RE: CA Rekey and CRL Validation
Stefan:
It is the IDP definition you need to look at, since the IDP in the CRL is the one
that limits the CRL scope, not the CRL DP in the certificate.
-----Original Message-----
From: Stefan Santesson [mailto:stefans@xxxxxxxxxxxxx]
Sent: Friday, September 17, 2004 6:17 AM
To: Denis Pinkas; Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: RE: CA Rekey and CRL Validation
Denis,
> On page 59, we have the following sentence:
>
> If the distributionPoint field is absent, the CRL MUST contain
> entries for all revoked unexpired certificates *issued* by the CRL
> issuer, if any, within the scope of the CRL
>
> This sentence is either ambiguous or incorrect: a CRL issuer does not
> *issue* certificates. On page 7, the definition of a CRL issuer is:
> CRL issuer: an optional system to which a CA delegates the publication of
> certificate revocation lists.
I agree that the definition is not consistent with the standard text in
general. Other sections definitely suggest that the CA can be the CRL issuer
also without delegation.
From 4.2.1.14 CRL Distribution Points:
If the certificate issuer is not the CRL
issuer, then the cRLIssuer field MUST be present and contain the Name
of the CRL issuer. If the certificate issuer is also the CRL issuer,
then the cRLIssuer field MUST be omitted and the distributionPoint
field MUST be present.
Stefan Santesson
Microsoft Security Center of Excellence (SCOE)
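As an added illustration of the point made in this thread (this is not code from the thread or from any PKIX implementation), the following Python sketches the scope check of RFC 3280 section 6.3.3 step (b): whether a given complete CRL covers a given certificate is decided by the CRL's issuing distribution point (IDP) extension together with the certificate's CRL DP, and a CRL whose IDP names a different distribution point is out of scope even though the certificate's own CRL DP looks fine. Names are modelled as plain strings rather than ASN.1 GeneralNames, nameRelativeToCRLIssuer is not handled, and every issuer name and URL in `demo()` is constructed for the example.

```python
"""RFC 3280 6.3.3 step (b), simplified: is this complete CRL in scope for the
certificate's distribution point?  Added illustration; names are plain strings
instead of GeneralNames, and nameRelativeToCRLIssuer is not modelled."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DistributionPoint:
    """One DistributionPoint from the certificate's CRL DP extension (4.2.1.14).
    Per the text quoted above, at least one of the two fields must be present."""
    distribution_point: List[str] = field(default_factory=list)  # DP names
    crl_issuer: List[str] = field(default_factory=list)          # cRLIssuer names


@dataclass
class IssuingDistributionPoint:
    """The CRL's issuingDistributionPoint extension (4.2.1.21)."""
    distribution_point: List[str] = field(default_factory=list)
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False
    indirect_crl: bool = False
    only_contains_attribute_certs: bool = False


@dataclass
class Cert:
    issuer: str
    is_ca: bool                      # basicConstraints cA boolean
    dp: DistributionPoint


@dataclass
class Crl:
    issuer: str
    idp: Optional[IssuingDistributionPoint]


def crl_in_scope(cert: Cert, crl: Crl) -> bool:
    """Return True if `crl` is a complete CRL in scope for `cert.dp` (6.3.3(b))."""
    dp = cert.dp
    # (b)(1): with cRLIssuer in the DP this is an indirect CRL; the CRL issuer must
    # match cRLIssuer and the IDP must assert indirectCRL.  Otherwise the CRL
    # issuer must be the certificate issuer.
    if dp.crl_issuer:
        if crl.issuer not in dp.crl_issuer:
            return False
        if crl.idp is None or not crl.idp.indirect_crl:
            return False
    elif crl.issuer != cert.issuer:
        return False
    idp = crl.idp
    if idp is None:
        return True                    # no IDP: the CRL is unrestricted in scope
    # (b)(2)(i): an IDP name must match a DP name, or a cRLIssuer name when the
    # DP omits distributionPoint.
    if idp.distribution_point:
        cert_names = dp.distribution_point or dp.crl_issuer
        if not set(idp.distribution_point) & set(cert_names):
            return False
    # (b)(2)(ii)/(iii): partitioning by certificate kind.
    if idp.only_contains_user_certs and cert.is_ca:
        return False
    if idp.only_contains_ca_certs and not cert.is_ca:
        return False
    # (b)(2)(iv): attribute-certificate CRLs never cover public-key certificates.
    if idp.only_contains_attribute_certs:
        return False
    return True


def demo() -> Dict[str, bool]:
    """Constructed sample cases; names and URLs are made up for the example."""
    full = "http://crl.example.test/full.crl"
    other = "http://crl.example.test/partition2.crl"
    ee = Cert("CN=CA1", False, DistributionPoint(distribution_point=[full]))
    ca = Cert("CN=CA1", True, DistributionPoint(distribution_point=[full]))
    indirect = Cert("CN=CA1", False, DistributionPoint(crl_issuer=["CN=CRLIssuer"]))
    return {
        "idp_matches_dp": crl_in_scope(
            ee, Crl("CN=CA1", IssuingDistributionPoint(distribution_point=[full]))),
        "idp_names_other_dp": crl_in_scope(
            ee, Crl("CN=CA1", IssuingDistributionPoint(distribution_point=[other]))),
        "no_idp_same_issuer": crl_in_scope(ee, Crl("CN=CA1", None)),
        "wrong_issuer": crl_in_scope(ee, Crl("CN=CA2", None)),
        "indirect_without_flag": crl_in_scope(
            indirect, Crl("CN=CRLIssuer", IssuingDistributionPoint())),
        "indirect_ok": crl_in_scope(
            indirect, Crl("CN=CRLIssuer", IssuingDistributionPoint(
                distribution_point=["CN=CRLIssuer"], indirect_crl=True))),
        "ca_cert_in_user_only_crl": crl_in_scope(
            ca, Crl("CN=CA1", IssuingDistributionPoint(only_contains_user_certs=True))),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} in scope: {ok}")
```

The `idp_names_other_dp` case is the one this thread is about: the certificate's CRL DP is well-formed and the issuer matches, yet the CRL is rejected purely because its IDP limits it to a different partition.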