RE: Usage of CRL Issuing Distribution Point
As with a lot of threads on the list, there have been some
misinterpretations based on some terms having different meanings to
different people. Let me return to the original point.
It is important for the client to understand whether it is dealing with a
monolithic CRL or multiple CRLs. In the former case, once it finds a current
CRL signed by the CA, it knows it is sufficient. Here the AKI extension is a
useful hint, but the signature check is conclusive proof the client has
found the right CRL. In the latter case there will be multiple CRLs, all of
which are current and signed by the same CA. In these instances it is dangerous
for the CA to assume the reliability of the CRL distribution mechanism, and
therefore there is a need to include unambiguous information in the
certificate AND CRL to inform the client whether the CRL is partitioned or not,
where these CRL(s) are, and it needs to know from the CRL when it has found
them. Or, in other words, finding an object signed by the right authority at
the end of a URL or in a directory is not enough.
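As an added illustration of the scope check described above (example code written for this page, not from the thread or any PKI library; the CA name, URIs, serials and the signature-check result are constructed), the following models a certificate's CRL Distribution Point and a CRL's Issuing Distribution Point and contrasts a client that trusts the first CA-signed CRL it finds with one that also matches IDP against CDP:

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the fields that matter for CRL scoping (not a real X.509 parser).
@dataclass
class Cert:
    serial: int
    issuer: str
    is_ca: bool
    cdp_names: list                  # distributionPoint names from the cert's CRLDistributionPoints

@dataclass
class Crl:
    issuer: str
    signature_ok: bool               # assumed result of verifying the CRL signature with the CA key
    idp_name: Optional[str] = None   # IssuingDistributionPoint.distributionPoint; None = no IDP
    only_ca_certs: bool = False      # IDP onlyContainsCACerts
    only_user_certs: bool = False    # IDP onlyContainsUserCerts
    revoked: set = field(default_factory=set)

def crl_covers_cert(cert: Cert, crl: Crl) -> bool:
    """Scope test in the spirit of RFC 5280 6.3.3(b): a valid signature alone is not enough."""
    if not crl.signature_ok or crl.issuer != cert.issuer:
        return False
    if crl.idp_name is not None and crl.idp_name not in cert.cdp_names:
        return False                 # partitioned CRL for a different distribution point
    if crl.only_ca_certs and not cert.is_ca:
        return False
    if crl.only_user_certs and cert.is_ca:
        return False
    return True

def naive_status(cert: Cert, crls: list) -> str:
    """Client that trusts the first current CRL signed by the issuer (the dangerous approach)."""
    for crl in crls:
        if crl.signature_ok and crl.issuer == cert.issuer:
            return "revoked" if cert.serial in crl.revoked else "good"
    return "undetermined"

def scoped_status(cert: Cert, crls: list) -> str:
    """Client that also checks the CRL's IDP against the cert's CDP before trusting it."""
    for crl in crls:
        if crl_covers_cert(cert, crl):
            return "revoked" if cert.serial in crl.revoked else "good"
    return "undetermined"

# Constructed scenario: the CA splits revocations over two partitions by serial number.
PART1 = Crl("CN=Example CA", True, "http://crl.example.test/part1.crl", revoked={7})
PART2 = Crl("CN=Example CA", True, "http://crl.example.test/part2.crl", revoked={42})
CERT_42 = Cert(42, "CN=Example CA", False, ["http://crl.example.test/part2.crl"])

if __name__ == "__main__":
    print("naive:", naive_status(CERT_42, [PART1, PART2]))    # good (wrong partition consulted)
    print("scoped:", scoped_status(CERT_42, [PART1, PART2]))  # revoked
```

A CRL with no IDP is treated as monolithic and covers every certificate from that issuer, which is the first case Trevor describes.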
-----Original Message-----
From: Stephen Kent [mailto:kent@bbn.com]
Sent: Tuesday, February 16, 1999 7:46 AM
To: Trevor Freeman
Cc: 'ietf-pkix@imc.org'
Subject: RE: Usage of CRL Issuing Distribution Point
Trevor,
I am puzzled by your statements. It is true that CRLs have some facilities
to explicitly mark which classes of certs may be contained in them, e.g.,
only CA certs or only some revocation reason codes. However, there is no
prohibition against round robin assignment of certs to different CRLs through the use
of the CRL distribution point extension. In fact, that would seem to be a
major feature of this extension. Perhaps you are raising the question of
how one ought to note, in the CRL itself, that only a subset of certs
(e.g., partitioned by serial number) are contained in a given CRL.
Steve