pem-dev

Re: X.509 v3 support (CRLs and critical extensions)

1995-01-16 20:38:00
Mark:

I would have thought that perhaps there would only be a CRL entry critical
extension if some form of 'special handling' of the revoked certificate was
required, which would indicate that this certificate was only being used in
a particular application.  Thus there probably should have been a
complementary critical extension in the issued certificate itself, so that
a user outside of this application, unable to perform this special handling,
would never be using the certificate.

Having a CRL receiver ignore extensions in entries revoking certificates it 
doesn't have would then be beneficial in that a CA doesn't need to issue
multiple (simultaneous) CRLs for each flavour of critical extension.

Sounds logical.  I shall support the clarification of the spec in the direction 
you suggest.

Warwick
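
The processing rule discussed in this message, sketched as an added example; it is not part of the original post and is not taken from the X.509 text. The extension names, the status strings and the handling of an unrecognised critical extension on the matching entry are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Entry extensions this receiver understands (constructed names, not real OIDs).
KNOWN_EXTENSIONS = frozenset({"reasonCode"})

@dataclass
class Extension:
    ext_id: str
    critical: bool

@dataclass
class CrlEntry:
    serial: int
    extensions: list = field(default_factory=list)

def unknown_critical(entry, known):
    """Critical extensions on this entry that the receiver cannot process."""
    return [e.ext_id for e in entry.extensions
            if e.critical and e.ext_id not in known]

def check_status(entries, serial, known=KNOWN_EXTENSIONS):
    """Rule as proposed in the message: critical entry extensions matter
    only on the entry that revokes the certificate being checked."""
    for entry in entries:
        if entry.serial != serial:
            continue  # revokes a certificate we do not hold: ignore it
        if unknown_critical(entry, known):
            # Assumption: report that special handling is needed rather
            # than guess. The message expects the certificate itself to
            # carry a matching critical extension, so this is unusual.
            return "cannot-process"
        return "revoked"
    return "good"

def check_status_strict(entries, serial, known=KNOWN_EXTENSIONS):
    """Contrast: one unknown critical entry extension anywhere makes the
    whole CRL unusable, which pushes a CA towards multiple CRLs."""
    if any(unknown_critical(e, known) for e in entries):
        return "cannot-process"
    return "revoked" if any(e.serial == serial for e in entries) else "good"

# Constructed CRL: one ordinary entry, one application-specific entry.
SAMPLE_CRL = [
    CrlEntry(1001, [Extension("reasonCode", False)]),
    CrlEntry(2002, [Extension("appSpecialHandling", True)]),
]

if __name__ == "__main__":
    for s in (1001, 2002, 3003):
        print(s, check_status(SAMPLE_CRL, s), check_status_strict(SAMPLE_CRL, s))
```

Under the strict reading, the single application-specific entry stops this receiver from using the CRL for any certificate; under the proposed reading it affects only serial 2002.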
