Re: [pkix] [x500standard] Indirect CRLs

"Erik Andersen" <era@x500.eu> Thu, 19 November 2015 16:51 UTC

Within X.509 there is not even a small paragraph introducing indirect CRLs
where such information could be introduced. Besides the brief definition,
iCRLs are mentioned the first time within the CRL scope extension (which is
deprecated).

Erik
-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokhani
Sent: 19 November 2015 17:27
To: mrex@sap.com
Cc: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: Re: [pkix] [x500standard] Indirect CRLs

Without doing the latter, the relying party will not be able to use the
indirect CRL to verify the revocation status of the certificate in the scope
of the indirect CRL.

-----Original Message-----
From: Martin Rex [mailto:mrex@sap.com]
Sent: Thursday, November 19, 2015 9:54 AM
To: Santosh Chokhani <santosh.chokhani@gmail.com>
Cc: x500standard@freelists.org; 'PKIX' <pkix@ietf.org>
Subject: Re: [pkix] [x500standard] Indirect CRLs

Santosh Chokhani wrote:
> Yes.  That is an indirect CRL.
> 
> Note that the CA needs to assert appropriate cRLIssuer in the 
> DistributionPoint field of CRL DP extension of each certificate the CA 
> issues.

Huh?  The latter comment has exactly nothing to do with indirect CRLs.

-Martin
