Re: [pkix] [x500standard] Indirect CRLs

"Erik Andersen" <> Tue, 17 November 2015 08:37 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 6F6681B2C96 for <>; Tue, 17 Nov 2015 00:37:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.59
X-Spam-Status: No, score=-1.59 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DK=1.009, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FbRvmc3sBAkc for <>; Tue, 17 Nov 2015 00:36:59 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 320821B2C94 for <>; Tue, 17 Nov 2015 00:36:59 -0800 (PST)
Received: from Morten ([]) by (DanDomain Mailserver) with ASMTP id 4201511170936555145; Tue, 17 Nov 2015 09:36:55 +0100
From: "Erik Andersen" <>
To: "'Santosh Chokhani'" <>, <>, "'PKIX'" <>
References: <002701d12053$dee21d30$9ca65790$> <012001d1208f$d8cab330$8a601990$> <003b01d1210f$ead18240$c07486c0$>
In-Reply-To: <003b01d1210f$ead18240$c07486c0$>
Date: Tue, 17 Nov 2015 09:36:55 +0100
Message-ID: <004c01d12113$1dd26d00$59774700$>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_004D_01D1211B.7F97E670"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQHe19kKlDjUbKxoDOCow0BcjpR94QJLV6rQAUpwCuueZ8U8cA==
Content-Language: en-gb
Archived-At: <>
Subject: Re: [pkix] [x500standard] Indirect CRLs
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 17 Nov 2015 08:37:01 -0000

Hi Santosh,


In continuation, I checked the X.509 definition for  indirect CRL :


3.5.36   indirect CRL (iCRL): A revocation list that contains at least
revocation information about certificates issued by authorities other than
that which issued this CRL.


This could be a little confusing.


As I understand from your answer, if I as CA delegate the CRL issuing to a
closely related function or even if I locally generate a new PKC with
another subject name  just for signing CRLs, it is still an indirect CRL.






Fra: pkix [] På vegne af Erik Andersen
Sendt: 17 November 2015 09:14
Til: 'Santosh Chokhani' <>om>;; 'PKIX' <>
Emne: Re: [pkix] [x500standard] Indirect CRLs


Hi Santosh,


Thanks a lot for your answer.


My first impression reading the text was that an indirect CRL is one that
potentially holds revocation information from multiple CAs. Others may have
the same impression. I will check X.509 to see  if it  clear enough on this


Kind regards,




Fra: pkix [] På vegne af Santosh Chokhani
Sendt: 16 November 2015 17:57
Til: <> ; 'PKIX'
< <> >
Emne: Re: [pkix] [x500standard] Indirect CRLs


Yes.  That is an indirect CRL.


Note that the CA needs to assert appropriate cRLIssuer in the
DistributionPoint field of CRL DP extension of each certificate the CA


[] On Behalf Of Erik Andersen
Sent: Monday, November 16, 2015 4:48 AM
To: PKIX < <> >
Cc: Directory list <
<> >
Subject: [x500standard] Indirect CRLs


I have a question related to indirect CRLs. RFC 5280 in Section 5:


If the scope of the CRL includes one or more certificates issued by

an entity other than the CRL issuer, then it is an indirect CRL.


If a CA has delegated CRL issuing to another entity, but this entity only
issues revocation status for certificates issued by that CA, is the CRL then
an indirect CRL?