Signer certificate discovery for CRLs
All,
I'm interested in the opinion of members on this list about discovery
of the CRL signer's certificate in non-directory-centric environments.
The problem is the following.
The relying party (RP) needs to check validity of a certificate and
finds a CDP extension with a URL to the CRL.
The RP retrieves this CRL, which in this particular case is signed either
by another key of the CA (re-keyed CA) or by another entity (indirect CRL).
In this case the relying party needs to obtain the certificate of the
CRL signer which may NOT be part of the original chain. In a directory
centric solution this is retrieved from the directory, but what if such a
directory is not available or accessible?
The RP thus has no hint where to find the CRL issuer's certificate
unless the RP already has possession of it by some other means.
It seems that CRLs would need an AIA extension with the option to point
to the location of the signer's certificate in the same manner as is
possible for certificates.
Maybe AIA should be defined as both a certificate and a CRL extension and
not only a certificate extension as today.
Thoughts and comments?
Stefan Santesson
Microsoft Security Center of Excellence (SCOE)
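The following Go program is an added illustration of the discovery problem and the proposed AIA-on-CRL remedy; it is not part of the original message and not code from the poster or Microsoft. It constructs, in memory, a CA whose first certificate is the one the relying party holds, re-keys the CA, signs a CRL with the new key, and publishes the new-key certificate (signed by the old key, the usual rollover pattern) at a constructed URL named in the CRL's AIA caIssuers pointer. The relying-party logic first tries the CA certificate from its chain, and only when that fails follows the CRL's AIA pointer, accepting a candidate signer solely because the already-trusted CA vouches for it. The repository map, the URL, the names and the serial numbers are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OIDs from RFC 5280: id-pe-authorityInfoAccess and id-ad-caIssuers.
var (
	oidAIA       = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1}
	oidCAIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
)

// accessDescription mirrors ASN.1 AccessDescription; Location is a GeneralName,
// and this example only produces and consumes the URI form ([6] IMPLICIT IA5String).
type accessDescription struct {
	Method   asn1.ObjectIdentifier
	Location asn1.RawValue
}

// aiaExtension builds an AIA extension carrying a single caIssuers URI.
func aiaExtension(caIssuersURL string) (pkix.Extension, error) {
	der, err := asn1.Marshal([]accessDescription{{
		Method:   oidCAIssuers,
		Location: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte(caIssuersURL)},
	}})
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: oidAIA, Value: der}, nil
}

// crlCAIssuersURLs returns the caIssuers URIs found in a parsed CRL's AIA
// extension, or nil when the CRL carries none.
func crlCAIssuersURLs(crl *x509.RevocationList) ([]string, error) {
	var urls []string
	for _, ext := range crl.Extensions {
		if !ext.Id.Equal(oidAIA) {
			continue
		}
		var ads []accessDescription
		rest, err := asn1.Unmarshal(ext.Value, &ads)
		if err != nil {
			return nil, err
		}
		if len(rest) != 0 {
			return nil, errors.New("trailing data after AIA extension")
		}
		for _, ad := range ads {
			if ad.Method.Equal(oidCAIssuers) && ad.Location.Class == asn1.ClassContextSpecific && ad.Location.Tag == 6 {
				urls = append(urls, string(ad.Location.Bytes))
			}
		}
	}
	return urls, nil
}

// Repository stands in for what the RP could fetch over HTTP: a constructed
// map from URL to DER bytes, so the example runs offline.
type Repository map[string][]byte

// findCRLSigner: try the chain CA first; if its key does not verify the CRL
// (re-keyed CA or indirect CRL), follow the CRL's AIA caIssuers URIs. A
// candidate is accepted only if the trusted chain CA signed it, its subject
// equals the CRL issuer name, it has crlSign usage, and it verifies the CRL.
func findCRLSigner(crl *x509.RevocationList, chainCA *x509.Certificate, repo Repository) (*x509.Certificate, error) {
	if crl.CheckSignatureFrom(chainCA) == nil {
		return chainCA, nil
	}
	urls, err := crlCAIssuersURLs(crl)
	if err != nil {
		return nil, err
	}
	if len(urls) == 0 {
		return nil, errors.New("CRL not signed by chain CA and no AIA caIssuers pointer to locate the signer")
	}
	for _, u := range urls {
		der, ok := repo[u]
		if !ok {
			continue
		}
		cand, err := x509.ParseCertificate(der)
		if err != nil || cand.CheckSignatureFrom(chainCA) != nil || cand.Subject.String() != crl.Issuer.String() ||
			cand.KeyUsage&x509.KeyUsageCRLSign == 0 || crl.CheckSignatureFrom(cand) != nil {
			continue
		}
		return cand, nil
	}
	return nil, errors.New("no acceptable CRL signer found via AIA")
}

type scenario struct {
	chainCA *x509.Certificate // the CA certificate the RP already holds (old key)
	crlDER  []byte            // CRL signed with the CA's new key
	repo    Repository
}

const newCAURL = "http://pki.example/ca-newkey.cer" // constructed URL

// buildScenario creates the re-keyed CA: old self-signed cert (serial 1), a
// new-key cert signed by the old key (serial 2), and a CRL signed by the new key.
func buildScenario() (*scenario, error) {
	oldKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	oldDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &oldKey.PublicKey, oldKey)
	if err != nil {
		return nil, err
	}
	oldCA, err := x509.ParseCertificate(oldDER)
	if err != nil {
		return nil, err
	}
	newTmpl := *caTmpl
	newTmpl.SerialNumber = big.NewInt(2)
	newDER, err := x509.CreateCertificate(rand.Reader, &newTmpl, oldCA, &newKey.PublicKey, oldKey)
	if err != nil {
		return nil, err
	}
	newCA, err := x509.ParseCertificate(newDER)
	if err != nil {
		return nil, err
	}
	aia, err := aiaExtension(newCAURL)
	if err != nil {
		return nil, err
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour),
		ExtraExtensions: []pkix.Extension{aia},
	}, newCA, newKey)
	if err != nil {
		return nil, err
	}
	return &scenario{chainCA: oldCA, crlDER: crlDER, repo: Repository{newCAURL: newDER}}, nil
}

// resolve runs the RP side: parse the CRL and discover an acceptable signer.
func resolve() (*x509.Certificate, *scenario, error) {
	sc, err := buildScenario()
	if err != nil {
		return nil, nil, err
	}
	crl, err := x509.ParseRevocationList(sc.crlDER)
	if err != nil {
		return nil, nil, err
	}
	signer, err := findCRLSigner(crl, sc.chainCA, sc.repo)
	return signer, sc, err
}

func main() {
	signer, sc, err := resolve()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("chain CA serial %v could not verify the CRL; accepted signer serial %v (%q) via AIA\n",
		sc.chainCA.SerialNumber, signer.SerialNumber, signer.Subject.CommonName)
}
```

Without the repository entry behind the AIA URL, or with a CRL that carries no AIA extension, findCRLSigner fails closed; that is exactly the situation the message describes, where the RP has no hint beyond what it already holds. The trust decision never rests on the CRL's own pointer: the candidate is accepted only because the CA certificate already in the RP's chain signed it.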