Re: Possible clarification to RFC 2459
Tom:
Your proposed text is too simple. Consider the Indirect CRL case. CA1
uses a CRL Distribution Point (CDP) extension to specify that CA2 will
issue CRLs for reason CA compromise. Also, CA3 uses a CRL Distribution
Point (CDP) extension to specify that CA2 will issue CRLs for reason key
compromise. So, CA3's CRL must include at least reason codes for CA
compromise and key compromise.
Russ
At 11:25 AM 6/7/99 -0400, tgindin@us.ibm.com wrote:
> The current definition of Issuing Distribution Point leaves it relatively
> unclear whether the presence of the "DistributionPoint" field within this
> extension indicates that the CRL at that distribution point is a partial
> CRL. I would like to suggest that the following text be added to RFC 2459
> section 5.2.5:
>
> Where the issuingDistributionPoint extension contains either a DN or an
> RDN, the distribution point SHOULD contain only certificates which contain a
> CRL Distribution Point extension one of whose DistributionPoints contains the
> same value in the "distributionPoint" field.
>
> To make it clear that CRL Distribution Points support partitioning even
> for URLs, the following existing text in section 4.2.1.14 could be
> modified as follows:
> [Old] the URI is a pointer to the current CRL for the associated reasons
> and will be issued by the associated cRLIssuer.
> [New] the URI is a pointer to a current CRL for the associated reasons for
> those certificates and will be issued by the associated cRLIssuer. The CRL so
> referenced SHOULD contain only certificates whose CRL Distribution Point
> extension contains this URI and certificates not containing any CRL
> Distribution Point extension.
>
> Tom Gindin
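The following is an added example, not code from the thread or from any RFC: a small Python model of the two rules under discussion, the partial-CRL matching rule Tom proposes for issuingDistributionPoint (the CRL's distributionPoint name must match the one in the certificate's CDP) and the indirect-CRL reason coverage Russ raises (when CA1 and CA3 each delegate a different reason code to a CRL issued by CA2, that CRL must carry the union of the delegated reasons). CA names, the certificate subjects and the URI are constructed for illustration; the helper names and the dataclass layout are my own, not an API of any library.

```python
# Added example, not from the thread: a model of the CDP / IDP matching
# rules being discussed.  CA names, subjects and the URI are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# ReasonFlags bit names from RFC 2459 section 4.2.1.14 (unused(0) omitted).
ALL_REASONS: FrozenSet[str] = frozenset({
    "keyCompromise", "cACompromise", "affiliationChanged", "superseded",
    "cessationOfOperation", "certificateHold",
})

@dataclass(frozen=True)
class DistributionPoint:
    """One DistributionPoint from a certificate's cRLDistributionPoints extension."""
    name: Optional[str]                    # distributionPoint (URI or DN); None if absent
    reasons: FrozenSet[str] = ALL_REASONS  # an absent reasons field means all reasons
    crl_issuer: Optional[str] = None       # cRLIssuer; set when another CA issues the CRL

@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    cdps: Tuple[DistributionPoint, ...] = ()

@dataclass(frozen=True)
class IssuingDistributionPoint:
    """issuingDistributionPoint CRL extension (RFC 2459 section 5.2.5)."""
    name: Optional[str]                                 # distributionPoint of the partition
    only_some_reasons: Optional[FrozenSet[str]] = None  # None means all reasons
    indirect_crl: bool = False

@dataclass(frozen=True)
class CRL:
    issuer: str
    idp: Optional[IssuingDistributionPoint] = None

def covered_reasons(cert: Certificate, dp: DistributionPoint, crl: CRL) -> FrozenSet[str]:
    """Reasons for which `crl` is an acceptable CRL for `cert` reached through `dp`.
    An empty set means the CRL must not be used for this certificate/DP pair."""
    # The CRL must come from the cRLIssuer named in the DP, else from the cert's issuer.
    if crl.issuer != (dp.crl_issuer or cert.issuer):
        return frozenset()
    # A CRL from an entity other than the cert issuer is indirect and must say so.
    if dp.crl_issuer is not None and dp.crl_issuer != cert.issuer:
        if crl.idp is None or not crl.idp.indirect_crl:
            return frozenset()
    crl_reasons = ALL_REASONS
    if crl.idp is not None:
        # A named IDP marks a partial CRL: usable only when the DP names match.
        if crl.idp.name is not None and crl.idp.name != dp.name:
            return frozenset()
        if crl.idp.only_some_reasons is not None:
            crl_reasons = crl.idp.only_some_reasons
    return dp.reasons & crl_reasons

def reasons_delegated(crl_issuer: str, dp_name: str, certs) -> FrozenSet[str]:
    """Union of the reasons that certificates from any CA delegate to the CRL at
    `dp_name` issued by `crl_issuer`: the minimum onlySomeReasons that CRL needs."""
    needed: FrozenSet[str] = frozenset()
    for cert in certs:
        for dp in cert.cdps:
            if dp.crl_issuer == crl_issuer and dp.name == dp_name:
                needed |= dp.reasons
    return needed

def uncovered(certs, crl: CRL) -> List[Tuple[str, str]]:
    """(subject, reason) pairs that point at this CRL's issuer but are not covered."""
    gaps = []
    for cert in certs:
        for dp in cert.cdps:
            if crl.issuer == (dp.crl_issuer or cert.issuer):
                for reason in sorted(dp.reasons - covered_reasons(cert, dp, crl)):
                    gaps.append((cert.subject, reason))
    return gaps

def may_appear_on(cert: Certificate, crl: CRL) -> bool:
    """Tom's proposed partitioning rule: a CRL whose IDP names a distribution point
    lists only certificates whose CDP carries that same name (the proposed
    4.2.1.14 text also admits certificates with no CDP extension at all)."""
    if crl.idp is None or crl.idp.name is None:
        return True
    if not cert.cdps:
        return True
    return any(dp.name == crl.idp.name for dp in cert.cdps)

# Constructed scenario: CA1 and CA3 each delegate one reason code to a CRL from CA2.
INDIRECT_DP = "http://crl.example.test/ca2-indirect.crl"   # constructed URI
CERT_FROM_CA1 = Certificate("ee-from-ca1", "CA1", (
    DistributionPoint(INDIRECT_DP, frozenset({"cACompromise"}), crl_issuer="CA2"),))
CERT_FROM_CA3 = Certificate("ee-from-ca3", "CA3", (
    DistributionPoint(INDIRECT_DP, frozenset({"keyCompromise"}), crl_issuer="CA2"),))
CERTS = (CERT_FROM_CA1, CERT_FROM_CA3)

# A CA2 CRL scoped to CA compromise only leaves the CA3 certificates uncovered...
NARROW_CRL = CRL("CA2", IssuingDistributionPoint(
    INDIRECT_DP, frozenset({"cACompromise"}), indirect_crl=True))
# ...while one whose onlySomeReasons is the union of the delegated reasons covers both.
FULL_CRL = CRL("CA2", IssuingDistributionPoint(
    INDIRECT_DP, reasons_delegated("CA2", INDIRECT_DP, CERTS), indirect_crl=True))

if __name__ == "__main__":
    print("reasons CA2's CRL must carry:", sorted(reasons_delegated("CA2", INDIRECT_DP, CERTS)))
    print("gaps with narrow CRL:", uncovered(CERTS, NARROW_CRL))
    print("gaps with full CRL:", uncovered(CERTS, FULL_CRL))
```

Running it prints the two delegated reasons, one gap for the narrow CRL (the CA3 certificate for keyCompromise) and no gap for the full one; a CA2 CRL that omits the indirectCRL flag is rejected outright for both certificates.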