Geoff,

Thanks for your responses. Please see below for my further comments.

>> 2. How do you perform the validation of a CRL?

>RFC6487 provided no guidance, and referred to RFC5280, so that is still the 
>case.
>nothing changes here.

>> How is it similar to or different from how you validate a ROA?

>There are no resources in a CRL so I presume that section 6.1 of RFC5280 is
>a good procedure to follow.

>> How do you walk the certificate hierarchy in the case of a CRL validation 
>> process?
>> I.e. How are the "encompassing" rules applied?

>huh - I’ll say it again just to be sure: CRLs have no resources.

But what about the CA certificate under which the CRL was issued? 
That certificate has resources in it.
Don't you need to validate that certificate before you validate the CRL?
Does the RP apply the revised (lenient) algorithm in that validation process as 
well?
Or, does the RP need to use two separate validation algorithms -- 
(1) the revised (lenient encompassing) algorithm for ROAs (or EE certs), and
(2) the existing (strict encompassing) algorithm elsewhere?

After re-reading Steve Kent's post, I realize that he asked a similar question 
earlier:
http://www.ietf.org/mail-archive/web/sidr/current/msg07442.html 
(Please see his 3rd last paragraph -- about CRLs)

Sriram 
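As an added illustration of the point raised above (not code from the thread or from any RPKI implementation), the following toy model shows why the choice of encompassing algorithm still matters when validating a CRL: the CRL itself carries no resources, but the path to the CA certificate that signed it does. The "strict" mode models the RFC 6487 rule that any over-claimed resource invalidates the certificate; the "lenient" mode is an assumed, simplified reading of the revised algorithm under discussion (verified set = the child's resources that the issuer encompasses, over-claims dropped with a warning). Certificate names, prefixes, and the `Cert`/`CRL` types are constructed for the example; signature and validity-period checks are assumed done.

```python
"""Toy model of RPKI resource 'encompassing' checks along a certificate chain
(constructed example; signature and time-validity checks are assumed done)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    name: str
    issuer: Optional[str]    # None marks the trust anchor
    resources: Tuple         # ip_network objects from the RFC 3779 extension


@dataclass(frozen=True)
class CRL:
    issuer: str              # name of the CA certificate that signed the CRL
    revoked: FrozenSet[int]  # revoked serial numbers; a CRL carries no resources


def covered(net, nets):
    """True if `net` lies entirely inside one of the networks in `nets`."""
    return any(net.version == p.version and net.subnet_of(p) for p in nets)


def validate_chain(chain, mode):
    """Walk [TA, CA1, CA2, ...] and check each certificate's resources against
    its issuer's verified resources.

    mode == 'strict'  : any resource not encompassed by the issuer invalidates
                        the certificate (and everything below it).
    mode == 'lenient' : assumed, simplified revised behaviour: the verified set
                        is the child's resources that the issuer encompasses;
                        over-claimed prefixes are dropped with a warning and
                        the certificate stays valid.
    Returns (valid, verified_resources, warnings)."""
    verified = set(chain[0].resources)        # trust anchor is taken as-is
    warnings = []
    for parent, child in zip(chain, chain[1:]):
        if child.issuer != parent.name:
            return False, set(), warnings + [f"{child.name}: issuer mismatch"]
        over = [str(n) for n in child.resources if not covered(n, verified)]
        if over and mode == "strict":
            return False, set(), warnings + [f"{child.name}: over-claims {over}"]
        if over:
            warnings.append(f"{child.name}: dropping over-claimed {over}")
        verified = {n for n in child.resources if covered(n, verified)}
    return True, verified, warnings


def validate_crl(crl, certs_by_name, mode):
    """The CRL has no resources, so the encompassing rules only bite while
    validating the path to the CA certificate that issued it."""
    chain, name = [], crl.issuer
    while name is not None:                   # climb issuer links up to the TA
        cert = certs_by_name[name]
        chain.append(cert)
        name = cert.issuer
    chain.reverse()                           # TA first
    valid, _, warnings = validate_chain(chain, mode)
    return valid, warnings


# Constructed sample hierarchy (documentation prefixes only)
TA = Cert("TA", None, (ip_network("192.0.2.0/24"), ip_network("2001:db8::/32")))
CA_GOOD = Cert("CA-good", "TA", (ip_network("192.0.2.0/25"),))
CA_OVER = Cert("CA-over", "TA", (ip_network("192.0.2.128/25"),
                                 ip_network("198.51.100.0/24")))  # TA does not hold this
CERTS = {c.name: c for c in (TA, CA_GOOD, CA_OVER)}
CRL_GOOD = CRL("CA-good", frozenset({7}))
CRL_OVER = CRL("CA-over", frozenset({9}))


if __name__ == "__main__":
    for crl in (CRL_GOOD, CRL_OVER):
        for mode in ("strict", "lenient"):
            print(crl.issuer, mode, validate_crl(crl, CERTS, mode))
```

Under "strict", the CRL signed by the over-claiming CA cannot be validated at all because its issuer's certificate fails; under "lenient", the same CRL validates with a warning. An RP that applies the revised rule only to ROAs/EE certificates and the strict rule elsewhere would reject that CRL while still accepting ROAs under the same CA, which is exactly the two-algorithm situation the message asks about.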
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr