
RE: Possible clarification to RFC 2459



Alex, Ambarish,Russ,

Something to take into account here is that some CAs may use the IDP for 
full CRLs in order to distinguish them from ARLs. I see this as a 
requirement for CAs posting to directories, in which case the CRL and ARL go 
into the same location and, without this extension, are indistinguishable.

This makes the criteria somewhat muddier, as a partial CRL is then 
defined as one which has an IDP containing a DP that is not the same as the 
default location for the issuing CA. That is, the only way to tell if this 
is a partial CRL is that it has something in the IDP to say it was issued 
to somewhere different from the default location.

You could argue that splitting a CRL between a CRL/ARL is effectively 
partitioning; however, in most cases the question you want answered is 
"Should this CRL contain this end user certificate if it is revoked?" and 
this criterion won't help.

Now if CDPs were being used just to allow full CRLs to be published to a 
URI or some other type of location (i.e. a full CRL published to a URI), then 
you have no way to tell at all.

Tom Biskupic

On Tuesday, June 08, 1999 4:07 AM, Alex Deacon [SMTP:alex@verisign.com] 
wrote:
>
> OK, on first thought this sounds like a reasonable way to specify a full CRL.
> Basically, what you are saying is that if a cert-using application gets a
> cert which contains a CDP pointing to a particular partition, but for some
> reason this application only has a CRL which does not contain an IDP, then
> they can be confident that they can verify the status of the cert based on
> this CRL.
>
> Right?
>
> Alex
>
> > -----Original Message-----
> > From: Ambarish Malpani [mailto:ambarish@valicert.com]
> > Sent: Monday, June 07, 1999 3:06 PM
> > To: tgindin@us.ibm.com; ietf-pkix@imc.org
> > Subject: RE: Possible clarification to RFC 2459
> >
> >
> >
> > I agree with what Tom wants - would like to be able to
> > distinguish whether a CRL is a full or a partial CRL. Can we
> > add the following paragraph to section 5.2.5:
> >
> > A full CRL from/for a CA MUST NOT contain the
> > issuingDistributionPoint extension, unless it is an indirect CRL,
> > in which case, it MAY contain the issuingDistributionPoint
> > extension with only the indirectCRL field set to true.
> >
> > Would this work for most people? Any objections?
> > Ambarish
> >
> >
> > ---------------------------------------------------------------------
> > Ambarish Malpani
> > Architect                                              650.567.5457
> > ValiCert, Inc.
> > ambarish@valicert.com
> > 1215 Terra Bella Ave.                          http://www.valicert.com
> > Mountain View, CA 94043-1833
> >
> >
> > > -----Original Message-----
> > > From: owner-ietf-pkix@imc.org
> > > [mailto:owner-ietf-pkix@imc.org]On Behalf
> > > Of tgindin@us.ibm.com
> > > Sent: Monday, June 07, 1999 8:25 AM
> > > To: Ambarish Malpani; ietf-pkix@imc.org
> > > Subject: Possible clarification to RFC 2459
> > >
> > >
> > >      The current definition of Issuing Distribution Point leaves it
> > > relatively unclear whether the presence of the "DistributionPoint" field
> > > within this extension indicates that the CRL at that distribution point
> > > is a partial CRL.  I would like to suggest that the following text be
> > > added to RFC 2459 section 5.2.5:
> > >
> > >      Where the issuingDistributionPoint extension contains either a DN
> > > or an RDN, the distribution point SHOULD contain only certificates which
> > > contain a CRL Distribution Point extension one of whose DistributionPoints
> > > contains the same value in the "distributionPoint" field.
> > >
> > >      To make it clear that CRL Distribution Points support partitioning
> > > even for URLs, the following existing text in section 4.2.1.14 could be
> > > modified as follows:
> > > [Old]     the URI is a pointer to the current CRL for the associated
> > > reasons and will be issued by the associated cRLIssuer.
> > > [New]     the URI is a pointer to a current CRL for the associated
> > > reasons for those certificates and will be issued by the associated
> > > cRLIssuer.  The CRL so referenced SHOULD contain only certificates whose
> > > CRL Distribution Point extension contains this URI and certificates not
> > > containing any CRL Distribution Point extension.
> > >
> > >           Tom Gindin
> > >
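The scope rules argued over in this thread, as an added worked example that is not part of the original messages or of RFC 2459 itself: a small Python model of a certificate's cRLDistributionPoints and a CRL's issuingDistributionPoint (the RFC 2459 section 5.2.5 fields distributionPoint, onlyContainsUserCerts, onlyContainsCACerts and indirectCRL), with one function for Ambarish's proposed "full CRL" test, one for Tom Gindin's "partial CRL" reading, and one answering Tom Biskupic's question of whether a given CRL would list a given certificate at all. Names are compared as plain strings rather than as X.500 names or URIs, the CA, CRL-issuer and distribution-point names are constructed for the example, and the example deliberately includes the CRL/ARL split Tom Biskupic describes, which is neither "full" under the proposed rule nor "partial" under Gindin's.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DistributionPoint:
    """One DistributionPoint from a certificate's cRLDistributionPoints extension.
    `name` is the distributionPoint field rendered as a string (assumption: exact
    string equality stands in for X.500 name / URI matching)."""
    name: Optional[str] = None
    crl_issuer: Optional[str] = None   # cRLIssuer; None means the certificate issuer


@dataclass
class Certificate:
    issuer: str
    is_ca: bool
    cdps: List[DistributionPoint] = field(default_factory=list)


@dataclass
class IssuingDistributionPoint:
    """The issuingDistributionPoint CRL extension (RFC 2459 section 5.2.5)."""
    distribution_point: Optional[str] = None
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False
    indirect_crl: bool = False


@dataclass
class CRL:
    issuer: str
    idp: Optional[IssuingDistributionPoint] = None


def is_full_crl(crl: CRL) -> bool:
    """Ambarish's proposed rule: a full CRL carries no IDP, or an IDP in which
    only the indirectCRL field is set."""
    idp = crl.idp
    if idp is None:
        return True
    return (idp.indirect_crl
            and idp.distribution_point is None
            and not idp.only_contains_user_certs
            and not idp.only_contains_ca_certs)


def is_partitioned_crl(crl: CRL) -> bool:
    """Tom Gindin's reading: the CRL is partial (partitioned) exactly when its
    IDP names a distributionPoint."""
    return crl.idp is not None and crl.idp.distribution_point is not None


def crl_covers(cert: Certificate, crl: CRL) -> bool:
    """Would this CRL list `cert` if it were revoked?  (Tom Biskupic's question.)"""
    idp = crl.idp
    if idp is None:
        # No IDP: a full CRL for its issuer, covering everything that issuer signed.
        return crl.issuer == cert.issuer
    if idp.only_contains_user_certs and cert.is_ca:
        return False          # the end-entity CRL split off from an ARL never lists CA certs
    if idp.only_contains_ca_certs and not cert.is_ca:
        return False          # an ARL never lists end-entity certs
    if idp.indirect_crl:
        # Indirect CRL: unless the CRL issuer is the certificate issuer, the
        # certificate must name crl.issuer as cRLIssuer in one of its CDPs.
        if crl.issuer != cert.issuer and not any(
                dp.crl_issuer == crl.issuer for dp in cert.cdps):
            return False
    elif crl.issuer != cert.issuer:
        return False          # direct CRL from a different CA says nothing about this cert
    if idp.distribution_point is not None:
        # Partitioned CRL: one of the certificate's CDPs must name the same DP.
        return any(dp.name == idp.distribution_point for dp in cert.cdps)
    return True


# Constructed sample data (not taken from the thread).
CA = "CN=Example CA"
CRL_ISSUER = "CN=Example CRL Issuer"
full_crl = CRL(issuer=CA)
arl = CRL(issuer=CA, idp=IssuingDistributionPoint(only_contains_ca_certs=True))
ee_crl = CRL(issuer=CA, idp=IssuingDistributionPoint(only_contains_user_certs=True))
crl1 = CRL(issuer=CA, idp=IssuingDistributionPoint(distribution_point="CN=CRL1," + CA))
indirect_crl = CRL(issuer=CRL_ISSUER, idp=IssuingDistributionPoint(indirect_crl=True))

ee_in_crl1 = Certificate(CA, False, [DistributionPoint(name="CN=CRL1," + CA)])
ee_in_crl2 = Certificate(CA, False, [DistributionPoint(name="CN=CRL2," + CA)])
ee_indirect = Certificate(CA, False, [DistributionPoint(crl_issuer=CRL_ISSUER)])
sub_ca = Certificate(CA, True)

if __name__ == "__main__":
    for label, crl in [("full", full_crl), ("ARL", arl), ("EE CRL", ee_crl),
                       ("CRL1", crl1), ("indirect", indirect_crl)]:
        print(f"{label:9} full={is_full_crl(crl)!s:5} partial={is_partitioned_crl(crl)!s:5} "
              f"covers ee_in_crl1={crl_covers(ee_in_crl1, crl)!s:5} "
              f"ee_in_crl2={crl_covers(ee_in_crl2, crl)!s:5} sub_ca={crl_covers(sub_ca, crl)}")
```

The CRL/ARL split is the case to look at: `ee_crl` fails `is_full_crl` under the proposed wording and also fails `is_partitioned_crl`, yet `crl_covers` shows it does list every end-entity certificate the CA issued, which is the property an application actually needs when it has no other CRL to hand.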