
RE: CA Rekey and CRL Validation



Denis:

When I read this, "If distribution point field is present.." applies to DP
in CRL DP.  My comment is on the DP in IDP.

-----Original Message-----
From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx] 
Sent: Thursday, September 23, 2004 9:42 AM
To: Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: Re: CA Rekey and CRL Validation


Santosh,

> Denis:
> 
> Your suggestion on the text to be added is incomplete and rather than 
> adding the text to the description of the extension, it is covered by 
> the path validation logic.  The following is an example of 
> incompleteness:
> 
> When a DP is absent in the IDP, there is no need to match the DP from 
> the CRL DP.

If you read more carefully, you will see that this note is to be part of the
paragraph: If the distributionPoint field is present ...

Denis

> -----Original Message-----
> From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx]
> Sent: Thursday, September 23, 2004 8:29 AM
> To: Santosh Chokhani
> Cc: ietf-pkix@xxxxxxx
> Subject: Re: CA Rekey and CRL Validation
> 
> 
> Santosh,
> 
> I have been away so I could not respond immediately.
> 
> (text deleted)
> 
> 
>>2) what kind of processing should a relying party make of it, when
>>this field is present ?
> 
> 
>>[Santosh Says: The relying party should match the DP in CRL DP with
>>the DP in DP.  See the X.509 Annex B for further detail on calculating 
>>the DP in CRL DP]
> 
> 
> [Denis] Hum !!! I guess you did not mean "should", but "SHALL", and 
> also "IDP" instead of "DP". The correct sentence would then be:
> 
> "The relying party SHALL match the DP in CRL DP with the DP in IDP."
> 
> In RFC 3280 we currently have:
> 
>     If the distributionPoint field is present and contains a URI, the
>     following semantics MUST be assumed: the object is a pointer to the
>     most current CRL issued by this CRL issuer.  The URI schemes ftp,
>     http, mailto [RFC1738] and ldap [RFC1778] are defined for this
>     purpose.  The URI MUST be an absolute pathname, not a relative
>     pathname, and MUST specify the host.
> 
> A note should be added:
> 
>     Note: For a given certificate that contains a cRLDistributionPoints
>           extension with a distributionPoint field, in order to make
>           sure that the right CRL is being accessed, a relying party
>           SHALL match the distributionPoint field from the
>           issuingDistributionPoint with the distributionPoint
>           field from the cRLDistributionPoints extension.
> 
> Denis
> 
> 
>>Denis
> 
> 
>
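As an added illustration of the matching step the thread is arguing about (this is not code from the thread, from RFC 3280, or from either author), the following Python models the decision a relying party makes after fetching a CRL from a certificate's distributionPoint: if the CRL's issuingDistributionPoint names a distributionPoint, one of those names must match a name in the certificate's cRLDistributionPoints entry (Denis's note), while an IDP without a distributionPoint field, or no IDP at all, imposes no such match (Santosh's point). Assumptions: GeneralNames are represented as plain strings compared exactly, the CRL is reduced to its optional IDP fields, all class and function names are hypothetical, and the cRLIssuer fallback in the last branch is taken from the RFC 3280 path validation logic (section 6.3.3) rather than from the thread.

```python
"""Model of the IDP / CRL DP name-matching step discussed in the thread.

Constructed example: names are plain strings rather than decoded GeneralName
structures, and a CRL is represented only by its (optional)
issuingDistributionPoint fields.  All identifiers are hypothetical.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Result codes returned by check_crl_scope (hypothetical, not RFC terms)
ACCEPT = "accept"
REJECT_DP_MISMATCH = "reject: IDP distributionPoint matches no CRL DP name"
REJECT_ISSUER_MISMATCH = "reject: IDP distributionPoint matches no cRLIssuer name"


@dataclass(frozen=True)
class CertDistributionPoint:
    """One DistributionPoint from a certificate's cRLDistributionPoints extension."""
    distribution_point: Optional[FrozenSet[str]] = None  # GeneralNames; None when the field is absent
    crl_issuer: Optional[FrozenSet[str]] = None          # cRLIssuer GeneralNames; None when absent


@dataclass(frozen=True)
class CrlIssuingDistributionPoint:
    """The CRL's issuingDistributionPoint extension (only the field this thread discusses)."""
    distribution_point: Optional[FrozenSet[str]] = None  # None when the field is omitted


def _overlap(a: FrozenSet[str], b: FrozenSet[str]) -> bool:
    # Simplification: exact string comparison.  Real code compares GeneralName
    # values by type (URI, directoryName, ...) with that type's matching rules.
    return not a.isdisjoint(b)


def check_crl_scope(cert_dp: CertDistributionPoint,
                    crl_idp: Optional[CrlIssuingDistributionPoint]) -> str:
    """Decide whether the fetched CRL is the one the certificate's DP points to."""
    # Case 1: the CRL carries no IDP extension, so there is no IDP name to match.
    if crl_idp is None:
        return ACCEPT
    # Case 2 (Santosh's point): IDP present, but its distributionPoint field is
    # absent.  There is nothing to compare against, so no match is required.
    if crl_idp.distribution_point is None:
        return ACCEPT
    # Case 3 (Denis's proposed note): both the IDP and the certificate's DP carry a
    # distributionPoint; one name must match, otherwise this is not the CRL the
    # certificate points to (e.g. a partitioned CRL with a different scope).
    if cert_dp.distribution_point is not None:
        if _overlap(crl_idp.distribution_point, cert_dp.distribution_point):
            return ACCEPT
        return REJECT_DP_MISMATCH
    # Case 4: the certificate's DP names the CRL only through cRLIssuer.  RFC 3280
    # section 6.3.3 (b)(2)(i) compares the IDP names with the cRLIssuer names then.
    if cert_dp.crl_issuer is not None and _overlap(crl_idp.distribution_point, cert_dp.crl_issuer):
        return ACCEPT
    return REJECT_ISSUER_MISMATCH


def demo() -> dict:
    """Run the four situations from the thread against one constructed certificate DP."""
    cert_dp = CertDistributionPoint(distribution_point=frozenset({"http://crl.example.test/ca1.crl"}))
    cases = {
        "no IDP": None,
        "IDP without DP": CrlIssuingDistributionPoint(),
        "IDP DP matches": CrlIssuingDistributionPoint(frozenset({"http://crl.example.test/ca1.crl"})),
        "IDP DP differs": CrlIssuingDistributionPoint(frozenset({"http://crl.example.test/ca2.crl"})),
    }
    return {name: check_crl_scope(cert_dp, idp) for name, idp in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The "IDP DP differs" case is the one the proposed note exists for: the CRL was fetched successfully and may even be correctly signed by the CA, but its IDP says it covers a different partition, so a relying party that skips the match could treat a certificate as unrevoked on the strength of a CRL that never listed it.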