RE: CA Rekey and CRL Validation
Denis:
Your suggestion on the text to be added is incomplete and rather than adding
the text to the description of the extension, it is covered by the path
validation logic. The following is an example of incompleteness:
When a DP is absent in the IDP, there is no need to match the DP from the
CRL DP.
-----Original Message-----
From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx]
Sent: Thursday, September 23, 2004 8:29 AM
To: Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: Re: CA Rekey and CRL Validation
Santosh,
I have been away so I could not respond immediately.
(text deleted)
> 2) what kind of processing should a relying party make of it, when
> this
> field is present ?
> [Santosh Says: The relying party should match the DP in CRL DP with
> the DP in DP. See the X.509 Annex B for further detail on calculating
> the DP in CRL DP]
[Denis] Hum !!! I guess you did not mean "should", but "SHALL", and also
"IDP" instead of "DP". The correct sentence would then be:
"The relying party SHALL match the DP in CRL DP with the DP in IDP."
In RFC 3280 we currently have:
If the distributionPoint field is present and contains a URI, the
following semantics MUST be assumed: the object is a pointer to the
most current CRL issued by this CRL issuer. The URI schemes ftp,
http, mailto [RFC1738] and ldap [RFC1778] are defined for this
purpose. The URI MUST be an absolute pathname, not a relative
pathname, and MUST specify the host.
A note should be added:
Note: For a given certificate that contains a cRLDistributionPoints
extension with a distributionPoint field, in order to make
sure that the right CRL is being accessed, a relying party
SHALL match the distributionPoint field from the
issuingDistributionPoint with the distributionPoint
field from the cRLDistributionPoints extension.
Denis
> Denis
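The distributionPoint matching step discussed in this thread (RFC 3280 section 6.3.3, step (b)), as an added example that is not part of the thread. It models GeneralNames as plain strings such as "uri:http://crl.example.test/ca1.crl" and treats an IDP without a distributionPoint field as Santosh describes (nothing to match); a real implementation compares decoded GeneralName values, and the string rendering is an assumption of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class DistributionPoint:
    """One DistributionPoint from a certificate's cRLDistributionPoints."""
    full_names: FrozenSet[str] = frozenset()   # distributionPoint.fullName
    crl_issuer: FrozenSet[str] = frozenset()   # cRLIssuer GeneralNames


@dataclass(frozen=True)
class IssuingDistributionPoint:
    """The distributionPoint field of a CRL's issuingDistributionPoint."""
    full_names: FrozenSet[str] = frozenset()


def dp_matches_idp(cert_dp: DistributionPoint,
                   idp: Optional[IssuingDistributionPoint]) -> bool:
    """Return True when this CRL may be used for the certificate's DP."""
    if idp is None or not idp.full_names:
        # No distributionPoint in the IDP (or no IDP extension at all):
        # there is nothing to match, so this step is satisfied.
        return True
    if cert_dp.full_names:
        # (b)(1): some name in IDP.distributionPoint must equal some name
        # in the certificate DP's distributionPoint.
        return bool(idp.full_names & cert_dp.full_names)
    if cert_dp.crl_issuer:
        # (b)(2): the DP omits distributionPoint but names a cRLIssuer; the
        # IDP's distributionPoint must then match one of those issuer names.
        return bool(idp.full_names & cert_dp.crl_issuer)
    return False  # DP carries neither field; nothing the IDP could match


# Constructed sample: a CRL scoped to ca1.crl, checked against two certificates.
IDP_CA1 = IssuingDistributionPoint(frozenset({"uri:http://crl.example.test/ca1.crl"}))
CERT_DP_CA1 = DistributionPoint(full_names=frozenset({"uri:http://crl.example.test/ca1.crl"}))
CERT_DP_CA2 = DistributionPoint(full_names=frozenset({"uri:http://crl.example.test/ca2.crl"}))
```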