
Authority Revocation List



Looking through the X.509 v3 text the situation on handling revocation 
information on CAs seems to be unclear.

X.509 had two attributes to hold revocation lists:
a) Certificate Revocation List
b) Authority Revocation List

The v3 extension Issuing Distribution Point has two flags:
  onlyContainsUserCerts and onlyContainsCACerts

This is followed by a statement "If this field is absent the CRL shall 
contain entries for all revoked unexpired certificates issued by the 
CRL issuer."  (By the way this sentence seems out of place where it is 
after the description of distributionPoint in the X.509 text).

How is it normally expected to handle CA revocations?

Is it expected that CRLs normally hold both end user and CA 
revocations?

If it is required to handle CA revocations separately should the CRL be 
placed in the Authority Revocation List attribute or should a 
distribution point be used?

Is the Authority Revocation List attribute still relevant?

Any views would be welcomed.

Nick Pope

-------------------------------------


Security & Standards
Suite A
191 Moulsham St.
Chelmsford
Essex
CM2 0LG
U.K.

Tel: +44 1245 495018
Fax: +44 1245 494517
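Added worked example, not part of the original message or of any X.509 text: the Python below (standard library only) decodes the DER value of the issuingDistributionPoint CRL extension, reads the onlyContainsUserCerts and onlyContainsCACerts flags the post asks about, and applies the scope rule that RFC 5280 section 6.3.3 later spelled out, namely that an absent extension means the CRL covers all of the issuer's unexpired certificates, onlyContainsUserCerts excludes CA certificates and onlyContainsCACerts excludes end-entity certificates. The DER sample values, the distribution point URI http://ca.example/arl.crl and the function names are constructed for this example.

```python
# Added example (not from the original post): decode an X.509
# IssuingDistributionPoint extension value and decide whether the CRL that
# carries it is in scope for a given certificate.  Pure standard library.
from typing import Optional


def _read_tlv(data: bytes, pos: int):
    """Read one DER TLV starting at `pos`; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV")
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("TLV runs past end of data")
    return tag, data[pos:end], end


def _der_bool(value: bytes) -> bool:
    # DER requires BOOLEAN TRUE to be encoded as exactly one byte 0xFF.
    if len(value) != 1 or value[0] not in (0x00, 0xFF):
        raise ValueError("non-DER BOOLEAN encoding")
    return value[0] == 0xFF


# Context-specific IMPLICIT tags of the BOOLEAN fields in
# IssuingDistributionPoint (X.509 / RFC 5280 section 5.2.5), all DEFAULT FALSE.
_IDP_FLAGS = {
    0x81: "onlyContainsUserCerts",       # [1]
    0x82: "onlyContainsCACerts",         # [2]
    0x84: "indirectCRL",                 # [4]
    0x85: "onlyContainsAttributeCerts",  # [5]
}


def parse_idp(ext_value: bytes) -> dict:
    """Decode an IssuingDistributionPoint extnValue into a dict of its fields."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("IssuingDistributionPoint must be a single SEQUENCE")
    idp = {name: False for name in _IDP_FLAGS.values()}
    idp["distributionPoint"] = None      # raw DistributionPointName DER, if present
    idp["onlySomeReasons"] = None        # raw ReasonFlags BIT STRING, if present
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0xA0:                  # [0] EXPLICIT DistributionPointName
            idp["distributionPoint"] = value
        elif tag == 0x83:                # [3] IMPLICIT ReasonFlags
            idp["onlySomeReasons"] = value
        elif tag in _IDP_FLAGS:
            idp[_IDP_FLAGS[tag]] = _der_bool(value)
        else:
            raise ValueError("unexpected tag 0x%02x in IssuingDistributionPoint" % tag)
    if idp["onlyContainsUserCerts"] and idp["onlyContainsCACerts"]:
        raise ValueError("onlyContainsUserCerts and onlyContainsCACerts are mutually exclusive")
    return idp


def crl_in_scope(idp: Optional[dict], cert_is_ca: bool) -> bool:
    """Is a CRL carrying this IDP (None = extension absent) usable for the cert?

    Absent extension: the CRL lists all revoked unexpired certs of the issuer.
    Otherwise apply the RFC 5280 6.3.3 (b)(2) scope checks.
    """
    if idp is None:
        return True
    if idp["onlyContainsUserCerts"] and cert_is_ca:
        return False                     # user-only CRL cannot vouch for a CA cert
    if idp["onlyContainsCACerts"] and not cert_is_ca:
        return False                     # CA-only CRL (an "ARL") cannot vouch for an end-entity cert
    if idp["onlyContainsAttributeCerts"]:
        return False                     # attribute-certificate CRL, never covers a public-key cert
    return True


def _der(tag: int, content: bytes) -> bytes:
    """Tiny DER encoder for this example (short-form length only)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


# Constructed sample extension values for this example.
IDP_USER_ONLY = _der(0x30, bytes([0x81, 0x01, 0xFF]))   # onlyContainsUserCerts TRUE
IDP_CA_ONLY = _der(0x30, bytes([0x82, 0x01, 0xFF]))     # onlyContainsCACerts TRUE
# A CA-only CRL published at its own distribution point (URI is made up).
_URI = _der(0x86, b"http://ca.example/arl.crl")          # GeneralName uniformResourceIdentifier [6]
_FULL_NAME = _der(0xA0, _URI)                            # DistributionPointName fullName [0]
_DP = _der(0xA0, _FULL_NAME)                             # distributionPoint [0] EXPLICIT
IDP_CA_DP = _der(0x30, _DP + bytes([0x82, 0x01, 0xFF]))  # plus onlyContainsCACerts TRUE
```

The IDP_CA_DP shape is what "a separate CRL for CA revocations reached via a distribution point" looks like on the wire: a distributionPoint name plus onlyContainsCACerts. Whichever directory attribute such a CRL is stored under, a verifier that applies crl_in_scope will refuse to accept a user-only CRL as evidence about a CA certificate, which is the check that matters when the two kinds of revocation are split.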