Denis:
Your suggestion on the text to be added is incomplete and rather than adding the text to the description of the extension, it is covered by the path validation logic. The following is an example of incompleteness:
When a DP is absent in the IDP, there is no need to match the DP from the CRL DP.
-----Original Message-----
From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx]
Sent: Thursday, September 23, 2004 8:29 AM
To: Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: Re: CA Rekey and CRL Validation
Santosh,
I have been away so I could not respond immediately.
(text deleted)
2) what kind of processing should a relying party make of it, when this field is present ?
[Santosh Says: The relying party should match the DP in CRL DP with the DP in DP. See the X.509 Annex B for further detail on calculating the DP in CRL DP]
[Denis] Hum !!! I guess you did not mean "should", but "SHALL", and also "IDP" instead of "DP". The correct sentence would then be:
"The relying party SHALL match the DP in CRL DP with the DP in IDP."
In RFC 3280 we currently have:
If the distributionPoint field is present and contains a URI, the following semantics MUST be assumed: the object is a pointer to the most current CRL issued by this CRL issuer. The URI schemes ftp, http, mailto [RFC1738] and ldap [RFC1778] are defined for this purpose. The URI MUST be an absolute pathname, not a relative pathname, and MUST specify the host.
A note should be added:
Note: For a given certificate that contains a cRLDistributionPoints extension with a distributionPoint field, in order to make sure that the right CRL is being accessed, a relying party SHALL match the distributionPoint field from the issuingDistributionPoint with the distributionPoint field from the cRLDistributionPoints extension.
Denis
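The DP matching rule the two messages argue over, as an added illustration in Python that is not part of this thread (the string-based models of the ASN.1 structures and all names are my own assumptions, not real DER parsing). It follows RFC 3280 section 6.3.3 (b)(1): the comparison happens only when the IDP carries a distributionPoint name, and a certificate DP without its own name is compared through cRLIssuer instead.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet, Tuple

# Constructed, simplified models of the ASN.1 structures (assumption: no real DER).
@dataclass(frozen=True)
class GeneralName:
    kind: str    # "uri" or "dirName"
    value: str   # URI string, or a DN written as a comma-separated RDN list

@dataclass(frozen=True)
class DistributionPointName:
    full_name: Tuple[GeneralName, ...] = ()        # fullName (GeneralNames)
    relative_name: Optional[str] = None            # nameRelativeToCRLIssuer (one RDN)

@dataclass(frozen=True)
class DistributionPoint:                           # one element of cRLDistributionPoints
    name: Optional[DistributionPointName] = None
    crl_issuer: Tuple[GeneralName, ...] = ()       # cRLIssuer (GeneralNames)

@dataclass(frozen=True)
class IssuingDistributionPoint:                    # the CRL's IDP extension
    name: Optional[DistributionPointName] = None

def expand_dp_name(dpn: DistributionPointName, base_dn: str) -> FrozenSet[GeneralName]:
    """Turn a DistributionPointName into concrete names. A nameRelativeToCRLIssuer
    fragment is appended to base_dn (RFC 3280 4.2.1.14); the "," join is a
    constructed string convention for this example."""
    if dpn.relative_name is not None:
        return frozenset({GeneralName("dirName", base_dn + "," + dpn.relative_name)})
    return frozenset(dpn.full_name)

def dir_name(names: Tuple[GeneralName, ...], default: str) -> str:
    """The DN carried in a GeneralNames value, or default when it has none."""
    return next((n.value for n in names if n.kind == "dirName"), default)

def crl_dp_matches_idp(dp: DistributionPoint, idp: Optional[IssuingDistributionPoint],
                       cert_issuer_dn: str, crl_issuer_dn: str) -> bool:
    """RFC 3280 6.3.3 (b)(1). Returns True when the CRL is acceptable for this DP."""
    if idp is None or idp.name is None:
        return True   # no DP name in the IDP: nothing to match (Santosh's point)
    idp_names = expand_dp_name(idp.name, crl_issuer_dn)
    if dp.name is not None:
        # A relative DP name in the certificate hangs off cRLIssuer when present,
        # otherwise off the certificate issuer's DN.
        dp_names = expand_dp_name(dp.name, dir_name(dp.crl_issuer, cert_issuer_dn))
    else:
        # distributionPoint omitted: the IDP names must match cRLIssuer instead.
        dp_names = frozenset(dp.crl_issuer)
    return not idp_names.isdisjoint(dp_names)
```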