We have built up (and are still building) a European certification
infrastructure ( http://www.darmstadt.gmd.de/ice-tel ).
Now we came across a problem concerning the X.509v3 certificate
Our top level CA has issued certificates to national CAs containing
the national CA's CrlDistributionPoint rather than its own
Well, this was not the way they were supposed to do it, at least not
the way the X.509v3 standard defines this extension. But what do we
do now?
If the top level CA revokes all these certificates nobody will know
that they are revoked because the respective certificates contain
the wrong CrlDistributionPoint.
Maybe it's not such a bad idea after all to change the meaning of
this extension in a way that a CA certificate really contains its OWN
CrlDistributionPoint instead of the issuing CA's CrlDistributionPoint!
Then this extension would be used in CA certificates only.
A certificate user has to obtain the issuing CA's certificate anyhow
to check the signature of the certificate. Now he will additionally
retrieve the CRL specified in the CrlDistributionPoint extension of
the CA certificate.
Any opinions?
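
Added example, not part of the original message: a small Python model of the revocation lookup discussed above, comparing the X.509v3 meaning of the extension with the meaning the message proposes. The certificate names, serial numbers, URLs and function names are constructed for illustration, and indirect CRLs are left out.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    crl_dp: Optional[str]  # URL carried in the CrlDistributionPoint extension

@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked: frozenset  # serial numbers revoked by `issuer`

def lookup(url, repo, expected_issuer, serial, check_issuer=True):
    crl = repo.get(url)
    if crl is None:
        return "no-crl"
    # Simplification (assumption): indirect CRLs (cRLIssuer) are not modelled.
    if check_issuer and crl.issuer != expected_issuer:
        return "wrong-issuer"
    return "revoked" if serial in crl.revoked else "good"

def status_standard(cert, repo, check_issuer=True):
    # X.509v3 meaning: the extension in `cert` locates the CRL of cert's issuer.
    return lookup(cert.crl_dp, repo, cert.issuer, cert.serial, check_issuer)

def status_proposed(cert, issuer_cert, repo):
    # Meaning proposed in the message: the CA certificate carries the CA's
    # own CRL location, so read it from the issuing CA's certificate.
    return lookup(issuer_cert.crl_dp, repo, cert.issuer, cert.serial)

# Constructed sample data (names, serials and URLs are made up).
TOP = Cert("CN=Top CA", "CN=Top CA", 1, "http://top.example/crl")
# Issued as described in the message: contains the national CA's own CRL URL.
NATIONAL_BAD = Cert("CN=National CA", "CN=Top CA", 7, "http://national.example/crl")
# Issued as the standard intends: contains the top-level CA's CRL URL.
NATIONAL_OK = Cert("CN=National CA", "CN=Top CA", 7, "http://top.example/crl")
REPO = {
    "http://top.example/crl": CRL("CN=Top CA", frozenset({7})),  # serial 7 revoked
    "http://national.example/crl": CRL("CN=National CA", frozenset()),
}

if __name__ == "__main__":
    print("no issuer check :", status_standard(NATIONAL_BAD, REPO, check_issuer=False))
    print("issuer check    :", status_standard(NATIONAL_BAD, REPO))
    print("correctly issued:", status_standard(NATIONAL_OK, REPO))
    print("proposed meaning:", status_proposed(NATIONAL_BAD, TOP, REPO))
```

A verifier that compares the CRL issuer with the certificate issuer reports the mismatch instead of silently treating the revoked certificate as good.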