
Re: CA Rekey and CRL Validation



Hi all,

there is another point I am wondering about: For what purpose do I need
indirect CRLs within the PEM validity model (i.e. the validity of an
entity's certificate lies between the notBefore and notAfter limits of the
issuing CA's certificate)?

Thomas

> -----Original Message-----
> From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx]
> Sent: Friday, September 17, 2004 09:10
> To: Santosh Chokhani
> Cc: ietf-pkix@xxxxxxx
> Subject: Re: CA Rekey and CRL Validation
> 
> 
> 
> Santosh,
> 
> > Denis:
> 
> > In X.509, a CA, when it issues a CRL, is called a CRL issuer.  Please look at
> > the text of all the extension descriptions related to CRL issuance.
> 
> > Thus, saying a CA is not a CRL Issuer is incorrect in general.
> 
> I did not say this.
> 
> > In addition, if we assumed your interpretation that a CRL Issuer does not
> > issue any certificates, the following sentence, which began this debate, will
> > be meaningless.
> > 
> > "If this field is absent, the CRL shall contain entries for all revoked
> > unexpired certificates issued by the CRL issuer."
> 
> This sentence is not present in RFC 3280.
> 
> On page 59, we have the following sentence:
> 
>     If the distributionPoint field is absent, the CRL MUST contain
>     entries for all revoked unexpired certificates *issued* by the CRL
>     issuer, if any, within the scope of the CRL
> 
> This sentence is either ambiguous or incorrect: a CRL issuer does not 
> *issue* certificates. On page 7, the definition of a CRL issuer is:
> 
>     CRL issuer: an optional system to which a CA delegates the
>     publication of certificate revocation lists.
> 
> Besides this "battle" around words, since I have not followed all the 
> messages of this thread, a summary would be interesting to answer the two 
> following questions:
> 
> 1) under which circumstances would the distributionPoint field within the 
> issuing distribution point structure really be useful?
> 
> 2) what kind of processing should a relying party make of it, when this 
> field is present?
> 
> Denis
> 
> > -----Original Message-----
> > From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
> > Behalf Of Denis Pinkas
> > Sent: Thursday, September 16, 2004 12:03 PM
> > To: Carl Wallace
> > Cc: ietf-pkix@xxxxxxx
> > Subject: Re: CA Rekey and CRL Validation
> > 
> > 
> > 
> > Carl,
> > 
> > 
> >>>>(including certificates issued by the CRL issuer).
> >>>
> >>>This is incorrect: a CRL issuer cannot issue certificates.
> >>>
> >>
> > 
> >>Why is that?  Given the limited use of the indirectCRL mechanism, most 
> >>CRL issuers issue certificates.
> > 
> > 
> > A CRL issuer only issues CRLs.
> > A CA issues certificates and may also issue CRLs and/or OCSP responses.
> > 
> > Denis
> > 
> > 
> > 
> > 
> 
>
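The relying-party processing Denis asks about in his question 2 is spelled out in RFC 3280 section 6.3.3: step (b) decides whether a complete CRL is in scope for a given certificate and distribution point (issuer match, indirectCRL flag, the IDP distributionPoint name, and the onlyContains* booleans), and step (j) together with section 5.3.4 locates the entry, where in an indirect CRL the certificateIssuer entry extension names the CA for that entry and for following entries until the next such extension. What follows is an added example written for this archive page, not code from the thread or from any PKIX implementation: a simplified pure-Python model in which names are plain strings rather than GeneralNames, the DP/IDP/entry structures are dataclasses, and the CRL, distribution point and certificates are constructed for illustration. The sample CRL is the case the indirectCRL flag and certificateIssuer extension exist for: two CAs delegating CRL publication to one CRL issuer, with the same serial number appearing under both CAs.

```python
# Added example: a simplified model of the relying-party CRL processing in
# RFC 3280 section 6.3.3. Names are plain strings rather than GeneralNames,
# and every certificate and CRL below is constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DistributionPoint:                  # one entry of cRLDistributionPoints
    names: List[str] = field(default_factory=list)   # distributionPoint (fullName)
    crl_issuer: Optional[str] = None                 # cRLIssuer; present for indirect CRLs

@dataclass
class Certificate:
    issuer: str
    serial: int
    is_ca: bool = False                              # basicConstraints.cA
    crldp: List[DistributionPoint] = field(default_factory=list)

@dataclass
class IssuingDistributionPoint:           # the CRL's issuingDistributionPoint extension
    names: List[str] = field(default_factory=list)   # distributionPoint; may be absent
    only_user_certs: bool = False
    only_ca_certs: bool = False
    indirect_crl: bool = False
    only_attribute_certs: bool = False

@dataclass
class CRLEntry:
    serial: int
    reason: str = "unspecified"
    certificate_issuer: Optional[str] = None         # certificateIssuer entry extension

@dataclass
class CRL:
    issuer: str
    entries: List[CRLEntry]
    idp: Optional[IssuingDistributionPoint] = None


def crl_covers(cert: Certificate, dp: DistributionPoint, crl: CRL) -> bool:
    """Step (b) of 6.3.3: is this complete CRL in scope for cert via this DP?"""
    # (b)(1): a DP naming a cRLIssuer requires a CRL from that issuer with
    # indirectCRL asserted; otherwise the CRL issuer must be the cert issuer.
    if dp.crl_issuer is not None:
        if crl.issuer != dp.crl_issuer or crl.idp is None or not crl.idp.indirect_crl:
            return False
    elif crl.issuer != cert.issuer:
        return False
    idp = crl.idp
    if idp is None:
        return True
    # (b)(2)(i): an IDP distributionPoint must match a name in the DP or, when
    # the DP has no distributionPoint, the DP's cRLIssuer.
    if idp.names:
        candidates = dp.names or ([dp.crl_issuer] if dp.crl_issuer else [])
        if not set(idp.names) & set(candidates):
            return False
    # (b)(2)(ii)-(iv): certificate-type restrictions.
    if idp.only_user_certs and cert.is_ca:
        return False
    if idp.only_ca_certs and not cert.is_ca:
        return False
    return not idp.only_attribute_certs


def lookup_status(cert: Certificate, crl: CRL) -> str:
    """Step (j) with the 5.3.4 rule: a certificateIssuer entry extension applies
    to its entry and to following entries until the next one; entries before
    any such extension belong to the CRL issuer itself."""
    current_issuer = crl.issuer
    for entry in crl.entries:
        if entry.certificate_issuer is not None:
            current_issuer = entry.certificate_issuer
        if current_issuer == cert.issuer and entry.serial == cert.serial:
            return entry.reason
    return "UNREVOKED"


def check_revocation(cert: Certificate, crls: List[CRL]) -> str:
    """Try each DP of the certificate against the available CRLs."""
    for dp in cert.crldp:
        for crl in crls:
            if crl_covers(cert, dp, crl):
                return lookup_status(cert, crl)
    return "UNDETERMINED"                 # no CRL in scope; status not established


# Constructed sample: CA-A and CA-B delegate CRL publication to one CRL issuer,
# which publishes a single indirect CRL covering both CAs' certificates.
INDIRECT_CRL = CRL(
    issuer="CN=Shared CRL Issuer",
    idp=IssuingDistributionPoint(names=["http://crl.example/all.crl"], indirect_crl=True),
    entries=[
        CRLEntry(serial=7, reason="keyCompromise", certificate_issuer="CN=CA-A"),
        CRLEntry(serial=9, reason="cessationOfOperation"),   # inherits CN=CA-A
        CRLEntry(serial=7, reason="superseded", certificate_issuer="CN=CA-B"),
    ],
)
DP = DistributionPoint(names=["http://crl.example/all.crl"], crl_issuer="CN=Shared CRL Issuer")
```

Usage: check_revocation(Certificate(issuer="CN=CA-A", serial=9, crldp=[DP]), [INDIRECT_CRL]) returns "cessationOfOperation" because the second entry inherits CN=CA-A from the first, while the same call for CN=CA-B serial 9 returns "UNREVOKED" and CN=CA-B serial 7 returns "superseded". A CRL signed by the shared issuer without indirectCRL asserted fails step (b)(1) and yields "UNDETERMINED" rather than a false "UNREVOKED", which is the point of the flag: a relying party must not treat a CRL as authoritative for certificates its issuer did not sign unless the CRL says so.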