Peter,

Several comments regarding your new draft.

1. Within the section 2.2 examples, the difference between the fetch of the CA certificate and the fetch of the CRL is only the URI base. You might want to note this difference in the examples just to clarify.

2. The latest son of 2459 specifies a SubjectInfoAccess (SIA) extension, which would be another appropriate certificate extension for also encoding the certificate retrieval URI as discussed in 2.2. I believe that going forward this should be the primary means used to access the certificates.

3. I don't understand why the CRLDP extension could not be leveraged to support the URI-based queries you describe in your draft. To me this seems like the logical location to place the CRL query URI. It would seem that using the AIA extension to get the authority certificate, the SIA extension to get the subject extension, and then CRLDP to get the CRLs would be the best overall approach. If the certificate doesn't populate the SIA, then the client should utilize the AIA extension to query for the subject's certificate. I still believe the CRLDP should be used for CRL retrieval. Unless you are also thinking of additionally supporting the concept of allowing queries for a CRL from a particular CA with an added parameter of asofDATE/TIME, which could be a useful way of obtaining archived CRLs for use in attempting to validate signed data etc.

cheers
RFW
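The retrieval precedence proposed in comment 3 (SIA for the subject's certificate, AIA caIssuers as the fallback when SIA is absent, CRLDP for the CRL), as an added Go example that is neither the draft's nor this message's own code. It assumes Go's crypto/x509, which parses AIA and CRLDP but leaves SIA as a raw extension (the SIA and id-ad-caRepository OIDs are the RFC 3280/5280 values); the ca.example URIs and the self-signed certificate are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
)

// RFC 5280 AccessDescription (AIA and SIA are both SEQUENCE OF it); a URI GeneralName is [6] IA5String.
type accessDescription struct {
	Method   asn1.ObjectIdentifier
	Location asn1.RawValue
}
var oidSIA, oidCARepository = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11}, asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 5}
// PlanRetrieval applies the precedence proposed above: SIA for the subject's certificate,
// AIA caIssuers (already parsed by crypto/x509) as the fallback, and CRLDP for the CRL.
func PlanRetrieval(cert *x509.Certificate) (certURIs, crlURIs []string) {
	for _, ext := range cert.Extensions { // crypto/x509 leaves SIA raw, so decode it here
		if !ext.Id.Equal(oidSIA) {
			continue
		}
		var ads []accessDescription
		if rest, err := asn1.Unmarshal(ext.Value, &ads); err != nil || len(rest) != 0 {
			break // malformed SIA: treat as absent rather than acting on partial data
		}
		for _, ad := range ads {
			if ad.Location.Class == asn1.ClassContextSpecific && ad.Location.Tag == 6 {
				certURIs = append(certURIs, string(ad.Location.Bytes))
			}
		}
	}
	if len(certURIs) == 0 {
		certURIs = cert.IssuingCertificateURL
	}
	return certURIs, cert.CRLDistributionPoints
}
// DemoCert builds a constructed self-signed certificate with placeholder AIA and CRLDP
// URIs, plus an SIA caRepository entry when withSIA is true.
func DemoCert(withSIA bool) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		IssuingCertificateURL: []string{"http://ca.example/aia/ca.cer"},
		CRLDistributionPoints: []string{"http://ca.example/crl/ca.crl"}}
	if withSIA {
		der, _ := asn1.Marshal([]accessDescription{{oidCARepository, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte("http://ca.example/sia/ee.cer")}}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSIA, Value: der}}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return x509.ParseCertificate(der)
}
```

A relying party that fetches over plain HTTP from these URIs must still verify the retrieved certificate or CRL against the trust anchor, since the URI itself carries no integrity.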