RE: Usage of CRL Issuing Distribution Point
Please see the text for CRL processing in Annex M of the September 1998
PDAM to X.509. It clarifies lots of issues in terms of how to determine
whether a CRL is appropriate, which has been the theme of this thread
for a while now.
I have also suggested that the Annex should be part of the pkix document
series or tied to pkix part 1 somehow.
> -----Original Message-----
> From: Trevor Freeman [SMTP:trevorf@microsoft.com]
> Sent: Tuesday, February 16, 1999 6:53 PM
> To: 'Stephen Kent'
> Cc: 'ietf-pkix@imc.org'
> Subject: RE: Usage of CRL Issuing Distribution Point
>
> As with a lot of threads on the list, there have been some
> misinterpretations based on some terms having different meanings to
> different people. Let me return to the original point.
> It is important for the client to understand whether it is dealing with a
> monolithic CRL or multiple CRLs. In the former case, once it finds a current
> CRL signed by the CA, it knows it is sufficient. Here the AKI extension is a
> useful hint, but the signature check is conclusive proof the client has
> found the right CRL. In the latter case there will be multiple CRLs, all of
> which are current and signed by the same CA. In these instances it is
> dangerous for the CA to assume the reliability of the CRL distribution
> mechanism, and therefore there is a need to include unambiguous information
> in the Certificate AND CRL to inform the client whether or not the CRL is
> partitioned and where these CRL(s) are, and it needs to know from the CRL
> when it has found them. Or, in other words, finding an object signed by the
> right authority at the end of a URL or in a directory is not enough.
>
> -----Original Message-----
> From: Stephen Kent [mailto:kent@bbn.com]
> Sent: Tuesday, February 16, 1999 7:46 AM
> To: Trevor Freeman
> Cc: 'ietf-pkix@imc.org'
> Subject: RE: Usage of CRL Issuing Distribution Point
>
>
> Trevor,
>
> I am puzzled by your statements. It is true that CRLs have some facilities
> to explicitly mark which classes of certs may be contained in them, e.g.,
> only CA certs or only some revocation reason codes. However, there is no
> prohibition against round robin assignment of certs to different CRLs
> through the use of the CRL distribution point extension. In fact, that
> would seem to be a major feature of this extension. Perhaps you are raising
> the question of how one ought to note, in the CRL itself, that only a subset
> of certs (e.g., partitioned by serial number) are contained in a given CRL.
>
> Steve
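The check the thread is circling around, as an added example that is not part of any message above: a relying party deciding whether a CRL it has fetched actually covers a given certificate, using the CRL's Issuing Distribution Point and the certificate's CRL Distribution Points rather than the signature alone. The data classes, field names and the sample distribution point URLs are constructed for the illustration; the scope rules follow the X.509 IDP semantics (onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons, distributionPoint name match), and indirect CRLs are deliberately not modelled.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the fields that matter for the scope check. A real
# client would fill these from the decoded certificate and CRL; no ASN.1
# parsing is done here, and indirect CRLs (cRLIssuer) are not modelled.
@dataclass
class Cert:
    issuer: str
    is_ca: bool
    dp_names: frozenset = frozenset()   # names from the CRL Distribution Points ext.

@dataclass
class Idp:                              # Issuing Distribution Point extension of a CRL
    names: frozenset = frozenset()      # distributionPoint names, empty if absent
    only_user_certs: bool = False
    only_ca_certs: bool = False
    only_some_reasons: bool = False

@dataclass
class Crl:
    issuer: str
    signature_ok: bool                  # result of verifying the CRL with the issuer's key
    idp: Optional[Idp] = None           # None: no IDP, i.e. a complete (monolithic) CRL

def crl_covers_cert(cert: Cert, crl: Crl) -> Tuple[bool, str]:
    """Return (covers, reason): does this CRL's declared scope include cert?"""
    if not crl.signature_ok:
        return False, "signature does not verify"
    if crl.issuer != cert.issuer:
        return False, "CRL issuer differs from certificate issuer"
    if crl.idp is None:
        # Monolithic CRL: a valid signature from the issuer is conclusive.
        return True, "complete CRL from the certificate's issuer"
    idp = crl.idp
    if idp.only_user_certs and cert.is_ca:
        return False, "CRL covers end-entity certificates only"
    if idp.only_ca_certs and not cert.is_ca:
        return False, "CRL covers CA certificates only"
    if idp.only_some_reasons:
        return False, "CRL covers only some reason codes; other CRLs are needed"
    if idp.names:
        # Partitioned CRL: the certificate itself must point at this partition,
        # so a correctly signed CRL for another partition is rejected.
        if not cert.dp_names:
            return False, "certificate names no distribution point"
        if not (idp.names & cert.dp_names):
            return False, "certificate's distribution point is a different partition"
    return True, "partitioned CRL whose scope matches the certificate"
```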