
Re: CA Rekey and CRL Validation




Santosh,


Denis:

When I read this, "If distribution point field is present.." applies to DP
in CRL DP.  My comment is on the DP in IDP.

If you read even more carefully, you will see that this note is to be part of the paragraph: "If the distributionPoint field is present ..." that is part of section 5.2.5 (on page 59) which only relates to the IDP. If you still have problems, please be more specific.


Denis


-----Original Message-----
From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx]
Sent: Thursday, September 23, 2004 9:42 AM
To: Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: Re: CA Rekey and CRL Validation



Santosh,



Denis:

Your suggestion on the text to be added is incomplete and rather than adding the text to the description of the extension, it is covered by the path validation logic. The following is an example of incompleteness:

When a DP is absent in the IDP, there is no need to match the DP from the CRL DP.


If you read more carefully, you will see that this note is to be part of the paragraph: "If the distributionPoint field is present ..."

Denis


-----Original Message-----
From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx]
Sent: Thursday, September 23, 2004 8:29 AM
To: Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: Re: CA Rekey and CRL Validation


Santosh,


I have been away so I could not respond immediately.

(text deleted)



2) what kind of processing should a relying party make of it, when this field is present?


[Santosh Says: The relying party should match the DP in CRL DP with the DP in DP. See the X.509 Annex B for further detail on calculating the DP in CRL DP]


[Denis] Hum !!! I guess you did not mean "should", but "SHALL", and also
"IDP" instead of "DP". The correct sentence would then be:


"The relying party SHALL match the DP in CRL DP with the DP in IDP."

In RFC 3280 we currently have:

   If the distributionPoint field is present and contains a URI, the
   following semantics MUST be assumed: the object is a pointer to the
   most current CRL issued by this CRL issuer.  The URI schemes ftp,
   http, mailto [RFC1738] and ldap [RFC1778] are defined for this
   purpose.  The URI MUST be an absolute pathname, not a relative
   pathname, and MUST specify the host.

A note should be added:

   Note: For a given certificate that contains a cRLDistributionPoints
         extension with a distributionPoint field, in order to make
         sure that the right CRL is being accessed, a relying party
         SHALL match the distributionPoint field from the
         issuingDistributionPoint with the distributionPoint
         field from the cRLDistributionPoints extension.

Denis



Denis
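The relying-party matching step the thread argues about (the distributionPoint of the CRL's issuingDistributionPoint against the distributionPoint of the certificate's cRLDistributionPoints, including the case Santosh raises where the IDP carries no distributionPoint at all) is spelled out in RFC 3280 section 6.3.3 step (b)(2). The following is an added illustration written for this page, not code from the thread or from any RFC; it models GeneralName values as plain strings such as "uri:..." and "dn:..." (a constructed convention), resolves a nameRelativeToCRLIssuer by appending the RDN to the CRL issuer's name as X.509 Annex B describes, and assumes that step (b)(1) has already verified the CRL issuer, so that the same issuer name is the base for relative names on both sides.

```python
"""Relying-party check that a CRL's issuingDistributionPoint (IDP) matches the
certificate's cRLDistributionPoints (CRL DP), modelled on RFC 3280 6.3.3 (b)(2).

Constructed, simplified model: GeneralName values are strings ("uri:..." or
"dn:...") rather than ASN.1 structures, and DN string order is our own."""

from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence


@dataclass(frozen=True)
class DistributionPointName:
    """Either a fullName (set of GeneralNames) or a nameRelativeToCRLIssuer (one RDN)."""
    full_name: FrozenSet[str] = frozenset()
    relative_name: Optional[str] = None


@dataclass(frozen=True)
class DistributionPoint:
    """One entry of the certificate's cRLDistributionPoints extension.

    An absent extension is modelled as a single DistributionPoint() with neither
    field set (assumption made for this example)."""
    distribution_point: Optional[DistributionPointName] = None
    crl_issuer: FrozenSet[str] = frozenset()  # cRLIssuer GeneralNames, empty if absent


def absolute_names(dpn: DistributionPointName, crl_issuer_dn: str) -> FrozenSet[str]:
    """Expand a DistributionPointName into the set of absolute names it denotes.

    A nameRelativeToCRLIssuer is resolved by appending the RDN to the CRL
    issuer's name (X.509 Annex B). The "dn:<issuer>,<RDN>" form is a
    constructed string convention for this example."""
    if dpn.relative_name is not None:
        return frozenset({f"dn:{crl_issuer_dn},{dpn.relative_name}"})
    return dpn.full_name


def dp_matches_idp(dp: DistributionPoint,
                   idp_dpn: Optional[DistributionPointName],
                   crl_issuer_dn: str) -> bool:
    """RFC 3280 6.3.3 (b)(2) applied to one DP of the certificate.

    crl_issuer_dn is the issuer name carried in the CRL; step (b)(1) is assumed
    to have already matched it against cRLIssuer (if present) or the
    certificate issuer, so it is also the base for a relative name in the DP."""
    if idp_dpn is None:
        # No distributionPoint in the IDP: there is nothing to match.
        return True
    idp_names = absolute_names(idp_dpn, crl_issuer_dn)
    if dp.distribution_point is not None:
        # (i) one of the IDP names must equal one of the DP names.
        return bool(idp_names & absolute_names(dp.distribution_point, crl_issuer_dn))
    # (ii) DP has no distributionPoint: match the IDP names against cRLIssuer.
    return bool(idp_names & dp.crl_issuer)


def crl_acceptable_for_cert(cert_dps: Sequence[DistributionPoint],
                            idp_dpn: Optional[DistributionPointName],
                            crl_issuer_dn: str) -> bool:
    """True if at least one DP of the certificate is compatible with the CRL's IDP.

    A certificate without the extension is treated as one empty DP, so a CRL
    whose IDP names a distribution point does not cover it."""
    dps = tuple(cert_dps) or (DistributionPoint(),)
    return any(dp_matches_idp(dp, idp_dpn, crl_issuer_dn) for dp in dps)


# Constructed sample values for a stand-alone run.
CRL_ISSUER = "CN=Example CA,O=Example"
CA_CRL_URI = "uri:http://crl.example.test/ca.crl"
CERT_DPS = (
    DistributionPoint(distribution_point=DistributionPointName(full_name=frozenset({CA_CRL_URI}))),
)

if __name__ == "__main__":
    same = DistributionPointName(full_name=frozenset({CA_CRL_URI}))
    other = DistributionPointName(full_name=frozenset({"uri:http://crl.example.test/other.crl"}))
    print("same URI in IDP:", crl_acceptable_for_cert(CERT_DPS, same, CRL_ISSUER))
    print("other URI in IDP:", crl_acceptable_for_cert(CERT_DPS, other, CRL_ISSUER))
    print("no distributionPoint in IDP:", crl_acceptable_for_cert(CERT_DPS, None, CRL_ISSUER))
```

The three cases printed by the stand-alone run correspond to the positions in the thread: a matching name accepts the CRL, a different name rejects it (the "right CRL" concern in Denis's note), and an IDP with no distributionPoint needs no match at all (Santosh's point). The relative-name and cRLIssuer branches are exercised by the same functions with a nameRelativeToCRLIssuer or an indirect-CRL DP.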