RE: Authority Revocation List
The two attributes certificateRevocationList and authorityRevocationList
apply now the same way they did back in the 1988 standard. The thing
that has changed in 1997 is the entries which might hold these
attributes - nothing else. ARLs are most useful when validating
certification paths.
These attributes may be held in the CA entry or in entries of object
class crlDistributionPoint - that doesn't affect what the attributes are
for. We use both ARLs and CRLs and use distribution points, so no it's
not obsolete. Additional notes below.
If I'm missing your point, let me know.
------------------
NOTE: WE'VE MOVED
Sharon Boeyen
Entrust Technologies
750 Heron Road, Suite E08
Ottawa, Ontario Canada K1V 1A7
mailto:boeyen@entrust.com Tel: (613) 247-3181
http://www.entrust.com Fax: (613) 247-3690
Orchestrating Enterprise Security
>----------
>From: Nick Pope[SMTP:pope@secstan.demon.co.uk]
>Sent: June 24, 1997 9:41 AM
>To: ietf-pkix@tandem.com; OSIdirectory@az05.bull.com
>Subject: Authority Revocation List
>
>Looking through the X.509 v3 text the situation on handling revocation
>information on CAs seems to be unclear.
>
>X.509 had two attributes to hold revocation lists:
>a) Certificate Revocation List
>b) Authority Revocation List
>
>the v3 extension Issuing Distribution Point has two flags:
> onlyContainsUserCerts and onlyContainsCACerts
>
>This is followed by a statement "If this field is absent the CRL shall
>contain entries for all revoked unexpired certificates issued by the
>CRL issuer." (By the way this sentence seems out of place where it is
>after the description of distributionPoint in the X.509 text).
In the version I have this phrase follows the distributionPoint element
of the syntax only and has nothing to do with whether crl or arl are
included. Hoyt, I tried to access the bull server to make sure I have
the right text and I can't - keep getting errors saying check the
address - I used: ftp://ftp.bull.com?
Re the "out of place" I'm not sure I agree - this is the description of
the extension field to be contained in a revocation list - that is not
the same as the description of the crlDistributionPoint object class
which describes directory entries holding such lists.
>
>How is it normally expected to handle CA revocations?
>
>Is it expected that CRLs normally hold both end user and CA
>revocations?
We use crl for end-user cert revocation and arl for CA cert revocation -
both can be placed in distribution points.
>
>If it is required to handle CA revocations separately should the CRL be
>placed in the Authority Revocation List attribute or should a
>distribution point be used?
>
>Is the Authority Revocation List attribute still relevant ?
Yes
>
>Any views would be welcomed.
I'm not sure where the confusion is, but to see the whole picture with
respect to distribution points and their use by certificate using
systems or relying parties, you need to look at the certificate
extension (crlDistributionPoints) and the revocation list extension
(issuingDistributionPoint) - both defined in 509. If you are using a
directory as a repository for certificates and crls you also need to
look at the attribute and object class definitions. For revocation lists
this includes both the arl and crl defined in X.509 and the
certificationAuthority, certificationAuthority-V2, and
cRLDistributionPoint object classes defined in X.521.
>
>Nick Pope
>
>-------------------------------------
>
>
>Security & Standards
>Suite A
>191 Moulsham St.
>Chelmsford
>Essex
>CM2 0LG
>U.K.
>
>Tel: +44 1245 495018
>Fax: +44 1245 494517
>
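Worked example, added to this archive page and not part of either message above: the thread's point is that an ARL is a revocation list in ordinary CRL syntax whose scope is signalled by the issuingDistributionPoint flags (onlyContainsCACerts for an ARL, onlyContainsUserCerts for an end-entity CRL), and that a relying party checking a CA certificate must therefore consult a list whose scope covers CA certificates. The code below builds a root, a subordinate CA and an end-entity certificate with the third-party `cryptography` package, signs an ARL and a CRL carrying those flags, and shows a relying-party selection rule that refuses to answer from an out-of-scope list. The helper names (`make_list`, `list_covers`, `revocation_status`, `demo`), the serial numbers, the fixed timestamp and the "undetermined" status string are my own choices for illustration; the directory attributes and object classes discussed in the thread (storage in an X.500/LDAP entry) are not modelled here, only the extension-level logic.

```python
"""Added example (not from the thread): ARL vs CRL selection driven by the
issuingDistributionPoint (IDP) extension. Requires the `cryptography` package."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Fixed, constructed timestamp so the example is deterministic.
NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject, issuer_name, issuer_key, subject_key, is_ca, serial):
    """Issue a certificate; basicConstraints marks it as CA or end entity."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject))
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(serial)
        .not_valid_before(NOW)
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def make_list(issuer_name, issuer_key, revoked_serials, *, only_ca, only_user):
    """Sign a revocation list whose IDP flags declare which certs it covers.
    only_ca=True yields an ARL; only_user=True yields an end-entity CRL."""
    idp = x509.IssuingDistributionPoint(
        full_name=None,
        relative_name=None,
        only_contains_user_certs=only_user,
        only_contains_ca_certs=only_ca,
        only_some_reasons=None,
        indirect_crl=False,
        only_contains_attribute_certs=False,
    )
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_name)
        .last_update(NOW)
        .next_update(NOW + datetime.timedelta(days=7))
        .add_extension(idp, critical=True)
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(NOW)
            .build()
        )
    return builder.sign(issuer_key, hashes.SHA256())


def list_covers(crl, cert):
    """True if the list's IDP scope allows it to speak for this certificate."""
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    except x509.ExtensionNotFound:
        return True  # no IDP: the list covers every unexpired cert of the issuer
    is_ca = cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    if idp.only_contains_ca_certs and not is_ca:
        return False  # an ARL says nothing about end-entity certs
    if idp.only_contains_user_certs and is_ca:
        return False  # an end-entity CRL says nothing about CA certs
    return True


def revocation_status(cert, issuer_cert, lists):
    """'revoked', 'good', or 'undetermined' when no in-scope, validly signed list exists."""
    for crl in lists:
        if crl.issuer != issuer_cert.subject:
            continue
        if not crl.is_signature_valid(issuer_cert.public_key()):
            continue
        if not list_covers(crl, cert):
            continue
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked"
        return "good"
    return "undetermined"


def demo():
    """Root CA issues a sub-CA (serial 2) and an end entity (serial 3), then
    revokes the sub-CA on its ARL only. Constructed data, not real PKI."""
    root_key, sub_key, ee_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Root CA", _name("Root CA"), root_key, root_key, True, 1)
    sub = make_cert("Sub CA", root.subject, root_key, sub_key, True, 2)
    ee = make_cert("alice", root.subject, root_key, ee_key, False, 3)
    arl = make_list(root.subject, root_key, [2], only_ca=True, only_user=False)
    crl = make_list(root.subject, root_key, [], only_ca=False, only_user=True)
    return {
        "sub_via_arl": revocation_status(sub, root, [arl]),
        "sub_via_crl_only": revocation_status(sub, root, [crl]),
        "ee_via_both": revocation_status(ee, root, [arl, crl]),
    }


if __name__ == "__main__":
    print(demo())
```

The second case is the one the thread is about: a relying party that only has the end-entity CRL cannot conclude anything about the sub-CA, because that list's IDP says onlyContainsUserCerts; treating its silence as "good" would miss the revocation recorded on the ARL.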