Re: CA Rekey and CRL Validation

["David P. Kemp" <dpkemp@xxxxxxxxxxxxxx>]

Not only do other sections suggest that the CA can be a CRL issuer, the
text regarding "CRL issuer" on page 6 is *not* a definition of that 
term, it is
an item in the list of components in the PKIX architectural model.  That
model is shown in the accompanying diagram.

Any reasonable reading of the phrase "CRL issuer" in an English language
sentence would hold that it means the issuer of a CRL.  There are two
components that issue CRLs in the PKIX architecture; one of these
components also issues certificates.




Stefan Santesson wrote:

> Denis,
>
>  
>
> > On page 59, we have the following sentence:
> >
> >    If the distributionPoint field is absent, the CRL MUST contain
> >    entries for all revoked unexpired certificates *issued* by the CRL
> >    issuer, if any, within the scope of the CRL
> >
> > This sentence is either ambiguous or incorrect: a CRL issuer does not
> > *issue* certificates. On page 7, the definition of a CRL issuer is:
> > CRL issuer: an optional system to which a CA delegates the publication
> >    
> of
>  
>
> > certificate revocation lists.
> >    
>
> I agree that the definition is not consistent with the standard text in
> general. Other sections definitely suggest that the CA can be the CRL
> issuer also without delegation.
>
> > From 4.2.1.14  CRL Distribution Points:
>
>   If the certificate issuer is not the CRL
>   issuer, then the cRLIssuer field MUST be present and contain the Name
>   of the CRL issuer.  If the certificate issuer is also the CRL issuer,
>   then the cRLIssuer field MUST be omitted and the distributionPoint
>   field MUST be present.
>
>
> Stefan Santesson
> Microsoft Security Center of Excellence (SCOE)
>
>
>
>
>