[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CRL Distribution Points

To: Santosh Chokhani <chokhani@xxxxxxxxxxxx>, "'Russ Housley'" <housley@xxxxxxxxxx>, ietf-pkix@xxxxxxx
Subject: RE: CRL Distribution Points
From: Peter Williams <peterw@xxxxxxxxxxxx>
Date: Tue, 26 Oct 1999 17:01:44 -0700

Russ,

You need to ensure that an indirect issuer of the
CRL fragment can be identified, so that the signature
can be appropriately verified, as per the X.509 model.

How would we do that with your standard today? - whilst
also pointing to the location of the value in 
a directory/uri-resolver?
 

> -----Original Message-----
> From: Santosh Chokhani [mailto:chokhani@cygnacom.com]
> Sent: Tuesday, October 26, 1999 4:39 PM
> To: 'Russ Housley'; ietf-pkix@imc.org
> Subject: RE: CRL Distribution Points
> 
> 
> Russ:
> 
> Please Annex M on X.509 Draft Amendment.  It will be a good 
> idea to include
> Annex M, point to it or borrow the applicable sections in the 
> PKIX RFC.
> 
> -----Original Message-----
> From: Russ Housley [mailto:housley@spyrus.com]
> Sent: Tuesday, October 26, 1999 12:58 PM
> To: ietf-pkix@imc.org
> Subject: CRL Distribution Points
> 
> 
> In reviewing the document that Tim recently posted, I 
> realized that we were 
> not really clear about the semantics of a DistributionPoint 
> with an absent 
> distributionPoint, a present reasons, and a present 
> cRLIssuer.  The ASN.1 
> is repeated below for those who have not memorized it.
> 
> If the cRLDistributionPoints extension does not contain a 
> DistributionPointName, but does contain a cRLIssuer, then following 
> semantics MUST be assumed:
> 
> 1) If the cRLIssuer is of type directoryName, then the 
> certificateRevocationList attribute in the Directory entry of 
> the cRLIssuer 
> contains the current CRL for the associated reasons.
> 
> 2) If the cRLIssuer is of type URI, then the URI is a pointer to the 
> current CRL for the associated reasons.  The expected values 
> for the URI 
> are those defined in 4.2.1.7.
> 
> 3) Processing rules for other values are not defined by this 
> specification.
> 
> Does this seem right?
> 
> Russ
> 
> = = = = = = = = = =
> 
>     CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF 
> DistributionPoint
> 
>     DistributionPoint ::= SEQUENCE {
>          distributionPoint       [0]     
> DistributionPointName OPTIONAL,
>          reasons                 [1]     ReasonFlags OPTIONAL,
>          cRLIssuer               [2]     GeneralNames OPTIONAL }
> 
>     DistributionPointName ::= CHOICE {
>          fullName                [0]     GeneralNames,
>          nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
> 
>     ReasonFlags ::= BIT STRING {
>          unused                  (0),
>          keyCompromise           (1),
>          cACompromise            (2),
>          affiliationChanged      (3),
>          superseded              (4),
>          cessationOfOperation    (5),
>          certificateHold         (6) }
>

Prev by Date: RE: CRL Distribution Points
Next by Date: RE: CRL Distribution Points
Previous by thread: RE: CRL Distribution Points
Next by thread: RE: CRL Distribution Points
Index(es):
- Date
- Thread