> On 30 Nov 2015, at 8:58 AM, Sriram, Kotikalapudi <[email protected]> wrote:
>
> Geoff,
>
> Thanks for your responses. Please see below for my further comments.
>
>>> 2. How do you perform the validation of a CRL?
>
>> RFC6487 provided no guidance, and referred to RFC5280, so that is still the
>> case.
>> nothing changes here.
>
>>> How is it similar to or different from how you validate a ROA?
>
>> There are no resources in a CRL so I presume that section 6.1 of RFC5280 is
>> a good procedure to follow.
>
>>> How do you walk the certificate hierarchy in the case of a CRL validation
>>> process?
>>> I.e. How are the "encompassing" rules applied?
>
>> huh - I’ll say it again just to be sure: CRLs have no resources.
>
> But what about the CA certificate under which the CRL was issued?
> That certificate has resources in it.
> Don't you need to validate that certificate before you validate the CRL?
> Does the RP apply the revised (lenient) algorithm in that validation process
> as well?
> Or, does the RP need to use two separate validation algorithms --
> (1) the revised (lenient encompassing) algorithm for ROAs (or EE certs), and
> (2) the existing (strict encompassing) algorithm elsewhere?
>
> After re-reading Steve Kent's post, I realize that he asked a similar
> question earlier:
> http://www.ietf.org/mail-archive/web/sidr/current/msg07442.html
> (Please see his 3rd last paragraph -- about CRLs)
I would’ve thought that if you can establish a chain of Issuer / subject certs that connect a chosen Trust Anchor to the CA that issued the CRL then you have a sound reason to accept the CRL. Given that the CRL has no resources there does not seem to be any resource attribute test that can be applied here.

Geoff

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
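The two behaviours the thread argues about, as an added toy model (this is not code from the sidr thread nor from any relying-party implementation). It walks an issuer chain from a trust anchor and applies the "encompassing" rule in two modes: `strict`, where every resource a certificate claims must lie inside its issuer's verified set or the certificate is invalid, and `lenient`, where resources outside the issuer's set are dropped and the certificate is accepted with what remains (my reading of the "revised" algorithm the thread refers to; an assumption). `validate_crl` follows Geoff's rule by default, chain only and no resource test, and takes an optional `mode` to show what changes if the issuing CA's own certificate is also put through the resource check, which is the case Sriram asks about. The certificate names, prefixes and the `Cert`/`CRL` classes are constructed for the example.

```python
# Added example (not from the sidr thread or any RP implementation): a toy
# model of RPKI path validation with strict and lenient "encompassing" rules,
# and a CRL check that follows the issuer chain only.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Cert:
    name: str
    issuer: Optional[str]   # None marks the trust anchor
    resources: List[str]    # CIDR strings standing in for the RFC 3779 extension


@dataclass
class CRL:
    issuer: str             # the CA that signed the CRL; a CRL carries no resources
    revoked_serials: Set[int] = field(default_factory=set)


def _nets(cidrs: List[str]):
    return [ipaddress.ip_network(c) for c in cidrs]


def _encompassed(claimed, parent):
    """Part of `claimed` lying inside `parent`. Same-family CIDR blocks are
    either nested or disjoint, so the intersection is the smaller block."""
    out = []
    for c in claimed:
        for p in parent:
            if c.version != p.version:
                continue
            if c.subnet_of(p):
                out.append(c)
            elif p.subnet_of(c):
                out.append(p)
    return list(dict.fromkeys(out))   # drop duplicates, keep order


def build_chain(name: str, store: Dict[str, Cert]) -> Optional[List[Cert]]:
    """Follow issuer links from `name` to a trust anchor; returns TA first, leaf last."""
    chain, seen = [], set()
    cur = store.get(name)
    while cur is not None:
        if cur.name in seen:          # issuer loop: no path to a trust anchor
            return None
        seen.add(cur.name)
        chain.append(cur)
        if cur.issuer is None:
            return list(reversed(chain))
        cur = store.get(cur.issuer)
    return None                       # dangling issuer reference


def verified_resources(chain: List[Cert], mode: str):
    """Walk TA -> leaf applying the encompassing rule at each step.
    strict: any un-encompassed resource invalidates the certificate (returns None).
    lenient: un-encompassed resources are dropped, the certificate is kept.
    Returns the leaf's verified resource set."""
    verified = _nets(chain[0].resources)   # the TA's resources are taken as given
    for cert in chain[1:]:
        claimed = _nets(cert.resources)
        inside = _encompassed(claimed, verified)
        if mode == "strict" and set(inside) != set(claimed):
            return None
        verified = inside
    return verified


def validate_roa(prefix: str, ee_name: str, store: Dict[str, Cert], mode: str) -> bool:
    """A ROA prefix is valid when the EE certificate's verified set covers it."""
    chain = build_chain(ee_name, store)
    if chain is None:
        return False
    verified = verified_resources(chain, mode)
    if verified is None:
        return False
    p = ipaddress.ip_network(prefix)
    return any(p.version == v.version and p.subnet_of(v) for v in verified)


def validate_crl(crl: CRL, store: Dict[str, Cert], mode: Optional[str] = None) -> bool:
    """mode=None: accept when the issuer chains to a TA, no resource test (the CRL
    has no resources). "strict"/"lenient": also run the issuing CA's own
    certificate through the encompassing rule."""
    chain = build_chain(crl.issuer, store)
    if chain is None:
        return False
    if mode is None:
        return True
    return verified_resources(chain, mode) is not None


# Constructed sample hierarchy: CA1 over-claims 192.168.0.0/16, which the TA does not hold.
STORE: Dict[str, Cert] = {c.name: c for c in [
    Cert("TA", None, ["10.0.0.0/8"]),
    Cert("CA1", "TA", ["10.1.0.0/16", "192.168.0.0/16"]),
    Cert("EE1", "CA1", ["10.1.2.0/24"]),
    Cert("EE2", "CA1", ["192.168.5.0/24"]),
    Cert("EE3", "NOBODY", ["10.9.0.0/24"]),     # issuer not in the store
]}
CRL1 = CRL(issuer="CA1", revoked_serials={7})

if __name__ == "__main__":
    for mode in ("strict", "lenient"):
        print(mode, "ROA 10.1.2.0/24 via EE1:", validate_roa("10.1.2.0/24", "EE1", STORE, mode))
        print(mode, "ROA 192.168.5.0/24 via EE2:", validate_roa("192.168.5.0/24", "EE2", STORE, mode))
        print(mode, "CRL1 with issuer resource test:", validate_crl(CRL1, STORE, mode))
    print("CRL1, chain only:", validate_crl(CRL1, STORE))
```

Under the strict rule CA1's over-claim poisons everything beneath it, the CRL included if the CA certificate is subjected to the resource test; under the lenient rule CA1 is trimmed to 10.1.0.0/16, so EE1's ROA validates, EE2's does not, and the CRL is accepted either way. With `mode=None` the CRL outcome depends only on whether the issuer chains to the trust anchor, which is the rule Geoff describes.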
