RE: Possible clarification to RFC 2459
OK, on first thought this sounds like a reasonable way to specify a full CRL.
Basically, what you are saying is that if a cert using application gets a
cert which contains a CDP pointing to a particular partition, but for some
reason this application only has a CRL which does not contain an IDP, then
they can be confident that they can verify the status of the cert based on
this CRL.
Right?
Alex
> -----Original Message-----
> From: Ambarish Malpani [mailto:ambarish@valicert.com]
> Sent: Monday, June 07, 1999 3:06 PM
> To: tgindin@us.ibm.com; ietf-pkix@imc.org
> Subject: RE: Possible clarification to RFC 2459
>
>
>
> I agree with what Tom wants - would like to be able to
> distinguish whether a CRL is a full or a partial CRL. Can we
> add the following paragraph to section 5.2.5:
>
> A full CRL from/for a CA MUST NOT contain the
> issuingDistributionPoint extension, unless it is an indirect CRL,
> in which case, it MAY contain the issuingDistributionPoint
> extension with only the indirectCRL field set to true.
>
> Would this work for most people? Any objections?
> Ambarish
>
>
> ---------------------------------------------------------------------
> Ambarish Malpani
> Architect 650.567.5457
> ValiCert, Inc.
> ambarish@valicert.com
> 1215 Terra Bella Ave. http://www.valicert.com
> Mountain View, CA 94043-1833
>
>
> > -----Original Message-----
> > From: owner-ietf-pkix@imc.org
> > [mailto:owner-ietf-pkix@imc.org]On Behalf
> > Of tgindin@us.ibm.com
> > Sent: Monday, June 07, 1999 8:25 AM
> > To: Ambarish Malpani; ietf-pkix@imc.org
> > Subject: Possible clarification to RFC 2459
> >
> >
> > The current definition of Issuing Distribution Point leaves it relatively
> > unclear whether the presence of the "DistributionPoint" field within this
> > extension indicates that the CRL at that distribution point is a partial CRL.
> > I would like to suggest that the following text be added to RFC 2459
> > section 5.2.5:
> >
> > Where the issuingDistributionPoint extension contains either a DN or an
> > RDN, the distribution point SHOULD contain only certificates which contain
> > a CRL Distribution Point extension one of whose DistributionPoints contains
> > the same value in the "distributionPoint" field.
> >
> > To make it clear that CRL Distribution Points support partitioning even
> > for URLs, the following existing text in section 4.2.1.14 could be
> > modified as follows:
> > [Old] the URI is a pointer to the current CRL for the associated reasons
> > and will be issued by the associated cRLIssuer.
> > [New] the URI is a pointer to a current CRL for the associated reasons for
> > those certificates and will be issued by the associated cRLIssuer. The CRL
> > so referenced SHOULD contain only certificates whose CRL Distribution Point
> > extension contains this URI and certificates not containing any CRL
> > Distribution Point extension.
> >
> > Tom Gindin
> >
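The scope question Alex raises above, together with the two proposed rules (Ambarish's: a CRL without an IDP, or with an IDP carrying only indirectCRL, is a full CRL; Tom's: an IDP naming a distribution point covers only certificates whose CRL Distribution Point extension lists the same value), expressed as a relying-party check. This is an added example written by the editor, not code from the thread or from RFC 2459. It models the two extensions as plain Python structures instead of parsing DER, keeps only the fields the thread discusses, and the class and function names (`Cdp`, `Idp`, `Crl`, `Cert`, `crl_scope`, `crl_covers_cert`, `check_status`), the CA name and the CRL URLs are all constructed for illustration. A certificate with no CDP extension is, in this model, checked only against a full CRL from its issuer; that is an assumption, not a rule from the thread.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet


@dataclass(frozen=True)
class Cdp:
    """One DistributionPoint from a certificate's CRL Distribution Points
    extension (RFC 2459 section 4.2.1.14). distribution_point is a DN, RDN or
    URI kept as a string; crl_issuer is set only when an indirect CRL is used."""
    distribution_point: Optional[str] = None
    crl_issuer: Optional[str] = None


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    cdps: Tuple[Cdp, ...] = ()  # empty tuple: extension absent


@dataclass(frozen=True)
class Idp:
    """issuingDistributionPoint extension of a CRL (RFC 2459 section 5.2.5).
    Only the fields discussed in the thread are modelled (editor's assumption)."""
    distribution_point: Optional[str] = None
    indirect_crl: bool = False


@dataclass(frozen=True)
class Crl:
    issuer: str
    idp: Optional[Idp] = None  # None: extension absent
    revoked_serials: FrozenSet[int] = frozenset()


def crl_scope(crl: Crl) -> str:
    """Full vs partial, following Ambarish's proposed rule: no IDP means a full
    CRL; an IDP with only indirectCRL set is still a full CRL; an IDP that
    names a distribution point marks a partition."""
    if crl.idp is None or crl.idp.distribution_point is None:
        return "full"
    return "partial"


def crl_covers_cert(crl: Crl, cert: Cert) -> bool:
    """True if cert's status can be determined from this CRL."""
    indirect = crl.idp is not None and crl.idp.indirect_crl
    if indirect:
        # An indirect CRL applies only if one of the cert's DPs names its issuer.
        if not any(d.crl_issuer == crl.issuer for d in cert.cdps):
            return False
    elif crl.issuer != cert.issuer:
        return False
    if crl_scope(crl) == "full":
        # Alex's case: the cert may point at a partition, but a full CRL from
        # the right issuer still answers the question.
        return True
    # Partial CRL: usable only when one of the cert's DPs carries the same
    # distributionPoint value as the CRL's IDP (Tom's proposed rule).
    return any(d.distribution_point == crl.idp.distribution_point for d in cert.cdps)


def check_status(crl: Crl, cert: Cert) -> str:
    """'revoked', 'good', or 'unknown' when the CRL is out of scope for cert."""
    if not crl_covers_cert(crl, cert):
        return "unknown"
    return "revoked" if cert.serial in crl.revoked_serials else "good"


# Constructed sample data (not from the thread): one CA with two partitions.
P1 = "http://crl.example.test/part1.crl"
P2 = "http://crl.example.test/part2.crl"
CA = "CN=Example CA"
FULL_CRL = Crl(issuer=CA, revoked_serials=frozenset({7}))
P1_CRL = Crl(issuer=CA, idp=Idp(distribution_point=P1), revoked_serials=frozenset({7}))
CERT_7 = Cert(issuer=CA, serial=7, cdps=(Cdp(distribution_point=P1),))
CERT_8 = Cert(issuer=CA, serial=8, cdps=(Cdp(distribution_point=P2),))

if __name__ == "__main__":
    for crl_name, crl in (("full", FULL_CRL), ("partition-1", P1_CRL)):
        for cert in (CERT_7, CERT_8):
            print(crl_name, crl_scope(crl), cert.serial, check_status(crl, cert))
```

Running the block shows the distinction the thread is after: the full CRL answers for both certificates, while the partition-1 CRL answers for the certificate that points at partition 1 and returns "unknown" for the one pointing at partition 2, so the application must go and fetch that partition instead of trusting a CRL that may simply not list the serial.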