pem-dev

Re CRL's redux

1993-06-15 12:57:00
Tom,

        Yes, you did miss something basic in my response.  Let me
highlight the critical words:

    Every PCA is required (RFC 1422 3.4.2.5) to provide an interface to a
    ^^^^^^^^^
    global CRL database, and every user is expected to know the email
    ^^^^^^
    address of his PCA.  RFC 1424 provides the format for email requests
               ^^^^^^^
    against this database.  PCAs may provide other means of CRL database
    access beyond what is required by the RFCs.

Since EVERY PCA provides access to a GLOBAL CRL database, then
contacting YOUR PCA will get you access to the CRLs for EVERY CA, not
just the ones certified by YOUR PCA.  Of course you DO KNOW the
identity of the PCA under which ANY certificate was signed (since
validation of a certificate requires tracing it back through a single
PCA to the root).  BUT, you don't need to know that information
because your PCA has a responsibility to provide access to the WHOLE
CRL database for you.

As for your other points, RFC 1421 explicitly states that denial of
service is not a security service provided by PEM, even though the
context in which you asked the question is moot.  RFC 1422 states that
every PEM UA must be capable of sending a full certification path, so
each user must have a means of acquiring this path.  Section 2.1 in
RFC 1424 notes that the response to a certification request message
includes the full certification path, so that is a likely means of
acquiring the PCA identity info.  Every PCA publishes its policy
statement and within that statement is the mailbox address for CRL
queries (RFC 1422, Section 3.4.3 item #5).  So, there is always a
means for the user to learn the identity of his PCA and to use that
information to locate the PCA's CRL retrieval mailbox.  All the
answers to these questions are available in the RFCs.

Steve
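As an added illustration of the two points in this message (that validating any certificate identifies the single PCA in its path, and that one's own PCA's CRL mailbox serves CRLs for CAs under every PCA), the following toy model is my own example and not part of Steve's message or of the RFCs. The hierarchy, names, serial numbers, mailbox addresses and revocation entries are constructed; the Proc-Type and Issuer field names in the request are my recollection of the RFC 1424 CRL retrieval format and should be checked against the RFC.

```python
# Toy model of the RFC 1422 PEM hierarchy (IPRA root -> PCA -> CA -> user),
# written to illustrate the thread's point; all names, serials, mailboxes
# and revocations below are constructed, not real PEM data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


ROOT = "IPRA"  # the Internet PCA Registration Authority, modelled as a self-signed root

# Constructed certificate store keyed by subject name.
CERTS = {
    ROOT: Cert(ROOT, ROOT, 1),
    "PCA-Example": Cert("PCA-Example", ROOT, 10),
    "PCA-Other": Cert("PCA-Other", ROOT, 11),
    "CA-Acme": Cert("CA-Acme", "PCA-Example", 100),
    "CA-Globex": Cert("CA-Globex", "PCA-Other", 200),
    "alice@acme.example": Cert("alice@acme.example", "CA-Acme", 1000),
    "bob@globex.example": Cert("bob@globex.example", "CA-Globex", 2000),
}

# Each PCA's policy statement carries its CRL-query mailbox (RFC 1422 3.4.3
# item 5).  The addresses here are constructed placeholders.
PCA_CRL_MAILBOX = {
    "PCA-Example": "crl-request@pca.example",
    "PCA-Other": "crl-request@other-pca.example",
}

# Constructed global CRL database: issuer name -> revoked serial numbers.
# Every PCA fronts the same database, so one entry per issuer suffices.
CRL_DB = {
    ROOT: set(),
    "PCA-Example": set(),
    "PCA-Other": set(),
    "CA-Acme": set(),
    "CA-Globex": {2000},  # bob's certificate has been revoked
}


def certification_path(subject):
    """Walk issuer links from `subject` up to the self-signed root.

    Returns [user cert, CA cert, PCA cert, root cert]; raises if a link
    is missing or the chain loops, since an unvalidatable path is an error.
    """
    path, name, seen = [], subject, set()
    while True:
        cert = CERTS.get(name)
        if cert is None:
            raise ValueError(f"no certificate on file for {name}")
        if name in seen:
            raise ValueError(f"issuer loop at {name}")
        seen.add(name)
        path.append(cert)
        if cert.issuer == cert.subject:  # self-signed root ends the walk
            return path
        name = cert.issuer


def pca_for(subject):
    """The single PCA every path passes through is the cert issued by the root."""
    path = certification_path(subject)
    if len(path) < 2 or path[-1].subject != ROOT:
        raise ValueError("path does not terminate at the root")
    return path[-2].subject


def revoked_in_path(subject):
    """Check every cert in the path against its issuer's CRL; list the hits."""
    return [
        (cert.issuer, cert.serial)
        for cert in certification_path(subject)
        if cert.issuer != cert.subject and cert.serial in CRL_DB.get(cert.issuer, set())
    ]


def crl_request(requester, target):
    """Build a CRL retrieval request for every issuer in `target`'s path,
    addressed to the requester's OWN PCA mailbox: that PCA fronts the
    global database, so it serves CRLs for CAs under other PCAs as well.

    The Proc-Type and Issuer field names follow my recollection of the
    RFC 1424 CRL retrieval request format (an assumption to verify).
    """
    mailbox = PCA_CRL_MAILBOX[pca_for(requester)]
    issuers = []
    for cert in certification_path(target):
        if cert.issuer != cert.subject and cert.issuer not in issuers:
            issuers.append(cert.issuer)
    lines = [f"To: {mailbox}", "Proc-Type: 2001,CRL-Retrieval-Request"]
    lines += [f"Issuer: {name}" for name in issuers]
    return mailbox, "\n".join(lines)


if __name__ == "__main__":
    for user in ("alice@acme.example", "bob@globex.example"):
        print(user, "-> PCA", pca_for(user), "revoked:", revoked_in_path(user))
    box, msg = crl_request("alice@acme.example", "bob@globex.example")
    print(f"request goes to {box}:\n{msg}")
```

Running it shows alice (under PCA-Example) asking her own PCA's mailbox for the CRLs of CA-Globex and PCA-Other, which sit under a different PCA, and the revocation check on bob's path turning up his serial in CA-Globex's CRL; the PCA identity used to pick the mailbox falls out of the path walk, as the message says.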