
Re: Usage of CRL Issuing Distribution Point



Steve,

You said "Hopefully we now agree that inclusion of a CDP extension in a cert
...". Not quite.

This technique only allows one case of partitioning where it can be said: for
this certificate, go there. Other schemes are not supported.

However there is a much more important concern. If we go this way we are going
to overload the content of *every* certificate. The same would apply to get
information about OCSP responders. If we are going to store certificates in
smart cards this is going to be a problem.

We should look for another solution able to solve this concern. Placing all
this administrative information in a *single* and new data structure signed by
the CA would need to be explored.

Opinions?

Denis


> Trevor,
>
> Yes, this message thread certainly does seem to have become confused.
> Hopefully we now agree that inclusion of a CDP extension in a cert allows a
> relying party to determine whether it has the right CRL for the cert in
> question, subject to the usual CRL validation processes.  Note that, in
> this case, the relying party does not care whether there are multiple CRLs
> or not, since the CDP extension provided the necessary pointer.
>
> Steve
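The relying-party check Steve describes above (is the CRL in hand the one the cert's CDP points at?), as an added example that is not code from this thread or from any PKIX implementation. It assumes pyca/cryptography; the CA name, CRL URL and keys are constructed fixtures.

```python
# Added example (not from the thread): a relying party accepts a CRL for a cert only if
# it is from the cert's issuer, verifies under the CA key and, when the CRL carries an
# Issuing Distribution Point, that IDP names a distribution point in the cert's CDP.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CRL_URL = "http://crl.example.test/partition1.crl"  # constructed, not a real CDP
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test CA")])  # constructed

def _uris(full_name):
    """URI general names of a distribution point name (empty if the name is absent)."""
    return {n.value for n in (full_name or []) if isinstance(n, x509.UniformResourceIdentifier)}

def crl_matches_cert(cert, crl, ca_public_key):
    """True if crl is the right CRL for cert (RFC 5280 6.3.3 CDP/IDP matching)."""
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_public_key):
        return False
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    except x509.ExtensionNotFound:
        return True  # not partitioned: the issuer's full CRL covers every cert it issued
    try:
        cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return False  # partitioned CRL but the cert carries no pointer to match against
    return any(_uris(idp.full_name) & _uris(dp.full_name) for dp in cdp)

def build_fixture(crl_url=CRL_URL, key=None):
    """Constructed CA key, cert whose CDP points at crl_url, CRL whose IDP is crl_url."""
    key = key or ec.generate_private_key(ec.SECP256R1())  # leaf reuses the CA key for brevity
    now = datetime.now(timezone.utc)
    dp_name = [x509.UniformResourceIdentifier(crl_url)]
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf")]))
            .issuer_name(CA_NAME).public_key(key.public_key()).serial_number(42)
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.CRLDistributionPoints(
                [x509.DistributionPoint(dp_name, None, None, None)]), critical=False)
            .sign(key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(CA_NAME).last_update(now).next_update(now + timedelta(days=1))
           .add_extension(x509.IssuingDistributionPoint(
               dp_name, None, False, False, None, False, False), critical=True)
           .sign(key, hashes.SHA256()))
    return cert, crl, key
```

A CRL for a different partition of the same CA passes the issuer and signature checks but fails the IDP/CDP comparison, which is exactly the case the pointer in the cert resolves.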