RE: Signer certificate discovery for CRLs
Denis,
See responses in-line.
-----Original Message-----
From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx]
Sent: Thursday, November 04, 2004 12:41 PM
To: Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: Re: Signer certificate discovery for CRLs
Santosh,
See responses in-line in [DP: ]
-----Original Message-----
From: Denis Pinkas [mailto:Denis.Pinkas@xxxxxxxx]
Sent: Wednesday, November 03, 2004 9:46 AM
To: Santosh Chokhani
Cc: 'pkix'
Subject: Re: Signer certificate discovery for CRLs
Santosh,
> X.509 Annex B and 3280 do describe how to deal with various CRLs.
No. I disagree.
[SC: When you look at Annex B of X.509 and 3280 and what we have proposed
here, what is missing in your analysis?]
X.509 Annex B only states:
"The relying party shall be able to obtain the public key of the issuer
identified in the CRL using authenticated means;"
but does not say how this is done!
[SC: US comment along the lines of what has been the consensus on this
thread has been made/included]
[DP: What do you mean by "US comment"? There is no such thing in the IETF
procedures. Then, "included" in what?!?]
[SC: You asked a question of X.509 Annex B and so I responded how we are
fixing X.509. Everyone knows that IETF does not deal with these things]
RFC 3280 also fails to provide any detail about this.
[SC: We are recommending the Editor include the consensus in the next round]
[DP: Fine, but there is no text at the present time, so no consensus yet at
the present time].
[SC: As I said, we have done some thinking and have proposed ideas for 3280
considerations.]
This is a major deficiency of both X.509 and RFC 3280.
Denis