
RE: Possible clarification to RFC 2459



I agree with what Tom wants - would like to be able to
distinguish whether a CRL is a full or a partial CRL. Can we
add the following paragraph to section 5.2.5:

A full CRL from/for a CA MUST NOT contain the
issuingDistributionPoint extension, unless it is an indirect CRL,
in which case, it MAY contain the issuingDistributionPoint
extension with only the indirectCRL field set to true.

Would this work for most people? Any objections?
Ambarish
 

---------------------------------------------------------------------
Ambarish Malpani
Architect					         650.567.5457
ValiCert, Inc.				        ambarish@valicert.com
1215 Terra Bella Ave.		              http://www.valicert.com
Mountain View, CA 94043-1833


> -----Original Message-----
> From: owner-ietf-pkix@imc.org [mailto:owner-ietf-pkix@imc.org]On Behalf Of tgindin@us.ibm.com
> Sent: Monday, June 07, 1999 8:25 AM
> To: Ambarish Malpani; ietf-pkix@imc.org
> Subject: Possible clarification to RFC 2459
> 
> 
>      The current definition of Issuing Distribution Point leaves it
> relatively unclear whether the presence of the "DistributionPoint"
> field within this extension indicates that the CRL at that
> distribution point is a partial CRL.  I would like to suggest that the
> following text be added to RFC 2459 section 5.2.5:
>
>      Where the issuingDistributionPoint extension contains either a DN
> or an RDN, the distribution point SHOULD contain only certificates
> which contain a CRL Distribution Point extension one of whose
> DistributionPoint's contains the same value in the "distributionPoint"
> field.
>
>      To make it clear that CRL Distribution Points support partitioning
> even for URLs, the following existing text in section 4.2.1.14 could
> be modified as follows:
> [Old]     the URI is a pointer to the current CRL for the associated
> reasons and will be issued by the associated cRLIssuer.
> [New]     the URI is a pointer to a current CRL for the associated
> reasons for those certificates and will be issued by the associated
> cRLIssuer.  The CRL so referenced SHOULD contain only certificates
> whose CRL Distribution Point extension contains this URI and
> certificates not containing any CRL Distribution Point extension.
> 
>           Tom Gindin
> 
> 
> 
>
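
Added example, not part of either message and not code from the RFC or its authors: the full/partial test Ambarish proposes for section 5.2.5, applied to the DER value of the issuingDistributionPoint extension. The context tag numbers follow the IssuingDistributionPoint definition in RFC 2459; the function names, the return labels and the sample byte strings are assumptions made for this example.

```python
# Context tag number -> field name (IssuingDistributionPoint, RFC 2459 5.2.5).
IDP_FIELDS = {0: "distributionPoint", 1: "onlyContainsUserCerts",
              2: "onlyContainsCACerts", 3: "onlySomeReasons", 4: "indirectCRL"}
BOOLEAN_FIELDS = {1, 2, 4}

# Constructed samples (not taken from any real CRL).
SAMPLE_INDIRECT_ONLY = bytes.fromhex("30038401ff")    # indirectCRL TRUE
SAMPLE_USER_CERTS = bytes.fromhex("30038101ff")       # onlyContainsUserCerts TRUE


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def idp_fields_set(idp_der):
    """Names of IDP fields that are present and, for BOOLEANs, not FALSE."""
    tag, body, end = read_tlv(idp_der, 0)
    if tag != 0x30 or end != len(idp_der):
        raise ValueError("expected exactly one SEQUENCE")
    found, pos = set(), 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        number = tag & 0x1F
        if tag & 0xC0 != 0x80 or number not in IDP_FIELDS:
            raise ValueError("unexpected element in issuingDistributionPoint")
        if number in BOOLEAN_FIELDS and value == b"\x00":
            continue  # explicit FALSE equals the DEFAULT, so the field is not set
        found.add(IDP_FIELDS[number])
    return found


def classify_crl(idp_der):
    """Apply the proposed rule; idp_der is None when the extension is absent."""
    if idp_der is None:
        return "full"
    if idp_fields_set(idp_der) == {"indirectCRL"}:
        return "full-indirect"
    return "partial"  # any other IDP content rules out a full CRL
```

A relying party that needs complete revocation coverage for a CA would accept only the first two results and keep fetching when it sees "partial".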