Multiple CRLs for one CA and the CRLDistributionPoint extension
Hi
The CRLDistributionPoint extension enables the division of the CRL into
several shorter CRLs. It has standard attributes to divide the CRL according
to the revocation reason and whether the revoked entity is a CA or
not.
My question is whether I can use this extension to divide the CRL along
other lines?
The situation that I have in mind is communication between users and
machines, where the users communicate directly only with the machines.
I would like to enable the users to download a CRL containing only the
revocations of machines, which is expected to be a small fraction of the
total CRL.
I was thinking about creating two CRLs, one for the users and one for the
machines, and putting in each certificate's CRLDistributionPoint attribute
the distribution point of the appropriate CRL.
I didn't see anything in the standards against that solution for arbitrary
division of a CRL, but it seems to implicitly assume that the division
is done by revocation reason or CA/not CA.
So does it comply with the standards?
Regards
Moshe
It is expected to have a lot of users and very few
machines. It is also expected that users' certificates will be revoked
more often.
I don't want to force the user to download the whole CRL.
The problem is that it seems that
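Worked example (added by the editor; this is not code from Moshe's message or from any project he describes). It shows the partitioning scheme asked about above: one CA, two partial CRLs (users and machines), each certificate carrying a CRLDistributionPoints extension pointing at the CRL for its partition, and each partial CRL carrying a critical IssuingDistributionPoint whose distributionPoint name equals that URI. That last part is the caveat a practitioner wants: RFC 5280 allows partitioning along any lines, but a relying party may only use a CRL for a certificate if the CRL's IDP name matches a name in the certificate's CDP (section 6.3.3, step (b)(2)(i)), so a CRL without an IDP is a complete CRL and a partial CRL without one would falsely report unlisted certificates as good. The check function below implements exactly that scope test. The URLs, names and serial numbers are placeholders assumed for the example; it uses the Python cryptography library and an EC CA key generated at run time.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Assumed distribution-point URIs for the two partitions (placeholders).
USER_CDP = "http://crl.example.test/users.crl"
MACHINE_CDP = "http://crl.example.test/machines.crl"


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca():
    """Self-signed CA used to sign both the certificates and the partial CRLs."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Partitioned CA")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now())
            .not_valid_after(_now() + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue(ca_key, ca_cert, common_name, cdp_uri, serial):
    """End-entity certificate whose CDP names the CRL of its partition."""
    key = ec.generate_private_key(ec.SECP256R1())
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(cdp_uri)],
        relative_name=None, reasons=None, crl_issuer=None)])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(serial)
            .not_valid_before(_now())
            .not_valid_after(_now() + datetime.timedelta(days=90))
            .add_extension(cdp, critical=False)
            .sign(ca_key, hashes.SHA256()))


def build_partial_crl(ca_key, ca_cert, cdp_uri, revoked_serials):
    """Partial CRL: the critical IDP names the same URI the certificates' CDP uses.
    onlyContainsUserCerts/onlyContainsCACerts/onlySomeReasons stay unset, because
    the partition here is by population (users vs machines), not by reason or CA-ness."""
    idp = x509.IssuingDistributionPoint(
        full_name=[x509.UniformResourceIdentifier(cdp_uri)],
        relative_name=None,
        only_contains_user_certs=False,
        only_contains_ca_certs=False,
        only_some_reasons=None,
        indirect_crl=False,
        only_contains_attribute_certs=False)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(_now())
               .next_update(_now() + datetime.timedelta(days=1))
               .add_extension(idp, critical=True))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(_now()).build())
    return builder.sign(ca_key, hashes.SHA256())


def crl_covers(cert, crl):
    """RFC 5280 6.3.3 (b)(2)(i): a CRL with an IDP distributionPoint applies to a
    certificate only if that name matches a name in the certificate's CDP."""
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    except x509.ExtensionNotFound:
        return True  # no IDP: a complete CRL for this issuer, covers everything
    try:
        cdps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return False  # certificate names no DP, so this partial CRL cannot be used for it
    return any(dp.full_name and any(n in dp.full_name for n in (idp.full_name or []))
               for dp in cdps)


def status(cert, crl, ca_cert):
    """'revoked', 'good', or 'out-of-scope' (a relying party must fetch another CRL)."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA")
    if not crl_covers(cert, crl):
        return "out-of-scope"
    hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if hit is not None else "good"


def demo():
    ca_key, ca_cert = make_ca()
    user = issue(ca_key, ca_cert, "alice", USER_CDP, 1001)
    machine = issue(ca_key, ca_cert, "host-7", MACHINE_CDP, 2001)
    # Revoke the user only; the machine partition stays empty and small.
    user_crl = build_partial_crl(ca_key, ca_cert, USER_CDP, [1001])
    machine_crl = build_partial_crl(ca_key, ca_cert, MACHINE_CDP, [])
    return {
        "user_in_user_crl": status(user, user_crl, ca_cert),
        "machine_in_machine_crl": status(machine, machine_crl, ca_cert),
        "machine_in_user_crl": status(machine, user_crl, ca_cert),
        "user_in_machine_crl": status(user, machine_crl, ca_cert),
        "machine_crl_entries": len(list(machine_crl)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The two "out-of-scope" results are the point of the IDP: a machine checking a user certificate against the small machine CRL is told the CRL does not apply, rather than being told the certificate is good. Without the critical IDP, the same partial CRL would look like a complete CRL and the revoked user certificate would pass. Note that this scheme does not change the trust model: both CRLs are still signed by the one CA, and a client that strips the IDP or ignores a critical extension it does not understand is the thing to test for in the deployed verifier.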