Re: CRL version number discrepancy
actually we have had this debate. the text is correct in 509 but it was
considered an unnecessary complication in the pkix profile. the 509 text was to
broaden the amount of interworking between different versions. i understood the
pkix position to be that with minimal deployment of earlier versions, the 509
text didn't buy anything (other than possible confusion).
i (and the x500 group) considered the text still useful but decided to make it
optional. the "shall" will be changed to a "may". this will allow a profile to
broaden interaction if necessary. whatever pkix decides to do, there will be no
conflict with the standard.
hoyt
Hans Nilsson <hans.nilsson@iD2tech.com> on 08/24/99 11:34:06 PM
To: ietf-pkix@imc.org
cc: (bcc: Hoyt Kesterson/US/BULL)
Subject: CRL version number discrepancy
There is a discrepancy between X.509 and RFC 2459.
X.509 states:
If any extensions included in a CertificateList are defined as critical, the
version element of the CertificateList shall be present. If no extensions
defined as critical are included, the version element shall be absent. This
may permit an implementation that only supports version 1 CRLs to still use
the CRL if in its examination of the revokedCertificates sequence in the
CRL, it does not encounter an extension. An implementation that supports
version 2 (or greater) CRLs may be able to optimize its processing if it can
determine early in processing that no critical extensions are present in the
CRL.
RFC 2459 states that:
Conforming CAs that issue CRLs MUST issue version 2 CRLs,
and, later,
When extensions are used, as required by this profile, this field MUST be
present and MUST specify version 2 (the integer value is 1).
The question is now:
When we issue CRLs with non-critical extensions, should the version number
be omitted (according to X.509) or present and set to 2 (according to RFC
2459)?
Until further notice, we regard X.509 as having precedence over RFC 2459. Is
this correct?
Regards
Hans Nilsson
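
The two rules quoted in this thread, applied to a DER-encoded TBSCertList, as an added example that is not part of the original messages or of either specification. The function names and the sample CRL (empty placeholder signature and issuer fields, one cRLNumber extension) are constructed for illustration.

```python
def tlv(tag, body=b""):
    """Encode one short-form DER TLV (body under 128 bytes); builds the samples."""
    return bytes([tag, len(body)]) + body

def read(buf):
    """Yield (tag, contents) for each single-byte-tag TLV in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def ext_flags(extensions):
    """Return (count, any_critical) for the contents of an Extensions SEQUENCE."""
    exts = [list(read(e)) for _, e in read(extensions)]
    return len(exts), any(t == 0x01 and v != b"\x00" for f in exts for t, v in f)

def check_tbs_cert_list(der):
    """Evaluate the version field under the two texts quoted in the thread."""
    (_, body), = read(der)
    fields = list(read(body))
    version = int.from_bytes(fields[0][1], "big") if fields[0][0] == 0x02 else None
    first_time = next(i for i, (t, _) in enumerate(fields) if t in (0x17, 0x18))  # Time tags
    ext_seqs = []
    for tag, val in fields[first_time:]:
        if tag == 0xA0:    # crlExtensions, [0] EXPLICIT
            ext_seqs.append(next(read(val))[1])
        elif tag == 0x30:  # revokedCertificates; entry = serial, date, [extensions]
            for _, entry in read(val):
                ext_seqs += [v for t, v in list(read(entry))[2:] if t == 0x30]
    flags = [ext_flags(s) for s in ext_seqs]
    critical = any(c for _, c in flags)
    return {"version_field": version, "extensions": sum(n for n, _ in flags),
            "critical": critical, "rfc2459_ok": version == 1,  # always v2 (value 1)
            "x509_quoted_ok": (version is not None) == critical}  # present iff critical

def sample(version_present, critical):
    """Constructed TBSCertList: empty placeholder signature/issuer, one cRLNumber extension."""
    ext = tlv(0x30, tlv(0x06, b"\x55\x1d\x14") + (tlv(0x01, b"\xff") if critical else b"")
              + tlv(0x04, tlv(0x02, b"\x01")))
    return tlv(0x30, (tlv(0x02, b"\x01") if version_present else b"") + tlv(0x30)
               + tlv(0x30) + tlv(0x17, b"990824233406Z") + tlv(0xA0, tlv(0x30, ext)))

if __name__ == "__main__":
    for v in (False, True):  # the question's case: a non-critical extension only
        print("version present:", v, check_tbs_cert_list(sample(v, False)))
```

For a CRL carrying only non-critical extensions, the two checks cannot both pass: omitting the version satisfies the quoted X.509 text and fails RFC 2459, and including it does the reverse.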