Re: Cached OCSP responses vs. single entry CRLs
Ryan M. Hurst wrote:
[...] there is no way to tell from a CDP if the
data on the other end represents a partitioned CRL or a full one.
But then a clean client should check the content of the IDP extension
after getting the CRL and check that its distribution point matches the
distribution point field of the CDP, and if not refuse the CRL, and supposedly
try the next CRL DP inside the cert.
RFC3280 6.3.3 (b)(2)(i)
I'm a bit sceptical it really works, but if the CRL's IDP is marked
critical as it should be, maybe a good number of clients will duly reject
the CRL when they cannot support that case.
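The client-side check discussed in the message above, as an added example that is not part of the original post: it uses the Python `cryptography` package to construct, in memory, a hypothetical CA, a leaf certificate carrying two CRL distribution points, a partitioned CRL with a critical IDP and a complete CRL without one, then applies the RFC 3280 6.3.3 (b)(2)(i) name match and falls through to the next CDP when the CRL served at a URI does not belong to that distribution point. The URIs, the CA name and the `served` table standing in for an HTTP fetch are all constructed for the example.

```python
"""IDP vs. CDP consistency check for CRLs after RFC 3280 6.3.3 (b)(2)(i).

Added example, not code from the original message. Requires `cryptography`.
The CA, leaf certificate, CRLs and the URI -> CRL table are constructed in
memory; the URIs are hypothetical.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

URI_PART1 = "http://crl.example.test/partition1.crl"  # hypothetical
URI_PART2 = "http://crl.example.test/partition2.crl"  # hypothetical
URI_FULL = "http://crl.example.test/full.crl"          # hypothetical


def make_dp(uri):
    """A DistributionPoint whose distributionPoint field is a single URI."""
    return x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(uri)],
                                  relative_name=None, reasons=None, crl_issuer=None)


def idp_is_critical(crl):
    """True only if the CRL has an IDP flagged critical (RFC 3280 5.2.5)."""
    try:
        return crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).critical
    except x509.ExtensionNotFound:
        return False


def crl_acceptable_for_dp(crl, dp):
    """May `crl` be used for the certificate's DistributionPoint `dp`?

    With an IDP naming a distribution point, one of its names must match a name
    in the DP's distributionPoint field, or, if that field is absent, in the
    DP's cRLIssuer field. A CRL without an IDP is complete: usable from any DP.
    """
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    except x509.ExtensionNotFound:
        return True
    if idp.full_name is None:
        # No name to compare. An IDP using only nameRelativeToCRLIssuer is not
        # resolved by this example, so refuse it rather than guess.
        return idp.relative_name is None
    if dp.full_name is not None:
        candidates = dp.full_name
    elif dp.crl_issuer is not None:
        candidates = dp.crl_issuer
    else:
        return False  # DP with only a relative name: not handled, refuse.
    return any(name in candidates for name in idp.full_name)


def select_crl(cert, issuer_public_key, fetch):
    """Walk the cert's CDPs in order, fetch each URI with `fetch(uri)` (may return
    None), verify the CRL signature, and return (cdp_index, crl) for the first
    CRL passing the IDP check; None if no distribution point yields one."""
    cdps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    for index, dp in enumerate(cdps):
        for name in dp.full_name or []:
            if not isinstance(name, x509.UniformResourceIdentifier):
                continue
            crl = fetch(name.value)
            if crl is None or not crl.is_signature_valid(issuer_public_key):
                continue
            if crl_acceptable_for_dp(crl, dp):
                return index, crl
            # Mismatch: this CRL belongs to another partition; try the next CDP.
    return None


def build_scenario():
    """CA, leaf cert with CDPs [URI_PART2, URI_FULL], a partitioned CRL whose IDP
    names URI_PART1, and a full CRL. The served table (constructed fault) hands
    out partition 1's CRL under the partition 2 URI."""
    now = datetime.now(timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])

    def make_crl(idp_uri):
        builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
                   .last_update(now).next_update(now + timedelta(days=1)))
        if idp_uri is not None:
            idp = x509.IssuingDistributionPoint(
                full_name=[x509.UniformResourceIdentifier(idp_uri)], relative_name=None,
                only_contains_user_certs=False, only_contains_ca_certs=False,
                only_some_reasons=None, indirect_crl=False,
                only_contains_attribute_certs=False)
            builder = builder.add_extension(idp, critical=True)  # MUST be critical
        return builder.sign(ca_key, hashes.SHA256())

    leaf_key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf")]))
            .issuer_name(ca_name).public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=30))
            .add_extension(x509.CRLDistributionPoints([make_dp(URI_PART2), make_dp(URI_FULL)]),
                           critical=False)
            .sign(ca_key, hashes.SHA256()))

    part1_crl, full_crl = make_crl(URI_PART1), make_crl(None)
    served = {URI_PART1: part1_crl, URI_PART2: part1_crl, URI_FULL: full_crl}
    return cert, ca_key.public_key(), served, part1_crl, full_crl


if __name__ == "__main__":
    cert, ca_pub, served, part1_crl, full_crl = build_scenario()
    print("partitioned CRL IDP critical:", idp_is_critical(part1_crl))
    print("CDP index chosen after IDP mismatch:", select_crl(cert, ca_pub, served.get)[0])
```

Run stand-alone, the script reports that the partitioned CRL's IDP is critical and that the client skipped CDP index 0 (whose URI served a CRL for another partition) and settled on the full CRL at index 1. A client that ignored the IDP would have accepted the wrong partition's CRL and could miss the revocation it was looking for.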