
RE: cert == crl



Pavel,

If you take the assumption that CRLs from only one issuer are placed in a
given DP then could you just compare the DP in the CDP with the DP in the
IDP (or CRLScope Extension) of the CRL?

This seems kinda naive to me but will it work? Does it make sense/is it
valid for multiple issuers to place CRLs in the same DP?

Tom Biskupic

> -----Original Message-----
> From: Pavel Krylov [mailto:Pavel.Krylov@trustworks.com]
> Sent: Tuesday, December 14, 1999 12:48 PM
> To: Tom Biskupic
> Cc: ietf-pkix@imc.org
> Subject: Re: cert == crl
>
>
>
> Hi Tom,
> Maybe I did not write my questions clearly (sorry for that), but my
> misunderstanding does not lie in obtaining a proper CRL via the CRLDPs
> certificate extension. It lies in the case where I have obtained some CRLs from
> a CRL distribution point (pointed to in the CRLDPs certificate extension)
> and I need to choose the appropriate CRLs from that set. One of the
> necessary tests is to check that crl.issuer matches the cRLIssuer
> (which is in the CRLDPs extension). As I noted in my previous letters,
> crl.issuer is a DN, but cRLIssuer is a GN, so I'm trying to discover all
> limitations on comparing them. I hope I have made my problem clear.
>
> Pavel.
>
> Tom Biskupic wrote:
> >
> > Pavel, Russ,
> >
> > If I understand this correctly, the location where the CRL can be obtained
> > is either determined by the DP or, if the DP is absent, by the CRL Issuer
> > Name.
> >
> > In the same way that you can have a DP Name that is a URI or an email
> > address etc., couldn't the CRL Issuer name also be a URI? I know it's a bit of
> > a strange case, but imagine the CRL Issuer certificate had no subject but
> > only a subject alternative name.
> >
> > In terms of Pavel's question - if both DP and issuer are specified, aren't
> > they both quite independent? i.e. the location of the CRL could be quite
> > different to what is implied by the CRL Issuer name(s).
> >
> > Tom Biskupic
> >
> > > -----Original Message-----
> > > From: Pavel Krylov [mailto:Pavel.Krylov@trustworks.com]
> > > Sent: Tuesday, December 14, 1999 10:31 AM
> > > Cc: ietf-pkix@imc.org
> > > Subject: Re: cert == crl
> > >
> > >
> > >
> > > Thank you Russ for your reply. Okay, I understood the case I had
> > > written about.
> > > Could you answer the same question for me if the certificate's CRLDP
> > > extension had a Distribution Point in it and a crlIssuer at the same time?
> > > What restrictions are applied to the crlIssuer?
> > >
> > > Thanks a lot.
> > >
> > > Pavel
> > >
> > > Russ Housley wrote:
> > > >
> > > > If the CRLIssuer GN is a DirectoryName, then the CRL can be found in the
> > > > LDAP or X.500 Directory.  I think that all of the other cases are ambiguous.
> > > >
> > > > Russ
> > > >
> > > > At 08:18 PM 12/8/99 +0300, Pavel Krylov wrote:
> > > > >Hi all,
> > > > >
> > > > >I would be grateful if someone helped me with one case in CRL
> > > > >processing.
> > > > >A certificate has some information on how to find the appropriate CRLs
> > > > >to check the revocation status of the certificate. This information includes
> > > > >the certificate issuer name (DN), alternative issuer name (GN) and the CRLDPs
> > > > >extension, which in turn includes the distribution point (dp, i.e.
> > > > >a choice between fullName (GN) and nameRelativeToCRLIssuer (rdn)),
> > > > >reason codes and cRLIssuer name (GN).
> > > > >
> > > > >Okay, as I understand it, CRL processing begins from the certificate, i.e.
> > > > >getting the proper information to find the appropriate CRL. Suppose we have
> > > > >a certificate with the following fields (only those relevant to CRLs):
> > > > >
> > > > >         cert
> > > > >          |_ issuer (DN)
> > > > >          |_ altIssuer (GN)
> > > > >          |_ certExtensions
> > > > >             |_ CRLDPs extension
> > > > >                |_ crldp
> > > > >                   |_ cRLIssuer (GN)
> > > > >
> > > > >i.e. dp is absent, but cRLIssuer is present in the CRLDPs extension.
> > > > >In this case I have the name of the issuer of the needed CRL, but it is
> > > > >represented by the GN type. Say I have some CRLs to try to apply
> > > > >to the certificate. But each CRL has an issuer (DN) and an altIssuer (GN).
> > > > >So my question is how cRLIssuer (GN) is supposed to be compared with
> > > > >crl.issuer (DN) and crl.altIssuer (GN)?
> > > > >
> > > > >Any ideas?
> > > > >
> > > > >Thanks a lot.
> > > > >
> > > > >Pavel Krylov
> > >
>
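The selection logic the thread is circling around, as an added toy model that is not code from any of the participants or from a PKIX library: a CRL is kept for a distribution point only if its issuer DN equals the DP's cRLIssuer (when present, and only its DirectoryName entries are comparable to a DN, as Russ notes) or otherwise the certificate issuer, and, when the CRL carries an IssuingDistributionPoint, that IDP name must equal one of the DP's names, which is Tom's CDP-vs-IDP comparison. A nameRelativeToCRLIssuer is resolved by appending the RDN to the CRL issuer's DN. All DNs, URIs and helper names below are constructed for illustration, and DN matching is simplified to case-insensitive, whitespace-collapsed values.

```python
"""Toy model of choosing the CRLs that belong to a certificate's DP.

Added illustration, not code from the thread. DNs, URIs and helper names are
constructed. A GeneralName is a (kind, value) pair; a DN is a tuple of RDNs,
each a tuple of (attribute-type, value) pairs.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


def _norm_dn(dn):
    # Simplified X.509 name matching: attribute types exact, values compared
    # case-insensitively with internal whitespace collapsed.
    return tuple(
        tuple(sorted((t.lower(), " ".join(v.split()).lower()) for t, v in rdn))
        for rdn in dn)


def dn_equal(a, b):
    return _norm_dn(a) == _norm_dn(b)


def gn_equal(a, b):
    # Only names of the same kind are comparable; DirectoryName compares as a DN.
    if a[0] != b[0]:
        return False
    if a[0] == "directoryName":
        return dn_equal(a[1], b[1])
    return a[1].lower() == b[1].lower()


@dataclass
class DistributionPoint:                    # one entry of the cert's CRLDP extension
    full_name: Sequence = ()                # DistributionPointName.fullName (GNs)
    relative_name: Optional[tuple] = None   # nameRelativeToCRLIssuer (one RDN)
    crl_issuer: Sequence = ()               # cRLIssuer (GNs)


@dataclass
class Cert:
    issuer: tuple
    dps: Sequence


@dataclass
class CRL:
    issuer: tuple                   # crl.issuer is always a DN
    idp_full_name: Sequence = ()    # IssuingDistributionPoint.distributionPoint


def expected_crl_issuers(cert, dp):
    """DNs a CRL for this DP must be issued under. Without cRLIssuer the cert
    issuer signs the CRL; with cRLIssuer only DirectoryName entries can be
    compared with crl.issuer (a DN), so URI/e-mail forms are dropped."""
    if not dp.crl_issuer:
        return [cert.issuer]
    return [v for kind, v in dp.crl_issuer if kind == "directoryName"]


def dp_full_names(dp, crl_issuer_dn):
    """Resolve the DP name; a relative name is one RDN appended to the CRL issuer DN."""
    if dp.full_name:
        return list(dp.full_name)
    if dp.relative_name is not None:
        return [("directoryName", tuple(crl_issuer_dn) + (dp.relative_name,))]
    return []


def crl_matches_dp(cert, dp, crl):
    """True if `crl` is acceptable for `cert` through distribution point `dp`."""
    if not any(dn_equal(crl.issuer, d) for d in expected_crl_issuers(cert, dp)):
        return False
    # A CRL scoped by an IDP must name this DP (compare the CDP's DP with the IDP's DP).
    if crl.idp_full_name:
        names = dp_full_names(dp, crl.issuer)
        return any(gn_equal(n, i) for n in names for i in crl.idp_full_name)
    return True                     # unscoped CRL from the right issuer


def select_crls(cert, crls):
    return [c for c in crls if any(crl_matches_dp(cert, dp, c) for dp in cert.dps)]


# --- constructed sample data (not real names) ---------------------------------
CA_DN = ((("C", "XX"),), (("O", "Example CA"),), (("CN", "Example Root"),))
CRL_ISSUER_DN = ((("C", "XX"),), (("O", "Example CA"),), (("CN", "Example CRL Issuer"),))
URI = "http://crl.example.invalid/root.crl"

DP_URI = DistributionPoint(full_name=[("uri", URI)],
                           crl_issuer=[("directoryName", CRL_ISSUER_DN)])
DP_RELATIVE = DistributionPoint(relative_name=(("CN", "CRL1"),))       # no cRLIssuer
DP_EMAIL_ISSUER = DistributionPoint(full_name=[("uri", URI)],
                                    crl_issuer=[("rfc822Name", "crl@example.invalid")])
CERT = Cert(issuer=CA_DN, dps=[DP_URI, DP_RELATIVE])

CRL_GOOD = CRL(issuer=CRL_ISSUER_DN, idp_full_name=[("uri", URI)])
CRL_CASE = CRL(issuer=((("C", "xx"),), (("O", "example  ca"),), (("CN", "example crl issuer"),)),
               idp_full_name=[("uri", URI.upper())])
CRL_WRONG_ISSUER = CRL(issuer=CA_DN, idp_full_name=[("uri", URI)])
CRL_OTHER_DP = CRL(issuer=CRL_ISSUER_DN, idp_full_name=[("uri", "http://crl.example.invalid/other.crl")])
CRL_RELATIVE = CRL(issuer=CA_DN, idp_full_name=[("directoryName", CA_DN + ((("CN", "CRL1"),),))])
CRL_UNSCOPED = CRL(issuer=CRL_ISSUER_DN)

if __name__ == "__main__":
    for crl in (CRL_GOOD, CRL_CASE, CRL_WRONG_ISSUER, CRL_OTHER_DP, CRL_RELATIVE, CRL_UNSCOPED):
        print(crl.issuer[-1], list(crl.idp_full_name), "->", crl in select_crls(CERT, [crl]))
```

The DP_EMAIL_ISSUER case shows the ambiguity Russ points out: with a cRLIssuer that is only an rfc822Name, `expected_crl_issuers` yields nothing, so no CRL can be matched on its issuer DN at all; a real validator should treat such a DP as unusable rather than falling back to the certificate issuer.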