Since EVERY PCA provides access to a GLOBAL CRL database, then
contacting YOUR PCA will get you access to the CRLs for EVERY CA, not
just the ones certified by YOUR PCA. Of course you DO KNOW the
identity of the PCA under which ANY certificate was signed (since
validation of a certificate requires tracing it back through a single
PCA to the root). BUT, you don't need to know that information
because your PCA has a responsibility to provide access to the WHOLE
CRL database for you.
Steve,
Thanks. This clears a lot up. One thing I'm still unclear on - does this
include all CAs which are directly certified by a PCA (as opposed to
another CA), or all CAs everywhere?
If it does apply to each and every CA in existence, is each of these CAs
required to provide their CRLs directly to the PCA, or can a CA which is
directly subordinate to a PCA send the CRLs of all of its subordinate CAs
en masse to the PCA?
Example:
/US/Bellcore is directly subordinate to a PCA. It is therefore required to
provide its CRL to its PCA on a regular basis. The PCA will then distribute
the Bellcore CRL to all other PCAs.
A number of CAs are subordinate to /US/Bellcore/. These include
/US/Bellcore/Lab1 and /US/Bellcore/Lab2. Are these two CAs also required
to send their CRLs to the PCA on a regular basis, or can they just send
them to /US/Bellcore/, which will then send all three CRLs to the PCA
during its weekly (daily, monthly, whatever) shipment?
Although this may sound like a trivial distinction, it makes a difference
in our implementation strategy.
Let me know if I can clarify further.
Thanks,
Anish Bhimani
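A toy model of the distribution scheme discussed above, added here as an example and not taken from the original mail or from any PEM implementation. It encodes the property Steve states (every PCA holds the global CRL database and replicates what it receives, so a relying party queries only its own PCA) over the hierarchy Anish describes (/US/Bellcore under a PCA, with /US/Bellcore/Lab1 and /US/Bellcore/Lab2 beneath it). Whether subordinate CRLs are forwarded en masse by the parent or sent directly is left as a parameter, since the thread does not settle that question; the PCA names, the serial number and the class and function names are all constructed for the example.

```python
"""Toy model of PEM-style CRL distribution through PCAs (constructed example)."""


class PCA:
    """Policy Certification Authority holding the global CRL database."""

    def __init__(self, name):
        self.name = name
        self.peers = []       # the other PCAs; receive() replicates to them
        self.crl_db = {}      # CA name -> frozenset of revoked serials

    def receive(self, crls):
        """Accept a shipment (CA name -> revoked serials) and push it to every other PCA."""
        for ca_name, serials in crls.items():
            self.crl_db[ca_name] = frozenset(serials)
        for peer in self.peers:
            for ca_name, serials in crls.items():
                peer.crl_db[ca_name] = frozenset(serials)


def link_pcas(pcas):
    """Make every PCA a replication peer of every other PCA."""
    for p in pcas:
        p.peers = [q for q in pcas if q is not p]


class CA:
    """An ordinary CA; its parent is either another CA or a PCA."""

    def __init__(self, name, parent):
        self.name = name
        self.parent = parent
        self.revoked = set()          # this CA's own CRL, as serial numbers
        self.subordinates = []
        if isinstance(parent, CA):
            parent.subordinates.append(self)

    def revoke(self, serial):
        self.revoked.add(serial)

    def pca(self):
        """Walk up the chain to the single PCA this CA is certified under."""
        node = self
        while isinstance(node, CA):
            node = node.parent
        return node

    def collect(self):
        """Bundle this CA's CRL together with those of its whole subtree."""
        bundle = {self.name: set(self.revoked)}
        for sub in self.subordinates:
            bundle.update(sub.collect())
        return bundle

    def ship_crls(self, en_masse):
        """Ship CRLs to the PCA.

        en_masse=True:  the CA directly under the PCA forwards its subtree's
                        CRLs in one shipment (the option Anish asks about).
        en_masse=False: every CA in the subtree sends its own CRL directly.
        Both are modelled; the thread does not say which is required.
        """
        if en_masse:
            self.pca().receive(self.collect())
        else:
            self.pca().receive({self.name: set(self.revoked)})
            for sub in self.subordinates:
                sub.ship_crls(en_masse=False)


def is_revoked(my_pca, issuer_name, serial):
    """Relying-party check through its own PCA only.

    A missing CRL is an error rather than a 'not revoked' answer: a validator
    that treats absence as good standing silently accepts revoked certificates.
    """
    if issuer_name not in my_pca.crl_db:
        raise LookupError(f"no CRL for {issuer_name} held at {my_pca.name}")
    return serial in my_pca.crl_db[issuer_name]


def build_demo(en_masse=True):
    """Two PCAs, the Bellcore subtree under one of them, one revoked serial."""
    pca_a, pca_b = PCA("PCA-A"), PCA("PCA-B")
    link_pcas([pca_a, pca_b])
    bellcore = CA("/US/Bellcore", pca_a)
    lab1 = CA("/US/Bellcore/Lab1", bellcore)
    lab2 = CA("/US/Bellcore/Lab2", bellcore)
    lab2.revoke("0x2A")               # constructed serial number
    bellcore.ship_crls(en_masse=en_masse)
    return pca_a, pca_b, lab1, lab2


if __name__ == "__main__":
    pca_a, pca_b, _, _ = build_demo()
    # A user whose own PCA is PCA-B resolves a Lab2 certificate without ever
    # contacting PCA-A.
    print(is_revoked(pca_b, "/US/Bellcore/Lab2", "0x2A"))
```

Running `build_demo` with `en_masse=True` and with `en_masse=False` yields the same CRL database at both PCAs, which is the point of the model: the aggregation choice affects only the shipping path, not what a relying party can look up through its own PCA.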