RE: CRL Distribution Points
Russ:
Please see Annex M on X.509 Draft Amendment. It will be a good idea to include
Annex M, point to it or borrow the applicable sections in the PKIX RFC.
-----Original Message-----
From: Russ Housley [mailto:housley@spyrus.com]
Sent: Tuesday, October 26, 1999 12:58 PM
To: ietf-pkix@imc.org
Subject: CRL Distribution Points
In reviewing the document that Tim recently posted, I realized that we were
not really clear about the semantics of a DistributionPoint with an absent
distributionPoint, a present reasons, and a present cRLIssuer. The ASN.1
is repeated below for those who have not memorized it.
If the cRLDistributionPoints extension does not contain a
DistributionPointName, but does contain a cRLIssuer, then the following
semantics MUST be assumed:
1) If the cRLIssuer is of type directoryName, then the
certificateRevocationList attribute in the Directory entry of the cRLIssuer
contains the current CRL for the associated reasons.
2) If the cRLIssuer is of type URI, then the URI is a pointer to the
current CRL for the associated reasons. The expected values for the URI
are those defined in 4.2.1.7.
3) Processing rules for other values are not defined by this specification.
Does this seem right?
Russ
= = = = = = = = = =
CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

DistributionPoint ::= SEQUENCE {
     distributionPoint       [0]     DistributionPointName OPTIONAL,
     reasons                 [1]     ReasonFlags OPTIONAL,
     cRLIssuer               [2]     GeneralNames OPTIONAL }

DistributionPointName ::= CHOICE {
     fullName                [0]     GeneralNames,
     nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }

ReasonFlags ::= BIT STRING {
     unused                  (0),
     keyCompromise           (1),
     cACompromise            (2),
     affiliationChanged      (3),
     superseded              (4),
     cessationOfOperation    (5),
     certificateHold         (6) }
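
The three rules proposed in the quoted message, worked through as an added example that is not part of the original thread. It models the proposal as written there, not any published RFC text; the (choice, value) model of GeneralNames, the function names, the action labels and the sample names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named bits, in order, from the ReasonFlags definition quoted in the message.
REASON_BITS = ["unused", "keyCompromise", "cACompromise", "affiliationChanged",
               "superseded", "cessationOfOperation", "certificateHold"]

def decode_reason_flags(content: bytes) -> List[str]:
    """Decode DER BIT STRING content octets (unused-bit count, then data)."""
    if not content or content[0] > 7 or (len(content) == 1 and content[0]):
        raise ValueError("malformed BIT STRING")
    nbits = (len(content) - 1) * 8 - content[0]
    # Bit 0 is the most significant bit of the first data octet.
    return [name for i, name in enumerate(REASON_BITS[:nbits])
            if content[1 + i // 8] & (0x80 >> (i % 8))]

@dataclass
class DistributionPoint:
    # Simplified model (assumption): GeneralNames as (choice, value) pairs.
    distribution_point: Optional[object] = None
    reasons: Optional[bytes] = None          # BIT STRING content octets
    crl_issuer: Optional[List[Tuple[str, str]]] = None

def locate_crl(dp: DistributionPoint) -> List[Tuple[str, str, Optional[List[str]]]]:
    """Apply the proposed rules 1-3 to a DistributionPoint without a name."""
    if dp.distribution_point is not None:
        raise ValueError("distributionPoint is present; the rules do not apply")
    if not dp.crl_issuer:
        raise ValueError("no distributionPoint and no cRLIssuer")
    reasons = None if dp.reasons is None else decode_reason_flags(dp.reasons)
    plan = []
    for choice, value in dp.crl_issuer:
        if choice == "directoryName":                    # rule 1
            plan.append(("read-certificateRevocationList-attribute", value, reasons))
        elif choice == "uniformResourceIdentifier":      # rule 2
            plan.append(("fetch-uri", value, reasons))
        else:                                            # rule 3
            plan.append(("undefined", value, reasons))
    return plan

# Constructed sample: absent distributionPoint, reasons = keyCompromise and
# cACompromise (bits 1 and 2 -> 0x60, five unused bits), three cRLIssuer names.
SAMPLE = DistributionPoint(
    reasons=bytes([0x05, 0x60]),
    crl_issuer=[("directoryName", "CN=CRL Issuer,O=Example,C=US"),
                ("uniformResourceIdentifier", "ldap://ldap.example.com/cn=crl"),
                ("rfc822Name", "crl@example.com")])

if __name__ == "__main__":
    for step in locate_crl(SAMPLE):
        print(step)
```

A relying party would treat an "undefined" entry as giving no CRL location rather than guessing one, since rule 3 leaves processing of other name types unspecified.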