RE: Current status of CRL validation ?
Julien:
See responses in-line in [].
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
Behalf Of Julien Stern
Sent: Tuesday, March 23, 2004 9:25 AM
To: ietf-pkix@xxxxxxx
Subject: Re: Current status of CRL validation ?
Santosh,
thanks again for your quick reply.
Two more little questions, and I'll (probably) stop bothering :)
1) According to what you said, a certificate could at the same time be
revoked or not revoked depending on your local policy (more specifically
depending on the path you choose)? That seems pretty weird... or did I
misunderstand something?
[Yes, I meant that. Also, due to the distributed nature of trust topology,
this is logical. All it says is that some trust links are broken, but others
are not. It is like a network of roads. Just because some links are broken
and some paths are invalid, that does not mean there is not a path from point A
to point B. Practically, there may be a danger that the reason some paths are
valid is that, because of operational or communication problems, some
certificate(s) were not revoked.]
2) When I download a CRL, can I check its signature by verifying the path
only ONCE? Or do I have to do it each time I want to check a certificate?
If, say, two S/MIME clients send me two certificates whose revocation
information is found in the same CRL, but with different paths going to
different trust anchors, it seems to me that I have to rebuild and recheck
the path for the CRL each time?
[Given that names are not globally unique, you need to build the two paths
if the two trust anchor DNs are different]
--
Julien
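An added illustration of the second answer (example code, not from the thread or any PKIX implementation): two hierarchies under different trust anchors each contain a CA with the same DN, so a CRL that verifies under the path to one anchor does not verify under the path to the other, and the check has to be redone per anchor. The PKI, the CA names, the keys and the HMAC stand-in for real signatures are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed toy PKI: HMAC-SHA256 over the CRL body stands in for the CA's
# real signature so the example runs offline.  Two independent hierarchies
# (trust anchors "Anchor-A" and "Anchor-B") each contain a CA whose DN is
# "CN=Issuing CA": the names collide, the keys do not.

@dataclass(frozen=True)
class CA:
    dn: str
    key: bytes     # toy signing key (assumption: stands in for the CA's private key)
    anchor: str    # trust anchor this CA chains to

@dataclass(frozen=True)
class CRL:
    issuer_dn: str
    revoked: frozenset
    signature: bytes

def crl_body(issuer_dn, revoked):
    return (issuer_dn + "|" + ",".join(sorted(revoked))).encode()

def issue_crl(ca, revoked):
    body = crl_body(ca.dn, revoked)
    return CRL(ca.dn, frozenset(revoked), hmac.new(ca.key, body, hashlib.sha256).digest())

def find_issuer(issuer_dn, anchor, cas):
    """Path-building stand-in: resolve the issuer name only inside the anchor's hierarchy."""
    return next((c for c in cas if c.dn == issuer_dn and c.anchor == anchor), None)

def revocation_status(serial, issuer_dn, anchor, crl, cas):
    """'revoked' / 'good' once the CRL verifies under the path to `anchor`, else 'undetermined'."""
    ca = find_issuer(issuer_dn, anchor, cas)
    if ca is None or crl.issuer_dn != issuer_dn:
        return "undetermined"
    expected = hmac.new(ca.key, crl_body(crl.issuer_dn, crl.revoked), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, crl.signature):
        return "undetermined"   # CRL signer is not the CA reached on this path
    return "revoked" if serial in crl.revoked else "good"

CAS = [CA("CN=Issuing CA", b"key-of-CA-under-A", "Anchor-A"),
       CA("CN=Issuing CA", b"key-of-CA-under-B", "Anchor-B")]
CRL_A = issue_crl(CAS[0], {"1001"})   # CRL from the CA that chains to Anchor-A

if __name__ == "__main__":
    for anchor in ("Anchor-A", "Anchor-B"):
        print(anchor, revocation_status("1001", "CN=Issuing CA", anchor, CRL_A, CAS))
```

A cache of already-verified CRLs can avoid repeating the path work, but only if it is keyed on the trust anchor (and the resolved issuer) as well as the CRL itself, not on the issuer DN alone.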