
RE: about Intermediate CA CRLs



For PKIX purposes, intermediate CAs on a certification path
are no different to the CAs to which users are subscribed.

If two leaf CAs are in two disconnected hierarchies, and 
they cross-certify, then each is an intermediate CA in the
users' forward or reverse certification paths. Each CA cert
may bear a CRLDP. Path processing cannot assume that only
the subject's CA cert bears a CRLDP.

For example, a military messaging DUA collects both forward and 
reverse cert paths before releasing a signed directory operation
requesting a signed response. It should check both forward and 
reverse paths for validity and release policy compliance, 
following CRLDPs for both subjects' CRLDPs, in the case given 
above. Which CA cert is an "intermediate" CA is obviously 
relative, and a matter of perspective. Such perspective should 
not matter to a local (or DPV-hosted) cert validation module.

Peter.
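The point made above, that a validator must follow the CRLDP on every CA certificate in the path and not only on the subscriber's CA certificate, as an added Python model that is not code from this thread; the CA names, serial numbers, CRL URIs and the CRL repository are constructed for illustration.

```python
"""Model of PKIX path revocation checking in which every CA certificate on
the path, not only the subscriber's CA certificate, may carry a CRLDP.
All names, URIs and serial numbers are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    crldp: Optional[str] = None   # CRL Distribution Point URI, if present

@dataclass
class Crl:
    issuer: str
    revoked: set = field(default_factory=set)

# Constructed CRL repository keyed by distribution point URI.
# CA-A has revoked the cross-certificate it issued to CA-B (serial 0x0B).
CRLS = {
    "http://crl.example/a.crl": Crl("CA-A", {0x0B}),
    "http://crl.example/b.crl": Crl("CA-B", set()),
}

def cert_status(cert, crls):
    """Return 'good', 'revoked' or 'unchecked' for one certificate."""
    if cert.crldp is None:
        return "unchecked"
    crl = crls.get(cert.crldp)
    if crl is None or crl.issuer != cert.issuer:
        return "unchecked"   # no CRL, or a CRL not issued by this cert's issuer
    return "revoked" if cert.serial in crl.revoked else "good"

def check_path(path, crls, trust_anchor):
    """Walk a path ordered from trust anchor to end entity. Every certificate
    bearing a CRLDP is checked, so a cross-certificate that is merely an
    'intermediate' from this verifier's perspective is never skipped."""
    results, expected_issuer = [], trust_anchor
    for cert in path:
        if cert.issuer != expected_issuer:
            raise ValueError(f"{cert.subject} not issued by {expected_issuer}")
        results.append((cert.subject, cert_status(cert, crls)))
        expected_issuer = cert.subject
    return results

def path_is_valid(path, crls, trust_anchor):
    return all(s == "good" for _, s in check_path(path, crls, trust_anchor))

# Forward path from a user under CA-A to a CA-B subscriber via cross-certification.
CROSS_CERT = Cert("CA-B", "CA-A", 0x0B, "http://crl.example/a.crl")
USER_CERT = Cert("alice@example", "CA-B", 0x01, "http://crl.example/b.crl")
PATH = [CROSS_CERT, USER_CERT]
```

The subscriber's own certificate checks out as good against CA-B's CRL, yet the path fails because the cross-certificate, which bears its own CRLDP, is revoked by CA-A.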

-----Original Message-----
From: Enrique Velasco
To: ietf-pkix@xxxxxxx
Sent: 8/9/02 8:16 AM
Subject: about Intermediate CA CRLs


Should an Intermediate CA Certificate include the CRL Distribution Point
Extension?