Re: CDP in self signed root CA
Erwan:
I assume that by "Root CA" you mean the use of a self-signed certificate to
establish a trust anchor. Such self-signed certificates need not include a
CRL Distribution Point extension.
Russ
At 05:35 PM 12/5/2002 +0100, Erwan Smits wrote:
We are building a certificate hierarchy with 4 (CA) layers. We want to
include a CDP extension in every CA and end user certificate. At the
moment we have a discussion about the need for a CDP extension in the Root
CA. The argument against it is that it doesn't make sense because there is
no superior CA that can sign the CRL. The argument for a CDP is that for
performing a correct path validation the CRL for every CA (including the
Root CA) and end-user certificate should be validated.
I scanned through RFC 3280, but it doesn't say anything about it. Does
anybody have suggestions?
Greetings,
Erwan Smits
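
As an added illustration (not part of the original messages): a Python sketch using the `cryptography` package that builds a constructed hierarchy with 4 CA layers, puts a CDP in every certificate except the self-signed trust anchor as advised above, and audits the chain. All names and the `crl.example.test` URLs are made up, and treating issuer == subject as the trust anchor is a simplification.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, issuer_cn, pub, signing_key, is_ca, cdp_url=None):
    """Issue a short-lived certificate; add a CDP extension only if cdp_url is given."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(_name(cn)).issuer_name(_name(issuer_cn))
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if cdp_url:
        dp = x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(cdp_url)],
                                    relative_name=None, reasons=None, crl_issuer=None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(signing_key, hashes.SHA256())

def build_demo_chain():
    """Constructed hierarchy: 4 CA layers plus one end user, returned leaf first."""
    names = ["Root CA", "CA layer 2", "CA layer 3", "CA layer 4", "End user"]
    keys = [ec.generate_private_key(ec.SECP256R1()) for _ in names]
    chain = []
    for i, cn in enumerate(names):
        parent = max(i - 1, 0)  # the root signs itself
        # A CDP names the CRL signed by the certificate's issuer; the root has none.
        cdp = None if i == 0 else f"http://crl.example.test/ca{parent}.crl"
        chain.append(make_cert(cn, names[parent], keys[i].public_key(),
                               keys[parent], is_ca=i < 4, cdp_url=cdp))
    return chain[::-1]

def cdp_urls(cert):
    """Return the URI entries of the CDP extension, or [] if the extension is absent."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in ext.value for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def audit(chain):
    """Return (CN, status, CDP URLs) per certificate; only non-anchor certs need a CDP."""
    report = []
    for cert in chain:
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        urls = cdp_urls(cert)
        anchor = cert.issuer == cert.subject  # simplification: self-issued = trust anchor
        report.append((cn, "trust anchor" if anchor else "ok" if urls else "MISSING CDP", urls))
    return report
```

Calling `audit(build_demo_chain())` lists the end user and the three subordinate CAs with their CDP URLs and marks the root as the trust anchor with no CDP.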