
RE: Possible clarification to RFC 2459



> From: Tom Biskupic <tbiskupic@baltimore.ie>
> 
> Dave,
> 
> I was thinking of the case where you have a certificate without a CDP 
> extension and you have a cached CRL containing an IDP. Do I need to get 
> another CRL or should this certificate be contained in the one I have?

I believe Russ' analysis answered the question.  If the cached CRL is not
an ICRL, and it is not partitioned by user/CA/reasons, then the cert without
a CRLdp MUST be contained in the cached CRL.

In other words, the *only* way to do partitioning other than by
user/CA/reasons is by using CRLdp extensions in certificates.

I think it is already obvious, but would not disagree with the following
clarification:

  "A CRL containing an issuingDistributionPoint extension with the
  distributionPoint field present MUST be authoritative for all
  certificates* that do not contain a CRLDistributionPoints extension."
  
  *user certs, CA certs, or both, as specified in the IDP.



> I think the bottom line is you can only use the CRL if its DP matches your 
> certificate's (either explicitly through a CDP extension or implicitly). 
> Presence/absence of an IDP is not enough to determine this.
> 
> I'm really arguing against Ambarish's statement (and not so much the other 
> Tom's [TomG's] original comments) so I guess we are off-topic a bit:-
> 
> "A full CRL from/for a CA MUST NOT contain the
> issuingDistributionPoint extension, unless it is an indirect CRL,
> in which case, it MAY contain the issuingDistributionPoint
> extension with only the indirectCRL field set to true."


I disagree with this restriction, because it prevents the cached CRL
(which may have been pushed or manually configured) from containing
a pointer enabling its successor to be pulled.
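To make the scope rule argued above concrete, here is an added Python model (not code from the thread or from any PKI implementation) of the decision "is this cached CRL the complete revocation answer for this certificate". It assumes a simplified view of the certificate (CA flag, optional CDP name) and of the issuingDistributionPoint fields, with constructed sample names such as "ldap://crl1"; treating an indirect CRL and a reason-partitioned CRL as "not covered" is an assumption that keeps the model inside the thread's rule.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cert:
    """Fields of an end-entity or CA certificate relevant to CRL scope (simplified)."""
    is_ca: bool
    cdp: Optional[str] = None  # distributionPoint name from CRLDistributionPoints, None if absent


@dataclass
class IDP:
    """issuingDistributionPoint fields; a CRL without the extension is modelled as idp=None."""
    distribution_point: Optional[str] = None
    only_user_certs: bool = False
    only_ca_certs: bool = False
    only_some_reasons: bool = False
    indirect_crl: bool = False


def crl_is_authoritative(cert: Cert, idp: Optional[IDP]) -> bool:
    """True if a cached CRL carrying `idp` is the complete revocation answer for `cert`.

    Encodes the rule from the thread: a CRL that is not indirect and not partitioned
    by user/CA/reasons is authoritative for every cert lacking a CRLDistributionPoints
    extension; a cert that does carry a CDP is covered only when the names match.
    """
    if idp is None:
        return True  # full CRL from the CA: covers everything it issued
    if idp.indirect_crl:
        return False  # ICRL: outside the rule modelled here (assumption: not covered)
    if idp.only_some_reasons:
        return False  # partitioned by reason: not a complete answer for any cert (assumption)
    if idp.only_user_certs and cert.is_ca:
        return False  # partitioned by certificate type
    if idp.only_ca_certs and not cert.is_ca:
        return False
    if idp.distribution_point is None or cert.cdp is None:
        return True  # not DP-partitioned, or cert has no CDP (the proposed clarification)
    return cert.cdp == idp.distribution_point  # explicit CDP must match the CRL's DP


if __name__ == "__main__":
    # The case Tom asked about: no CDP in the cert, cached CRL with an IDP/distributionPoint.
    print(crl_is_authoritative(Cert(is_ca=False), IDP(distribution_point="ldap://crl1")))
```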