Questions on Issuing Distribution Point CRL extension
I have a couple of questions in reference to section
5.2.5 of draft 11. I think the draft could use a bit
of clarification on these points.
1. Are the indications onlyContainsUserCerts and onlyContainsCACerts
applicable to the CRL in which they appear, or to the CRL obtained at
the distribution point, or both? My current reading is that
they apply to both. One needs some indication within the CRL if
it only contains some classes of certs, and I don't see another mechanism
defined for that.
2. What does the indirectCRL indication mean? A description seems to be
missing from the spec (and might partly be a source of my confusion).
3. I have seen a test CRL issued with multiple distribution points bearing
distinct indications of classes of certs "covered". Is this allowed?
This might be appropriate for indicating where to get CRLs for other classes
of certs in the case of partitioned CRLs, but then there is a need to define
some separate mechanism to indicate which indications apply directly to the CRL
in which the extension appears. (Read item 1 above as well). I don't see one;
my current interpretation is that the Issuing Distribution Point extension in a
given CRL indicates only where to get updates for that one CRL, and that the
indications that specify classes of certs "covered" by the CRL apply to that
CRL and any update obtained at that distribution point. Is this correct?
Could someone (maybe one of the draft 11 authors) suggest some revisions
to 5.2.5 that clarify these points?
--a.
--
Anil R. Gangolli
Structured Arts Computing Corporation
mailto:gangolli@structuredarts.com
http://www.structuredarts.com
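The following is an added example and is not part of the original message or of the draft it discusses. It is a minimal DER encoder/decoder for the IssuingDistributionPoint extension together with the scope check a relying party applies before using a CRL for a given certificate, written against the semantics as they were later fixed in RFC 5280 (sections 5.2.5 and 6.3.3): the onlyContainsUserCerts/onlyContainsCACerts indications apply to the CRL that carries the extension, and indirectCRL means the CRL may list certificates from issuers other than the CRL issuer. The URI, issuer names, and the Python field names are constructed for this example; issuer names are compared as plain strings, and nameRelativeToCRLIssuer and onlySomeReasons are parsed past but not evaluated.

```python
"""Minimal DER codec for the IssuingDistributionPoint (IDP) CRL extension and
the scope check a relying party applies before using a CRL (RFC 5280 5.2.5/6.3.3).

  IssuingDistributionPoint ::= SEQUENCE {
      distributionPoint     [0] DistributionPointName OPTIONAL,
      onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE,
      onlyContainsCACerts   [2] BOOLEAN DEFAULT FALSE,
      onlySomeReasons       [3] ReasonFlags OPTIONAL,
      indirectCRL           [4] BOOLEAN DEFAULT FALSE }
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IDP:  # hypothetical field names, chosen for this example
    full_name_uris: List[str] = field(default_factory=list)  # distributionPoint.fullName URIs
    only_user_certs: bool = False
    only_ca_certs: bool = False
    indirect_crl: bool = False


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with definite-length encoding."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def encode_idp(idp: IDP) -> bytes:
    """DER-encode an IDP: DEFAULT FALSE booleans are omitted, TRUE is 0xFF."""
    body = b""
    if idp.full_name_uris:
        # GeneralName uniformResourceIdentifier is [6] IA5String -> tag 0x86
        names = b"".join(_tlv(0x86, u.encode("ascii")) for u in idp.full_name_uris)
        body += _tlv(0xA0, _tlv(0xA0, names))  # distributionPoint [0] { fullName [0] }
    if idp.only_user_certs:
        body += _tlv(0x81, b"\xff")
    if idp.only_ca_certs:
        body += _tlv(0x82, b"\xff")
    if idp.indirect_crl:
        body += _tlv(0x84, b"\xff")
    return _tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_idp(der: bytes) -> IDP:
    """Strict decoder: rejects trailing data, out-of-order or repeated fields,
    non-DER booleans, and the mutually exclusive user/CA scope flags."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("IDP must be a single SEQUENCE")
    idp, pos, last = IDP(), 0, -1
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        num = tag & 0x1F  # context-specific tag number, must strictly increase
        if num <= last:
            raise ValueError("IDP fields out of order or repeated")
        last = num
        if tag == 0xA0:  # distributionPoint
            inner_tag, names, _ = _read_tlv(val, 0)
            if inner_tag == 0xA0:  # fullName (nameRelativeToCRLIssuer [1] is skipped)
                p = 0
                while p < len(names):
                    t, v, p = _read_tlv(names, p)
                    if t == 0x86:
                        idp.full_name_uris.append(v.decode("ascii"))
        elif tag in (0x81, 0x82, 0x84):
            if val != b"\xff":
                raise ValueError("DER BOOLEAN must be 0xFF; FALSE must be omitted")
            setattr(idp, {0x81: "only_user_certs", 0x82: "only_ca_certs", 0x84: "indirect_crl"}[tag], True)
        elif tag != 0x83:  # 0x83 = onlySomeReasons, not needed for the scope decision
            raise ValueError("unexpected tag 0x%02x in IDP" % tag)
    if idp.only_user_certs and idp.only_ca_certs:
        raise ValueError("onlyContainsUserCerts and onlyContainsCACerts are mutually exclusive")
    return idp


def crl_covers(idp: Optional[IDP], cert_is_ca: bool, cert_issuer: str,
               crl_issuer: str, cert_dp_uris: Optional[List[str]] = None) -> bool:
    """May this CRL be used for the certificate? The flags apply to the CRL that
    carries the extension; a CRL from another issuer is usable only if it asserts
    indirectCRL; if both sides name distribution points, one must match."""
    if idp is None:
        return cert_issuer == crl_issuer
    if cert_issuer != crl_issuer and not idp.indirect_crl:
        return False
    if idp.only_user_certs and cert_is_ca:
        return False
    if idp.only_ca_certs and not cert_is_ca:
        return False
    if idp.full_name_uris and cert_dp_uris is not None:
        return bool(set(idp.full_name_uris) & set(cert_dp_uris))
    return True


if __name__ == "__main__":
    # constructed sample: a partitioned end-entity CRL at a hypothetical URI
    sample = IDP(full_name_uris=["http://example.com/crl/users.crl"], only_user_certs=True)
    decoded = decode_idp(encode_idp(sample))
    print("covers EE cert:", crl_covers(decoded, False, "CN=Example CA", "CN=Example CA"))
    print("covers CA cert:", crl_covers(decoded, True, "CN=Example CA", "CN=Example CA"))
```

The decoder is deliberately strict: a non-minimal BOOLEAN, a repeated field, or trailing bytes are rejected rather than tolerated, so that two implementations cannot read different scopes out of the same extension bytes.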