On Wed, Jun 5, 2013 at 1:33 PM, Carl Wallace <c...@redhoundsoftware.com> wrote:

>
> From: Phillip Hallam-Baker <hal...@gmail.com>
> Date: Wednesday, June 5, 2013 1:26 PM
>
> To: Carl Wallace <c...@redhoundsoftware.com>
> Cc: Rob Stradling <rob.stradl...@comodo.com>, "wpkops@ietf.org" <wpkops@ietf.org>, Adam Langley <a...@chromium.org>
> Subject: Re: [wpkops] Some questions about revocation reasons
>
> Probably better to just ask what CRLs they issue and for each whether the
> frequency of issue for full and deltas, and whether they use distribution
> points
>
>
> I don't think so.  Part of the point could be to identify and stamp out
> some of the unused corners.  Denying the existence of such things does not
> seem helpful.  Documenting pervasive lack of support (which I thought was
> part of this effort) may help.
>

I thought we were talking about the CAs...

For the Clients I would expect the situation to be binary: either they
support a feature or not. If they support direct delta CRLs and indirect
CRLs, but not indirect deltas, we are in trouble.



> Indirect raises another issue. By definition an indirect CRL is not issued
> by the issuing CA. But that gets us into some complex semantic games. What
> does it mean if the GeoTrust CRL is signed by Thawte? Is that indirect or
> direct?
>
> What I am getting at here is that maybe the issues are going to be a
> little more complex than a binary choice. The term CA can get rather
> slippery. It is an organizational concept and PKIX only deals in
> certificates and trust anchors. From a processing standpoint it seems
> 'obvious' to me that there 'should' be a CRL associated with every
> certificate signing cert. But the spec was originally written from the
> assumption that a CA was identical to a trust anchor. So it gets rather
> murky, particularly as trust anchors were rolled over.
>
> Some points to ponder:
>
> * Could DigiNotar have issued a CRL that clients would have accepted as
> validating certs of other CAs?
>
>
> Or if not a CRL, could DigiNotar have issued an OCSP responder certificate
> that was authorized to provide responses for any CA?
>

Another good question.

Easy to say what we think they should do in that one situation. But there
are many corner cases that the clients have to support.

Very easy to assume that we know the answers.



-- 
Website: http://hallambaker.com/
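The thread above turns on when a relying party should treat a CRL as covering a certificate at all, in particular when the CRL issuer is not the certificate issuer (the indirect case). The following is an added example, not code from the original message or from any of the CAs named in it. It models the issuer-matching rules of RFC 5280 section 6.3.3 (a) and (b)(1) and the certificateIssuer entry-extension handling of section 5.3.3 as plain Python data rather than parsing DER; the CA names, serial numbers and the "signer" field (which stands in for an already-verified signature) are constructed for the example.

```python
"""Model of the RFC 5280 checks that decide whether a CRL is in scope for a
certificate, including the indirect-CRL case.  Constructed example: names and
serials are made up, and no real CRL or certificate is parsed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    # cRLIssuer from the certificate's CRLDistributionPoints extension, if any.
    crl_issuer: Optional[str] = None


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    # certificateIssuer entry extension; only meaningful on an indirect CRL.
    certificate_issuer: Optional[str] = None


@dataclass(frozen=True)
class Crl:
    issuer: str                      # the CRL's issuer field
    signer: str                      # key that produced the signature (assumed verified)
    indirect: bool = False           # IssuingDistributionPoint.indirectCRL
    entries: Tuple[CrlEntry, ...] = ()


def crl_in_scope(cert: Cert, crl: Crl) -> Tuple[bool, str]:
    """Apply the issuer-matching rules of RFC 5280 6.3.3 (a) and (b)(1)."""
    # (a) The signature must come from the key of the entity named as CRL issuer;
    # a CRL naming one issuer but signed by another key is rejected outright.
    if crl.signer != crl.issuer:
        return False, "CRL signature not from the CRL issuer's key"
    if cert.crl_issuer is not None:
        # The certificate names a separate CRL issuer: the CRL must come from that
        # entity and must declare itself indirect.
        if crl.issuer != cert.crl_issuer:
            return False, "CRL issuer does not match cRLIssuer in the certificate"
        if not crl.indirect:
            return False, "cRLIssuer is set but the CRL lacks the indirectCRL flag"
        return True, "indirect CRL from the named cRLIssuer"
    # No cRLIssuer named: only the certificate issuer's own CRL counts.
    if crl.issuer != cert.issuer:
        return False, "CRL issuer differs from certificate issuer and no cRLIssuer is named"
    return True, "direct CRL from the certificate issuer"


def is_revoked(cert: Cert, crl: Crl) -> bool:
    """Scan a CRL already found in scope.  On an indirect CRL the certificateIssuer
    entry extension sets the issuer for that entry and all following entries;
    entries before the first such extension belong to the CRL issuer itself."""
    ok, reason = crl_in_scope(cert, crl)
    if not ok:
        raise ValueError("CRL is not in scope for this certificate: " + reason)
    current_issuer = crl.issuer
    for entry in crl.entries:
        if crl.indirect and entry.certificate_issuer is not None:
            current_issuer = entry.certificate_issuer
        # A serial number is only meaningful together with the issuer it belongs to.
        if entry.serial == cert.serial and current_issuer == cert.issuer:
            return True
    return False


if __name__ == "__main__":
    # Constructed scenario: a leaf issued by "Example Issuing CA" with serial 1001.
    leaf = Cert("leaf", "Example Issuing CA", 1001)
    # An unrelated CA publishes an indirect CRL listing that serial under the
    # leaf's issuer name; nothing in the leaf points at that CA as cRLIssuer.
    foreign = Crl("Unrelated CA", "Unrelated CA", indirect=True,
                  entries=(CrlEntry(1001, "Example Issuing CA"),))
    print(crl_in_scope(leaf, foreign))   # (False, 'CRL issuer differs ...')
    own = Crl("Example Issuing CA", "Example Issuing CA", entries=(CrlEntry(1001),))
    print(crl_in_scope(leaf, own), is_revoked(leaf, own))
```

The two scope checks are deliberately separate from the entry scan: a relying party that skips `crl_in_scope` and matches on serial number alone would accept entries from any CRL it happened to fetch, which is the failure mode the questions in the thread are probing.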
_______________________________________________
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops