RE: Possible clarification to RFC 2459
>> [Dave]
>> "A CRL containing an issuingDistributionPoint extension with the
>> distributionPoint field present MUST be authoritative for all
>> certificates* that do not contain a CRLDistributionPoints extension."
>>
>> *user certs, CA certs, or both, as specified in the IDP.
> [Tom Gindin] Should that really be "with the distributionPoint field present"
> or "without the distributionPoint field present"? It would seem to be true when
> the distributionPoint field is absent.
I meant "with the distributionPoint field present or absent", but intended to
emphasise that the case where it is present should be interpreted no differently
with respect to certs without CRLdp than the case where it is absent.
> I would say that "A CRL containing an
> issuingDistributionPoint extension with the distributionPoint field containing
> a DN MUST be authoritative for all certificates that contain that value of the
> field in their CRLDistributionPoints extension", and also that "A CRL
> containing an issuingDistributionPoint extension without the distributionPoint
> field present MUST be authoritative for all certificates* that do not contain a
> CRLDistributionPoints extension." What isn't obvious, I suppose, is whether
> CRLs at named distribution points (with a DN name, as there are specifics about
> DPs with URI names) cover certificates without distribution points.
Tom,
That is an excellent statement of the problem!
Assume that a CA issues three certs with:
Cert1[no CRLdp] Cert2[CRLdp 2] Cert3[CRLdp 3]
And assume that the CA may publish three CRLs, with the following
distributionPoint fields:
CRL1[no DP] CRL2[DP 2] CRL3[DP 3]
Then the CRLs are authoritative for the following certs:
CRL1     CRL2     CRL3
-----    -----    -----
Cert1    Cert1?   Cert1?
Cert2    Cert2    -
Cert3    -        Cert3
As you say, it may not be obvious that CRLs at named distribution
points cover certs without distribution points (the ones marked
with a ? in the table).
I believe that RFC 2459 should be clarified, if necessary, to ensure
that CRL2 and CRL3 MUST be authoritative for Cert1. That way, CRL2 can
be regarded as a "full CRL", so can CRL3, and the CA has maximum
flexibility in deciding whether to populate the CRLdp extension in its
certs. A CA taking maximum advantage of dynamic partitioning would
never have to issue a bulky CRL1 but could still meet the requirement
of publishing a "full CRL".
That's why I disagree with Ambarish's proposal that only CRL1 (the one
with no DP field) be defined as a "full CRL".
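The scoping rule argued over in this thread can be written down as a small scope checker, which makes the difference between the two readings explicit. The following is an added illustration, not code from the thread, RFC 2459 or any PKIX implementation: the cert and CRL records, the names Cert1..Cert3 / CRL1..CRL3 and the DP labels are constructed from the table above, and the `named_dp_covers_no_dp_certs` switch is an assumption introduced here to select between the reading proposed in this message (True) and the stricter reading attributed to Ambarish (False). The onlyContainsUserCerts / onlyContainsCACerts flags model the asterisk in Dave's original statement.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal model of a certificate: only the fields relevant to CRL scoping."""
    name: str
    is_ca: bool = False
    crl_dp: Optional[str] = None  # CRLDistributionPoints value, None if the extension is absent


@dataclass(frozen=True)
class Crl:
    """Minimal model of a CRL carrying an issuingDistributionPoint (IDP) extension."""
    name: str
    idp_dp: Optional[str] = None  # IDP distributionPoint field, None if absent
    only_user_certs: bool = False  # IDP onlyContainsUserCerts
    only_ca_certs: bool = False    # IDP onlyContainsCACerts


def is_authoritative(crl: Crl, cert: Cert, named_dp_covers_no_dp_certs: bool = True) -> bool:
    """Decide whether `crl` is authoritative for `cert`.

    named_dp_covers_no_dp_certs=True  -> reading proposed in this message:
        a CRL at a named DP also covers certs that carry no CRLdp extension.
    named_dp_covers_no_dp_certs=False -> stricter reading: only the CRL with
        no DP field covers certs that carry no CRLdp extension.
    """
    # The onlyContains* flags restrict the certificate population in every case.
    if crl.only_user_certs and cert.is_ca:
        return False
    if crl.only_ca_certs and not cert.is_ca:
        return False
    if crl.idp_dp is None:
        # CRL1 in the table: no DP field, so it covers every cert it is otherwise scoped to.
        return True
    if cert.crl_dp is None:
        # The cells marked "?" in the table: this is the disputed case.
        return named_dp_covers_no_dp_certs
    # Both sides name a DP: authoritative only when the names match.
    return cert.crl_dp == crl.idp_dp


def coverage_table(crls: Sequence[Crl], certs: Sequence[Cert],
                   named_dp_covers_no_dp_certs: bool = True) -> Dict[str, Tuple[str, ...]]:
    """Map each CRL name to the names of the certs it is authoritative for."""
    return {
        crl.name: tuple(c.name for c in certs
                        if is_authoritative(crl, c, named_dp_covers_no_dp_certs))
        for crl in crls
    }


def full_crls(crls: Sequence[Crl], certs: Sequence[Cert],
              named_dp_covers_no_dp_certs: bool = True) -> Tuple[str, ...]:
    """CRLs that are authoritative for every cert lacking a CRLdp extension.

    This is the sense in which the message argues CRL2 and CRL3 could each be
    regarded as a "full CRL", letting the CA skip the bulky CRL1.
    """
    no_dp_certs = [c for c in certs if c.crl_dp is None]
    return tuple(crl.name for crl in crls
                 if all(is_authoritative(crl, c, named_dp_covers_no_dp_certs)
                        for c in no_dp_certs))


# Constructed sample population matching the table in the message.
CERTS = (Cert("Cert1"), Cert("Cert2", crl_dp="DP 2"), Cert("Cert3", crl_dp="DP 3"))
CRLS = (Crl("CRL1"), Crl("CRL2", idp_dp="DP 2"), Crl("CRL3", idp_dp="DP 3"))


if __name__ == "__main__":
    for strict in (False, True):
        label = "strict (only CRL1 is full)" if strict else "proposed (named DPs cover Cert1)"
        print(label)
        for crl, covered in coverage_table(CRLS, CERTS, not strict).items():
            print(f"  {crl}: {', '.join(covered) or '-'}")
        print("  full CRLs:", ", ".join(full_crls(CRLS, CERTS, not strict)))
```

Running it prints the coverage matrix under both readings; the two "?" cells are the only ones that change, and with them the set of CRLs that qualify as "full".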