RE: CA Rekey and CRL Validation
You don't; those aspects are completely unrelated.
Stefan Santesson
Microsoft Security Center of Excellence (SCOE)
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
> On Behalf Of thomas.beckmann@xxxxxxxxxxxxxx
> Sent: 17 September 2004 09:48
> To: ietf-pkix@xxxxxxx
> Subject: RE: CA Rekey and CRL Validation
>
>
> Hi all,
>
> there is another point I am wondering about: for what purpose do I need
> indirect CRLs within the PEM validity model (i.e. the validity of an
> entity's certificate lies between the notBefore and notAfter limits of the
> issuing CA's certificate)?
>
> Thomas
>
> > -----Original Message-----
> > From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx]
> > Sent: Friday, 17 September 2004 09:10
> > To: Santosh Chokhani
> > Cc: ietf-pkix@xxxxxxx
> > Subject: Re: CA Rekey and CRL Validation
> >
> >
> >
> > Santosh,
> >
> > > Denis:
> >
> > > In X.509, a CA when it issues a CRL is called CRL issuer. Please look
> > > at the text of all the extension descriptions related to CRL issuance.
> >
> > > Thus, saying a CA is not a CRL Issuer is incorrect in general.
> >
> > I did not say this.
> >
> > > In addition, if we assumed your interpretation that a CRL Issuer does
> > > not issue any certificates, the following sentence which began this
> > > debate will be meaningless.
> > >
> > > "If this field is absent, the CRL shall contain entries for all revoked
> > > unexpired certificates issued by the CRL issuer."
> >
> > This sentence is not present in RFC 3280.
> >
> > On page 59, we have the following sentence:
> >
> > If the distributionPoint field is absent, the CRL MUST contain
> > entries for all revoked unexpired certificates *issued* by the CRL
> > issuer, if any, within the scope of the CRL
> >
> > This sentence is either ambiguous or incorrect: a CRL issuer does not
> > *issue* certificates. On page 7, the definition of a CRL issuer is:
> > CRL issuer: an optional system to which a CA delegates the publication
> > of certificate revocation lists.
> >
> > Besides this "battle" around words, since I have not followed all the
> > messages of this thread, a summary would be interesting to answer the
> > two following questions:
> >
> > 1) under which circumstances would the distributionPoint field within
> > the issuing distribution point structure really be useful?
> >
> > 2) what kind of processing should a relying party make of it, when this
> > field is present?
> >
> > Denis
> >
> > > -----Original Message-----
> > > From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
> > > On Behalf Of Denis Pinkas
> > > Sent: Thursday, September 16, 2004 12:03 PM
> > > To: Carl Wallace
> > > Cc: ietf-pkix@xxxxxxx
> > > Subject: Re: CA Rekey and CRL Validation
> > >
> > >
> > >
> > > Carl,
> > >
> > >
> > >>>>(including certificates issued by the CRL issuer).
> > >>>
> > >>>This is incorrect: a CRL issuer cannot issue certificates.
> > >>>
> > >>
> > >
> > >>Why is that? Given the limited use of the indirectCRL mechanism, most
> > >>CRL issuers issue certificates.
> > >
> > >
> > > A CRL issuer only issues CRLs.
> > > A CA issues certificates and may also issue CRLs and/or OCSP responses.
> > >
> > > Denis
> > >
> > >
> > >
> > >
> >
> >
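The relying-party processing Denis asks about in his question 2, and the indirect-CRL case Thomas asks about, as an added example that is not part of the thread: a constructed, simplified model of the RFC 3280 section 6.3.3 step (b) scope check (names are plain strings, and a certificate without any distribution point is matched against its own issuer name, which is an assumption of this model), followed by the entry lookup that needs the certificateIssuer entry extension on an indirect CRL.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed, simplified model of the RFC 3280 fields the thread argues about.
@dataclass
class DistributionPoint:      # one DP from the certificate's cRLDistributionPoints
    names: tuple = ()
    crl_issuer: Optional[str] = None   # cRLIssuer: only set when the CA delegates CRLs
@dataclass
class Cert:
    issuer: str
    serial: int
    is_ca: bool = False
    dp: Optional[DistributionPoint] = None
@dataclass
class IDP:                    # issuingDistributionPoint CRL extension
    names: tuple = ()
    only_user_certs: bool = False
    only_ca_certs: bool = False
    indirect_crl: bool = False
@dataclass
class CRL:
    issuer: str
    idp: Optional[IDP] = None
    entries: tuple = ()       # (serial, certificateIssuer entry extension or None)

def crl_in_scope(cert: Cert, crl: CRL) -> bool:   # RFC 3280 6.3.3 step (b)
    dp = cert.dp or DistributionPoint()
    idp = crl.idp or IDP()    # an absent IDP imposes no restriction
    if dp.crl_issuer:         # (b)(1): DP names a CRL issuer other than the CA ...
        if crl.issuer != dp.crl_issuer or not idp.indirect_crl:
            return False      # ... so the CRL must come from it and be marked indirect
    elif crl.issuer != cert.issuer:   # otherwise the CRL issuer must be the CA itself
        return False
    if idp.names:             # (b)(2)(i): IDP and DP names must share an entry; a cert
        wanted = dp.names or ((dp.crl_issuer,) if dp.crl_issuer else (cert.issuer,))
        if not set(idp.names) & set(wanted):  # without DP is matched on its issuer (assumption)
            return False
    if (idp.only_user_certs and cert.is_ca) or (idp.only_ca_certs and not cert.is_ca):
        return False          # (b)(2)(ii) and (iii)
    return True

def is_revoked(cert: Cert, crl: CRL) -> bool:
    # On an indirect CRL the certificateIssuer entry extension names the CA for that
    # entry and the following ones; earlier entries belong to the CRL issuer itself.
    current_issuer = crl.issuer
    for serial, cert_issuer in crl.entries:
        current_issuer = cert_issuer or current_issuer
        if serial == cert.serial and current_issuer == cert.issuer:
            return True
    return False
```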