Shim Heewon wrote:

Actually, the FreshestCRL extension works the same way as the cRLDistributionPoints extension. That is, when the FreshestCRL extension appears in a certificate, the CRL must have a matching issuingDistributionPoint, where the matching is done in the same way as if a cRLDistributionPoints were being used in the certificate. RFC 3280 states that the FreshestCRL extension should only be used to point to delta-CRLs, but X.509 does not impose this restriction. X.509 allows the FreshestCRL extension to be used in any way that the cRLDistributionPoints can be used.

The use of a FreshestCRL extension in a CRL is more tricky, since this would seem to involve comparing the FreshestCRL extension in one CRL to the issuingDistributionPoint extension in another CRL (presumably a corresponding delta-CRL). RFC 3280 simplifies this by stating that when the FreshestCRL extension appears in a CRL, it should only contain the distribution point name, which acts as a pointer to a delta-CRL. RFC 3280 further requires that the delta-CRL contain the same issuingDistributionPoint field as the corresponding complete-for-scope CRL. This allows the FreshestCRL extension in the CRL to act only as a pointer, since the issuingDistributionPoint extension in the delta-CRL can be compared to the cRLDistributionPoints extension in the certificate.

Dave
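The scope matching the reply describes, as an added example that is not part of the original post: a distribution point taken from either cRLDistributionPoints or FreshestCRL is checked against a CRL's issuingDistributionPoint using the RFC 3280 6.3.3 (b)(2) rules, and a delta-CRL is additionally required to carry the same issuingDistributionPoint as the complete-for-scope CRL. GeneralNames are modelled as plain strings and the URIs are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class DistributionPoint:
    """One entry of cRLDistributionPoints or FreshestCRL (certificate side).
    Names are plain strings standing in for GeneralName values."""
    names: Tuple[str, ...] = ()       # distributionPoint field, if present
    crl_issuer: Tuple[str, ...] = ()  # cRLIssuer field, used when names is empty

@dataclass(frozen=True)
class IssuingDistributionPoint:
    """issuingDistributionPoint extension (CRL side)."""
    names: Tuple[str, ...] = ()
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False
    indirect_crl: bool = False

def crl_in_scope(dp: DistributionPoint,
                 idp: Optional[IssuingDistributionPoint],
                 cert_is_ca: bool) -> bool:
    """RFC 3280 6.3.3 (b)(2): is a CRL carrying `idp` in scope for `dp`?
    The same check applies whether `dp` came from cRLDistributionPoints
    or from FreshestCRL, as the post explains."""
    if idp is None:
        return True  # no IDP: the CRL covers all certificates of its issuer
    if idp.names:
        # (i) one IDP name must match a DP name; if the DP omits the
        # distributionPoint field, compare against its cRLIssuer names instead.
        candidates = dp.names if dp.names else dp.crl_issuer
        if not any(name in idp.names for name in candidates):
            return False
    if idp.only_contains_user_certs and cert_is_ca:
        return False  # (ii) user-cert-only CRL cannot cover a CA certificate
    if idp.only_contains_ca_certs and not cert_is_ca:
        return False  # (iii) CA-cert-only CRL cannot cover an end-entity cert
    return True

def delta_usable(dp: DistributionPoint,
                 complete_idp: Optional[IssuingDistributionPoint],
                 delta_idp: Optional[IssuingDistributionPoint],
                 cert_is_ca: bool) -> bool:
    """A delta-CRL may be combined with the complete-for-scope CRL only if it
    carries the same issuingDistributionPoint and is itself in scope for `dp`."""
    return complete_idp == delta_idp and crl_in_scope(dp, delta_idp, cert_is_ca)

# Constructed sample: a certificate DP and two CRLs issued for different scopes.
SAMPLE_DP = DistributionPoint(names=("http://crl.example.test/ca1.crl",))
SAMPLE_IDP = IssuingDistributionPoint(names=("http://crl.example.test/ca1.crl",))
OTHER_IDP = IssuingDistributionPoint(names=("http://crl.example.test/ca2.crl",))
```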