Re: Signer certificate discovery for CRLs
>
> Santosh,
>
> > Denis,
> >
> > Just show us how SIA (wherever you want to put it) is more efficient than
> > AIA for CRL signer.
>
> The question is not whether it is better or not.
>
> Walking on certification paths can be done bottom-up (using AIA extensions)
> or top-down (using SIA extensions).
Not only this way: you can also have a directory. Top-down may create a scaling
problem when you can only retrieve ALL certs (i.e. a PKCS#7 cert list).
>
> It should be RECOMMENDED to place an SIA extension in every CA certificate,
> starting from every Trust Anchor (TA) when the TA is expressed using a
> self-signed certificate.
That's starting from the wrong end, as long as you don't have a good
and workable operational protocol (as you seem to indicate below).
>
> As I already said, information is missing in RFC 3280: we need to say more
> about the formats implied by accessMethod.
>
But not necessarily in 3280bis. I tend to think that this could be in an update
of the operational protocols, with 3280bis limited strictly to a snapshot and
profile of X.509.
> There are four possible cases:
>
> 1 - it allows retrieving one single file,
> 2 - it allows querying for a single file in a repository,
> 3 - it allows querying for one or more files in a repository,
> 4 - it provides the address of a repository
Do you think that for (L)DAP, and together with Peter Gutmann's HTTP access,
these cases are addressed in an appropriate way, i.e. we have
HTTP and (L)DAP specs?
> The current text should be clarified whether accessMethod is used in an AIA
> extension or in an SIA extension. Cases 3 and 4 apply to the SIA extension.
???
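The bottom-up walk discussed in this thread (following AIA caIssuers from a CRL-signer certificate toward a trust anchor), as an added example in Go that is not part of this thread, of RFC 3280 or of any of the participants' work. It uses only Go's crypto/x509, which parses the AIA caIssuers accessLocation URIs into IssuingCertificateURL but has no parser for SIA, so the top-down direction is not shown. The three-level hierarchy, the in-memory repository map and the example.invalid URIs are constructed for the example; a real resolver would fetch each URI over HTTP or LDAP and parse either a single certificate or a PKCS#7 bundle (cases 1 to 3 above).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Repo stands in for the HTTP or LDAP repository an AIA caIssuers URI points at (constructed here);
// one URI may yield a single certificate or, as in case 3 of the thread, a bundle of several.
type Repo map[string][]*x509.Certificate

// issue creates a certificate for cn signed by parent (self-signed when parent is nil);
// aia is what crypto/x509 encodes as the AIA caIssuers accessLocation URIs.
func issue(cn string, serial int64, ca bool, ku x509.KeyUsage, aia []string,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              ku,
		IssuingCertificateURL: aia,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI constructs root -> intermediate -> CRL signer, each non-root certificate pointing one
// level up via AIA caIssuers (placeholder hosts), and returns the CRL-signer certificate, the
// repository and the trust anchors keyed by DER-encoded subject name.
func BuildPKI() (*x509.Certificate, Repo, map[string]*x509.Certificate, error) {
	const rootURI, caURI = "http://repo.example.invalid/root.cer", "http://repo.example.invalid/ca.p7c"
	caKU := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey, err1 := issue("Constructed Root CA", 1, true, caKU, nil, nil, nil)
	ca, caKey, err2 := issue("Constructed Intermediate CA", 2, true, caKU, []string{rootURI}, root, rootKey)
	// Decoy with the intermediate's name but another key: a walker matching on names would take it.
	decoy, _, err3 := issue("Constructed Intermediate CA", 3, true, caKU, nil, nil, nil)
	signer, _, err4 := issue("Constructed CRL Signer", 4, false, x509.KeyUsageCRLSign, []string{caURI}, ca, caKey)
	for _, err := range []error{err1, err2, err3, err4} {
		if err != nil {
			return nil, nil, nil, err
		}
	}
	anchors := map[string]*x509.Certificate{string(root.RawSubject): root}
	return signer, Repo{rootURI: {root}, caURI: {decoy, ca}}, anchors, nil
}

// WalkUp follows AIA caIssuers bottom-up from leaf to a trust anchor. A repository candidate is
// accepted only if it verifies as the signer of the current certificate, and maxDepth bounds the
// walk so a looping repository cannot stall it.
func WalkUp(leaf *x509.Certificate, repo Repo, anchors map[string]*x509.Certificate, maxDepth int) ([]*x509.Certificate, error) {
	path, cur := []*x509.Certificate{leaf}, leaf
	for hop := 0; hop < maxDepth; hop++ {
		if a, ok := anchors[string(cur.RawIssuer)]; ok && cur.CheckSignatureFrom(a) == nil {
			return append(path, a), nil
		}
		var next *x509.Certificate
	search:
		for _, uri := range cur.IssuingCertificateURL { // AIA caIssuers, as parsed by crypto/x509
			for _, cand := range repo[uri] {
				if cur.CheckSignatureFrom(cand) == nil {
					next = cand
					break search
				}
			}
		}
		if next == nil {
			return nil, fmt.Errorf("no verifiable issuer for %q via AIA %v", cur.Subject.CommonName, cur.IssuingCertificateURL)
		}
		path, cur = append(path, next), next
	}
	return nil, fmt.Errorf("no trust anchor reached within %d hops", maxDepth)
}

func main() {
	signer, repo, anchors, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	path, err := WalkUp(signer, repo, anchors, 5)
	for _, c := range path {
		fmt.Println(c.Subject.CommonName, c.IssuingCertificateURL)
	}
	fmt.Println("walk error:", err)
}
```

Two points from the example matter regardless of whether AIA or SIA carries the pointer: whatever a repository returns is untrusted input (a case 3 bundle may hold unrelated or look-alike certificates, as the decoy shows), so each hop is accepted only after the signature check, and the walk is depth-bounded so a misconfigured or hostile repository cannot keep it running. Case 4 (the address of a whole repository) is the one that raises the scaling concern mentioned above, since the client must first narrow the query before it can do this per-hop check.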