
Re: CA Rekey and CRL Validation
Santosh,


I have been away so I could not respond immediately.

(text deleted)

2) what kind of processing should a relying party make of it, when this field is present?

[Santosh Says: The relying party should match the DP in CRL DP with the DP
in DP.  See the X.509 Annex B for further detail on calculating the DP in
CRL DP]

[Denis] Hum !!! I guess you did not mean "should", but "SHALL", and also "IDP" instead of "DP". The correct sentence would then be:

"The relying party SHALL match the DP in CRL DP with the DP in IDP."

In RFC 3280 we currently have:

   If the distributionPoint field is present and contains a URI, the
   following semantics MUST be assumed: the object is a pointer to the
   most current CRL issued by this CRL issuer.  The URI schemes ftp,
   http, mailto [RFC1738] and ldap [RFC1778] are defined for this
   purpose.  The URI MUST be an absolute pathname, not a relative
   pathname, and MUST specify the host.

A note should be added:

   Note: For a given certificate that contains a cRLDistributionPoints
         extension with a distributionPoint field, in order to make
         sure that the right CRL is being accessed, a relying party
         SHALL match the distributionPoint field from the
         issuingDistributionPoint with the distributionPoint
         field from the cRLDistributionPoints extension.

Denis
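An added illustration of the match the note above asks for, written here for this reply and not taken from the message or from any PKIX implementation. It models the DistributionPointName CHOICE (fullName or nameRelativeToCRLIssuer) in plain Python, expands a relative name by appending it to the CRL issuer's DN as X.509 Annex B describes, and then compares the certificate's DP with the CRL's IDP; the DN strings and URIs are constructed, and DNs are written RFC 2253 style (leaf RDN first).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DistributionPointName:
    """Constructed model of the ASN.1 CHOICE: exactly one of the two is set."""
    full_name: Optional[List[str]] = None          # GeneralNames, here URIs or DN strings
    relative_to_crl_issuer: Optional[str] = None   # one RDN, e.g. "CN=CRL1"


@dataclass
class DistributionPoint:
    """One entry of a certificate's cRLDistributionPoints extension."""
    name: Optional[DistributionPointName]
    crl_issuer: Optional[str] = None   # cRLIssuer field; absent when the CA issues its own CRLs


@dataclass
class IssuingDistributionPoint:
    """The distributionPoint part of a CRL's issuingDistributionPoint extension."""
    name: Optional[DistributionPointName]


def effective_names(dpn: DistributionPointName, base_dn: str) -> set:
    """Return the full names a DistributionPointName denotes.

    A nameRelativeToCRLIssuer is expanded by appending the RDN to the CRL
    issuer's DN (X.509 Annex B); with leaf-first DN strings that is "RDN,base".
    """
    if dpn.full_name is not None:
        return set(dpn.full_name)
    return {f"{dpn.relative_to_crl_issuer},{base_dn}"}


def dp_matches_idp(cert_issuer_dn: str, dp: DistributionPoint,
                   crl_issuer_dn: str, idp: Optional[IssuingDistributionPoint]) -> bool:
    """True when the certificate's DP names the same distribution point as the CRL's IDP."""
    if idp is None or idp.name is None:
        return True    # CRL is not scoped to a distribution point: nothing to match here
    if dp.name is None:
        return False   # certificate names no point, but the CRL is scoped to one
    # A relative name in the certificate DP is relative to its cRLIssuer if present,
    # otherwise to the certificate issuer (which then is the CRL issuer).
    dp_base = dp.crl_issuer if dp.crl_issuer is not None else cert_issuer_dn
    return bool(effective_names(dp.name, dp_base) & effective_names(idp.name, crl_issuer_dn))
```

This covers only the distributionPoint match; the other IDP checks (onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons, indirectCRL) are separate tests.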