Bob,
I agree with you in that we believe the maintenance of Revocation lists
and their management is a function of the CA application and not a
function of X.500. We envisage X.500 as the storage and distribution
mechanism for X.509 Certificates. The current Revocation status of a
certificate is relevant to the certificate and should be kept with it,
but the management of CRLs and dissemination of that data is to a wide
ranging audience and subject to local policies (regarding risk) to
include them in a standard.
Regards
Chris
------------ ORIGINAL ATTACHMENT --------
SENT 07-25-95 FROM SMTPGATE (Jueneman@gte.com)
I don't mean to criticise the Mitre work, for I know nothing about it. But
X.500 is clearly intended to be a means of distributing certificates and CRLs,
not as a corporate database.
In my view, any signed messages that are received should be archived along with
the complete chain of certificates and a current CRL. A centralized corporate
facility for doing that is a nice idea, but rather independent of the
distribution problem, unless we were to decide that it would be best if the CA
were to archive all past certificates and CRLs and make them available by an
on-line request (whether X.500 based or other).
Bob