pem-dev

Re: PEM and MIME documents

1994-08-02 13:54:00
        According to the current PEM/MIME what is the recommended
        interaction between a user and a PCA for getting the latest CRL?
        In RFC 1424, I would compose a CRL-RETRIEVAL-REQUEST with the
        Issuer: field set to the issuer's name.  But the <id> for the
        application/key-request has no "DN only" form like this.  How
        would I request the CRL for the TIS PCA, for example?

What you would do is send an application/key-request message with only
the Issuer field set to an appropriate <id> value.  For example,

        Content-Type: application/key-request

        Issuer: DN, <keyid>, <distinguished name of issuer>

An obvious question to ask is, "what do I set <keyid> to, since it must
be non-null?"

The answer is that you use the key identifier for the public key of the
issuer identified by the distinguished name specified in the ISSUER
field that signed the CRL you wish to retrieve.  Boy is that a mouthful.

Keep in mind that an issuer may have multiple public keys, perhaps one
for each of the "many" algorithms it supports.  Thus, an issuer may have
multiple CRLs that it issues, one for each public key.

I agree that if an issuer (or any user for that matter) has exactly one
public key then the inclusion of the key identifier is superfluous.
However, in order to guarantee forward compatibility with the future
existence of multiple keys, it is best to require it.

Jim
