At 07:28 AM 7/04/2007, Stephen Kent wrote:
...
After thinking about this some more, I propose the following text
"The CRL Number extension conveys a monotonically increasing
sequence number of positive integers for a given CA and scope. This
extension allows users to easily determine when a particular CRL
supersedes another CRL. The highest CRL Number value supersedes all
other CRLs issued by the CA with the same scope."
And to define the scope of the CRL in the PKI as follows:
The scope of the CRL is the set of certificates issued by this CA
under a given key. Thus the CRL contains the list of all revoked,
non-expired certificates issued by the CA using that key.
[...]
The profile allows the issuance of multiple current CRLs with
different scope by a single CA, with the scope being defined by the
key used by the CA. Thus if a CA acquires a new certificate,
containing a new public key (a re-key of the CA), the CA will begin
issuing a separate sequence of CRLs under that new key. In contrast,
if a CA acquires a new certificate but uses the same public key in
that certificate (a certificate renewal) the extant CRL sequence is maintained.
Thanks, Steve, for this text - I agree with this description of the CRL
scope (as does Rob Kisteleki, I believe), and I will add this text to
the draft.
regards,
Geoff
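The selection rule in the quoted text (group CRLs by CA and signing key, the highest CRL Number supersedes the rest, a re-key starts a fresh sequence while a renewal keeps the existing one) can be shown as a small relying-party routine. This is an added illustration, not code from the thread or from the sidr draft; the `Crl` model, the field names and the sample CRLs are constructed here, and the key identifiers "K1"/"K2" are placeholders for whatever identifies the CA signing key in a real deployment.

```python
"""Added example (not from the sidr thread): picking the current CRL per scope.

Scope follows the quoted definition: the certificates a CA issued under a
given key, so CRLs are grouped by (issuer name, CA key identifier).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

Scope = Tuple[str, str]  # (issuer name, CA key identifier); hypothetical model


@dataclass(frozen=True)
class Crl:
    issuer: str                    # CA distinguished name (constructed sample values below)
    authority_key_id: str          # identifies the CA key that signed this CRL
    crl_number: int                # value of the CRL Number extension
    revoked_serials: FrozenSet[int]

    @property
    def scope(self) -> Scope:
        return (self.issuer, self.authority_key_id)


def select_current(crls: Iterable[Crl]) -> Dict[Scope, Crl]:
    """Return, per scope, the CRL with the highest CRL Number.

    A higher CRL Number supersedes all other CRLs of the same scope; CRLs in
    different scopes (for example after a CA re-key) are independent sequences
    and are never compared with each other.
    """
    current: Dict[Scope, Crl] = {}
    for crl in crls:
        best = current.get(crl.scope)
        if best is None or crl.crl_number > best.crl_number:
            current[crl.scope] = crl
    return current


def check_monotonic(previous: Crl, new: Crl) -> bool:
    """True if `new` legitimately follows `previous` within the same scope.

    A relying party that caches CRLs can use this to refuse a CRL whose number
    is not strictly greater than the one it already holds for that scope,
    which is how a replayed or stale CRL would present itself.
    """
    return new.scope == previous.scope and new.crl_number > previous.crl_number


def is_revoked(serial: int, issuer: str, authority_key_id: str,
               crls: Iterable[Crl]) -> bool:
    """Check a certificate serial against the current CRL for its scope."""
    current = select_current(crls).get((issuer, authority_key_id))
    if current is None:
        # No CRL for this scope means status unknown, not "good".
        raise LookupError("no CRL available for this scope")
    return serial in current.revoked_serials


# Constructed sample data: CA "CA-1" issues CRLs under key K1, then re-keys to K2.
# A certificate renewal with the same key would stay in the K1 sequence.
SAMPLE_CRLS: List[Crl] = [
    Crl("CN=CA-1", "K1", 41, frozenset({1001})),
    Crl("CN=CA-1", "K1", 42, frozenset({1001, 1005})),  # supersedes #41 in scope K1
    Crl("CN=CA-1", "K2", 1, frozenset({2001})),         # new sequence after re-key
    Crl("CN=CA-1", "K2", 2, frozenset({2001, 2002})),   # supersedes #1 in scope K2
]

if __name__ == "__main__":
    for scope, crl in select_current(SAMPLE_CRLS).items():
        print(scope, "-> CRL Number", crl.crl_number)
```

The point of keying the cache by (issuer, CA key) rather than by issuer alone is exactly the re-key case in the quoted text: CRL Number 1 under K2 must not be discarded as "older" than CRL Number 42 under K1, because the two numbers belong to different sequences.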
_______________________________________________
Sidr mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/sidr