According to the current PEM/MIME what is the recommended
interaction between a user and a PCA for getting the latest CRL?
In RFC 1424, I would compose a CRL-RETRIEVAL-REQUEST with the
Issuer: field set to the issuer's name. But the <id> for the
application/key-request has no "DN only" form like this. How
would I request the CRL for the TIS PCA, for example?

What you would do is send an application/key-request message with the
Issuer field only, set to an appropriate <id> value. For example,
Content-Type: application/key-request
Issuer: DN, <keyid>, <distinguished name of issuer>
An obvious question to ask is, "what do I set <keyid> to, since it must
be non-null?"
The answer is that you use the key identifier for the public key of the
issuer identified by the distinguished name specified in the ISSUER
field that signed the CRL you wish to retrieve. Boy is that a mouthful.
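To make the <id> form in the reply concrete, here is a small parser and validator for an application/key-request message, added as an example and not taken from the thread or from any PEM/MIME implementation. It assumes the Issuer field has exactly the shape quoted above, "DN, <keyid>, <distinguished name>", that the distinguished name may itself contain commas (so only the first two commas separate the fields), and that a non-null <keyid> is required; the sample message, key identifier and distinguished name are constructed placeholders.

```python
import email

# Constructed sample request in the form quoted in the reply above.
# The key identifier and distinguished name are made-up placeholder values.
SAMPLE_REQUEST = (
    "Content-Type: application/key-request\n"
    "Issuer: DN, EXAMPLE-KEYID-0001, CN=Example PCA, O=Example Org, C=US\n"
    "\n"
)


def parse_issuer(value):
    """Split an Issuer value of the form 'DN, <keyid>, <distinguished name>'.

    Returns (form, keyid, dn).  Raises ValueError when the form is not DN,
    when fewer than three parts are present, or when <keyid> or the
    distinguished name is empty.  Only the first two commas are treated as
    separators, since a distinguished name usually contains commas itself
    (an assumption about the syntax, not something the thread states).
    """
    parts = [p.strip() for p in value.split(",", 2)]
    if len(parts) != 3:
        raise ValueError("Issuer must be '<form>, <keyid>, <distinguished name>'")
    form, keyid, dn = parts
    if form != "DN":
        raise ValueError("unsupported <id> form: %r" % form)
    if not keyid:
        raise ValueError("<keyid> must be non-null")
    if not dn:
        raise ValueError("distinguished name must be non-empty")
    return form, keyid, dn


def parse_key_request(raw):
    """Parse a raw application/key-request message that carries only an
    Issuer field and return the issuer key identifier and distinguished name.
    """
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "application/key-request":
        raise ValueError("not an application/key-request message")
    issuer = msg["Issuer"]
    if issuer is None:
        raise ValueError("missing Issuer field")
    _form, keyid, dn = parse_issuer(issuer)
    return {"keyid": keyid, "issuer_dn": dn}


if __name__ == "__main__":
    print(parse_key_request(SAMPLE_REQUEST))
```

The validator rejects an empty <keyid> rather than silently accepting the request, which is exactly the gap the thread turns on: a recipient that knows only the issuer's distinguished name cannot fill the field.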
Let me ask it this way: Suppose I receive a PEM/MIME signed message from
someone and they also include an application/key-data with a
<certchain>. (And suppose the sender has not included the optional
<crl> fields.) Where do I find the <keyid> for the issuers to request
the CRLs? It is not in the <certchain>. Am I missing an interchange
that has to happen somewhere?
- Jeff