Possible clarification to RFC 2459
The current definition of Issuing Distribution Point leaves it relatively
unclear whether the presence of the "DistributionPoint" field within this
extension indicates that the CRL at that distribution point is a partial CRL. I
would like to suggest that the following text be added to RFC 2459 section
5.2.5:
Where the issuingDistributionPoint extension contains either a DN or an
RDN, the distribution point SHOULD contain only certificates which contain a CRL
Distribution Point extension one of whose DistributionPoints contains the same
value in the "distributionPoint" field.
To make it clear that CRL Distribution Points support partitioning even
for URLs, the following existing text in section 4.2.1.14 could be modified as
follows:
[Old] the URI is a pointer to the current CRL for the associated reasons and
will be issued by the associated cRLIssuer.
[New] the URI is a pointer to a current CRL for the associated reasons for
those certificates and will be issued by the associated cRLIssuer. The CRL so
referenced SHOULD contain only certificates whose CRL Distribution Point
extension contains this URI and certificates not containing any CRL Distribution
Point extension.
Tom Gindin
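The scope check the message proposes (a CRL whose issuingDistributionPoint names a distribution point is partial, and should be applied only to certificates whose cRLDistributionPoints extension names that same distribution point), written out as an added example. This code is not part of the original message or of RFC 2459. It models the two extensions as plain Python values rather than decoding DER (a real implementation would parse them with an ASN.1 library), and the issuer name, URIs and certificates below are constructed sample data. The `allow_no_cdp` switch reflects the proposed 4.2.1.14 wording, under which a partitioned CRL may also list certificates that carry no CRL Distribution Point extension at all.

```python
"""Partitioned-CRL scope check: does a CRL's Issuing Distribution Point
cover a certificate's CRL Distribution Point?  (Added example; extensions
are modelled as Python values instead of being decoded from DER.)"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple

# A DN is a tuple of RDNs; an RDN is a tuple of (attribute, value) pairs.
RDN = Tuple[Tuple[str, str], ...]
DN = Tuple[RDN, ...]
# A GeneralName is modelled as (type, value): ("uri", str) or ("dn", DN).
GeneralName = Tuple[str, object]


@dataclass
class DistributionPointName:
    full_name: Sequence[GeneralName] = ()     # fullName CHOICE
    relative_name: Optional[RDN] = None       # nameRelativeToCRLIssuer CHOICE


@dataclass
class CRLDistributionPoint:                   # one entry of cRLDistributionPoints
    distribution_point: Optional[DistributionPointName] = None
    crl_issuer: Sequence[GeneralName] = ()


@dataclass
class IssuingDistributionPoint:               # CRL's issuingDistributionPoint
    distribution_point: Optional[DistributionPointName] = None


def resolve_names(dpn: DistributionPointName, base_dn: DN) -> FrozenSet[GeneralName]:
    """Expand a DistributionPointName into the set of names it denotes.
    A nameRelativeToCRLIssuer RDN is appended to the base DN."""
    if dpn.relative_name is not None:
        return frozenset({("dn", base_dn + (dpn.relative_name,))})
    return frozenset(dpn.full_name)


def crl_covers_certificate(idp: IssuingDistributionPoint, crl_issuer_dn: DN,
                           cert_cdps: Optional[Sequence[CRLDistributionPoint]],
                           cert_issuer_dn: DN, allow_no_cdp: bool = True) -> bool:
    """True if a CRL carrying `idp` may be used to check the certificate.

    - IDP without distributionPoint: the CRL is a full CRL and covers anything.
    - Otherwise the certificate (cert_cdps is None when it has no CDP
      extension) must name the same distribution point in one of its CDPs,
      or be admitted by allow_no_cdp (the proposed 4.2.1.14 wording).
    """
    if idp.distribution_point is None:
        return True
    idp_names = resolve_names(idp.distribution_point, crl_issuer_dn)
    if cert_cdps is None:
        return allow_no_cdp
    for cdp in cert_cdps:
        if cdp.distribution_point is None:
            continue
        # A relative name in the certificate is relative to cRLIssuer when that
        # field holds a DN, otherwise to the certificate issuer.
        issuer_dns = [v for t, v in cdp.crl_issuer if t == "dn"]
        base = issuer_dns[0] if issuer_dns else cert_issuer_dn
        if idp_names & resolve_names(cdp.distribution_point, base):
            return True
    return False


def partition_violations(idp: IssuingDistributionPoint, crl_issuer_dn: DN,
                         listed: Sequence[Tuple[str, Optional[Sequence[CRLDistributionPoint]], DN]]
                         ) -> List[str]:
    """Labels of certificates listed in a partial CRL that, under the rule
    above, should not be there (the SHOULD in the proposed 5.2.5 text)."""
    return [label for label, cdps, issuer in listed
            if not crl_covers_certificate(idp, crl_issuer_dn, cdps, issuer)]


# Constructed sample data (not from the message or any real CA).
CA_DN: DN = ((("C", "XX"),), (("O", "Example CA"),))
URI1 = "http://crl.example.test/partition1.crl"
URI2 = "http://crl.example.test/partition2.crl"
CRL1_RDN: RDN = (("CN", "CRL1"),)

IDP_PART1 = IssuingDistributionPoint(DistributionPointName(full_name=[("uri", URI1)]))
IDP_RDN = IssuingDistributionPoint(DistributionPointName(relative_name=CRL1_RDN))
IDP_FULL = IssuingDistributionPoint()                      # no DP: full CRL

CERT_A_CDPS = [CRLDistributionPoint(DistributionPointName(full_name=[("uri", URI1)]))]
CERT_B_CDPS = [CRLDistributionPoint(DistributionPointName(full_name=[("uri", URI2)]))]
CERT_C_CDPS = [CRLDistributionPoint(DistributionPointName(relative_name=CRL1_RDN))]
CERT_D_CDPS = [CRLDistributionPoint(DistributionPointName(full_name=[("dn", CA_DN + (CRL1_RDN,))]))]
SAMPLE_CERTS = [("cert-A", CERT_A_CDPS, CA_DN), ("cert-B", CERT_B_CDPS, CA_DN),
                ("cert-C", CERT_C_CDPS, CA_DN), ("cert-E", None, CA_DN)]

if __name__ == "__main__":
    print("partition1 CRL covers cert-A:", crl_covers_certificate(IDP_PART1, CA_DN, CERT_A_CDPS, CA_DN))
    print("partition1 CRL covers cert-B:", crl_covers_certificate(IDP_PART1, CA_DN, CERT_B_CDPS, CA_DN))
    print("RDN-named CRL covers cert-D:", crl_covers_certificate(IDP_RDN, CA_DN, CERT_D_CDPS, CA_DN))
    print("entries that do not belong in partition1:", partition_violations(IDP_PART1, CA_DN, SAMPLE_CERTS))
```

The relative-name branch is where the DN/RDN wording of the proposal matters: a certificate whose CDP says nameRelativeToCRLIssuer CN=CRL1 and one whose CDP spells out the full DN C=XX, O=Example CA, CN=CRL1 are both matched by the same RDN-named IDP, because both resolve to the same distribution point name once the base DN is applied.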