
Re: cert == crl



Thank you Russ for your reply. Okay, I understood the case I had
written.
Could you answer the same question if the certificate's CRLDP extension
had a Distribution Point in it and a crlIssuer at the same time? What
restrictions are applied to the crlIssuer?

Thanks a lot.

Pavel

Russ Housley wrote:
> 
> If the CRLIssuer GN is a DirectoryName, then the CRL can be found in the
> LDAP or X.500 Directory.  I think that all of the other cases are ambiguous.
> 
> Russ
> 
> At 08:18 PM 12/8/99 +0300, Pavel Krylov wrote:
> >Hi all,
> >
> >I would be grateful if someone helped me with one case in CRL
> >processing.
> >A certificate has some information on how to find appropriate CRLs
> >to check revocation status of the certificate. This information includes
> >certificate issuer name (DN), alternative issuer name (GN) and CRLDPs
> >extension, which in turn includes distribution point (dp, i.e.
> >a choice between fullName(GN) and nameRelativeToCRLIssuer (rdn) ),
> >reason codes and cRLIssuer name (GN).
> >
> >Okay, as I understand it, CRL processing begins from the certificate, i.e.
> >getting the proper information to find the appropriate CRL. Suppose we have
> >a certificate with the following fields (only those relevant to CRL):
> >
> >         cert
> >          |_ issuer (DN)
> >          |_ altIssuer (GN)
> >          |_ certExtensions
> >             |_ CRLDPs extension
> >                |_ crldp
> >                   |_ cRLIssuer (GN)
> >
> >i.e. dp is absent, but cRLIssuer is present in CRLDPs extension.
> >In this case I have a name of issuer of needed CRL, but it is
> >represented by GN type. Say, I have some CRLs to try to apply them
> >for the certificate. But each CRL has issuer (DN) and altIssuer (GN).
> >So my question is how cRLIssuer(GN) is supposed to be compared with
> >crl.issuer(DN) and crl.altIssuer(GN)??
> >
> >Any ideas?
> >
> >Thanks a lot.
> >
> >Pavel Krylov
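
The comparison asked about in the thread, as an added example that is not part of the original messages: it matches a `directoryName` in cRLIssuer against each CRL's issuer DN and reports the other GeneralName kinds as ambiguous, as in the reply above. The data model, the names `select_crl` and `indirect_crl`, and the sample values are constructed assumptions; the DN normalisation is a simplification of real name matching, and the indirectCRL check follows RFC 5280 section 6.3.3.

```python
# Added illustration: a constructed model, not an ASN.1 parser.
# GeneralName -> (kind, value); DN -> tuple of RDNs; RDN -> tuple of (type, value).

def _norm_dn(dn):
    """Simplified DN normalisation (assumption): case-fold values, collapse
    whitespace, and treat each RDN as an unordered set of attributes.
    Real implementations follow the RFC 4518 string preparation rules."""
    return tuple(
        frozenset((t.upper(), " ".join(v.split()).casefold()) for t, v in rdn)
        for rdn in dn
    )

def select_crl(crl_issuer_gns, crls):
    """Return (status, matches) for a CRLDP that carries cRLIssuer.

    status is 'ambiguous' when cRLIssuer holds no directoryName, because
    crl.issuer is always a DN and there is nothing to compare it with;
    otherwise 'match' or 'no-match'."""
    wanted = {_norm_dn(v) for kind, v in crl_issuer_gns if kind == "directoryName"}
    if not wanted:
        return "ambiguous", []
    matches = [
        c for c in crls
        # RFC 5280 6.3.3: the issuer must match cRLIssuer and the CRL's
        # issuing distribution point extension must assert indirectCRL.
        if _norm_dn(c["issuer"]) in wanted and c.get("indirect_crl", False)
    ]
    return ("match" if matches else "no-match"), matches

# Constructed sample names and CRL summaries.
ISSUING_CA = ((("C", "RU"),), (("O", "Example Org"),), (("CN", "Issuing CA"),))
CRL_SIGNER = ((("C", "RU"),), (("O", "Example  Org"),), (("CN", "CRL Signer"),))
SAMPLE_CRLS = [
    {"name": "crl-a", "issuer": ISSUING_CA, "indirect_crl": False},
    {"name": "crl-b", "indirect_crl": True,
     "issuer": ((("c", "ru"),), (("o", "example org"),), (("cn", "crl signer"),))},
    {"name": "crl-c", "issuer": CRL_SIGNER, "indirect_crl": False},
]

if __name__ == "__main__":
    status, found = select_crl([("directoryName", CRL_SIGNER)], SAMPLE_CRLS)
    print(status, [c["name"] for c in found])
    uri_only = [("uniformResourceIdentifier", "http://crl.example/ca.crl")]
    print(select_crl(uri_only, SAMPLE_CRLS)[0])
```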