
RE: cert == crl



Pavel, Russ,

If I understand this correctly, the Location where the CRL can be obtained
is either determined by the DP or if the DP is absent by the CRL Issuer
Name.

In the same way that you can have a DP Name that is a URI or an email
address, etc., couldn't the CRL Issuer name also be a URI? I know it's a bit of
a strange case but imagine the CRL Issuer certificate had no subject but
only a subject alternative name.

In terms of Pavel's question - if both DP and issuer are specified aren't
they both quite independent? i.e. the location of the CRL could be quite
different to what is implied by the CRL Issuer name(s).

Tom Biskupic

> -----Original Message-----
> From: Pavel Krylov [mailto:Pavel.Krylov@trustworks.com]
> Sent: Tuesday, December 14, 1999 10:31 AM
> Cc: ietf-pkix@imc.org
> Subject: Re: cert == crl
>
>
>
> Thank you Russ for your reply. Okay, I understood the case I had written.
> Could you answer me the same question, if certificate's CRLDP extension
> had Distribution Point in it and crlIssuer at the same time. What
> restrictions are applied to the crlIssuer?
>
> Thanks a lot.
>
> Pavel
>
> Russ Housley wrote:
> >
> > If the CRLIssuer GN is a DirectoryName, then the CRL can be found in the
> > LDAP or X.500 Directory.  I think that all of the other cases are ambiguous.
> >
> > Russ
> >
> > At 08:18 PM 12/8/99 +0300, Pavel Krylov wrote:
> > >Hi all,
> > >
> > >I would be grateful if someone helped me with one case in CRL
> > >processing.
> > >A certificate has some information on how to find appropriate CRLs
> > >to check revocation status of the certificate. This information includes
> > >certificate issuer name (DN), alternative issuer name (GN) and CRLDPs
> > >extension, which in its order includes distribution point (dp, i.e.
> > >a choice between fullName(GN) and nameRelativeToCRLIssuer (rdn) ),
> > >reason codes and cRLIssuer name (GN).
> > >
> > >Okay, how I understand CRL processing begins from certificate, i.e.
> > >getting proper information to find appropriate CRL. Suppose, we have
> > >a certificate with following fields ( only mentioned to CRL ):
> > >
> > >         cert
> > >          |_ issuer (DN)
> > >          |_ altIssuer (GN)
> > >          |_ certExtensions
> > >             |_ CRLDPs extension
> > >                |_ crldp
> > >                   |_ cRLIssuer (GN)
> > >
> > >i.e. dp is absent, but cRLIssuer is present in CRLDPs extension.
> > >In this case I have a name of issuer of needed CRL, but it is
> > >represented by GN type. Say, I have some CRLs to try to apply them
> > >for the certificate. But each CRL has issuer (DN) and altIssuer (GN).
> > >So my question is how cRLIssuer(GN) is supposed to be compared with
> > >crl.issuer(DN) and crl.altIssuer(GN)??
> > >
> > >Any ideas?
> > >
> > >Thanks a lot.
> > >
> > >Pavel Krylov
>
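
The cases discussed in this thread, as an added example that is not part of the original messages: the fetch location comes from the DP (or from the CRL issuer's directory entry when the DP is absent), while the name compared with crl.issuer comes from cRLIssuer, and a cRLIssuer with no directoryName is treated as undecidable, following Russ's reply. The data model, function names, sample values and the simplified DN comparison are assumptions made for illustration.

```python
# Added illustration. The data model is hypothetical: a GeneralName is a
# (type, value) pair and a DN is a tuple of (attribute, value) pairs.

def norm_dn(dn):
    # Simplified DN matching (assumption): case-fold, collapse whitespace.
    return tuple((a.lower(), " ".join(v.split()).lower()) for a, v in dn)

def expected_crl_issuer(cert):
    """DN that crl.issuer must carry, or None when it cannot be decided."""
    gns = cert.get("crl_issuer")            # cRLIssuer of the CRLDP entry
    if not gns:
        return norm_dn(cert["issuer"])      # absent: CRL is from the cert issuer
    dns = [v for t, v in gns if t == "directoryName"]
    return norm_dn(dns[0]) if dns else None # URI, rfc822Name, ...: ambiguous

def crl_locations(cert):
    """Where to fetch: the DP fullName if present, otherwise the directory
    entry of the CRL issuer. Says nothing about who must sign the CRL."""
    dp = cert.get("dp_full_name")
    if dp:
        return [v for _, v in dp]
    issuer = expected_crl_issuer(cert)
    return [("directory-entry", issuer)] if issuer else []

def select_crls(cert, crls):
    """Names of candidate CRLs whose issuer DN equals the expected issuer."""
    want = expected_crl_issuer(cert)
    if want is None:
        raise ValueError("cRLIssuer has no directoryName to compare")
    return [c["name"] for c in crls if norm_dn(c["issuer"]) == want]

# Constructed sample data (not from the thread).
CA = (("C", "AU"), ("O", "Example CA"))
SIGNER = (("C", "AU"), ("O", "Example CRL Signer"))
CRLS = [{"name": "ca.crl", "issuer": CA},
        {"name": "indirect.crl", "issuer": (("c", "au"), ("o", "example  crl signer"))}]
URI = ("uniformResourceIdentifier", "http://crl.example.test/indirect.crl")
CERT_NO_DP = {"issuer": CA, "crl_issuer": [("directoryName", SIGNER)]}
CERT_BOTH = {"issuer": CA, "dp_full_name": [URI],
             "crl_issuer": [("directoryName", SIGNER)]}
CERT_URI_ISSUER = {"issuer": CA, "crl_issuer": [URI]}

if __name__ == "__main__":
    for cert in (CERT_NO_DP, CERT_BOTH):
        print(crl_locations(cert), select_crls(cert, CRLS))
```

The sketch compares only against crl.issuer; it does not attempt a match against the CRL's alternative issuer names.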