Re: CRLs doubts...
Aslam:
I have some doubts:
1. Like we have a "cert serial no and issuer name" to uniquely identify a
certificate, do we have such a thing for a CRL also?
2. If the CRL Distribution Point extension has two URIs in it, do they refer
to the same CRL, or do they point to different CRLs with different scope?
3. In order to make a CRL cache work, what can be the primary key to
get a CRL blob from the cache just by having the certificate for which the
revocation info has to be obtained?
Tim Polk and I took a few minutes to discuss this message, and we both
believe that the answers could be much more clear in the document, but with
a bit of thought, they are there. Tim is going to try and add some clarity
before the next version is released.
I believe that the CRLDistributionPoints syntax holds the answers. As a
reminder, here is the relevant fragment:
   CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

   DistributionPoint ::= SEQUENCE {
        distributionPoint       [0]     DistributionPointName OPTIONAL,
        reasons                 [1]     ReasonFlags OPTIONAL,
        cRLIssuer               [2]     GeneralNames OPTIONAL }

   DistributionPointName ::= CHOICE {
        fullName                [0]     GeneralNames,
        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }

   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

   GeneralName ::= CHOICE {
        otherName                       [0]     OtherName,
        rfc822Name                      [1]     IA5String,
        dNSName                         [2]     IA5String,
        x400Address                     [3]     ORAddress,
        directoryName                   [4]     Name,
        ediPartyName                    [5]     EDIPartyName,
        uniformResourceIdentifier       [6]     IA5String,
        iPAddress                       [7]     OCTET STRING,
        registeredID                    [8]     OBJECT IDENTIFIER }
The extension contains a SEQUENCE of distribution points, one for each CRL
scope. If a CA wants a particular CRL to be available by more than one
means, then each location is provided in the
DistributionPointName.fullName. Note that this is a SEQUENCE of
GeneralName, so more than one entry is easily accommodated.
This leads me to the conclusion the Distribution Point Name identifies the
CRL scope.
Russ
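The structure Russ describes, worked through in code as an added example (not part of the thread and not anyone's production implementation): a minimal DER encoder/decoder for the CRLDistributionPoints fragment above, used to build a constructed extension with two DistributionPoints (the first reachable by two URIs, the second a separate scope) and to derive a cache key per distribution point. The key follows the conclusion in the message, "issuer plus the DistributionPointName identifies the CRL scope", so two URIs inside one DP map to one cache entry while a second DP gets its own. The URIs and issuer name are constructed sample values; the example handles only the fullName/URI form, ignores the reasons field, and assumes cRLIssuer is absent so the certificate issuer is the CRL issuer.

```python
import hashlib

# ---- minimal DER helpers (written for this example, not a general ASN.1 library) ----
SEQUENCE = 0x30

def ctx_cons(n):
    """Context-specific, constructed tag [n]."""
    return 0xA0 | n

def ctx_prim(n):
    """Context-specific, primitive tag [n]."""
    return 0x80 | n

def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def read_all(buf):
    """Split a constructed value into its list of (tag, value) children."""
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

# ---- encoder for the CRLDistributionPoints shape quoted in the message ----
def uri_general_name(uri):
    # GeneralName CHOICE alternative uniformResourceIdentifier [6] IA5String (implicit tag)
    return tlv(ctx_prim(6), uri.encode("ascii"))

def distribution_point(uris):
    # DistributionPointName CHOICE alternative fullName [0] GeneralNames (implicit over SEQUENCE OF)
    full_name = tlv(ctx_cons(0), b"".join(uri_general_name(u) for u in uris))
    # distributionPoint [0] wraps a CHOICE, so the tag is explicit: [0] { [0] { ... } }
    return tlv(SEQUENCE, tlv(ctx_cons(0), full_name))

def crl_distribution_points(dps):
    return tlv(SEQUENCE, b"".join(distribution_point(u) for u in dps))

# ---- decoder: one list of URIs per DistributionPoint ----
def parse_crl_distribution_points(ext_der):
    tag, body, _ = read_tlv(ext_der, 0)
    if tag != SEQUENCE:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    result = []
    for dp_tag, dp_body in read_all(body):
        if dp_tag != SEQUENCE:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        uris = []
        for f_tag, f_body in read_all(dp_body):
            if f_tag == ctx_cons(0):                      # distributionPoint (explicit [0])
                name_tag, name_body, _ = read_tlv(f_body, 0)
                if name_tag == ctx_cons(0):               # fullName: GeneralNames
                    for g_tag, g_body in read_all(name_body):
                        if g_tag == ctx_prim(6):          # uniformResourceIdentifier
                            uris.append(g_body.decode("ascii"))
            # reasons [1] and cRLIssuer [2] are not examined in this example
        result.append(uris)
    return result

def crl_cache_keys(issuer_dn, ext_der):
    """One (key, uris) pair per DistributionPoint: key = H(issuer || DP name).

    All URIs within one DistributionPoint fetch the same CRL, so they share a
    key; each DistributionPoint is its own scope and gets its own key.
    """
    keys = []
    for uris in parse_crl_distribution_points(ext_der):
        dp_name = "|".join(sorted(uris))              # canonical form of the fullName set
        key = hashlib.sha256((issuer_dn + "\n" + dp_name).encode("utf-8")).hexdigest()
        keys.append((key, uris))
    return keys

# Constructed sample: two distribution points, the first available by two means.
HTTP_URI = "http://crl.example.test/ca.crl"
LDAP_URI = "ldap://ldap.example.test/cn=ca?certificateRevocationList"
OTHER_URI = "http://crl.example.test/ca-partitioned.crl"
SAMPLE_EXT = crl_distribution_points([[HTTP_URI, LDAP_URI], [OTHER_URI]])

if __name__ == "__main__":
    for key, uris in crl_cache_keys("CN=Example CA", SAMPLE_EXT):
        print(key[:16], uris)
```

Running the block prints two cache keys: the HTTP and LDAP locations of the first distribution point collapse to a single entry, and the second distribution point yields a different key, which is the behaviour the message's reading of the syntax implies.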