
Re: CA Rekey and CRL Validation
David,


You are correct, but there are two hats and that's why the text
should be modified to:

   If the distributionPoint field is absent, the CRL MUST contain
   entries for all revoked unexpired certificates *issued* by the
   issuer CA, if any, within the scope of the CRL

Using the CRL issuer hat, there is no issued cert.

Cheers,
Ed Gerck

David P. Kemp wrote:


Not only do other sections suggest that the CA can be a CRL issuer, the
text regarding "CRL issuer" on page 6 is *not* a definition of that term, it is
an item in the list of components in the PKIX architectural model. That
model is shown in the accompanying diagram.


Any reasonable reading of the phrase "CRL issuer" in an English language
sentence would hold that it means the issuer of a CRL.  There are two
components that issue CRLs in the PKIX architecture; one of these
components also issues certificates.




Stefan Santesson wrote:


Denis,



On page 59, we have the following sentence:

   If the distributionPoint field is absent, the CRL MUST contain
   entries for all revoked unexpired certificates *issued* by the CRL
   issuer, if any, within the scope of the CRL

This sentence is either ambiguous or incorrect: a CRL issuer does not
*issue* certificates. On page 7, the definition of a CRL issuer is:

   CRL issuer: an optional system to which a CA delegates the publication
   of certificate revocation lists.


I agree that the definition is not consistent with the standard text in
general. Other sections definitely suggest that the CA can also be the CRL
issuer, without delegation.

From 4.2.1.14 CRL Distribution Points:

  If the certificate issuer is not the CRL
  issuer, then the cRLIssuer field MUST be present and contain the Name
  of the CRL issuer.  If the certificate issuer is also the CRL issuer,
  then the cRLIssuer field MUST be omitted and the distributionPoint
  field MUST be present.


Stefan Santesson
Microsoft Security Center of Excellence (SCOE)
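The two rules being argued over above (cRLIssuer present exactly when the certificate issuer is not the CRL issuer, and a CRL without a distributionPoint in its IDP covering everything its issuer issued) are what a relying party has to turn into a scope check. The following is an added example, written for this archive and not code from any of the posters or from the PKIX working group: a pure-Python model of the certificate-to-CRL scope tests as I read them from RFC 3280 section 6.3.3(b), plus the producer-side encoding rule quoted from 4.2.1.14. Plain strings stand in for X.509 Name/GeneralName values (so matching is string equality), the class and function names are my own, the treatment of a certificate with no DP against a partitioned CRL is an assumption noted in the code, and every CA, service and URL name is constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


# Constructed stand-ins for the X.509 structures involved. Names are plain
# strings rather than DER Name/GeneralName values, so "match" means string
# equality here; a real validator compares the encoded names.

@dataclass(frozen=True)
class DistributionPoint:
    """One DistributionPoint from a certificate's cRLDistributionPoints."""
    distribution_point: FrozenSet[str] = frozenset()  # fullName; may be empty
    crl_issuer: Optional[str] = None                  # cRLIssuer; indirect CRLs only


@dataclass(frozen=True)
class Certificate:
    issuer: str
    is_ca: bool


@dataclass(frozen=True)
class IssuingDistributionPoint:
    """The CRL's issuingDistributionPoint extension."""
    distribution_point: FrozenSet[str] = frozenset()
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False
    indirect_crl: bool = False
    only_contains_attribute_certs: bool = False


@dataclass(frozen=True)
class CRL:
    issuer: str
    idp: Optional[IssuingDistributionPoint] = None


def dp_encoding_ok(cert: Certificate, dp: DistributionPoint, crl_issuer: str) -> bool:
    """Producer-side rule from 4.2.1.14: cRLIssuer is present exactly when the
    certificate issuer is not the CRL issuer; when they are the same,
    cRLIssuer is omitted and distributionPoint must be present."""
    if cert.issuer != crl_issuer:
        return dp.crl_issuer == crl_issuer
    return dp.crl_issuer is None and bool(dp.distribution_point)


def crl_in_scope(cert: Certificate, dp: Optional[DistributionPoint], crl: CRL) -> bool:
    """Relying-party check: may `crl` decide `cert`'s status via `dp`?
    Follows the scope tests of RFC 3280 6.3.3(b) as modelled here."""
    # (b)(1) Who must have signed the CRL.
    if dp is not None and dp.crl_issuer is not None:
        # Indirect CRL: the DP names the CRL issuer, and the CRL itself must
        # declare that it is indirect (IDP.indirectCRL).
        if crl.issuer != dp.crl_issuer:
            return False
        if crl.idp is None or not crl.idp.indirect_crl:
            return False
    elif crl.issuer != cert.issuer:
        return False

    idp = crl.idp
    if idp is None:
        # No IDP at all: a complete CRL for everything this issuer issued.
        return True

    # (b)(2)(i) If the IDP names a distribution point the CRL is partitioned
    # and must be the partition the certificate points at.
    if idp.distribution_point:
        if dp is None:
            # Assumption: a certificate with no DP needs a complete CRL, so a
            # partitioned CRL is out of scope for it.
            return False
        if dp.distribution_point:
            if not (idp.distribution_point & dp.distribution_point):
                return False
        elif dp.crl_issuer is None or dp.crl_issuer not in idp.distribution_point:
            return False

    # (b)(2)(ii)-(iv) Certificate-type partitions.
    if idp.only_contains_user_certs and cert.is_ca:
        return False
    if idp.only_contains_ca_certs and not cert.is_ca:
        return False
    if idp.only_contains_attribute_certs:
        return False
    return True


def demo() -> dict:
    """Constructed scenarios; returns scenario name -> in-scope decision."""
    ca = "CN=Example CA"                      # constructed
    svc = "CN=Example CRL Service"            # constructed
    url = "http://crl.example/partition1.crl"  # constructed
    ee = Certificate(issuer=ca, is_ca=False)
    direct_dp = DistributionPoint(distribution_point=frozenset({url}))
    indirect_dp = DistributionPoint(distribution_point=frozenset({url}), crl_issuer=svc)
    return {
        "complete CRL from the CA": crl_in_scope(ee, None, CRL(issuer=ca)),
        "partition CRL matching the DP": crl_in_scope(
            ee, direct_dp, CRL(ca, IssuingDistributionPoint(frozenset({url})))),
        "indirect CRL correctly flagged": crl_in_scope(
            ee, indirect_dp, CRL(svc, IssuingDistributionPoint(frozenset({url}), indirect_crl=True))),
        "indirect CRL missing indirectCRL flag": crl_in_scope(
            ee, indirect_dp, CRL(svc, IssuingDistributionPoint(frozenset({url})))),
        "CRL signed by the wrong issuer": crl_in_scope(ee, direct_dp, CRL(issuer=svc)),
        "CA-only partition applied to an end-entity cert": crl_in_scope(
            ee, direct_dp, CRL(ca, IssuingDistributionPoint(frozenset({url}), only_contains_ca_certs=True))),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'in scope    ' if ok else 'out of scope'}  {name}")
```

The point of the fourth scenario is the one most often missed in practice: a CRL signed by the delegated CRL issuer is not acceptable merely because its signer matches the certificate's cRLIssuer field; the CRL must also carry indirectCRL in its IDP, otherwise a CRL the service issued for its own certificates could be mistaken for one covering the CA's.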