
RE: CA Rekey and CRL Validation

Please read "DP in DP" as "DP in CRL DP".  My apologies for the typo.

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
Behalf Of Santosh Chokhani
Sent: Friday, September 17, 2004 8:56 AM
To: ietf-pkix@xxxxxxx
Subject: RE: CA Rekey and CRL Validation

Denis:

See responses in-line in [].

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
Behalf Of Denis Pinkas
Sent: Friday, September 17, 2004 3:10 AM
To: Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: Re: CA Rekey and CRL Validation

Santosh,

> Denis:

> In X.509, a CA when it issues a CRL is called CRL issuer.  Please look
> at the text of all the extensions descriptions related to CRL 
> issuance.

> Thus, saying a CA is not a CRL Issuer is incorrect in general.

I did not say this.

> In addition, if we assumed your interpretation that a CRL Issuer does
> not issue any certificates, the following sentence which began this 
> debate will be meaningless.
> 
> "If this field is absent, the CRL shall contain entries for all
> revoked unexpired certificates issued by the CRL issuer."

This sentence is not present in RFC 3280.

On page 59, we have the following sentence:

    If the distributionPoint field is absent, the CRL MUST contain
    entries for all revoked unexpired certificates *issued* by the CRL
    issuer, if any, within the scope of the CRL

This sentence is either ambiguous or incorrect: a CRL issuer does not 
*issue* certificates. On page 7, the definition of a CRL issuer is: CRL
issuer: an optional system to which a CA delegates the publication of 
certificate revocation lists.

[Santosh Says: This sentence says that when the DP field is absent the CRL
must cover all reason codes and all certificate types asserted or implied by
the absence of those fields in the IDP.  Thus, when the IDP is entirely
absent, it means that all reason codes and all certificates (EE and CA) are
covered.]

Besides this "battle" around words, since I have not followed all the 
messages of this thread, a summary would be interesting to answer the two 
following questions:

[Santosh Says: For details, please see X.509 Annex B.  An abridged version
of these is also in 3280 CRL processing section.  I have provided a very
brief overview of this to give the high-level approach]

1) under which circumstances would the distributionPoint field within the 
issuing distribution point structure really be useful?

[Santosh Says: The DP in IDP is useful when the CRL is split by more than, or
other than, reason code and certificate type.  This does not mean that
compliant implementations cannot assert it even when the CRL is complete
for the scope as specified by the presence and absence of onlySomeReasons
and entity type assertion fields in the IDP.] 

2) what kind of processing should a relying party make of it, when this 
field is present?

[Santosh Says: The relying party should match the DP in CRL DP with the DP
in DP.  See the X.509 Annex B for further detail on calculating the DP in
CRL DP]

Denis

> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Denis Pinkas
> Sent: Thursday, September 16, 2004 12:03 PM
> To: Carl Wallace
> Cc: ietf-pkix@xxxxxxx
> Subject: Re: CA Rekey and CRL Validation
> 
> 
> 
> Carl,
> 
> 
>>>>(including certificates issued by the CRL issuer).
>>>
>>>This is incorrect: a CRL issuer cannot issue certificates.
>>>
>>
> 
>>Why is that?  Given the limited use of the indirectCRL mechanism, most 
>>CRL issuers issue certificates.
> 
> 
> A CRL issuer only issues CRLs.
> A CA issues certificates and may also issue CRLs and/or OCSP
> responses.
> 
> Denis
> 
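The relying-party processing asked about in question 2 above, as an added example that is not part of this thread or of RFC 3280 itself: a simplified model of the RFC 3280 section 6.3.3 (b)(2) scope test that matches the DP in a certificate's CRL DP against the DP in the CRL's IDP, applies the certificate-type and onlySomeReasons partitions, and accumulates a reasons_mask across several CRLs. GeneralNames are reduced to plain strings and the certificate's CRL DP to its list of names (folding in cRLIssuer), and the `ALL_REASONS` set and dict-based IDP are assumptions of this model.

```python
# Constructed model of RFC 3280 6.3.3 (b)(2); names are strings, not ASN.1.
ALL_REASONS = {"keyCompromise", "cACompromise", "affiliationChanged",
               "superseded", "cessationOfOperation", "certificateHold",
               "privilegeWithdrawn", "aACompromise"}


def crl_scope_for_cert(idp, cert_dp_names, cert_is_ca):
    """Return the set of reasons this CRL covers for the certificate, or None
    if the CRL is out of scope for it.  `idp` is a dict with optional keys
    distributionPoint, onlyContainsUserCerts, onlyContainsCACerts and
    onlySomeReasons; idp=None means the CRL carries no IDP extension."""
    if idp is None:
        # No IDP: complete CRL for every certificate of this issuer, all reasons
        return set(ALL_REASONS)
    # (b)(2)(i): if the IDP names a DP, one of its names must match a name
    # from the certificate's CRL DP (or its cRLIssuer field, folded in here)
    idp_names = idp.get("distributionPoint")
    if idp_names is not None and not set(idp_names) & set(cert_dp_names):
        return None
    # (b)(2)(ii) and (iii): certificate-type partitioning
    if idp.get("onlyContainsUserCerts") and cert_is_ca:
        return None
    if idp.get("onlyContainsCACerts") and not cert_is_ca:
        return None
    # (b)(2)(iv): onlySomeReasons absent means every reason is covered
    return set(idp.get("onlySomeReasons", ALL_REASONS))


def reasons_fully_covered(crls, cert_dp_names, cert_is_ca):
    """Accumulate the reasons_mask of RFC 3280 6.3.3 over several CRLs and
    report whether every reason has been checked for this certificate."""
    reasons_mask = set()
    for idp in crls:
        covered = crl_scope_for_cert(idp, cert_dp_names, cert_is_ca)
        if covered:
            reasons_mask |= covered
    return reasons_mask == ALL_REASONS


if __name__ == "__main__":
    # Constructed sample: one DP whose CRLs are partitioned by reason code
    cert_dp = ["http://crl.example/dp1.crl"]
    key_crl = {"distributionPoint": ["http://crl.example/dp1.crl"],
               "onlySomeReasons": {"keyCompromise", "cACompromise"}}
    rest_crl = {"distributionPoint": ["http://crl.example/dp1.crl"],
                "onlySomeReasons": ALL_REASONS - {"keyCompromise", "cACompromise"}}
    print(reasons_fully_covered([key_crl], cert_dp, False))            # False
    print(reasons_fully_covered([key_crl, rest_crl], cert_dp, False))  # True
```

A CRL whose IDP carries a DP but no onlySomeReasons field still yields all reasons, which is the point Santosh makes above that asserting the DP does not by itself make the CRL partial.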