
Re: Authority Revocation List



It is there for performance reasons.  In a chain of certificates, typically,
all but the last certificate are CA certificates.  The number of CAs and
their revocation rates are expected to be orders and orders of magnitude
lower than those for end entities.  Thus, getting the relevant authority
CRLs (which will be empty or very sparse) will reduce communication overhead
and processing load.

At 01:41 PM 6/24/97 +0000, Nick Pope wrote:
>Looking through the X.509 v3 text the situation on handling revocation 
>information on CAs seems to be unclear.
>
>X.509 had two attributes to hold revocation lists:
>a) Certificate Revocation List
>b) Authority Revocation List
>
>The v3 extension Issuing Distribution Point has two flags:
>  onlyContainsUserCerts and onlyContainsCACerts
>
>This is followed by a statement: "If this field is absent the CRL shall
>contain entries for all revoked unexpired certificates issued by the
>CRL issuer."  (By the way, this sentence seems out of place where it is,
>after the description of distributionPoint in the X.509 text.)
>
>How is it normally expected to handle CA revocations?
>
>Is it expected that CRLs normally hold both end user and CA 
>revocations?
>
>If it is required to handle CA revocations separately should the CRL be 
>placed in the Authority Revocation List attribute or should a 
>distribution point be used?
>
>Is the Authority Revocation List attribute still relevant?
>
>Any views would be welcomed.
>
>Nick Pope
>
>-------------------------------------
>
>
>Security & Standards
>Suite A
>191 Moulsham St.
>Chelmsford
>Essex
>CM2 0LG
>U.K.
>
>Tel: +44 1245 495018
>Fax: +44 1245 494517
>
>

-------------------------------------------------
Santosh Chokhani
CygnaCom Solutions, Inc.
Suite 100 West
7927 Jones Branch Drive
McLean, Virginia 22102-3305
(703) 848 - 0883
chokhani@cygnacom.com
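The scoping rules the thread turns on (an Issuing Distribution Point with onlyContainsCACerts marks the list as an ARL, onlyContainsUserCerts restricts it to end-entity certificates, and an absent IDP means the list covers everything the issuer has revoked) worked through as an added example that is not part of this thread or of any X.509 implementation. The Cert and Crl classes, issuer names and serial numbers are constructed; indirect CRLs and distribution-point name matching are left out.

```python
from dataclasses import dataclass

@dataclass
class Cert:
    serial: int
    issuer: str
    is_ca: bool                 # basicConstraints cA flag

@dataclass
class Crl:
    issuer: str                 # CRL issuer (same as cert issuer; indirect CRLs not modelled)
    only_user_certs: bool = False   # IDP onlyContainsUserCerts
    only_ca_certs: bool = False     # IDP onlyContainsCACerts: this list is the ARL
    revoked: frozenset = frozenset()  # revoked serial numbers

def crl_in_scope(crl: Crl, cert: Cert) -> bool:
    """Apply the IDP scope rules: does this list cover certificates like `cert`?"""
    if crl.only_user_certs and crl.only_ca_certs:
        raise ValueError("IDP must not assert both onlyContainsUserCerts and onlyContainsCACerts")
    if crl.issuer != cert.issuer:
        return False
    if crl.only_ca_certs:
        return cert.is_ca
    if crl.only_user_certs:
        return not cert.is_ca
    return True   # IDP absent: list covers every revoked unexpired cert from this issuer

def pick_crl(cert: Cert, crls: list):
    """Choose the narrowest in-scope list; for a CA certificate that is the sparse ARL."""
    in_scope = [c for c in crls if crl_in_scope(c, cert)]
    partitioned = [c for c in in_scope if c.only_ca_certs or c.only_user_certs]
    return (partitioned or in_scope or [None])[0]

def check_chain(chain: list, crls: list) -> dict:
    """Status per certificate below the trust anchor: 'good', 'revoked' or 'no-crl'."""
    result = {}
    for cert in chain:
        crl = pick_crl(cert, crls)
        if crl is None:
            result[cert.serial] = "no-crl"
        else:
            result[cert.serial] = "revoked" if cert.serial in crl.revoked else "good"
    return result

# Constructed data: a root that issues one intermediate and partitions its lists
INTERMEDIATE = Cert(serial=2, issuer="Root CA", is_ca=True)
LEAF = Cert(serial=1001, issuer="Intermediate CA", is_ca=False)
ROOT_ARL = Crl("Root CA", only_ca_certs=True)            # empty: no CA has been revoked
ROOT_EE_CRL = Crl("Root CA", only_user_certs=True, revoked=frozenset(range(100, 1000)))
INT_CRL = Crl("Intermediate CA", revoked=frozenset({1001, 1002}))  # no IDP: full list
```

Checking the intermediate consults only ROOT_ARL (the empty list), never the 900-entry end-entity CRL, which is the communication and processing saving the reply describes.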