ietf-smime

Re: cert-02 comments

1998-03-23 09:05:55
Elliott:

I agree with you; however, there are still some large CAs that do not issue
CRLs.  How should we deal with this situation?  Should we say that
certificates for such CAs cannot be used with S/MIME?

Russ


At 11:30 AM 3/20/98 -0500, Elliott Ginsburg wrote:
In section 2.1:

"...All agents SHOULD check the nextUpdate field in the CRL against the
current time. If the current time is later than the nextUpdate time, the
action that the agent takes is a local decision. For instance, it could
warn a human user, it could retrieve a new CRL if able, and so on."

I think that since this section requires the checking of certs against
CRLs, that we ought to require (MUST) that the agent check the nextUpdate
field. I also think that we can be a little more specific about what the
agent does if it is later than this time. I suggest the following:

"...All agents MUST check the nextUpdate field in the CRL against the
current time. If the current time is later than the nextUpdate time, the
agent MUST take some appropriate action. For instance, one recommended set
of actions would be: 1) retrieve a new CRL if possible, or 2) issue a
warning that revocation could not be checked."

elliott ginsburg
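
Added example, not part of either message or of the draft: a Python sketch of the nextUpdate check and the two fallback actions in the proposed wording, reading thisUpdate and nextUpdate straight from a DER-encoded CRL. The function names, the returned strings, the fetch_new callback and the sample CRL bytes are constructed for illustration; the CRL signature is not verified here, and treating a CRL with no nextUpdate as "not current" is an assumption about local policy.

```python
from datetime import datetime, timezone

def _tlv(buf, off):  # -> (tag, value_start, value_end) of the DER element at off
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def _time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:  # UTCTime: YY >= 50 means 19YY, otherwise 20YY (PKIX rule)
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_update_times(der):
    """Return (thisUpdate, nextUpdate or None) from a DER CertificateList."""
    _, off, _ = _tlv(der, 0)      # CertificateList
    _, off, end = _tlv(der, off)  # tbsCertList
    times = []
    while off < end and len(times) < 2:
        tag, start, stop = _tlv(der, off)
        if tag in (0x17, 0x18):   # UTCTime or GeneralizedTime
            times.append(_time(tag, der[start:stop]))
        elif times:               # field after thisUpdate is not a Time: no nextUpdate
            break
        off = stop
    return times[0], (times[1] if len(times) > 1 else None)

def check_crl(der, now, fetch_new=None):
    """Past nextUpdate: 1) retrieve a new CRL if possible, else 2) warn."""
    def current(crl):  # assumption: a CRL without nextUpdate is treated as not current
        nxt = crl_update_times(crl)[1]
        return nxt is not None and now <= nxt
    if current(der):
        return "current"
    fresh = fetch_new() if fetch_new else None
    if fresh is not None and current(fresh):
        return "refreshed"
    return "warning: revocation could not be checked"

def _enc(tag, body=b""):  # sample builder helper; short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_crl(this_update, next_update=None):  # constructed, unsigned CRL skeleton
    alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d010105")) + _enc(0x05))
    tbs = _enc(0x02, b"\x01") + alg + _enc(0x30) + _enc(0x17, this_update)
    tbs += _enc(0x17, next_update) if next_update else b""
    return _enc(0x30, _enc(0x30, tbs) + alg + _enc(0x03, b"\x00"))
```
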

