I think I can help Tony find some references which help
support that the "Typical" case is in fact the only
allowed one.

On pages 246 or so of Book 2, the CRL are discussed and
2 important points are made:

1) The CRLNumber (CRL extension) must be incremented each
time a new CRL is Issued.  This would imply that a cert chain
validator is responsible for finding the most recent (by number)
CRL for processing.

2) Specifically on Page 246, each time a CRL is issued, it MUST
contain the complete list of all unexpired, revoked certificates
for that Issuer.  So there is no benefit to having 2 parallel
CRL paths, each path must contain the same information.

Now, that being said, I suppose the BCI can list 2 different
CRLs for the same Issuer, but certchain validators should
look for the most up-to-date CRL and use that one.  And I would
hazard a guess that if someone DOES put 2 CRLs from the same
Issuer in the BCI, you are inviting trouble.  It would not
surprise me if some implementations didn't handle this
correctly.

-Terence


Quoting Lewis, Tony ([EMAIL PROTECTED]):
> On Monday, May 14, 2001 3:07 AM, Mykhailo Lyubich wrote:
> 
> > can a BCI contain a references to two valid CRLs
> > which belong to the same certification authority?
> 
> Typically, the BCI will contain the serial number of the most recently
> issued CRL. However, I cannot find anything in Book 2 that explicitly
> prohibits two serial numbers from being listed for the same distinguished
> name.
> _________________________________________________________________
> Tony Lewis ([EMAIL PROTECTED])
> Chief Systems Architect, Internet Commerce
> Visa International Service Association
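
The selection rule Terence describes above (treat the CRL with the highest CRLNumber as the only current one for a given issuer, and note when a BCI lists more than one CRL for the same issuer) can be written out as a small validator-side check. The following is an added example for this thread, not code from the SET specification or from any of the posters; the issuer names, CRL numbers and serial numbers are constructed sample data, and the `Crl` record is a simplification of a real X.509 CRL that keeps only the fields the discussion turns on.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Crl:
    """Minimal stand-in for an X.509 CRL (constructed for this example)."""
    issuer: str                    # issuer distinguished name
    crl_number: int                # value of the CRLNumber extension
    revoked_serials: FrozenSet[int]  # complete list of unexpired revoked serials


def select_current_crls(crls: List[Crl]) -> Dict[str, Crl]:
    """Return one CRL per issuer: the one carrying the highest CRLNumber.

    Because every issued CRL is required to be complete, the newest one
    supersedes all older ones and is the only one a validator should use.
    """
    current: Dict[str, Crl] = {}
    for crl in crls:
        existing = current.get(crl.issuer)
        if existing is None or crl.crl_number > existing.crl_number:
            current[crl.issuer] = crl
    return current


def duplicate_issuers(crls: List[Crl]) -> Dict[str, List[int]]:
    """Report issuers that appear more than once (the 'inviting trouble' case),
    mapped to the sorted CRL numbers seen for them."""
    seen: Dict[str, List[int]] = {}
    for crl in crls:
        seen.setdefault(crl.issuer, []).append(crl.crl_number)
    return {issuer: sorted(nums) for issuer, nums in seen.items() if len(nums) > 1}


def is_revoked(issuer: str, serial: int, crls: List[Crl]) -> Optional[bool]:
    """Check a certificate against the most recent CRL for its issuer.

    Returns None when no CRL for the issuer is available, so the caller
    cannot mistake 'no data' for 'not revoked'.
    """
    crl = select_current_crls(crls).get(issuer)
    if crl is None:
        return None
    return serial in crl.revoked_serials


# Constructed sample BCI contents: the brand CA appears twice, with CRL #8
# superseding CRL #7 and adding serial 1003 to the revoked list.
BRAND_CA = "CN=Sample Brand CA, O=Example"
OTHER_CA = "CN=Sample Other CA, O=Example"

SAMPLE_BCI_CRLS: List[Crl] = [
    Crl(BRAND_CA, 7, frozenset({1001, 1002})),
    Crl(BRAND_CA, 8, frozenset({1001, 1002, 1003})),
    Crl(OTHER_CA, 3, frozenset()),
]


if __name__ == "__main__":
    dupes = duplicate_issuers(SAMPLE_BCI_CRLS)
    if dupes:
        print("BCI lists more than one CRL for:", dupes)
    for issuer, crl in select_current_crls(SAMPLE_BCI_CRLS).items():
        print(f"using CRL #{crl.crl_number} for {issuer}")
    # Serial 1003 is only revoked in the newer CRL; a validator that picked
    # CRL #7 by mistake would accept it.
    print("serial 1003 revoked:", is_revoked(BRAND_CA, 1003, SAMPLE_BCI_CRLS))
```

The point the sample data makes is the one from the thread: a validator that happened to pick CRL #7 would accept serial 1003, while the rule "always use the highest CRLNumber" rejects it, and the same rule makes two BCI entries for one issuer harmless even if they are ill-advised.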
