about Intermediate CA CRLs
Should an Intermediate CA Certificate include the CRL Distribution Point
Extension?
One might want to revoke an Intermediate CA Certificate if there's a key
compromise, therefore publishing a CRL, but that would be completely useless
if no one's checking it, so my first answer to my own question would be YES.
Then I wonder how this can be done, as the Root CA key should be off-line,
as recommended.
I've noticed that only a few Intermediate CA Certificates include a CRL
Distribution Point, and those CRLs are valid for several months. So I imagine
that issuing such a CRL must be a manual (i.e., not automated) process, done
only when there is the urge to revoke the Intermediate CA Certificate.
Any thoughts?
Again,
Should an Intermediate CA Certificate include the CRL Distribution Point
Extension?
and how can this be done?
Enrique Velasco
Acepta.com
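
The arrangement the message describes (a root key that signs an intermediate carrying a CRL Distribution Point, then hand-issues a CRL valid for months) can be reproduced with the `openssl` CLI. This is an added example, not part of the original message; the CA names, the URL and the 180-day CRL lifetime are assumptions.

```shell
# Constructed demo PKI: every name, URL and lifetime here is an assumption.
CDP_URL="http://crl.example.test/root.crl"; CRL_DAYS=180
build_demo_pki() {   # $1 = empty working directory
  d=$1; : > "$d/index.txt"; echo 01 > "$d/crlnumber"
  cat > "$d/root.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_root
[ dn ]
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_intermediate ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
crlDistributionPoints = URI:$CDP_URL
[ ca ]
default_ca = root_ca
[ root_ca ]
database = $d/index.txt
crlnumber = $d/crlnumber
certificate = $d/root.crt
private_key = $d/root.key
default_md = sha256
default_crl_days = $CRL_DAYS
EOF
  openssl req -x509 -config "$d/root.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -new -config "$d/root.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  # Root signs the intermediate; the CDP URL is fixed in the certificate here.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -set_serial 2 \
    -days 1825 -extfile "$d/root.cnf" -extensions v3_intermediate -out "$d/int.crt" 2>/dev/null
  # The manual step: the root key signs an (empty) CRL valid for CRL_DAYS.
  openssl ca -config "$d/root.cnf" -gencrl -out "$d/root.crl" 2>/dev/null
}
cdp_uris() {         # $1 = certificate; prints its CDP URIs, nothing if absent
  openssl x509 -in "$1" -noout -text |
    awk '/CRL Distribution Points/{c=1;next} c&&/URI:/{sub(/.*URI:/,"");print;next} c&&NF&&!/Full Name/{c=0}'
}
# $1 = directory, $2 = days from now; prints OK or FAIL for a verifier that
# enforces CRL checking on the intermediate at that point in time.
check_intermediate_at() {
  t=$(( $(date +%s) + $2 * 86400 ))
  openssl verify -crl_check -attime "$t" -CAfile "$1/root.crt" -CRLfile "$1/root.crl" \
    "$1/int.crt" 2>&1 | grep -q ': OK$' && echo OK || echo FAIL
}
```

With these settings a CRL-enforcing verifier accepts the intermediate 170 days out but rejects it at 190 days, because the CRL is past its nextUpdate: the off-line root has to be brought out to re-issue the CRL on schedule even when nothing is revoked.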