Re: Current status of CRL validation ?
Julien,
The confusion stems from somewhat sloppy use of terminology in these
discussions.
Only the issuer of a cert can revoke it and in X.509 (unlike PGP)
there is only one issuer for a given cert. So, the revocation
question as you stated it was not well formed. A cert is either
revoked or not. However, the ability of an RP to establish the
validity of a cert is a function of the cert path that the RP uses to
validate the cert, and of the access to revocation status info
available to the RP. Since there may be more than one path used to
validate the same cert, it is possible to get to different answers re
the question of whether the cert is valid, depending on which path
you use. Also, two RPs may have access to different revocation status
data for the EE cert or for a CA cert along a path, so that each RP
may arrive at a different view of the validity of the EE cert.
Steve
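An added toy model of the point made above (not part of Steve's post and not real X.509 code): one EE cert, validated over two different paths by two RPs holding different CRL data, gets different answers. The CA names, serials and cross-certification layout are constructed for the example.

```python
# Constructed illustration: RP-side path validation where the result for one
# EE cert depends on (a) which cert path the RP builds and (b) which
# revocation data the RP can actually reach.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


# Constructed PKI: EE issued by CA2; CA2 is certified by Root A and, via a
# cross-certificate, by Root B, so two distinct paths lead to the same EE.
EE = Cert("ee", "CA2", 1001)
CA2_FROM_A = Cert("CA2", "RootA", 7)
CA2_FROM_B = Cert("CA2", "RootB", 8)  # cross-cert carries its own serial


def validate(path, crls):
    """Walk a path from the trust anchor's side down to the EE.

    path: list ordered EE first, cert nearest the trust anchor last.
    crls: issuer name -> set of revoked serials the RP holds.
    A missing CRL for an issuer means status is unknown; an RP must not
    treat that as 'valid'. Returns 'valid', 'revoked' or 'undetermined'.
    """
    for cert in reversed(path):
        if cert.issuer not in crls:
            return "undetermined"
        if cert.serial in crls[cert.issuer]:
            return "revoked"
    return "valid"


# RP1 holds current CRLs from all three issuers; Root B revoked its cross-cert.
RP1_CRLS = {"RootA": set(), "RootB": {8}, "CA2": set()}
# RP2 never fetched Root B's CRL, and its copy of CA2's CRL lists the EE.
RP2_CRLS = {"RootA": set(), "CA2": {1001}}

PATH_VIA_A = [EE, CA2_FROM_A]
PATH_VIA_B = [EE, CA2_FROM_B]


def all_views():
    """Same EE cert, four RP/path combinations, four not-quite-agreeing answers."""
    return {
        ("RP1", "viaA"): validate(PATH_VIA_A, RP1_CRLS),  # valid
        ("RP1", "viaB"): validate(PATH_VIA_B, RP1_CRLS),  # revoked: cross-cert on RootB CRL
        ("RP2", "viaA"): validate(PATH_VIA_A, RP2_CRLS),  # revoked: EE on CA2 CRL
        ("RP2", "viaB"): validate(PATH_VIA_B, RP2_CRLS),  # undetermined: no RootB CRL
    }
```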