RE: Authority Revocation List
Sharon
In reply to your message of 24 Jun 97, 10:09:
Thanks for your input.
Possibly my confusion lies with this sentence which I say is "out of
place"
> >
> >This is followed by a statement "If this field is absent the CRL shall
> >contain entries for all revoked unexpired certificates issued by the
> >CRL issuer." (By the way this sentence seems out of place where it is
> >after the description of distributionPoint in the X.509 text).
>
> In the version I have this phrase follows the distributionPoint
> element of the syntax only and has nothing to do with whether crl or
> arl are included.
This is the same with my copy. However, because the sentence refers to
"this field" I presumed it applied to the whole
"issuingDistributionPoint" field. Not to the distributionPoint
component of that field. Hence I thought it was more appropriate above
the ASN.1 description. If it applies just to the distributionPoint
then it implies that onlyContainsCACerts can't be used without
using distributionPoints.
My understanding from what you are saying and reading the standard is
as follows:
a) To issue two separate CRLs for users and CAs without using
distribution points I must place these in CA entry attributes
CertificateRevocationList and AttributeRevocationList with the
issuingDistributionPoint containing just the elements
onlyContainsUserCerts or onlyContainsCACerts.
b) To do the same using distributionPoints then I also add the
distributionPoint name in the issuingDistributionPoint as well as use
the certificate extension field cRLDistributionPoint. The
CRL and ARL attributes should be used as above but held in the
distributionPoint entry.
c) With a '97 CRL if the Issuing Distribution Point CRL extension is
not present then both User and CA certificate revocations need to be
present in the CRL and this is held in the CRL attribute.
d) With a '93 CRL it is undefined whether CA revocations will be
listed in the same CRL as user certificate revocations and hence in the
general case both CRL and ARL attributes should be read.
Am I correct ?
Nick
> Hoyt, I tried to access the bull server to make sure
> I have the right text and I can't - keep getting errors saying check
> the address - I used: ftp://ftp.bull.com?
>
> Re the "out of place" I'm not sure I agree - this is the description
> of the extension field to be contained in a revocation list - that is
> not the same as the description of the crlDistributionPoint object
> class which describes directory entries holding such lists.
> >
> >How is it normally expected to handle CA revocations?
> >
> >Is it expected that CRLs normally hold both end user and CA
> >revocations?
>
> We use crl for end-user cert revocation and arl for CA cert revocation
> - both can be placed in distribution points.
> >
> >If it is required to handle CA revocations separately should the CRL be
> >placed in the Authority Revocation List attribute or should a
> >distribution point be used?
> >
> >Is the Authority Revocation List attribute still relevant ?
>
> Yes
> >
> >Any views would be welcomed.
>
> I'm not sure where the confusion is, but to see the whole picture with
> respect to distribution points and their use by certificate using
> systems or relying parties, you need to look at the certificate
> extension (crlDistributionPoints) and the revocation list extension
> (issuingDistributionPoint) - both defined in 509. If you are using a
> directory as a repository for certificates and crls you also need to
> look at the attribute and object class definitions. For revocation
> lists this includes both the arl and crl defined in X.509 and the
> certificationAuthority, certificationAuthority-V2, and
> cRLDistributionPoint object classes defined in X.521.
> >Nick Pope
-------------------------------------
Security & Standards
Suite A
191 Moulsham St.
Chelmsford
Essex
CM2 0LG
U.K.
Tel: +44 1245 495018
Fax: +44 1245 494517
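The points a) to d) above turn on what a relying party may conclude from the issuingDistributionPoint extension of a CRL. The following Python is an added example, not code from either correspondent: it DER-encodes and decodes a minimal IssuingDistributionPoint (distributionPoint as a single URI fullName, onlyContainsUserCerts, onlyContainsCACerts) and then applies the scoping rule from the thread: an absent extension means the list covers all revoked unexpired certificates of the issuer, the two "only" flags restrict it to end-entity or CA certificates, and a distribution point name must match the certificate's cRLDistributionPoints. The '93 case (a v1 CRL that cannot carry the extension) is modelled as "indeterminate", i.e. read both the CRL and ARL attributes. The sample URI and the decision-function names are constructed for the example.

```python
# Minimal DER helpers (short and long form lengths only; no indefinite length).
def _len(n):
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _read_tlv(buf, pos):
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def encode_idp(dp_uri=None, only_user=False, only_ca=False):
    """Encode IssuingDistributionPoint ::= SEQUENCE {
         distributionPoint     [0] DistributionPointName OPTIONAL,
         onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
         onlyContainsCACerts   [2] BOOLEAN DEFAULT FALSE, ... }
    DEFAULT FALSE components are omitted when false, as DER requires."""
    if only_user and only_ca:
        raise ValueError("a CRL cannot be both user-only and CA-only")
    body = b""
    if dp_uri is not None:
        uri = _tlv(0x86, dp_uri.encode("ascii"))  # [6] IMPLICIT IA5String (URI)
        full_name = _tlv(0xA0, uri)               # fullName [0] IMPLICIT GeneralNames
        body += _tlv(0xA0, full_name)             # distributionPoint [0] (CHOICE => explicit)
    if only_user:
        body += _tlv(0x81, b"\xff")               # [1] IMPLICIT BOOLEAN TRUE
    if only_ca:
        body += _tlv(0x82, b"\xff")               # [2] IMPLICIT BOOLEAN TRUE
    return _tlv(0x30, body)

def _der_bool(val):
    if val == b"\xff":
        return True
    raise ValueError("DER BOOLEAN must be FF; explicit FALSE violates DEFAULT rule")

def decode_idp(der):
    """Decode the subset produced by encode_idp; tolerate the other optional
    components ([3] onlySomeReasons, [4] indirectCRL, [5] onlyContainsAttributeCerts)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    idp = {"distribution_point": None, "only_user_certs": False, "only_ca_certs": False}
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0xA0:
            ctag, cval, _ = _read_tlv(val, 0)
            if ctag != 0xA0:
                raise ValueError("only fullName distribution points supported here")
            gtag, gval, _ = _read_tlv(cval, 0)
            if gtag != 0x86:
                raise ValueError("only URI GeneralNames supported here")
            idp["distribution_point"] = gval.decode("ascii")
        elif tag == 0x81:
            idp["only_user_certs"] = _der_bool(val)
        elif tag == 0x82:
            idp["only_ca_certs"] = _der_bool(val)
        elif tag in (0x83, 0x84, 0x85):
            pass
        else:
            raise ValueError("unexpected component tag 0x%02x" % tag)
    if idp["only_user_certs"] and idp["only_ca_certs"]:
        raise ValueError("both onlyContainsUserCerts and onlyContainsCACerts set")
    return idp

def crl_covers(idp, cert_is_ca, cert_crl_dp=None, crl_v2=True):
    """Does a CRL carrying extension `idp` (None if absent) scope this certificate?
    Returns True/False, or None when the CRL is v1 ('93) and nothing can be inferred,
    in which case both the CRL and ARL attributes have to be consulted."""
    if not crl_v2:
        return None
    if idp is None:
        return True  # absent IDP: all revoked unexpired certs of this issuer are listed
    if idp["only_user_certs"] and cert_is_ca:
        return False
    if idp["only_ca_certs"] and not cert_is_ca:
        return False
    if idp["distribution_point"] is not None:
        return cert_crl_dp == idp["distribution_point"]  # must match cRLDistributionPoints
    return True

if __name__ == "__main__":
    arl = encode_idp(only_ca=True)
    print(arl.hex(), decode_idp(arl))
    crl = encode_idp(dp_uri="ldap://dir.example/cn=crl1", only_user=True)
    print(crl.hex(), decode_idp(crl))
```

Note that with only the onlyContains* flags set and no distributionPoint (case a), the encoding is three bytes of content and the scoping decision depends solely on whether the certificate being checked is a CA certificate; adding a distribution point (case b) additionally requires a match against the certificate's cRLDistributionPoints.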