions, (3) the
> algorithm followed by a CRL issuer when determining what certificates
> should be listed on a delta CRL, and (4) the algorithm followed by an
> application when determining whether a complete CRL and a delta CRL may be
> combined.
> To do this we have introduced a number of changes, beginning in section
> 3. In section 3, we introduce the "CRL issuer" in an enhanced version of
> the ASCII art model of a pKI (figure 1.) In section 5, we define several
> more terms including CRL scope, base CRL, delta CRL and complete CRL. All
> this was necessary to set the stage for the CRL number extension and delta
> CRL indicator extension text.
> Please read these excerpts carefully. We believe that the text is flexible
> enough to support reasonable implementations of delta CRLs, does not unduly
> burden clients that wish to support deltas, and is consistent with
> X.509. When you read this please ask yourself if you can *live* with it.
I browsed through it and I still have a MAJOR problem with the CRL numbering.
The two following sentences are contradictory:
    The CRL number is a non-critical CRL extension which conveys a
    monotonically increasing sequence number for a given CRL scope and
    CRL issuer.
I agree with the above sentence.
    If a delta CRL and a complete CRL that cover the
    same scope are issued at the same time, they MUST have the same CRL
    number.
This contradicts the first sentence.
======================================================================
I do have problems with MANY other sentences, like:
    If a CRL issuer generates delta CRLs in addition to complete CRLs for
    a given scope, the complete CRLs and delta CRLs MUST share one
    numbering sequence.
What does "the same numbering sequence" mean? This sentence is useless and
should be deleted.
    This extension allows users to easily determine when a
    particular CRL supersedes another CRL.
This is not true. Since complete CRLs and delta CRLs share the same
numbering space, they cannot be compared. This sentence should be deleted.
======================================================================
    The combination of a CRL containing the delta CRL indicator
    extension plus the CRL referenced in the BaseCRLNumber component
    of this extension is equivalent to a complete CRL, for the
    applicable scope, at the time of publication of the delta CRL.
The right wording should be:
    The combination of a delta CRL (containing the delta CRL indicator
    extension) plus the CRL referenced in the BaseCRLNumber component
    of this extension is equivalent to a complete CRL, for the
    applicable scope, that is valid between thisUpdate and nextUpdate
    from the delta CRL.
======================================================================
    An application that supports delta CRLs can construct a CRL that is
    complete for a given scope, at the current time, in either of the
    following ways:
       (a) by retrieving the current delta CRL for that scope, and
       combining it with an issued CRL that is complete for that scope
       and that has a cRLNumber greater than or equal to the base CRL
       number referenced in the current delta CRL; or
       (b) by retrieving the current delta CRL for that scope and
       combining it with a locally constructed CRL whose cRLNumber is
       greater than or equal to the base CRL number referenced in the
       current delta CRL.
The right wording should be:
    An application that supports delta CRLs can construct a CRL that is
    complete for a given scope, at a given time T, in either of the
    following ways:
       (a) by retrieving a delta CRL for that scope where the time T
       is between thisUpdate and nextUpdate, and combining it with a CRL
       that is complete for that scope and that has a cRLNumber equal to
       or greater than the base CRL number referenced in the current
       delta CRL; or
       (b) by retrieving a delta CRL for that scope where the time T
       is between thisUpdate and nextUpdate and combining it with a
       locally constructed CRL that has a content equivalent to a
       full CRL that would have a cRLNumber equal to or greater than
       the base CRL number referenced in the current delta CRL.
======================================================================
    When a delta CRL is combined with a complete CRL or a locally
    constructed CRL, the resulting locally constructed CRL has the CRL
    number specified in the CRL number extension found in the delta CRL
    used in its construction.
The right wording should be:
    When a delta CRL is combined with a complete CRL or a locally
    constructed CRL, "The resulting locally constructed CRL is equivalent
    to a complete CRL that would have thisUpdate and nextUpdate respectively
    equal to thisUpdate and nextUpdate from the delta CRL."
======================================================================
In this way, all the issues about CRL numbering vanish.
Since a conference call is now scheduled on Tuesday, with Tim, David and
myself, I hope that we will be able to agree on the text changes
proposed above.
Note 1: I am lacking time to check the text about the onHold issue, but this
is far less critical.
Note 2: Next Monday is a holiday in my country. :-)
Regards,
Denis
> The attachment contains the following excerpts: Figure 1 from section 3,
> section 5 (the intro to CRLs), section 5.2.3 (CRL number extension) and
> 5.2.4 (delta CRL indicator extension). Please ignore the blank spaces; I
> was trying to remove anything irrelevant to this discussion.
>
> Thanks,
>
> Tim Polk
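The combination rule the thread argues over, as an added example that is not part of the mail thread or of the draft text it quotes. It models only the CRL fields the rule depends on (issuer, scope, cRLNumber, thisUpdate/nextUpdate, the revoked entries and the BaseCRLNumber from the delta CRL indicator), applies the draft's check that the base's cRLNumber is at least the delta's BaseCRLNumber, and additionally applies the time-window check from the proposed rewording (the delta must cover the time T of interest). The `removeFromCRL` reason handling comes from the published PKIX profile rather than from the excerpts on this page; the `CRL` class, the function names and all sample CRLs are constructed for this example.

```python
# Added example (not from the PKIX draft or the mail thread): a model of the
# delta CRL combination rule and the checks an application makes before
# trusting a locally constructed CRL.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# Reason code 8 in the published PKIX profile (RFC 3280/5280); it is only used
# on delta CRLs and tells the application to drop that entry from the base.
REMOVE_FROM_CRL = "removeFromCRL"


@dataclass
class CRL:
    """Minimal stand-in for the CRL fields the combination rule depends on."""
    issuer: str
    scope: str                      # e.g. a distribution point name
    crl_number: int                 # cRLNumber extension
    this_update: datetime
    next_update: datetime
    entries: Dict[int, str] = field(default_factory=dict)   # serial -> reason
    base_crl_number: Optional[int] = None   # BaseCRLNumber of the delta CRL indicator

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


def check_combinable(base: CRL, delta: CRL, at_time: datetime) -> Optional[str]:
    """Return None if base + delta yields a CRL complete at `at_time`,
    otherwise a string naming the check that failed."""
    if not delta.is_delta:
        return "second CRL carries no delta CRL indicator"
    if base.is_delta:
        return "base must be a complete or locally constructed CRL"
    if (base.issuer, base.scope) != (delta.issuer, delta.scope):
        return "CRL issuer or scope differs"
    # The draft's rule: the base's cRLNumber must be >= the delta's BaseCRLNumber.
    if base.crl_number < delta.base_crl_number:
        return "base cRLNumber %d is below BaseCRLNumber %d" % (
            base.crl_number, delta.base_crl_number)
    # The proposed rewording: the delta must cover the time T the caller cares about.
    if not (delta.this_update <= at_time < delta.next_update):
        return "delta CRL does not cover the requested time"
    return None


def combine(base: CRL, delta: CRL, at_time: datetime) -> CRL:
    """Locally construct a complete CRL from a base CRL and a delta CRL."""
    problem = check_combinable(base, delta, at_time)
    if problem is not None:
        raise ValueError(problem)
    entries = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            entries.pop(serial, None)     # e.g. a certificate released from hold
        else:
            entries[serial] = reason      # new revocation, or an updated reason
    # The constructed CRL takes the delta's number and validity window, so it can
    # itself serve as the base for a later delta (way (b) in the draft).
    return CRL(delta.issuer, delta.scope, delta.crl_number,
               delta.this_update, delta.next_update, entries)


# Constructed sample data: one issuer, one scope, hourly deltas.
T0 = datetime(2001, 6, 1, 12, 0)
H = timedelta(hours=1)
ISSUER, SCOPE = "CN=Example CRL Issuer", "all-certs"

COMPLETE_9 = CRL(ISSUER, SCOPE, 9, T0 - 48 * H, T0 - 24 * H, {0x10: "keyCompromise"})
COMPLETE_10 = CRL(ISSUER, SCOPE, 10, T0 - 24 * H, T0,
                  {0x10: "keyCompromise", 0x15: "certificateHold"})
# Delta 11: since base 10, serial 0x22 was revoked and 0x15 released from hold.
DELTA_11 = CRL(ISSUER, SCOPE, 11, T0, T0 + H,
               {0x22: "keyCompromise", 0x15: REMOVE_FROM_CRL}, base_crl_number=10)
# Delta 12 is cumulative since the same base, so it repeats delta 11's changes.
DELTA_12 = CRL(ISSUER, SCOPE, 12, T0 + H, T0 + 2 * H,
               {0x22: "keyCompromise", 0x15: REMOVE_FROM_CRL, 0x23: "superseded"},
               base_crl_number=10)


def demo():
    """Both construction paths from the draft, plus one rejected combination."""
    t1 = T0 + timedelta(minutes=30)
    t2 = T0 + timedelta(minutes=90)
    local_11 = combine(COMPLETE_10, DELTA_11, t1)   # way (a): issued complete CRL as base
    local_12 = combine(local_11, DELTA_12, t2)      # way (b): locally constructed CRL as base
    rejected = check_combinable(COMPLETE_9, DELTA_11, t1)  # base 9 < BaseCRLNumber 10
    return local_11, local_12, rejected


if __name__ == "__main__":
    for crl in demo()[:2]:
        print(crl.crl_number, sorted(hex(s) for s in crl.entries))
    print(demo()[2])
```

The walk-through shows why the draft gives the locally constructed CRL the delta's cRLNumber: without it, the constructed CRL of number 11 could not pass the BaseCRLNumber check when the next delta arrives. Because a delta lists everything changed since its base, applying it to a base that is already ahead of BaseCRLNumber is harmless, which is what makes the "greater than or equal" rule safe.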