Hello Björn;

On January 28, 2010 05:40:57 am Björn Lantz wrote:
> Dear listreaders,
>
> I have a question about whose/which CRL the crlDistributionPoints in a
> certificate should point to. I have spent a few days looking for a
> recommendation or common practice, but without success.
>
Check out the "Four Bridges" - US Federal Bridge / CertiPath / SAFE / Higher Education. Also, the guidance for when and who should have a CRL DP is fairly clear in RFC 5280, and how to process that CRL DP.

In that model, End Entity (user/device) certificates have a CRL Distribution Point that points to the CRL where that certificate will appear should it be revoked, and this CRL is normally signed by the issuer. Above the EE, you have a signing CA - it has a CRL Distribution Point which points to the ARL where it would appear should it be revoked, and this CRL is signed by the Root CA. The Root CA doesn't have a CRL DP. It is a trust anchor, and in the event that it is revoked, it will never appear on any CRL. Notification of revocation of a trust anchor must be handled via some other, out-of-band method.

Your model is exactly off by one. The User cert MUST contain a CRL DP (or rather SHOULD - there are several cases where checking the validity of even end entity certs probably can't be automatically done) pointing to the CRL of the issuer. The Issuer MUST contain a CRL DP pointing to the ARL where it would appear. The ROOT must NOT have a CRL DP, since that would be self-referential.

Have fun.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
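An added example, not part of Patrick's message or the original thread: a POSIX shell script that drives the openssl CLI to build the three tiers laid out above (root with no CRL DP, issuing CA whose CRL DP names the root's ARL, end entity whose CRL DP names the issuing CA's CRL) and then runs `openssl verify -crl_check_all` before and after revoking the end-entity certificate. The pki.example.test URLs, the subject names and the directory layout are invented for the demo; it assumes an openssl binary (1.1.1 or later for the options used) and a grep that supports -o, and it fetches nothing from the network.

```shell
# Added example, not from the openssl-users thread: the three tiers Patrick
# describes, built with the openssl CLI and checked with `openssl verify -crl_check_all`.
#   root CA    -> no crlDistributionPoints (trust anchor; revocation is out of band)
#   issuing CA -> CRL DP = the root's ARL (a CRL signed by the root)
#   end entity -> CRL DP = the issuing CA's CRL (signed by the issuing CA)
# Hypothetical: pki.example.test URLs, subject names and directory layout are made up
# for the demo; nothing is fetched, the CRLs are handed to verify as local files.
set -eu
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
ROOT_ARL_URL="http://pki.example.test/root-arl.crl"       # hypothetical
ISSUING_CRL_URL="http://pki.example.test/issuing-ca.crl"  # hypothetical

# Minimal `openssl ca` directory and config. $2 is the CRL DP URI written into
# certificates *issued by* this CA, i.e. the list they will appear on if revoked.
write_ca_cnf() {
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 1000 > "$1/serial"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only
[ cn_only ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:$2
[ v3_ee ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:$2
EOF
}
# Root ARL (revoked CAs) plus issuing-CA CRL (revoked end entities): one list per CA in the chain.
publish_crls() {
  openssl ca -config "$PKI_DIR/root/ca.cnf" -gencrl -out "$PKI_DIR/root/root-arl.crl" 2>/dev/null
  openssl ca -config "$PKI_DIR/sub/ca.cnf" -gencrl -out "$PKI_DIR/sub/issuing-ca.crl" 2>/dev/null
  cat "$PKI_DIR/root/root-arl.crl" "$PKI_DIR/sub/issuing-ca.crl" > "$PKI_DIR/crls.pem"
}
build_pki() {
  write_ca_cnf "$PKI_DIR/root" "$ROOT_ARL_URL"
  write_ca_cnf "$PKI_DIR/sub" "$ISSUING_CRL_URL"
  # Self-signed root; v3_root deliberately carries no CRL DP.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Root CA" \
    -config "$PKI_DIR/root/ca.cnf" -extensions v3_root \
    -keyout "$PKI_DIR/root/ca.key" -out "$PKI_DIR/root/ca.crt" 2>/dev/null
  # Issuing CA signed by the root with v3_sub_ca (CRL DP -> root ARL).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" -config "$PKI_DIR/root/ca.cnf" \
    -keyout "$PKI_DIR/sub/ca.key" -out "$PKI_DIR/sub/ca.csr" 2>/dev/null
  openssl ca -batch -notext -config "$PKI_DIR/root/ca.cnf" -extensions v3_sub_ca \
    -in "$PKI_DIR/sub/ca.csr" -out "$PKI_DIR/sub/ca.crt" 2>/dev/null
  # End entity signed by the issuing CA with v3_ee (CRL DP -> issuing CA CRL).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" -config "$PKI_DIR/sub/ca.cnf" \
    -keyout "$PKI_DIR/ee.key" -out "$PKI_DIR/ee.csr" 2>/dev/null
  openssl ca -batch -notext -config "$PKI_DIR/sub/ca.cnf" -extensions v3_ee \
    -in "$PKI_DIR/ee.csr" -out "$PKI_DIR/ee.crt" 2>/dev/null
  publish_crls
}
# CRL DP URIs carried by a PEM certificate; prints nothing for the root.
crldp_of() { openssl x509 -in "$1" -noout -text | grep -o 'URI:[^[:space:]]*' || true; }
# Chain validation with a CRL check at every depth. -crl_check_all needs a CRL for each
# CA, which is why the root publishes an ARL although its own cert names no CRL DP.
verify_ee() {
  openssl verify -crl_check_all -CAfile "$PKI_DIR/root/ca.crt" -CRLfile "$PKI_DIR/crls.pem" \
    -untrusted "$PKI_DIR/sub/ca.crt" "$PKI_DIR/ee.crt" >/dev/null 2>&1
}
revoke_ee() {
  openssl ca -config "$PKI_DIR/sub/ca.cnf" -revoke "$PKI_DIR/ee.crt" 2>/dev/null
  publish_crls
}
build_pki
ROOT_DP=$(crldp_of "$PKI_DIR/root/ca.crt")
SUB_DP=$(crldp_of "$PKI_DIR/sub/ca.crt")
EE_DP=$(crldp_of "$PKI_DIR/ee.crt")
VALID_BEFORE_REVOKE=$(verify_ee && echo yes || echo no)
revoke_ee
VALID_AFTER_REVOKE=$(verify_ee && echo yes || echo no)
printf 'root: %s\nissuing CA: %s\nEE: %s\nEE passes -crl_check_all before revocation: %s, after: %s\n' \
  "${ROOT_DP:-(no CRL DP)}" "$SUB_DP" "$EE_DP" "$VALID_BEFORE_REVOKE" "$VALID_AFTER_REVOKE"
```

The part the script shows that the prose only implies: the root's certificate names no distribution point, yet the relying party still needs the root-signed ARL to check the issuing CA, so crls.pem carries one list per CA in the chain. Leave the ARL out of that file and `-crl_check_all` fails with "unable to get certificate CRL" at the issuing-CA depth even though the end-entity CRL is present.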