
Re: [IETF-PKIX] Comment on PKIX-1



Sharon:

I have discussed this issue, from the X.509 perspective, with Hoyt.  He
concurs with me that the fault lies in the X.509 text, in permitting one to
interpret that "in order to conform to X.509, a CA MUST also publish a full
CRL at the CA entry".  This is certainly not the intent.  Whether or not a
CA publishes a CRL is a matter of policy.  Under some policies (e.g., SET
Cardholder) CRLs may never be used.  Furthermore, other revocation schemes
may well replace CRLs in some environments soon.  We shall clarify this in
a defect report at the first opportunity.

Therefore, there is no need, stemming from this argument, to permit the CRL
Distribution Points extension to be critical.  Given the interoperability
problems that would result from making this extension critical, I see good
reason to keep Part I as is.

Regards,
Warwick


At 11:25 AM 11/28/97 -0500, Sharon Boeyen wrote:
>In a final run-through of the PKIX-1 text I noticed what I believe to be
>an overlooked error.
>
>For crlDistributionPoints PKIX-1 currently mandates that this extension
>be non-critical. Surely it needs to allow that this be optionally made
>critical.
>
>If they are non-critical, then in order to conform to X.509, a CA MUST
>also publish a full CRL at the CA entry, in addition to the individual
>distribution points CRLs.
>
>It is ONLY when all certs issued by a CA have the CRL Distribution
>Points extension CRITICAL, that duplication of the crl info at the CA
>entry as a single monstrous CRL is optional.
>
>This is, I believe, the ONLY scalable way to issue revocation lists
>today and PKIX-1 should not mandate that it be disallowed.
>
>Sorry for this coming in so late, but I only caught it in my final
>reading.
>
>Tim, I noticed a few minor editorials (typos etc) that I'll forward to
>you separately.
>
>Sharon
>
>
>------------------
>Sharon Boeyen
>Entrust Technologies
>
>mailto:boeyen@entrust.com       Tel: (613) 247-3181
>http://www.entrust.com          Fax: (613) 247-3690
>         Orchestrating Enterprise Security
>
>
---------------------------------------------------------------------
Warwick Ford, VeriSign, Inc., One Alewife Center, Cambridge, MA 02140
   wford@verisign.com; Tel: (617)492 2816 x225; Fax: (617)661 0716
---------------------------------------------------------------------
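The interoperability point both messages turn on is the X.509 criticality rule: a relying party that does not recognise an extension may ignore it when it is non-critical, but must reject the certificate when it is critical. The example below is added here and is not code from the thread, from PKIX or from either author. It hand-encodes a minimal DER Extensions SEQUENCE (no certificate library), then runs it through a deliberately old-fashioned client that understands keyUsage but not crlDistributionPoints, once with the extension non-critical and once critical. The OIDs 2.5.29.15 and 2.5.29.31 are the standard id-ce values; the distribution-point URL and the keyUsage bits are constructed sample data.

```python
"""Critical vs. non-critical X.509 extensions from the relying party's side.

Added example; not part of the original IETF-PKIX thread.  Encodes an
Extensions SEQUENCE in DER by hand and applies the X.509 rule: an
unrecognised non-critical extension is ignored, an unrecognised critical
extension forces rejection of the certificate.
"""

# Standard id-ce OIDs (X.509 / RFC 5280); these are not assumptions.
KEY_USAGE = "2.5.29.15"
CRL_DISTRIBUTION_POINTS = "2.5.29.31"


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def der_extension(oid: str, critical: bool, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    DER never encodes a DEFAULT value, so the BOOLEAN is present only when TRUE."""
    body = der_oid(oid)
    if critical:
        body += der_tlv(0x01, b"\xff")
    body += der_tlv(0x04, value)
    return der_tlv(0x30, body)


def der_extensions(*exts: bytes) -> bytes:
    return der_tlv(0x30, b"".join(exts))


def _read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_extensions(der: bytes):
    """Return [(oid, critical, extnValue), ...] from a DER Extensions SEQUENCE."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = _read_tlv(seq, pos)
        t, oid_body, p = _read_tlv(ext, 0)
        if tag != 0x30 or t != 0x06:
            raise ValueError("malformed Extension")
        critical = False
        t, body, p = _read_tlv(ext, p)
        if t == 0x01:                      # explicit critical BOOLEAN present
            critical = body == b"\xff"
            t, body, p = _read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((_decode_oid(oid_body), critical, body))
    return result


class UnknownCriticalExtension(Exception):
    pass


def process_extensions(der: bytes, supported: set):
    """X.509 relying-party rule.  Returns (processed OIDs, ignored OIDs);
    raises UnknownCriticalExtension for a critical extension we cannot handle."""
    processed, ignored = [], []
    for oid, critical, _value in parse_extensions(der):
        if oid in supported:
            processed.append(oid)
        elif critical:
            raise UnknownCriticalExtension(oid)
        else:
            ignored.append(oid)
    return processed, ignored


# Constructed sample values (assumptions for the demo, not from the thread):
# keyUsage = digitalSignature only; one distribution point with a made-up URI.
KU_VALUE = bytes.fromhex("03020780")     # BIT STRING, 7 unused bits, bit 0 set
CDP_VALUE = der_tlv(0x30, der_tlv(0x30, der_tlv(0xA0, der_tlv(0xA0,
            der_tlv(0x86, b"http://crl.example/ca.crl")))))  # [0] fullName [6] URI

NONCRIT = der_extensions(der_extension(KEY_USAGE, False, KU_VALUE),
                         der_extension(CRL_DISTRIBUTION_POINTS, False, CDP_VALUE))
CRIT = der_extensions(der_extension(KEY_USAGE, False, KU_VALUE),
                      der_extension(CRL_DISTRIBUTION_POINTS, True, CDP_VALUE))


def legacy_client(der: bytes):
    """A client that implements keyUsage but has never heard of crlDistributionPoints."""
    return process_extensions(der, {KEY_USAGE})


if __name__ == "__main__":
    print("non-critical:", legacy_client(NONCRIT))
    try:
        legacy_client(CRIT)
    except UnknownCriticalExtension as e:
        print("critical: certificate rejected, unknown critical extension", e)
```

With the extension non-critical the legacy client accepts the certificate and simply skips the distribution-point data; with it critical the same client has to reject the certificate outright, which is the interoperability cost Warwick's reply refers to.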