
RE: Problem with RFC 2459?



Hi Russ,
    Here is a potential model a CA could assume, comply with
the spec and still produce partial CRLs without any of the
issuingDistributionPoint flags set:

If the CA partitions CRLs based on the serial number of the
certificate (say serialNumber %13). Now, the CA has 13 partial
CRLs, with onlyContainsUserCerts and onlyContainsCACerts set
to false and onlySomeReasons not set. How can an application
distinguish any of these 13 CRLs from a full CRL?

Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Architect					         650.567.5457
ValiCert, Inc.				        ambarish@valicert.com
1215 Terra Bella Ave.		              http://www.valicert.com
Mountain View, CA 94043-1833


> -----Original Message-----
> From: Russ Housley [mailto:housley@spyrus.com]
> Sent: Friday, June 04, 1999 3:02 PM
> To: Ambarish Malpani
> Cc: ietf-pkix@imc.org
> Subject: Re: Problem with RFC 2459?
> 
> 
> Ambarish:
> 
> The IDP has the following syntax:
> 
>    issuingDistributionPoint ::= SEQUENCE {
>         distributionPoint       [0] DistributionPointName OPTIONAL,
>         onlyContainsUserCerts   [1] BOOLEAN DEFAULT FALSE,
>         onlyContainsCACerts     [2] BOOLEAN DEFAULT FALSE,
>         onlySomeReasons         [3] ReasonFlags OPTIONAL,
>         indirectCRL             [4] BOOLEAN DEFAULT FALSE }
> 
> If indirectCRL is false (the default case), then X.509-1993 says the
> following three things that taken together answer your question:
> 
> 1.  If onlyContainsUserCerts is true, the CRL only contains revocations for
> end-entity certificates.
> 
> 2.  If onlyContainsCACerts is true, the CRL only contains revocations for
> CA-certificates.
> 
> 3.  If onlySomeReasons is present, the CRL only contains revocations for
> the identified reason or reasons, otherwise the CRL contains revocations
> for all reasons.
> 
> Thus, if the onlyContainsUserCerts is false AND onlyContainsCACerts is
> false AND onlySomeReasons is absent AND indirectCRL is false, then the CRL
> is complete.
> 
> Russ
> 
> 
> At 11:48 AM 6/3/99 -0700, Ambarish Malpani wrote:
> >
> >Hi Folks,
> >    Have a quick question about RFC 2459 and CRLDPs.
> >
> >If a CA issues both full CRLs and CRLDPs (which are partitioned
> >based on the serial number of the cert), how can an application
> >figure out whether it has the full CRL or a DP?
> >
> >I know a DP (if it is not the full CRL), must contain the Issuing
> >Distribution Point (IDP) extension. However, I believe most CAs
> >are putting the IDP extension within their full CRLs also. So,
> >is there any way for an application to figure out whether it has
> >the full CRL or just a DP?
> >
> >Regards,
> >Ambarish
> >
> >
> >---------------------------------------------------------------------
> >Ambarish Malpani
> >Architect					         650.567.5457
> >ValiCert, Inc.				        ambarish@valicert.com
> >1215 Terra Bella Ave.		              http://www.valicert.com
> >Mountain View, CA 94043-1833
> >
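Russ's completeness rule applied to a decoded issuingDistributionPoint, run against the kind of IDP a serial-number-partitioned CRL would carry as Ambarish describes; this is an added example, not code from the thread or from either poster. The minimal DER walker, the example URI and the sample encodings are all constructed for this illustration.

```python
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

_BOOL_FIELDS = {1: "onlyContainsUserCerts", 2: "onlyContainsCACerts", 4: "indirectCRL"}

def parse_idp(der):
    """Decode an issuingDistributionPoint SEQUENCE, applying the DEFAULT FALSE values."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("IDP must be a SEQUENCE")
    idp = {"distributionPoint": None, "onlyContainsUserCerts": False,
           "onlyContainsCACerts": False, "onlySomeReasons": None, "indirectCRL": False}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        number = tag & 0x1F                            # context-specific tag [n]
        if number == 0:
            idp["distributionPoint"] = value           # raw DistributionPointName
        elif number in _BOOL_FIELDS:
            idp[_BOOL_FIELDS[number]] = value != b"\x00"
        elif number == 3:
            idp["onlySomeReasons"] = value             # ReasonFlags BIT STRING
        else:
            raise ValueError(f"unexpected tag {tag:#x} in IDP")
    return idp

def looks_complete(idp):
    """The rule quoted from Russ: no scoping flag set and not indirect => 'complete'."""
    return (not idp["onlyContainsUserCerts"] and not idp["onlyContainsCACerts"]
            and idp["onlySomeReasons"] is None and not idp["indirectCRL"])

# Constructed sample: IDP naming only a distributionPoint URI, the shape a CA
# partitioning by serialNumber % 13 would put in each of its 13 partial CRLs.
_URI = b"http://crl.example.test/partition-7.crl"
_GENERAL_NAME = bytes([0x86, len(_URI)]) + _URI                  # [6] uniformResourceIdentifier
_FULL_NAME = bytes([0xA0, len(_GENERAL_NAME)]) + _GENERAL_NAME   # [0] fullName GeneralNames
_DP = bytes([0xA0, len(_FULL_NAME)]) + _FULL_NAME                # [0] distributionPoint
PARTITIONED_IDP = bytes([0x30, len(_DP)]) + _DP

# Constructed sample: same URI plus onlyContainsUserCerts TRUE ([1] BOOLEAN 0xFF).
_USER_ONLY = _DP + bytes([0x81, 0x01, 0xFF])
USER_CERTS_IDP = bytes([0x30, len(_USER_ONLY)]) + _USER_ONLY
```

`looks_complete(parse_idp(PARTITIONED_IDP))` returns True even though the CRL covers only one of 13 serial-number partitions, while the onlyContainsUserCerts variant is correctly reported as partial; the flags alone cannot tell a serial-partitioned CRL from a full one, which is the gap Ambarish raises.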