Re: [pkix] [x500standard] Indirect CRLs

"Santosh Chokhani" <santosh.chokhani@gmail.com> Thu, 19 November 2015 16:27 UTC

From: "Santosh Chokhani" <santosh.chokhani@gmail.com>
To: <mrex@sap.com>
Date: Thu, 19 Nov 2015 11:26:34 -0500
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/SwC0-MR8MCmw-YM3uTbg2w3aIM8>
Cc: x500standard@freelists.org, 'PKIX' <pkix@ietf.org>
Subject: Re: [pkix] [x500standard] Indirect CRLs

Without doing the latter, the relying party will not be able to use the
indirect CRL to verify the revocation status of the certificate in the scope
of the indirect CRL.

-----Original Message-----
From: Martin Rex [mailto:mrex@sap.com] 
Sent: Thursday, November 19, 2015 9:54 AM
To: Santosh Chokhani <santosh.chokhani@gmail.com>
Cc: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: Re: [pkix] [x500standard] Indirect CRLs

Santosh Chokhani wrote:
> Yes.  That is an indirect CRL.
> 
> Note that the CA needs to assert appropriate cRLIssuer in the 
> DistributionPoint field of CRL DP extension of each certificate the CA 
> issues.

Huh?  The latter comment has exactly nothing to do with indirect CRLs.

-Martin
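
Added example, not part of either message above: a simplified Python model of the relying-party check in RFC 5280 section 6.3.3 step (b)(1), which uses the cRLIssuer field of the CRL DP extension, together with the certificateIssuer inheritance for indirect CRL entries from section 5.3.3. The class names, field names and sample names are constructed for illustration; names are compared as plain strings, and signature and path validation of the CRL issuer are left out.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Cert:
    issuer: str
    serial: int
    dp_crl_issuer: Optional[str] = None  # cRLIssuer in the DistributionPoint

@dataclass
class CrlEntry:
    serial: int
    certificate_issuer: Optional[str] = None  # certificateIssuer entry extension

@dataclass
class Crl:
    issuer: str
    indirect: bool = False  # indirectCRL boolean in the IDP extension
    entries: List[CrlEntry] = field(default_factory=list)

def crl_in_scope(cert: Cert, crl: Crl) -> bool:
    """RFC 5280 6.3.3 (b)(1): decide whether this CRL may be used for cert."""
    if cert.dp_crl_issuer is not None:
        # DP names a CRL issuer: the CRL must come from it and be marked indirect.
        return crl.issuer == cert.dp_crl_issuer and crl.indirect
    # No cRLIssuer in the DP: only a CRL issued by the certificate issuer fits.
    return crl.issuer == cert.issuer

def is_revoked(cert: Cert, crl: Crl) -> Optional[bool]:
    """True or False for a usable CRL, None when the CRL is out of scope."""
    if not crl_in_scope(cert, crl):
        return None
    current = crl.issuer  # default certificate issuer for the first entry
    for entry in crl.entries:
        if entry.certificate_issuer is not None:
            current = entry.certificate_issuer  # applies until overridden again
        if current == cert.issuer and entry.serial == cert.serial:
            return True
    return False

# Constructed sample: one indirect CRL covering two CAs.
ICRL = Crl("CN=CRL Signer", indirect=True, entries=[
    CrlEntry(7, "CN=CA One"),
    CrlEntry(9),               # inherits CN=CA One from the preceding entry
    CrlEntry(7, "CN=CA Two"),
])
```
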