Re: [pkix] [x500standard] Indirect CRLs

"Santosh Chokhani" <santosh.chokhani@gmail.com> Mon, 16 November 2015 16:57 UTC

From: "Santosh Chokhani" <santosh.chokhani@gmail.com>
To: <x500standard@freelists.org>, "'PKIX'" <pkix@ietf.org>
Date: Mon, 16 Nov 2015 11:57:15 -0500
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/HD4WLwj7Ixn6ZBgw0gO-KT8ShlM>

Yes. That is an indirect CRL.

Note that the CA needs to assert the appropriate cRLIssuer in the
DistributionPoint field of the CRL DP extension of each certificate the CA
issues.

From: x500standard-bounce@freelists.org
[mailto:x500standard-bounce@freelists.org] On Behalf Of Erik Andersen
Sent: Monday, November 16, 2015 4:48 AM
To: PKIX <pkix@ietf.org>
Cc: Directory list <x500standard@freelists.org>
Subject: [x500standard] Indirect CRLs

I have a question related to indirect CRLs. RFC 5280 in Section 5:

   If the scope of the CRL includes one or more certificates issued by
   an entity other than the CRL issuer, then it is an indirect CRL.

If a CA has delegated CRL issuing to another entity, but this entity only
issues revocation status for certificates issued by that CA, is the CRL then
an indirect CRL?

Erik
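
Added example, not part of either message above: a simplified model of how a relying party binds a delegated issuer's CRL to a certificate (RFC 5280, Section 6.3.3, step (b)(1)) and resolves each entry's issuer via the certificateIssuer entry extension. Names are plain strings and the class, field and function names are assumptions of this sketch; signature checks, distribution point name matching and reason codes are left out.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Entry:                      # one revokedCertificates entry
    serial: int
    certificate_issuer: Optional[str] = None   # certificateIssuer entry extension

@dataclass
class Crl:
    issuer: str
    indirect_crl: bool = False    # indirectCRL flag in the IDP extension
    entries: list = field(default_factory=list)

@dataclass
class Cert:
    issuer: str
    serial: int
    dp_crl_issuer: Optional[str] = None        # cRLIssuer in the CRL DP extension

def crl_in_scope(cert, crl):
    """RFC 5280 6.3.3 step (b)(1): may this CRL speak for this certificate?"""
    if cert.dp_crl_issuer is not None:
        # Delegated case: CRL issuer must be the one named in the certificate,
        # and the CRL must declare itself indirect.
        return crl.issuer == cert.dp_crl_issuer and crl.indirect_crl
    return crl.issuer == cert.issuer

def is_revoked(cert, crl):
    """True/False, or None when the CRL must not be used for this certificate."""
    if not crl_in_scope(cert, crl):
        return None
    current = crl.issuer          # default certificate issuer for the first entry
    for e in crl.entries:
        if e.certificate_issuer is not None:
            current = e.certificate_issuer     # applies until changed again
        if current == cert.issuer and e.serial == cert.serial:
            return True
    return False

# Constructed sample: "CN=CA" delegates CRL issuing to "CN=CRL Signer".
CRL = Crl("CN=CRL Signer", True, [Entry(7, "CN=CA"), Entry(9)])
WITH_DP = Cert("CN=CA", 9, dp_crl_issuer="CN=CRL Signer")
NO_DP = Cert("CN=CA", 9)          # CA omitted cRLIssuer in the certificate
```

Without cRLIssuer in the certificate, the delegated CRL is rejected as out of scope even though it lists the serial number, which is why the CA has to set it in every certificate it issues.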