RE: Usage of CRL Issuing Distribution Point
I agree with Alex's interpretation of the spec. There is
nothing to prevent a CA from creating a new DP for every n
certificates it issues. All it needs to do is give the new
DP a name and put that name in the certificate.
Any application that is trying to verify the status of that
certificate can go retrieve the appropriate DP and ensure
that the cert isn't in it.
By the way, are there any CAs that support CRLDP as a way to
break up a CRL into smaller chunks, or is everybody just
using CRLDP to point to the one monolithic CRL they publish?
Also, is anybody using CRLDP to create multiple CRLs (potentially
published at different frequencies), where the CRLs are
used for different revocation reasons - keyCompromise etc.
Anybody planning to support CRLDP in those ways?
Ambarish
---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. ambarish@valicert.com
1215 Terra Bella Ave. http://www.valicert.com
Mountain View, CA 94043-1833
> -----Original Message-----
> From: owner-ietf-pkix@imc.org
> [mailto:owner-ietf-pkix@imc.org]On Behalf
> Of Alex Deacon
> Sent: Friday, February 12, 1999 2:24 PM
> To: 'Trevor Freeman'
> Cc: 'ietf-pkix@imc.org'
> Subject: RE: Usage of CRL Issuing Distribution Point
>
> From reading the docs, I don't get the impression that CDP and IDP
> explicitly exclude the use of other attributes. I take this to
> (implicitly) imply that other attributes CAN be used to partition CRLs.
> Is this too big of a leap of faith to make?
>
> Partitioning a CRL by serialNumber sounds very reasonable to me. So does
> partitioning a CRL by some extension value which may be present in all
> certs issued by a particular CA. Why not partition a CRL by using the
> notBefore validity date on the cert? Or, perhaps the CA keeps an
> internal counter and creates a new partition for every 20 certs it
> issues. In an extreme case, you may want each cert to have its own CRL
> partition.
>
> If CDPs and IDPs are being used properly (i.e. they are present in all
> certs and CRLs issued by a CA), then what difference does it make as to
> how the partitions were created?
>
> Alex
>
> > -----Original Message-----
> > From: Trevor Freeman [mailto:trevorf@microsoft.com]
> > Sent: Friday, February 12, 1999 12:47 PM
> > To: 'Alex Deacon'
> > Cc: 'ietf-pkix@imc.org'
> > Subject: RE: Usage of CRL Issuing Distribution Point
> >
> > What extensions in these documents provide for other attributes to be
> > used to partition CRLs?
> > -----Original Message-----
> > From: Alex Deacon [mailto:alex@verisign.com]
> > Sent: Friday, February 12, 1999 12:40 PM
> > To: Trevor Freeman
> > Cc: 'ietf-pkix@imc.org'
> > Subject: RE: Usage of CRL Issuing Distribution Point
> >
> >
> > Trevor,
> >
> > Could you specify what document states that it is not permitted for
> > CRLs to be partitioned on the basis of other attributes such as serial
> > number? I can't recall ever seeing such a statement in either PKIX
> > Part 1 or X.509.
> >
> > Thanks
> > Alex
> >
>
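The scheme the thread describes, as an added example (this code is not from any of the posters or their companies): a CA that keeps an internal counter and opens a new CRL partition every 20 certificates, naming each partition and placing that name in the certificate's cRLDistributionPoints extension, and a relying party that fetches the matching partition and checks the serial against it. The X.509 structures are modelled as plain Python objects rather than ASN.1, and the CA name, base URL and partition-file naming are constructed for illustration. The relying-party check also enforces the point Alex makes about using CDPs and IDPs "properly": a CRL is only accepted for a certificate if the CRL's issuingDistributionPoint matches the certificate's distribution point, so a smaller partition cannot be substituted for the one that actually covers the cert.

```python
"""Partitioned CRLs keyed by an issuance counter (model of the
cRLDistributionPoints / issuingDistributionPoint extensions)."""
from dataclasses import dataclass, field
from typing import Dict, Set

PARTITION_SIZE = 20  # a new distribution point for every 20 certs issued


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    crl_dp: str  # distributionPoint name from cRLDistributionPoints


@dataclass
class PartitionedCRL:
    issuing_dp: str  # distributionPoint name from issuingDistributionPoint
    revoked_serials: Set[int] = field(default_factory=set)


class CA:
    """Issues certs and assigns each one to a CRL partition by counter."""

    def __init__(self, base_url: str):
        # base_url is an illustrative value, e.g. "http://crl.example.test"
        self.base_url = base_url
        self.next_serial = 1
        self.partitions: Dict[str, PartitionedCRL] = {}

    def dp_name(self, serial: int) -> str:
        # serials 1..20 -> partition 0, 21..40 -> partition 1, and so on
        index = (serial - 1) // PARTITION_SIZE
        return f"{self.base_url}/crl-part-{index}.crl"

    def issue(self, subject: str) -> Certificate:
        serial = self.next_serial
        self.next_serial += 1
        dp = self.dp_name(serial)
        # Publish the (initially empty) partition as soon as it is first
        # referenced, so every cert's DP resolves to a real CRL.
        self.partitions.setdefault(dp, PartitionedCRL(issuing_dp=dp))
        return Certificate(serial, subject, dp)

    def revoke(self, cert: Certificate) -> None:
        # The entry goes only into the partition named in the cert.
        self.partitions[cert.crl_dp].revoked_serials.add(cert.serial)

    def fetch(self, dp: str) -> PartitionedCRL:
        # Stands in for retrieving the CRL at the DP's URL.
        return self.partitions[dp]


def is_revoked(cert: Certificate, crl: PartitionedCRL) -> bool:
    """Relying-party check against one partitioned CRL.

    The CRL's IDP must name the same distribution point as the cert's
    CDP; otherwise this CRL does not cover the cert and its silence
    about the serial proves nothing, so it is rejected rather than
    treated as 'not revoked'.
    """
    if crl.issuing_dp != cert.crl_dp:
        raise ValueError(
            f"CRL scope {crl.issuing_dp!r} does not cover cert DP {cert.crl_dp!r}"
        )
    return cert.serial in crl.revoked_serials


def check_status(ca: CA, cert: Certificate) -> bool:
    """Fetch the partition named in the cert and test membership."""
    return is_revoked(cert, ca.fetch(cert.crl_dp))


def demo() -> Dict[str, int]:
    """Issue 45 certs (3 partitions), revoke two, report partition sizes."""
    ca = CA("http://crl.example.test")  # constructed example URL
    certs = [ca.issue(f"CN=user{i}") for i in range(1, 46)]
    ca.revoke(certs[4])   # serial 5  -> partition 0
    ca.revoke(certs[24])  # serial 25 -> partition 1
    return {dp: len(crl.revoked_serials) for dp, crl in ca.partitions.items()}


if __name__ == "__main__":
    for dp, n in demo().items():
        print(f"{dp}: {n} revoked")
```

Each partition here is small because the CA only lists serials from its own range; a verifier that skipped the IDP/CDP comparison could be handed any of the three CRLs for any cert, which is why the check lives in `is_revoked` rather than being left to the caller.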