
CrlDistributionPoint extension



Hello,

we have built up (and are still building) a European certification
infrastructure ( http://www.darmstadt.gmd.de/ice-tel ).
Now we have come across a problem concerning the X.509v3 certificate
extension CrlDistributionPoint.

Our top-level CA has issued certificates to national CAs containing
the national CA's CrlDistributionPoint rather than its own
CrlDistributionPoint.
Well, this was not the way they were supposed to do it, at least not
the way the X.509v3 standard defines this extension. But what do we
do now?

If the top level CA revokes all these certificates nobody will know
that they are revoked because the respective certificates contain
the wrong CrlDistributionPoint.

Maybe it's not such a bad idea after all to change the meaning of
this extension in a way that a CA certificate really contains its OWN
CrlDistributionPoint instead of the issuing CA's CrlDistributionPoint!
Then this extension would be used in CA certificates only.
A certificate user has to obtain the issuing CA's certificate anyhow 
to check the signature of the certificate. Now he will additionally 
retrieve the CRL specified in the CrlDistributionPoint extension of 
the CA certificate.

Any opinions?


Petra Gloeckner
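The following is an added example, not part of the message above. It models what a relying party does with the CrlDistributionPoint extension and why the misplaced extension is dangerous. In X.509v3 the distribution point in a certificate names where to find the CRL that covers that certificate, i.e. a CRL published by the certificate's issuer, so the relying party must check that the fetched CRL is issued (and signed) by that issuer. Certificates and CRLs are plain dicts, the CA names, URLs and serial numbers are constructed, and the signature is a stand-in (an HMAC with a per-CA secret) so the code runs with the standard library only. The last function shows the lookup the message proposes instead, keyed on the issuing CA's own certificate.

```python
"""Model of CrlDistributionPoint handling by a relying party (added example).

Signatures are a stand-in: HMAC-SHA256 with a per-CA secret. A real CRL is
signed with the issuer's private key and verified with its public key.
"""
import hashlib
import hmac

# Constructed CAs: distinguished name -> secret used by the signature stand-in.
CA_KEYS = {
    "CN=ICE-TEL Root CA": b"root-secret-constructed",
    "CN=National CA": b"national-secret-constructed",
}


def crl_payload(crl):
    """Canonical bytes covered by the CRL 'signature'."""
    return (crl["issuer"] + "|" + ",".join(crl["revoked"])).encode()


def sign(issuer, payload):
    return hmac.new(CA_KEYS[issuer], payload, hashlib.sha256).hexdigest()


def make_crl(issuer, revoked):
    crl = {"issuer": issuer, "revoked": sorted(revoked)}
    crl["signature"] = sign(issuer, crl_payload(crl))
    return crl


# The "network": distribution point URL -> CRL published there (constructed).
# The root CA has revoked the national CA certificate with serial 0x1001.
CRL_STORE = {
    "http://root.example/root.crl": make_crl("CN=ICE-TEL Root CA", ["0x1001"]),
    "http://national.example/national.crl": make_crl("CN=National CA", ["0x2002"]),
}


def make_cert(subject, issuer, serial, crl_dp):
    return {"subject": subject, "issuer": issuer, "serial": serial, "crl_dp": crl_dp}


# The mistake described in the message: the national CA's certificate (issued
# by the root) carries the national CA's own distribution point ...
NATIONAL_CA_CERT_WRONG = make_cert("CN=National CA", "CN=ICE-TEL Root CA", "0x1001",
                                   "http://national.example/national.crl")
# ... whereas the extension should name the CRL the *issuer* (the root) publishes.
NATIONAL_CA_CERT_RIGHT = make_cert("CN=National CA", "CN=ICE-TEL Root CA", "0x1001",
                                   "http://root.example/root.crl")
# Under the message's proposal the root's own certificate would carry its own DP.
ROOT_CA_CERT_PROPOSAL = make_cert("CN=ICE-TEL Root CA", "CN=ICE-TEL Root CA", "0x0001",
                                  "http://root.example/root.crl")


def check_crl_against_issuer(cert, crl):
    """Accept the CRL only if the certificate's issuer produced it."""
    if crl["issuer"] != cert["issuer"]:
        return False
    expected = sign(cert["issuer"], crl_payload(crl))
    return hmac.compare_digest(expected, crl["signature"])


def check_revocation(cert, fetch=CRL_STORE.get):
    """Standard lookup: follow the certificate's own distribution point.

    Returns ('revoked' | 'good' | 'undetermined', reason).
    """
    crl = fetch(cert["crl_dp"])
    if crl is None:
        return "undetermined", "no CRL at distribution point"
    if not check_crl_against_issuer(cert, crl):
        return "undetermined", "CRL at distribution point is not issued by the certificate's issuer"
    status = "revoked" if cert["serial"] in crl["revoked"] else "good"
    return status, "CRL verified"


def naive_check(cert, fetch=CRL_STORE.get):
    """A relying party that trusts whatever the DP returns never learns of the
    root's revocation: the national CA's CRL does not list 0x1001."""
    crl = fetch(cert["crl_dp"])
    return "revoked" if crl and cert["serial"] in crl["revoked"] else "good"


def check_revocation_via_issuer_cert(cert, issuer_cert, fetch=CRL_STORE.get):
    """The lookup the message proposes: take the DP from the issuing CA's certificate."""
    crl = fetch(issuer_cert["crl_dp"])
    if crl is None or not check_crl_against_issuer(cert, crl):
        return "undetermined", "issuer's CRL not available or not verifiable"
    return ("revoked" if cert["serial"] in crl["revoked"] else "good"), "CRL verified"
```

With the misplaced extension, `naive_check` reports the revoked national CA certificate as good, which is exactly the situation the message worries about; `check_revocation` instead refuses the CRL because it is not the issuer's, so the certificate cannot be validated at all. That is the practical check a relying party should have regardless of how the extension question is settled: a CRL is only evidence about certificates issued by the CRL's own issuer.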