
RE: Possible clarification to RFC 2459



Right on! (assuming that the CRL is currently valid, issued by
the right CA, has the right signature....)

Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Architect					         650.567.5457
ValiCert, Inc.				        ambarish@valicert.com
1215 Terra Bella Ave.		              http://www.valicert.com
Mountain View, CA 94043-1833


> -----Original Message-----
> From: Alex Deacon [mailto:alex@verisign.com]
> Sent: Monday, June 07, 1999 8:07 PM
> To: 'Ambarish Malpani'; tgindin@us.ibm.com; ietf-pkix@imc.org
> Subject: RE: Possible clarification to RFC 2459
> 
> 
> 
> OK, on first thought this sounds like a reasonable way to specify a
> full CRL. Basically, what you are saying is that if a cert-using
> application gets a cert which contains a CDP pointing to a particular
> partition, but for some reason this application only has a CRL which
> does not contain an IDP, then they can be confident that they can
> verify the status of the cert based on this CRL.
> 
> Right?
> 
> Alex
> 
> > -----Original Message-----
> > From: Ambarish Malpani [mailto:ambarish@valicert.com]
> > Sent: Monday, June 07, 1999 3:06 PM
> > To: tgindin@us.ibm.com; ietf-pkix@imc.org
> > Subject: RE: Possible clarification to RFC 2459
> > 
> > 
> > 
> > I agree with what Tom wants - would like to be able to
> > distinguish whether a CRL is a full or a partial CRL. Can we
> > add the following paragraph to section 5.2.5:
> > 
> > A full CRL from/for a CA MUST NOT contain the
> > issuingDistributionPoint extension, unless it is an indirect CRL,
> > in which case, it MAY contain the issuingDistributionPoint
> > extension with only the indirectCRL field set to true.
> > 
> > Would this work for most people? Any objections?
> > Ambarish
> >  
> > 
> > 
> > ---------------------------------------------------------------------
> > Ambarish Malpani
> > Architect					         650.567.5457
> > ValiCert, Inc.				        ambarish@valicert.com
> > 1215 Terra Bella Ave.		              http://www.valicert.com
> > Mountain View, CA 94043-1833
> 
> 
> > -----Original Message-----
> > From: owner-ietf-pkix@imc.org [mailto:owner-ietf-pkix@imc.org] On Behalf
> > Of tgindin@us.ibm.com
> > Sent: Monday, June 07, 1999 8:25 AM
> > To: Ambarish Malpani; ietf-pkix@imc.org
> > Subject: Possible clarification to RFC 2459
> > 
> > 
> >      The current definition of Issuing Distribution Point leaves it
> > relatively unclear whether the presence of the "DistributionPoint"
> > field within this extension indicates that the CRL at that
> > distribution point is a partial CRL.  I would like to suggest that
> > the following text be added to RFC 2459 section 5.2.5:
> > 
> >      Where the issuingDistributionPoint extension contains either a
> > DN or an RDN, the distribution point SHOULD contain only certificates
> > which contain a CRL Distribution Point extension one of whose
> > DistributionPoints contains the same value in the "distributionPoint"
> > field.
> > 
> >      To make it clear that CRL Distribution Points support
> > partitioning even for URLs, the following existing text in section
> > 4.2.1.14 could be modified as follows:
> > [Old]     the URI is a pointer to the current CRL for the associated
> > reasons and will be issued by the associated cRLIssuer.
> > [New]     the URI is a pointer to a current CRL for the associated
> > reasons for those certificates and will be issued by the associated
> > cRLIssuer.  The CRL so referenced SHOULD contain only certificates
> > whose CRL Distribution Point extension contains this URI and
> > certificates not containing any CRL Distribution Point extension.
> > 
> >           Tom Gindin
> > 
> > 
> > 
> > 
>
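As an added example (not from this thread, nor from RFC 2459 itself), here is the scope check the messages above are circling: a full CRL (no issuingDistributionPoint, or one carrying only indirectCRL) covers every certificate of its issuer regardless of the cert's CDP, while a partitioned CRL covers a cert only when one of its CDPs names the same distribution point. The dataclasses, field names and sample names are constructed stand-ins for the parsed X.509 extensions, and signature, validity window and trust in the CRL issuer are left to the caller, as Ambarish notes.

```python
# Added example, not from the thread: does a CRL's scope cover a certificate
# under the full/partitioned CRL rule discussed above? Constructed stand-ins.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DistributionPoint:
    """One entry of a certificate's cRLDistributionPoints extension."""
    name: Optional[str]               # distributionPoint (DN, RDN or URI)
    crl_issuer: Optional[str] = None  # cRLIssuer, if different from cert issuer


@dataclass
class Certificate:
    issuer: str
    cdps: List[DistributionPoint] = field(default_factory=list)


@dataclass
class CRL:
    issuer: str
    has_idp: bool = False             # issuingDistributionPoint present?
    idp_name: Optional[str] = None    # its distributionPoint field, if any
    indirect_crl: bool = False        # its indirectCRL flag


def is_full_crl(crl: CRL) -> bool:
    """Ambarish's proposed 5.2.5 rule: a full CRL carries no IDP, or an IDP
    with only indirectCRL set to true."""
    return not crl.has_idp or (crl.indirect_crl and crl.idp_name is None)


def crl_covers_cert(cert: Certificate, crl: CRL) -> bool:
    """Scope check only: signature, validity window and trust in the CRL
    issuer must be verified separately, as the thread notes."""
    if is_full_crl(crl):
        if crl.issuer == cert.issuer:
            return True              # Alex's case: full CRL, CDP is irrelevant
        # An indirect full CRL covers the cert only if a CDP names its issuer.
        return crl.indirect_crl and any(dp.crl_issuer == crl.issuer for dp in cert.cdps)
    # Partitioned CRL: a CDP must carry the same distributionPoint value
    # (Tom's proposed text) and the CRL must come from that DP's issuer.
    for dp in cert.cdps:
        dp_issuer = dp.crl_issuer or cert.issuer
        if dp.name == crl.idp_name and dp_issuer == crl.issuer:
            # A cRLIssuer other than the cert issuer requires indirectCRL.
            if dp_issuer == cert.issuer or crl.indirect_crl:
                return True
    return False
```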