RE: Signer certificate discovery for CRLs

["Stefan Santesson" <stefans@xxxxxxxxxxxxx>]

Denis,

Yes, SIA could be an option in SOME cases, if properly implemented and
if combined with an appropriate directory infrastructure.

It's just not as generic and cost effective as AIA in CRLs, especially
not when building chains from bottom up, which is a common way to build
paths.

I'm not trying to pick on words here. But for the first time I got the
impression that you accept AIA in CRLs as a valid option.

Do you still claim that AIA in CRLs is an invalid option that should NOT
be allowed?

/Stefan
 

> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
[mailto:owner-ietf-pkix@xxxxxxxxxxxx]
> On Behalf Of Denis Pinkas
> Sent: den 27 oktober 2004 09:32
> To: Stefan Santesson
> Cc: pkix
> Subject: Re: Signer certificate discovery for CRLs
> 
> 
> Stefan,
> 
> > Denis,
> 
> > <snip>
> 
> >>Use of AIA in CRLs would be one way to do it, while the use of SIA
> >>in CA certificates is the other way.
> 
> > I'm pleased to read that you acknowledge AIA in CRLs as a valid
option.
> > That is all I ask for.
> 
> I'm pleased to read that you noticed that AIA *would be an option*
since I
> used "would be" in the case of AIA and "is" in the case of SIA:
> 
> Use of AIA in CRLs *would be* one way to do it, while the use of SIA
> in CA certificates *is* the other way.  :-)
> 
> Denis
> 
> > Stefan Santesson
> > Microsoft Security Center of Excellence (SCOE)