
Re: Delta CRL processing



>>>>> "Bob" == Bob Jueneman <BJUENEMAN@novell.com> writes:

 Bob> I must be dense, Russ. The text you attached seems to agree
 Bob> precisely with what Sharon said, and was exactly what I was
 Bob> requesting as well.

 Bob> Sharon used the term "publish", not "issue", and the last
 Bob> paragraph certainly seems to be quite explicit in allowing that
 Bob> option, by differentiating between issuing and publishing.

 Bob> Why do you disagree?  What am I missing?

 Bob> Bob


 >>>> Russ Housley <housley@spyrus.com> 04/22/99 01:38PM >>>
 >> In a private message, Sharon Boeyen points out:
 >> 
 >> "As of the 1997 edition of X.509 a CA is NOT required to publish a
 >> full CRL."

 > I disagree with Sharon.  X.509-1997 says: " ... It is the
 > decision of a CA as to whether to provide delta-CRLs. However, a
 > delta-CRL shall not be issued without a corresponding complete
 > CRL being issued at the same time."  I have attached the entire
 > section on delta-CRLs from X.509-1997 at the end of this
 > message.

I think it would be a good idea to apply the normal "black box rule of 
protocol specification" to this issue.  In protocol specs, the only
parts that can be normative are those that describe externally visible 
behavior.  If anything is said about internal algorithms, that is only 
for illustrative purposes.

Similarly, the only statements about a CA that can be normative are
those that are externally observable.  If a CA publishes a CRL, that
is observable.  If it generates one that it doesn't publish, that's an
internal algorithm and illustrative only.

With that in mind, if X.509 *requires* a CA to "issue" a CRL under
some conditions, there are two possible conclusions:

1. The term "issue" describes externally visible behavior, i.e., it is 
synonymous with "publish", or

2. The term "issue" describes internal behavior, is not meant as
"publish" and the standard is in error in that it appears to require
something that isn't observable.

	paul
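The quoted X.509 requirement is about the issuing side; on the relying-party side, "delta CRL processing" means combining a delta with the complete CRL it refers to, and refusing the delta when no corresponding complete CRL is available. The following is an added example, not code from this thread or from any of its participants. It assumes a simplified in-memory CRL model (no ASN.1, no signature checking) carrying the cRLNumber and BaseCRLNumber values that delta CRLs use, and applies the combination rule later codified in RFC 5280 section 5.2.4.

```python
from __future__ import annotations
from dataclasses import dataclass, field

REMOVE_FROM_CRL = "removeFromCRL"  # CRLReason value that only delta CRLs use


@dataclass
class CRL:
    """Toy model of a CRL (constructed data only; real CRLs are signed ASN.1)."""
    crl_number: int                               # cRLNumber extension
    revoked: dict = field(default_factory=dict)   # serial -> CRLReason name
    base_crl_number: int | None = None            # BaseCRLNumber; None = complete CRL

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


def delta_applies_to(complete: CRL, delta: CRL) -> bool:
    """A delta may be combined with a complete CRL whose number is at least the
    delta's base number and not newer than the delta itself (RFC 5280 5.2.4)."""
    return (not complete.is_delta and delta.is_delta
            and complete.crl_number >= delta.base_crl_number
            and delta.crl_number >= complete.crl_number)


def build_constructed_crl(complete: CRL, delta: CRL) -> CRL:
    """Relying-party side of delta CRL processing: merge the delta into the
    complete CRL it refers to, yielding the current revocation state."""
    if not delta_applies_to(complete, delta):
        raise ValueError("no corresponding complete CRL for this delta")
    merged = dict(complete.revoked)
    for serial, reason in delta.revoked.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)    # e.g. a certificateHold that was lifted
        else:
            merged[serial] = reason
    return CRL(crl_number=delta.crl_number, revoked=merged)


# Constructed sample data: one complete CRL, one usable delta, one orphan delta.
COMPLETE_10 = CRL(crl_number=10, revoked={1001: "certificateHold"})
DELTA_12 = CRL(crl_number=12, base_crl_number=10,
               revoked={1002: "keyCompromise", 1001: REMOVE_FROM_CRL})
DELTA_ORPHAN = CRL(crl_number=13, base_crl_number=11,
                   revoked={1003: "superseded"})  # base CRL 11 was never received

if __name__ == "__main__":
    print(build_constructed_crl(COMPLETE_10, DELTA_12).revoked)  # {1002: 'keyCompromise'}
    print(delta_applies_to(COMPLETE_10, DELTA_ORPHAN))           # False
```

A relying party that only ever sees deltas, as the thread worries a CA might publish, ends up in the DELTA_ORPHAN case: the delta is well-formed but there is nothing to combine it with.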