
Re: Problem with RFC 2459?



Ambarish:

The IDP has the following syntax:

   issuingDistributionPoint ::= SEQUENCE {
        distributionPoint       [0] DistributionPointName OPTIONAL,
        onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
        onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
        onlySomeReasons         [3] ReasonFlags OPTIONAL,
        indirectCRL             [4] BOOLEAN DEFAULT FALSE }

If indirectCRL is false (the default case), then X.509-1993 says the
following three things that taken together answer your question:

1.  If onlyContainsUserCerts is true, the CRL only contains revocations for
end-entity certificates.

2.  If onlyContainsCACerts is true, the CRL only contains revocations for
CA-certificates.

3.  If onlySomeReasons is present, the CRL only contains revocations for
the identified reason or reasons, otherwise the CRL contains revocations
for all reasons.

Thus, if the onlyContainsUserCerts is false AND onlyContainsCACerts is
false AND onlySomeReasons is absent AND indirectCRL is false, then the CRL
is complete.

Russ

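As an added illustration of the four-part test above (my own code, not from Russ's message or from RFC 2459), this parses a DER-encoded issuingDistributionPoint extension and reports whether the CRL carrying it is complete. The sample encodings are constructed for the example; the only assumption is that the caller has already pulled the raw extension value out of the CRL.

```python
"""Apply the IDP completeness test from the message above to a DER-encoded
extension value.  Added example; sample bytes below are constructed."""
from typing import Optional

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one DER TLV (short or long-form length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits give the octet count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_idp(der: bytes) -> dict:
    """Decode issuingDistributionPoint; absent BOOLEANs take DEFAULT FALSE."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("IDP must be a single SEQUENCE")
    fields = {"distributionPoint": None, "onlyContainsUserCerts": False,
              "onlyContainsCACerts": False, "onlySomeReasons": None, "indirectCRL": False}
    booleans = {0x81: "onlyContainsUserCerts", 0x82: "onlyContainsCACerts", 0x84: "indirectCRL"}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0xA0:                  # [0] DistributionPointName (CHOICE, so explicit/constructed)
            fields["distributionPoint"] = value
        elif tag in booleans:            # [1], [2], [4] IMPLICIT BOOLEAN; any non-zero octet is TRUE
            fields[booleans[tag]] = value != b"\x00"
        elif tag == 0x83:                # [3] IMPLICIT ReasonFlags BIT STRING (first octet = unused bits)
            fields["onlySomeReasons"] = value
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in IDP")
    return fields

def crl_is_complete(idp_der: Optional[bytes]) -> bool:
    """Russ's rule: complete iff all four scope-narrowing fields are false/absent.
    A CRL without any IDP extension is complete as well."""
    if idp_der is None:
        return True
    f = parse_idp(idp_der)
    return (not f["onlyContainsUserCerts"] and not f["onlyContainsCACerts"]
            and f["onlySomeReasons"] is None and not f["indirectCRL"])

# Constructed sample IDP values (not from any real CRL):
IDP_NAME_ONLY = bytes.fromhex("300fa00da00b8609687474703a2f2f782f")  # [0] fullName URI only
IDP_CA_ONLY = bytes.fromhex("30038201ff")                            # onlyContainsCACerts TRUE
IDP_KEY_COMPROMISE = bytes.fromhex("300483020640")                   # onlySomeReasons {keyCompromise}
IDP_INDIRECT = bytes.fromhex("30038401ff")                           # indirectCRL TRUE
```

Note that a CRL whose IDP carries nothing but a distributionPoint name still passes the test, which is exactly the situation Ambarish describes of CAs putting the IDP into their full CRLs.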

At 11:48 AM 6/3/99 -0700, Ambarish Malpani wrote:
>
>Hi Folks,
>    Have a quick question about RFC 2459 and CRLDPs.
>
>If a CA issues both full CRLs and CRLDPs (which are partitioned
>based on the serial number of the cert), how can an application
>figure out whether it has the full CRL or a DP?
>
>I know a DP (if it is not the full CRL), must contain the Issuing
>Distribution Point (IDP) extension. However, I believe most CAs
>are putting the IDP extension within their full CRLs also. So,
>is there any way for an application to figure out whether it has
>the full CRL or just a DP?
>
>Regards,
>Ambarish
>
>
>---------------------------------------------------------------------
>Ambarish Malpani
>Architect					         650.567.5457
>ValiCert, Inc.				        ambarish@valicert.com
>1215 Terra Bella Ave.		              http://www.valicert.com
>Mountain View, CA 94043-1833
>