pem-dev

CRL's redux

1993-06-15 11:07:00

I asked...

          This is a point I still do not understand -- HOW DOES THE
          RECIPIENT OF A PEM MESSAGE KNOW WHERE TO SEND A REQUEST FOR A
          CERTIFICATE OR A CRL?  All that PEM puts in the message is the
          Distinguished Name of the CA.  Where will the "PEM user agent" go
          "automatically" to get the required certificate?

Steve answered...

    Every PCA is required (RFC 1422 3.4.2.5) to provide an interface to a
    global CRL database, and every user is expected to know the email
    address of his PCA.  RFC 1424 provides the format for email requests
    against this database.  PCAs may provide other means of CRL database
    access beyond what is required by the RFCs.

But I must still be missing something basic...

1> If I receive a message with a certificate (or an IA/Version number),
it will have the distinguished name of a CA (not a PCA) in it.  This is
not my CA and if I have never heard of it before how do I address a
request to it for its current CRL?

2> Since I, as the receiver of the message, have no contractual
relationship to the CA, what assurance do I have that the CA will
respond with a CRL in a timely fashion to my request?

3> Part of security is (a) non-denial of service, and (b) receiver
non-repudiation; can these ever be assured in a PEM environment?  (Or
perhaps more to the point; when have I received a message?  - when it is
delivered or when the verification process is complete?)

4> Where is it stated that a user (I assume this means the possessor of
a key or certificate) must even know who the PCA is, especially in the
case of multiple CAs between the user and the PCA?

5> Is it legal to create a PCA that PROHIBITS its CAs from revoking a
certificate?  (Now that's a PCA that I could learn to love!)

Tom Jones - ViaCrypt div. of Lemcom Sys
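The situation raised in points 1 and 2 above is that the recipient holds only the issuing CA's Distinguished Name from the message and whatever CRLs it has already obtained through a PCA's CRL database, and must decide what to do when no current CRL for that CA is at hand. The following is an added example, not code from the thread, from RFC 1422/1424 or from any PEM implementation; the CA names, serial numbers, dates and the `fail-closed`/`fail-open` policy labels are constructed for illustration. It models a local CRL cache keyed by issuer DN, treats a missing or expired CRL as "unknown" rather than as "not revoked", and leaves the accept/reject decision for the unknown case to an explicit policy so that the question "when have I received a message?" is answered deliberately rather than by default.

```python
"""Revocation check that makes the 'no usable CRL for this CA' case explicit.

Added example for the pem-dev CRL discussion; not part of the thread or of
any RFC. All issuer names, serials and timestamps below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    GOOD = "good"        # a fresh CRL exists and the serial is not on it
    REVOKED = "revoked"  # the serial appears on a fresh CRL
    UNKNOWN = "unknown"  # no CRL for this issuer, or the CRL is stale


@dataclass(frozen=True)
class CRL:
    issuer: str                       # Distinguished Name of the issuing CA
    this_update: datetime             # when the CRL was issued
    next_update: datetime             # the issuer promises a newer CRL by then
    revoked_serials: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Certificate:
    issuer: str                       # the only locator PEM puts in the message
    serial: int


def check_revocation(cert, crl_cache, now, max_age=None):
    """Decide revocation status of `cert` from locally cached CRLs.

    crl_cache maps issuer DN -> CRL. A CRL is usable only if `now` has not
    passed its next_update and (optionally) it is not older than max_age
    since this_update. Anything else yields UNKNOWN: the absence of a CRL
    is never taken as evidence that the certificate is still good.
    """
    crl = crl_cache.get(cert.issuer)
    if crl is None:
        return Status.UNKNOWN                      # CA never heard of locally
    if now > crl.next_update:
        return Status.UNKNOWN                      # issuer's own deadline passed
    if max_age is not None and now - crl.this_update > max_age:
        return Status.UNKNOWN                      # stricter local freshness rule
    if cert.serial in crl.revoked_serials:
        return Status.REVOKED
    return Status.GOOD


def accept_signature(status, policy="fail-closed"):
    """Map a Status to an accept/reject decision.

    REVOKED is always rejected and GOOD always accepted. UNKNOWN is where
    the recipient's policy matters: 'fail-closed' refuses to treat the
    message as verified until a current CRL is obtained; 'fail-open'
    accepts it and records that revocation could not be checked.
    """
    if policy not in ("fail-closed", "fail-open"):
        raise ValueError("policy must be 'fail-closed' or 'fail-open'")
    if status is Status.REVOKED:
        return False
    if status is Status.GOOD:
        return True
    return policy == "fail-open"


# Constructed sample data: a clock, one CRL in the cache, and three messages.
NOW = datetime(1993, 6, 15, 11, 7, tzinfo=timezone.utc)
KNOWN_CA = "CN=Example CA 1, O=Example Org, C=US"        # constructed DN
UNKNOWN_CA = "CN=Example CA 2, O=Other Org, C=US"         # constructed DN
CRL_CACHE = {
    KNOWN_CA: CRL(
        issuer=KNOWN_CA,
        this_update=NOW - timedelta(days=2),
        next_update=NOW + timedelta(days=5),
        revoked_serials=frozenset({17, 42}),
    ),
}


def demo():
    """Run the three cases the thread worries about; returns a dict of results."""
    fresh_ok = check_revocation(Certificate(KNOWN_CA, 5), CRL_CACHE, NOW)
    fresh_revoked = check_revocation(Certificate(KNOWN_CA, 42), CRL_CACHE, NOW)
    no_crl = check_revocation(Certificate(UNKNOWN_CA, 5), CRL_CACHE, NOW)
    # Same CRL consulted a week later: next_update has passed, so it is stale.
    stale = check_revocation(Certificate(KNOWN_CA, 5), CRL_CACHE,
                             NOW + timedelta(days=7))
    return {
        "fresh_ok": fresh_ok,
        "fresh_revoked": fresh_revoked,
        "no_crl": no_crl,
        "stale": stale,
        "no_crl_closed": accept_signature(no_crl, "fail-closed"),
        "no_crl_open": accept_signature(no_crl, "fail-open"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `max_age` argument exists because a CRL's own `next_update` can be set generously by the issuer; a recipient with stricter timeliness needs can require a newer CRL than the issuer promises, which is the "timely fashion" concern of point 2 expressed as a local setting.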
