
CRL Distribution Points



In reviewing the document that Tim recently posted, I realized that we were not really clear about the semantics of a DistributionPoint with an absent distributionPoint, a present reasons, and a present cRLIssuer. The ASN.1 is repeated below for those who have not memorized it.

If the cRLDistributionPoints extension does not contain a DistributionPointName, but does contain a cRLIssuer, then the following semantics MUST be assumed:

1) If the cRLIssuer is of type directoryName, then the certificateRevocationList attribute in the Directory entry of the cRLIssuer contains the current CRL for the associated reasons.

2) If the cRLIssuer is of type URI, then the URI is a pointer to the current CRL for the associated reasons. The expected values for the URI are those defined in 4.2.1.7.

3) Processing rules for other values are not defined by this specification.

Does this seem right?

Russ

= = = = = = = = = =

CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

DistributionPoint ::= SEQUENCE {
     distributionPoint       [0]     DistributionPointName OPTIONAL,
     reasons                 [1]     ReasonFlags OPTIONAL,
     cRLIssuer               [2]     GeneralNames OPTIONAL }

DistributionPointName ::= CHOICE {
     fullName                [0]     GeneralNames,
     nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }

ReasonFlags ::= BIT STRING {
     unused                  (0),
     keyCompromise           (1),
     cACompromise            (2),
     affiliationChanged      (3),
     superseded              (4),
     cessationOfOperation    (5),
     certificateHold         (6) }
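
The three rules proposed in the message, applied to a DER-encoded DistributionPoint, as an added example that is not part of the original post. The function names, the sample bytes and the ca.example names are constructed for illustration, and the tag bytes assume IMPLICIT tagging for reasons and cRLIssuer.

```python
# Added example (not from the original message). Tag bytes assume the
# IMPLICIT-tagged PKIX module: reasons = 0x81, cRLIssuer = 0xA2.
REASONS = ["unused", "keyCompromise", "cACompromise", "affiliationChanged",
           "superseded", "cessationOfOperation", "certificateHold"]

def tlv(tag, value):
    """Encode one short-form DER element (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value

def children(buf):
    """Split DER content into (tag, value) pairs; short-form lengths only."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
            raise ValueError("truncated or long-form element")
        tag, length = buf[pos], buf[pos + 1]
        end = pos + 2 + length
        if end > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos + 2:end]))
        pos = end
    return out

def decode_reasons(bits):
    """ReasonFlags content (unused-bit count, then bits) -> flag names."""
    data = bits[1:]
    return [name for i, name in enumerate(REASONS)
            if i // 8 < len(data) and data[i // 8] & (0x80 >> (i % 8))]

def crl_sources(dp_der):
    """Apply the three proposed rules to one DER DistributionPoint."""
    (tag, body), = children(dp_der)
    fields = dict(children(body))
    if tag != 0x30 or 0xA0 in fields or 0xA2 not in fields:
        raise ValueError("need absent distributionPoint and present cRLIssuer")
    sources = []
    for gtag, gval in children(fields[0xA2]):
        if gtag == 0xA4:      # rule 1: directoryName -> issuer's Directory entry
            sources.append(("directory", gval.hex()))
        elif gtag == 0x86:    # rule 2: URI points at the current CRL
            sources.append(("uri", gval.decode("ascii")))
        else:                 # rule 3: processing not defined
            sources.append(("undefined", hex(gtag)))
    return {"reasons": decode_reasons(fields.get(0x81, b"")), "sources": sources}

# Constructed sample: reasons {keyCompromise, cACompromise}, three issuer names.
NAME = tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, b"CA"))))
SAMPLE = tlv(0x30, tlv(0x81, bytes([5, 0x60])) + tlv(0xA2,
    tlv(0xA4, NAME) + tlv(0x86, b"http://ca.example/kc.crl") + tlv(0x82, b"ca.example")))

if __name__ == "__main__":
    print(crl_sources(SAMPLE))
```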