
Re: CRL empty list syntax



In a new industry, IMHO, there may be a time that there are no legitimate CRL entries to be made, but that one would need to issue CRLs on a schedule according to the CA's CPS so that all reliant parties know that one CRL did not get "lost".

Michael
>>> David P. Kemp <dpkemp@missi.ncsc.mil> 10/17/97 02:05PM >>>

Both X.509 and PKIX part1-06 define the list part of a CRL as:


   revokedCertificates  SEQUENCE OF SEQUENCE {
       userCertificate     CertificateSerialNumber,
       revocationDate      Time,
       crlEntryExtensions  Extensions OPTIONAL
   } OPTIONAL,


This admits the possibility of two encodings of a CRL containing
no certificate entries: an empty SEQUENCE, or nothing (since
revokedCertificates is OPTIONAL).

Would it be better to eliminate this ambiguity by constraining
the list size to contain at least one entry?

    revokedCertificates  SEQUENCE SIZE (1..MAX) OF SEQUENCE {


Consider this an "informal defect report" against X.509.
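The ambiguity David describes is easy to see on the wire. The following is an added example, not code from either poster or from any PKIX implementation: it hand-encodes a simplified, assumed TBSCertList layout (just thisUpdate followed by the OPTIONAL revokedCertificates list; version, signature, issuer and extensions are left out) in DER, produces both encodings of "nothing revoked", and shows a relying-party parser that treats both as zero entries while recording which form it saw. The sample date and serial are constructed values.

```python
"""Two DER encodings of a CRL with no revoked certificates: an absent
revokedCertificates field versus an empty SEQUENCE OF. Assumed layout:
TBS ::= SEQUENCE { thisUpdate UTCTime, revokedCertificates SEQUENCE OF
SEQUENCE { serial INTEGER, revocationDate UTCTime } OPTIONAL }."""
from datetime import datetime, timezone

SEQUENCE, INTEGER, UTCTIME = 0x30, 0x02, 0x17


def der_length(n: int) -> bytes:
    """X.690 definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER, as DER requires (e.g. 128 -> 00 80)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return tlv(INTEGER, value.to_bytes(n, "big", signed=True))


def der_utctime(t: datetime) -> bytes:
    return tlv(UTCTIME, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def encode_tbs(this_update: datetime, revoked, include_empty_list: bool) -> bytes:
    """Encode the assumed TBS layout. With no entries, the CA may either omit
    revokedCertificates or emit an empty SEQUENCE; the flag selects which."""
    content = der_utctime(this_update)
    entries = b"".join(
        tlv(SEQUENCE, der_integer(serial) + der_utctime(when)) for serial, when in revoked
    )
    if revoked or include_empty_list:
        content += tlv(SEQUENCE, entries)
    return tlv(SEQUENCE, content)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos); rejects indefinite length and truncation."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:
        raise ValueError("indefinite length is not DER")
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes):
    """Split the content octets of a constructed element into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def parse_revoked(tbs: bytes):
    """Return (list_present, serials). Both encodings of 'nothing revoked'
    yield an empty serial list; list_present records which form was used."""
    tag, content, end = read_tlv(tbs, 0)
    if tag != SEQUENCE or end != len(tbs):
        raise ValueError("expected a single outer SEQUENCE")
    fields = children(content)
    if not fields or fields[0][0] != UTCTIME:
        raise ValueError("thisUpdate missing")
    if len(fields) == 1:
        return False, []          # revokedCertificates absent
    tag, body = fields[1]
    if tag != SEQUENCE:
        raise ValueError("unexpected element after thisUpdate")
    serials = []
    for etag, entry in children(body):
        parts = children(entry)
        if etag != SEQUENCE or len(parts) < 2 or parts[0][0] != INTEGER:
            raise ValueError("malformed CRL entry")
        serials.append(int.from_bytes(parts[0][1], "big", signed=True))
    return True, serials


NOW = datetime(1997, 10, 17, 14, 5, 0, tzinfo=timezone.utc)  # constructed sample time
ABSENT = encode_tbs(NOW, [], include_empty_list=False)       # list omitted
EMPTY = encode_tbs(NOW, [], include_empty_list=True)         # empty SEQUENCE present
ONE = encode_tbs(NOW, [(4660, NOW)], include_empty_list=False)

if __name__ == "__main__":
    for name, blob in (("absent", ABSENT), ("empty", EMPTY), ("one entry", ONE)):
        print(f"{name:10} {blob.hex()}  ->  {parse_revoked(blob)}")
```

The two "nothing revoked" blobs differ only by the trailing `30 00` of the empty SEQUENCE, yet a parser that assumes one form (for example, one that indexes the second field unconditionally) will reject a CRL that a conforming CA produced the other way. A relying party should accept both and treat each as zero revoked entries; a CA should pick one form and emit it consistently, which is what the SIZE (1..MAX) proposal above would force. For reference, RFC 5280 later resolved the question in favour of omitting the list entirely when there are no revoked certificates.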