
RE: CDP in self signed root CA



Hi Erwan:
 
I assume that the root CA certificate is the self-signed trust anchor.  In that case, it should NOT be part of the certificates in the chain for path validation anyway.  Thus, you do not need CDP in it and you should not verify it and run it through the 3280 path validation state machine.
 
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Erwan Smits
Sent: Thursday, December 05, 2002 11:36 AM
To: ietf-pkix@xxxxxxx
Subject: CDP in self signed root CA

We are building a certificate hierarchy with 4 (CA) layers. We want to include a CDP extension in every CA and end user certificate. At the moment we have a discussion about the need for a CDP extension in the Root CA. The argument against it is that it doesn't make sense because there is no superior CA that can sign the CRL. The argument for a CDP is that for performing a correct path validation the CRL for every CA (including the Root CA) and end-user certificate should be validated.
 
I scanned through RFC 3280, but it doesn't say anything about it. Does anybody have suggestions?
 
Greetings,
 
Erwan Smits
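
The reply's point, as an added example that is not part of either message: a minimal model of which certificates in the 4-layer hierarchy get a revocation check and whose CRL covers each one. The `Cert` class, `revocation_plan` function, certificate names and `example.test` URLs are all constructed for illustration; only name chaining and CRL selection are modelled, while signature, validity and the other path validation checks are left out.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    cdp: Optional[str] = None  # URL from the CDP extension, if present


def revocation_plan(anchor: Cert, path: List[Cert]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (subject, CRL issuer, CDP URL) for every certificate to be checked.

    The trust anchor is an input to validation, not a member of the path,
    so it never appears in the result and its CDP (if any) is never used.
    """
    # Some software hands over the self-signed root as the first path element.
    # Strip it so it is not run through the per-certificate checks.
    if path and path[0] == anchor:
        path = path[1:]
    plan = []
    expected_issuer = anchor.subject
    for cert in path:
        if cert.issuer != expected_issuer:
            raise ValueError(f"name chaining broken at {cert.subject!r}")
        # The CRL covering this certificate is signed by its issuer.
        plan.append((cert.subject, cert.issuer, cert.cdp))
        expected_issuer = cert.subject
    return plan


# Constructed sample: four CA layers plus one end-user certificate.
ROOT = Cert("Root CA", "Root CA")  # layer 1, trust anchor, no CDP
CA2 = Cert("CA 2", "Root CA", "http://crl.example.test/root.crl")
CA3 = Cert("CA 3", "CA 2", "http://crl.example.test/ca2.crl")
CA4 = Cert("CA 4", "CA 3", "http://crl.example.test/ca3.crl")
USER = Cert("End User", "CA 4", "http://crl.example.test/ca4.crl")

if __name__ == "__main__":
    for subject, crl_issuer, url in revocation_plan(ROOT, [ROOT, CA2, CA3, CA4, USER]):
        print(f"{subject}: check CRL signed by {crl_issuer} at {url}")
```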