
RE: Authority Revocation List



Hi Nick...

We've briefly looked at this, since arl is a mandatory element in the object 
class.  I think it would be very useful to use it for revoked CA 
certificates instead of requiring validation software to parse through a 
list composed of both end-user and CA certificates.  It's my understanding 
that TC68 is working up standards for Certificate management, but I haven't 
seen output/recommendations about this particular issue.

Sandi
 ----------
From: Nick Pope
To: ietf-pkix@tandem.com; OSIdirectory@az05.bull.com
Subject: Authority Revocation List
Date: Tuesday, June 24, 1997 9:41AM


Looking through the X.509 v3 text the situation on handling revocation
information on CAs seems to be unclear.

X.509 had two attributes to hold revocation lists:
a) Certificate Revocation List
b) Authority Revocation List

The v3 extension Issuing Distribution Point has two flags:
  onlyContainsUserCerts and onlyContainsCACerts

This is followed by a statement "If this field is absent the CRL shall
contain entries for all revoked unexpired certificates issued by the
CRL issuer."  (By the way this sentence seems out of place where it is
after the description of distributionPoint in the X.509 text).

How is it normally expected to handle CA revocations?

Is it expected that CRLs normally hold both end user and CA
revocations?

If it is required to handle CA revocations separately should the CRL be
placed in the Authority Revocation List attribute or should a
distribution point be used?

Is the Authority Revocation List attribute still relevant?

Any views would be welcomed.

Nick Pope

 -------------------------------------


Security & Standards
Suite A
191 Moulsham St.
Chelmsford
Essex
CM2 0LG
U.K.

Tel: +44 1245 495018
Fax: +44 1245 494517
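As an added illustration (not part of either message), the scope rule Nick quotes can be modelled in a few lines: a CRL with no Issuing Distribution Point covers every certificate its issuer revoked, onlyContainsCACerts restricts it to CA certificates (the ARL role) and onlyContainsUserCerts to end-entity certificates. The dataclasses below are a constructed, simplified model rather than a real ASN.1 parser; the practical caveat it demonstrates is that a CRL outside a certificate's scope must yield "undetermined", never "good".

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet, List

@dataclass
class IssuingDistributionPoint:
    """Constructed subset of the X.509 v3 IDP CRL extension (only the two flags discussed)."""
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False

@dataclass
class CRLInfo:
    issuer: str
    idp: Optional[IssuingDistributionPoint]   # None means the extension is absent
    revoked_serials: FrozenSet[int]

@dataclass
class CertInfo:
    issuer: str
    serial: int
    is_ca: bool   # basicConstraints cA=TRUE in the real certificate

def crl_covers(crl: CRLInfo, cert: CertInfo) -> bool:
    """True when the CRL is in scope for cert under the IDP rule."""
    if crl.issuer != cert.issuer:
        return False
    if crl.idp is None:
        return True   # absent field: all revoked, unexpired certs of this issuer
    if crl.idp.only_contains_user_certs and crl.idp.only_contains_ca_certs:
        # X.509 makes the two flags mutually exclusive; treat such a CRL as malformed
        raise ValueError("onlyContainsUserCerts and onlyContainsCACerts both set")
    if crl.idp.only_contains_ca_certs:
        return cert.is_ca
    if crl.idp.only_contains_user_certs:
        return not cert.is_ca
    return True

def revocation_status(cert: CertInfo, crls: List[CRLInfo]) -> str:
    """'revoked', 'good', or 'undetermined' when no in-scope CRL exists."""
    in_scope = [c for c in crls if crl_covers(c, cert)]
    if not in_scope:
        return "undetermined"   # an out-of-scope CRL says nothing about this cert
    if any(cert.serial in c.revoked_serials for c in in_scope):
        return "revoked"
    return "good"

# Constructed sample data: one CA-only CRL (the ARL role) and one end-entity CRL.
ARL = CRLInfo("CN=Root CA", IssuingDistributionPoint(only_contains_ca_certs=True), frozenset({0x10}))
USER_CRL = CRLInfo("CN=Root CA", IssuingDistributionPoint(only_contains_user_certs=True), frozenset({0x20}))
FULL_CRL = CRLInfo("CN=Root CA", None, frozenset({0x10, 0x20}))
```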