
RE: Possible clarification to RFC 2459

"David P. Kemp" <dpkemp@missi.ncsc.mil> on 06/09/99 10:31:27 AM

Please respond to "David P. Kemp" <dpkemp@missi.ncsc.mil>

To:   ietf-pkix@imc.org
cc:    (bcc: Tom Gindin/Watson/IBM)
Subject:  RE: Possible clarification to RFC 2459

> From: Tom Biskupic <tbiskupic@baltimore.ie>
>
> Dave,
>
> I was thinking of the case where you have a certificate without a CDP
> extension and you have a cached CRL containing an IDP. Do I need to get
> another CRL or should this certificate be contained in the one I have?

I believe Russ' analysis answered the question.  If the cached CRL is not
an ICRL, and it is not partitioned by user/CA/reasons, then the cert without
a CRLdp MUST be contained in the cached CRL.

In other words, the *only* way to do partitioning other than by
user/CA/reasons is by using CRLdp extensions in certificates.

I think it is already obvious, but would not disagree with the following
clarification:

  "A CRL containing an issuingDistributionPoint extension with the
  distributionPoint field present MUST be authoritative for all
  certificates* that do not contain a CRLDistributionPoints extension."

  *user certs, CA certs, or both, as specified in the IDP.

[Tom Gindin]   Should that really be "with the distributionPoint field present"
or "without the distributionPoint field present"?  It would seem to be true when
the distributionPoint field is absent.  I would say that "A CRL containing an
issuingDistributionPoint extension with the distributionPoint field containing
a DN MUST be authoritative for all certificates that contain that value of the
field in their CRLDistributionPoints extension", and also that "A CRL
containing an issuingDistributionPoint extension without the distributionPoint
field present MUST be authoritative for all certificates* that do not contain a
CRLDistributionPoints extension."  What isn't obvious, I suppose, is whether
CRLs at named distribution points (with a DN name, as there are specifics about
DPs with URI names) cover certificates without distribution points.

> I think the bottom line is you can only use the CRL if its DP matches your
> certificate's (either explicitly through a CDP extension or implicitly).
> Presence/absence of an IDP is not enough to determine this.
>
> I'm really arguing against Ambarish's statement (and not so much the other
> Tom's [TomG's] original comments) so I guess we are off-topic a bit:-
>
> "A full CRL from/for a CA MUST NOT contain the
> issuingDistributionPoint extension, unless it is an indirect CRL,
> in which case, it MAY contain the issuingDistributionPoint
> extension with only the indirectCRL field set to true."

I disagree with this restriction, because it prevents the cached CRL
(which may have been pushed or manually configured) from containing
a pointer enabling its successor to be pulled.
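The scope rule the thread is arguing over, written out as an added example (not code from any of the posters or from RFC 2459): a cached CRL is used for a certificate only when its DP matches the certificate's, explicitly via the CDP extension or implicitly when the certificate has no CDP and the CRL is neither an ICRL nor partitioned by user/CA/reasons. The field names below are illustrative Python, not ASN.1, and the CDP-less case follows Dave Kemp's reading, which is exactly the point Tom Gindin leaves open.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the fields discussed in the thread (illustrative names, not ASN.1).
@dataclass
class IDP:                                   # issuingDistributionPoint extension of a CRL
    distribution_point: Optional[str] = None  # DN of the DP; None when the field is absent
    only_user_certs: bool = False             # onlyContainsUserCerts
    only_ca_certs: bool = False               # onlyContainsCACerts
    only_some_reasons: bool = False           # onlySomeReasons (a reason-partitioned CRL)
    indirect_crl: bool = False                # indirectCRL

@dataclass
class CRL:
    issuer: str
    idp: Optional[IDP] = None                 # None = no IDP extension at all

@dataclass
class Cert:
    issuer: str
    is_ca: bool
    cdp: List[str] = field(default_factory=list)  # DP names from CRLDistributionPoints; [] if absent

def crl_is_authoritative(crl: CRL, cert: Cert) -> bool:
    """True when the CRL's DP matches the cert's DP, explicitly or implicitly,
    as Tom Biskupic and Dave Kemp state the rule in the thread."""
    if crl.issuer != cert.issuer:
        return False                          # cross-issuer coverage needs an ICRL, not modelled here
    idp = crl.idp
    if idp is None:
        return True                           # no IDP: a full CRL for this CA, nothing partitioned
    if idp.indirect_crl:
        return False                          # ICRL handling is outside the cached-CRL case discussed
    if idp.only_some_reasons:
        return False                          # partitioned by reasons: not complete for any cert on its own
    if idp.only_user_certs and cert.is_ca:
        return False                          # partitioned by user/CA type
    if idp.only_ca_certs and not cert.is_ca:
        return False
    if cert.cdp:
        # Explicit match: the cert's CDP must name this CRL's distributionPoint.
        return idp.distribution_point is not None and idp.distribution_point in cert.cdp
    # Cert without CDP: per Kemp, the only other partitioning is user/CA/reasons (checked above),
    # so the IDP CRL MUST cover it. Gindin's question (does a named DP cover CDP-less certs)
    # is resolved here in Kemp's favour; flip this to test the alternative reading.
    return True
```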