3. In 4, last paragraph: "... Where two or more CRLs issued by a single CA are present in a certificate repository, the CRL with the highest value of the "CRL Number" field supersedes all other CRLs issued by this CA."

When doing a rekey, a CA may have more than one key pair working in parallel, and therefore must issue more than one CRL. In this case, the highest CRL number does not supersede all CRLs by that CA.

I've consulted section 5.2.3 of RFC 3280 and the text is that a CRL Number "conveys a monotonically increasing sequence number for a given CRL scope and CRL issuer. This extension allows users to easily determine when a particular CRL supersedes another CRL."

Section 4 of this draft already defines the scope as "all certificates issued by this CA" and states that "The CRL Issuer is the CA".

So even when re-keying in the CA, RFC 3280 appears to indicate that the highest CRL supersedes all other CRLs.

I don't propose changing the text at this point, as it appears that the draft's text is already consistent with RFC 3280.

(I must admit that I'm a bit at sea when thinking about a certificate issued with CA's key pair A being revoked with CA's key pair B, but my interpretation of the text in 3280 appears to allow precisely that!)


After thinking about this some more, I propose the following text:


"The CRL Number extension conveys a monotonically increasing sequence number of positive integers for a given CA and scope. This extension allows users to easily determine when a particular CRL supersedes another CRL. The highest CRL Number value supersedes all other CRLs issued by the CA with the same scope."

And to define the scope of the CRL in the PKI as follows:

"The scope of the CRL MUST be "all certificates issued by this CA using a given key pair". The contents of the CRL are a list of all non-expired certificates issued by the CA using a given key pair that have been revoked by the CA.

[...]

The profile allows the issuance of multiple current CRLs with different scope by a single CA, with the scope being defined by the key pair used by the CA."

Is this text clearer?


  Geoff





_______________________________________________
Sidr mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/sidr
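The two readings of "supersedes" discussed in the message above, as an added worked example that is not part of the original post or of the draft: a re-keyed CA signs CRLs with two key pairs, and the code compares "highest CRL Number per (issuer, key pair) scope", as the proposed text defines it, against "highest CRL Number across every CRL the CA has issued". The CA name, the key identifiers "A1" and "B2", the serial numbers and the CRL Numbers are constructed for the illustration; in a real deployment the scope key would come from each CRL's Authority Key Identifier extension and the number from its CRL Number extension.

```python
"""Selecting the current CRL(s) of a CA that has re-keyed.

Constructed example (not real PKI data): a CA signs CRLs with key pair A
(AKI "A1") and, after a rekey, with key pair B (AKI "B2"). Two selection
rules are compared:
  * per-scope rule: highest CRL Number within each (issuer, key pair) scope
  * global rule:    highest CRL Number across all CRLs issued by the CA
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

Scope = Tuple[str, str]  # (CRL issuer name, authority key identifier)


@dataclass(frozen=True)
class CrlSummary:
    issuer: str               # CRL issuer field (the CA)
    aki: str                  # key id of the CA key pair that signed this CRL
    crl_number: int           # value of the CRL Number extension
    revoked: FrozenSet[int]   # serial numbers in revokedCertificates

    @property
    def scope(self) -> Scope:
        return (self.issuer, self.aki)


def supersedes(newer: CrlSummary, older: CrlSummary) -> bool:
    """Per-scope rule: a CRL replaces another only within the same scope."""
    return newer.scope == older.scope and newer.crl_number > older.crl_number


def current_crls_per_scope(crls: Iterable[CrlSummary]) -> Dict[Scope, CrlSummary]:
    """One current CRL per (issuer, key pair): the highest CRL Number in that scope.

    Two CRLs with the same number in one scope violate the "monotonically
    increasing" requirement, so that case is rejected rather than guessed at.
    """
    current: Dict[Scope, CrlSummary] = {}
    for crl in crls:
        held = current.get(crl.scope)
        if held is not None and held.crl_number == crl.crl_number:
            raise ValueError(f"duplicate CRL Number {crl.crl_number} in scope {crl.scope}")
        if held is None or supersedes(crl, held):
            current[crl.scope] = crl
    return current


def current_crl_global_max(crls: Iterable[CrlSummary]) -> CrlSummary:
    """Global rule: a single current CRL per CA, whichever key pair signed it."""
    return max(crls, key=lambda c: c.crl_number)


def is_revoked(serial: int, issuer: str, issuing_aki: str,
               current: Dict[Scope, CrlSummary]) -> Optional[bool]:
    """Check a certificate against the current CRL of its own scope.

    The certificate's AKI names the CA key pair that issued it, which under
    the per-scope rule is also the key pair whose CRL covers it. Returns
    None when no CRL for that scope is available, i.e. no decision possible.
    """
    crl = current.get((issuer, issuing_aki))
    if crl is None:
        return None
    return serial in crl.revoked


# Constructed sample repository contents, deliberately out of order.
CA = "CN=Example CA"
SAMPLE_CRLS = [
    CrlSummary(CA, "B2", 2, frozenset({0x20, 0x21})),  # key pair B, newest
    CrlSummary(CA, "A1", 5, frozenset({0x10})),        # key pair A, older
    CrlSummary(CA, "B2", 1, frozenset({0x20})),        # key pair B, older
    CrlSummary(CA, "A1", 6, frozenset({0x10, 0x11})),  # key pair A, newest
]


if __name__ == "__main__":
    per_scope = current_crls_per_scope(SAMPLE_CRLS)
    for scope, crl in sorted(per_scope.items()):
        print(f"scope {scope}: current CRL Number {crl.crl_number}")
    only = current_crl_global_max(SAMPLE_CRLS)
    print(f"global rule keeps only key pair {only.aki}, CRL Number {only.crl_number}")
    print("serial 0x21 (issued under B2) revoked under per-scope rule:",
          is_revoked(0x21, CA, "B2", per_scope))
    print("serial 0x21 listed in the global-rule CRL:", 0x21 in only.revoked)
```

Under the global rule the key pair A CRL with number 6 wins over the key pair B CRL with number 2, so the revocation of serial 0x21 issued under key pair B is never seen; under the per-scope rule both CRLs stay current and the check lands on the right list. The per-scope rule also raises on two CRLs with the same number in one scope, which is the condition a relying party should treat as a repository error rather than resolve by thisUpdate.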