
Re: cert == crl



Hi Tom,
maybe I did not write my questions clearly (sorry for that), but my
misunderstanding does not lie in obtaining a proper CRL via the CRLDPs
certificate extension. It lies in what happens once I have obtained some
CRLs from a CRL distribution point (pointed to in the CRLDPs certificate
extension) and need to choose the appropriate CRLs from that set. One of
the necessary tests is to check that crl.issuer matches the cRLIssuer
(which is in the CRLDPs extension). As I noted in my previous letters,
crl.issuer is a DN, but cRLIssuer is a GN, so I am trying to discover all
the limitations on comparing them. I hope I have made my problem clear.

Pavel.

Tom Biskupic wrote:
> 
> Pavel, Russ,
> 
> If I understand this correctly, the location where the CRL can be obtained
> is either determined by the DP or, if the DP is absent, by the CRL Issuer
> Name.
> 
> In the same way that you can have a DP Name that is a URI or an email
> address etc., couldn't the CRL Issuer name also be a URI? I know it's a bit of
> a strange case, but imagine the CRL Issuer certificate had no subject but
> only a subject alternative name.
> 
> In terms of Pavel's question - if both DP and issuer are specified, aren't
> they both quite independent? I.e. the location of the CRL could be quite
> different from what is implied by the CRL Issuer name(s).
> 
> Tom Biskupic
> 
> > -----Original Message-----
> > From: Pavel Krylov [mailto:Pavel.Krylov@trustworks.com]
> > Sent: Tuesday, December 14, 1999 10:31 AM
> > Cc: ietf-pkix@imc.org
> > Subject: Re: cert == crl
> >
> >
> >
> > Thank you Russ for your reply. Okay, I understood the case I had
> > written about.
> > Could you answer the same question for me if the certificate's CRLDP
> > extension had a Distribution Point in it and a crlIssuer at the same
> > time. What restrictions are applied to the crlIssuer?
> >
> > Thanks a lot.
> >
> > Pavel
> >
> > Russ Housley wrote:
> > >
> > > If the CRLIssuer GN is a DirectoryName, then the CRL can be found in the
> > > LDAP or X.500 Directory.  I think that all of the other cases are ambiguous.
> > >
> > > Russ
> > >
> > > At 08:18 PM 12/8/99 +0300, Pavel Krylov wrote:
> > > >Hi all,
> > > >
> > > >I would be grateful if someone helped me with one case in CRL
> > > >processing.
> > > >A certificate has some information on how to find the appropriate CRLs
> > > >to check the revocation status of the certificate. This information
> > > >includes the certificate issuer name (DN), the alternative issuer name
> > > >(GN) and the CRLDPs extension, which in turn includes a distribution
> > > >point (dp, i.e. a choice between fullName (GN) and
> > > >nameRelativeToCRLIssuer (rdn)), reason codes and the cRLIssuer name (GN).
> > > >
> > > >Okay, as I understand it, CRL processing begins from the certificate, i.e.
> > > >getting the proper information to find the appropriate CRL. Suppose we have
> > > >a certificate with the following fields (only those relevant to CRLs):
> > > >
> > > >         cert
> > > >          |_ issuer (DN)
> > > >          |_ altIssuer (GN)
> > > >          |_ certExtensions
> > > >             |_ CRLDPs extension
> > > >                |_ crldp
> > > >                   |_ cRLIssuer (GN)
> > > >
> > > >i.e. dp is absent, but cRLIssuer is present in the CRLDPs extension.
> > > >In this case I have the name of the issuer of the needed CRL, but it is
> > > >represented by the GN type. Say I have some CRLs to try to apply to
> > > >the certificate. But each CRL has an issuer (DN) and an altIssuer (GN).
> > > >So my question is how cRLIssuer (GN) is supposed to be compared with
> > > >crl.issuer (DN) and crl.altIssuer (GN)??
> > > >
> > > >Any ideas?
> > > >
> > > >Thanks a lot.
> > > >
> > > >Pavel Krylov
> >
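For the selection test Pavel describes (deciding which of the fetched CRLs may be used, by comparing crl.issuer with the cRLIssuer GeneralName), here is an added example; it is not code from any poster in this thread. It models the ASN.1 types with plain Python tuples and applies the rules as RFC 5280 later wrote them down: section 6.3.3 step (b)(1) for the issuer match, section 4.2.1.13 for nameRelativeToCRLIssuer, and a simplified form of the section 7.1 name comparison. RFC 5280 postdates this 1999 discussion. The DNs, the RDN fragment and the URI are constructed sample data, and taking the first directoryName of a multi-valued cRLIssuer as the base for a relative name is an assumption of the example.

```python
"""Choosing acceptable CRLs for one cRLDistributionPoints entry.

Simplified stand-ins for the ASN.1 types: a Name is a tuple of RDNs, an
RDN is a frozenset of (attribute-type, value) pairs, a GeneralName is a
(choice, value) pair.  Rules follow RFC 5280 6.3.3 (b)(1), 4.2.1.13 and
a simplified 7.1 name comparison; RFC 5280 postdates the thread above.
"""
from dataclasses import dataclass
from typing import Optional

def rdn(*pairs):
    """One RelativeDistinguishedName from (type, value) pairs."""
    return frozenset(pairs)

def name(*rdns):
    """A Name: sequence of RDNs, root first."""
    return tuple(rdns)

def normalize_name(n):
    """Canonical form for comparison (simplified RFC 5280 7.1): attribute
    types compared exactly, values case-folded with whitespace collapsed."""
    return tuple(frozenset((t, " ".join(v.split()).casefold()) for t, v in r)
                 for r in n)

def names_equal(a, b):
    return normalize_name(a) == normalize_name(b)

@dataclass
class DistributionPoint:
    # ("fullName", [GeneralName, ...]), ("nameRelativeToCRLIssuer", rdn) or None
    distribution_point: Optional[tuple] = None
    crl_issuer: Optional[list] = None      # GeneralNames, or None when absent

@dataclass
class Crl:
    issuer: tuple                          # Name from the CRL's issuer field
    indirect_crl: bool = False             # indirectCRL flag of the IDP extension

def directory_names(general_names):
    """Only the directoryName choice is a DN and can be compared with
    crl.issuer; URI, rfc822Name, dNSName etc. are left aside."""
    return [v for kind, v in general_names if kind == "directoryName"]

def crl_issuer_matches(dp, cert_issuer, crl):
    """Return (accepted, reason) for one candidate CRL.

    cRLIssuer absent: crl.issuer must equal the certificate issuer.
    cRLIssuer present: crl.issuer must equal one of its directoryName
    entries and the CRL must be marked indirectCRL.  A cRLIssuer with no
    directoryName cannot be compared with a DN and is rejected.
    """
    if dp.crl_issuer is None:
        if names_equal(crl.issuer, cert_issuer):
            return True, "crl.issuer equals the certificate issuer"
        return False, "crl.issuer differs from the certificate issuer"
    dns = directory_names(dp.crl_issuer)
    if not dns:
        return False, "cRLIssuer has no directoryName; cannot compare with crl.issuer"
    if not any(names_equal(crl.issuer, dn) for dn in dns):
        return False, "crl.issuer matches none of the cRLIssuer directoryNames"
    if not crl.indirect_crl:
        return False, "cRLIssuer present but the CRL is not marked indirectCRL"
    return True, "crl.issuer equals a cRLIssuer directoryName on an indirect CRL"

def distribution_point_name(dp, cert_issuer):
    """Resolve DistributionPointName to a list of GeneralNames.  For
    nameRelativeToCRLIssuer the RDN is appended to the CRL issuer DN: the
    first directoryName of cRLIssuer when present (taking the first one is
    an assumption of this example), otherwise the certificate issuer."""
    if dp.distribution_point is None:
        return []
    kind, value = dp.distribution_point
    if kind == "fullName":
        return list(value)
    dns = directory_names(dp.crl_issuer) if dp.crl_issuer else []
    base = dns[0] if dns else cert_issuer
    return [("directoryName", name(*base, value))]

# Constructed sample data, not taken from any real certificate or CRL.
CERT_ISSUER = name(rdn(("C", "US")), rdn(("O", "Example")), rdn(("CN", "Example CA")))
CRL_SIGNER = name(rdn(("C", "US")), rdn(("O", "Example")), rdn(("CN", "Example CRL Signer")))
CRL1_RDN = rdn(("CN", "CRL1"))

# cRLIssuer as a directoryName; the CRL spells the same DN with different
# case and spacing, which the 7.1 comparison must still treat as equal.
DP_WITH_ISSUER = DistributionPoint(("nameRelativeToCRLIssuer", CRL1_RDN),
                                   [("directoryName", CRL_SIGNER)])
INDIRECT_CRL = Crl(name(rdn(("C", "us")), rdn(("O", "EXAMPLE")),
                        rdn(("CN", "example  crl signer"))), indirect_crl=True)
DIRECT_CRL = Crl(CERT_ISSUER)

# cRLIssuer given only as a URI: a GeneralName that is not a DN at all.
DP_URI_ISSUER = DistributionPoint(
    crl_issuer=[("uniformResourceIdentifier", "http://crl.example.test/ca.crl")])
```

Only the directoryName alternative of a GeneralName is a DN, so only that alternative is compared with crl.issuer; a cRLIssuer given solely as a URI or e-mail address is rejected rather than guessed at, in line with Russ's remark above that those cases are ambiguous. The comparison here only case-folds and collapses whitespace; a full implementation applies the RFC 4518 string preparation that RFC 5280 section 7.1 requires before comparing attribute values.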