Re: Usage of CRL Issuing Distribution Point
Trevor,
A CA can divide its certificates among CRLs without telling anyone the reason
for the division. All it should do is put in the CDP the name (location) of the
CRL, and issue an appropriate CRL with the corresponding IDP.
It can even divide the certificates among CRLs according to the third letter of the
CN. The relying party doesn't have to know or care why it divided them that way.
All that is important is that it has a way to retrieve the CRL (the
DistributionPointName attribute), and, when it has got it, to verify that it
corresponds to the certificate (by comparing the IDP).
Moshe
Trevor Freeman wrote:
> Alex,
> While I agree it is not the intent of the standard to exclude future
> development, and future work may well do as you suggest, as of today with
> RFC2459 the bottom line is still that the documented extensions cannot do as
> you suggest.
>
> -----Original Message-----
> From: Alex Deacon [mailto:alex@verisign.com]
> Sent: Friday, February 12, 1999 2:24 PM
> To: Trevor Freeman
> Cc: 'ietf-pkix@imc.org'
> Subject: RE: Usage of CRL Issuing Distribution Point
>
> From reading the docs, I don't get the impression that CDP and IDP
> explicitly exclude the use of other attributes. I take this to (implicitly)
> imply that other attributes CAN be used to partition CRLs. Is this too big
> of a leap of faith to make?
>
> Partitioning a CRL by serialNumber sounds very reasonable to me. So does
> partitioning a CRL by some extension value which may be present in all certs
> issued by a particular CA. Why not partition a CRL by using the notBefore
> validity date on the cert? Or, perhaps the CA keeps an internal counter and
> creates a new partition for every 20 certs it issues. In an extreme case,
> you may want each cert to have its own CRL partition.
>
> If CDP's and IDP's are being used properly, (i.e. they are present in all
> certs and CRL's issued by a CA) then what difference does it make as to how
> the partitions were created?
>
> Alex
>
> > -----Original Message-----
> > From: Trevor Freeman [mailto:trevorf@microsoft.com]
> > Sent: Friday, February 12, 1999 12:47 PM
> > To: 'Alex Deacon'
> > Cc: 'ietf-pkix@imc.org'
> > Subject: RE: Usage of CRL Issuing Distribution Point
> >
> >
> > What extensions in these documents provide for other attributes to be used
> > to partition CRLs?
> > -----Original Message-----
> > From: Alex Deacon [mailto:alex@verisign.com]
> > Sent: Friday, February 12, 1999 12:40 PM
> > To: Trevor Freeman
> > Cc: 'ietf-pkix@imc.org'
> > Subject: RE: Usage of CRL Issuing Distribution Point
> >
> >
> > Trevor,
> >
> > Could you specify what document states that it is not permitted for CRLs to
> > be partitioned on the basis of other attributes such as serial number? I
> > can't recall ever seeing such a statement in either PKIX Part 1 or X.509.
> >
> > Thanks
> > Alex
> >
--
-----------------------------------------------------------------------
Moshe Litvin Check Point Software Technologies Ltd.
moshe@checkpoint.com Tel: +972-3-753-4601 (972-3-753-4555)
Fax: +972-3-575-9256
-----------------------------------------------------------------------
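The point Moshe makes above, and the serial-number partitioning Alex proposes, in runnable form: a toy model of the CA stamping each certificate with a CDP for its partition and a relying party that fetches the CRL by that name and checks the IDP before trusting it. This is an added example written for this archive page, not code from any of the thread's participants. The CRL location (`crl.example.test`), the third-letter-of-CN and every-20-serials partition rules, and the dataclass fields are constructed; real CRLs are signed ASN.1 structures, and the signature check and DER handling are omitted here. The IDP comparison follows the matching rule later written down in RFC 5280 section 6.3.3 (b)(2), which also covers the onlyContainsUserCerts/onlyContainsCACerts scope flags.

```python
"""Partitioned CRLs: CA-side partition assignment and the relying-party
check that a fetched CRL's Issuing Distribution Point (IDP) corresponds
to the certificate's CRL Distribution Point (CDP).

Constructed example for the ietf-pkix thread above; names, URLs and the
partition rules are assumptions, and signatures/DER are not modelled.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class Cert:
    cn: str
    serial: int
    is_ca: bool
    cdp: str = ""  # DistributionPointName (a URI here), filled in by the CA


@dataclass
class CRL:
    idp_name: str  # IDP distributionPoint; must equal the cert's CDP
    only_user_certs: bool
    only_ca_certs: bool
    revoked: Set[int] = field(default_factory=set)


CRL_BASE = "http://crl.example.test/"  # constructed placeholder location


def partition_by_cn(cn: str, serial: int) -> str:
    """Moshe's example: partition on the third letter of the CN."""
    key = cn[2].lower() if len(cn) > 2 else "_"
    return f"{CRL_BASE}cn-{key}.crl"


def partition_by_serial(cn: str, serial: int) -> str:
    """Alex's example: a new partition for every 20 certificates issued."""
    return f"{CRL_BASE}serial-block-{(serial - 1) // 20}.crl"


def ca_issue_cert(cn: str, serial: int, is_ca: bool = False,
                  rule: Callable[[str, int], str] = partition_by_cn) -> Cert:
    """CA side: the partition rule is private to the CA; only its output
    (the CDP name) is visible to relying parties."""
    return Cert(cn, serial, is_ca, cdp=rule(cn, serial))


def ca_issue_crl(name: str, revoked: Set[int], only_user: bool = False,
                 only_ca: bool = False) -> CRL:
    """CA side: each partition's CRL carries an IDP naming that partition."""
    return CRL(name, only_user, only_ca, set(revoked))


def crl_matches_cert(crl: CRL, cert: Cert) -> bool:
    """Relying-party check modelled on RFC 5280 6.3.3 (b)(2): the IDP name
    must match the cert's CDP and the scope flags must cover this cert."""
    if crl.idp_name != cert.cdp:
        return False
    if crl.only_user_certs and cert.is_ca:
        return False
    if crl.only_ca_certs and not cert.is_ca:
        return False
    return True


def is_revoked(cert: Cert, crl_store: Dict[str, CRL]) -> bool:
    """Fetch the CRL named by the cert's CDP (the dict stands in for the
    network retrieval), refuse any CRL whose IDP does not correspond to the
    certificate, then consult the revoked list."""
    crl = crl_store.get(cert.cdp)
    if crl is None:
        raise LookupError(f"no CRL available at {cert.cdp}")
    if not crl_matches_cert(crl, cert):
        raise ValueError("CRL IDP does not correspond to the certificate's CDP")
    return cert.serial in crl.revoked


if __name__ == "__main__":
    alice = ca_issue_cert("Alice Example", 1001)
    bob = ca_issue_cert("Bob Example", 1002)
    store = {
        alice.cdp: ca_issue_crl(alice.cdp, {1001}, only_user=True),
        bob.cdp: ca_issue_crl(bob.cdp, set(), only_user=True),
    }
    print(alice.cdp, is_revoked(alice, store))  # cn-i partition, True
    print(bob.cdp, is_revoked(bob, store))      # cn-b partition, False
```

The relying party never learns or needs the partition rule: swapping `partition_by_cn` for `partition_by_serial` changes only the CDP names the CA writes, and `is_revoked` is unchanged. The IDP comparison is what stops a CRL from one partition (or a full CRL without the right scope) from being accepted as the answer for a certificate in another, which is why the IDP must be present and checked, not just the CDP.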