Hi Henry,
On 06.10.09 16:32, Henry Nebrensky wrote:
> It does kind of beg the question as to why the CRL URL isn't embedded in
> the certificate in the first place, which would be my dumb and naive
> solution...
The recommendation is that the CRL URL appropriate for a particular cert
is given in the CRL Distribution Points extension in the end-entity
certificate (i.e. the user or host cert).
The problem with putting it in the CA cert is that the URL would have to
stay the same for the lifetime of the CA (might be 5, 10, 20 years). By
putting it in the EE certs the CA has the option to phase out an old URL
as certs expire.
To be honest, I'm not sure what, if anything, browsers do with the value
from CRL Distribution Points...
David
--
Dr David O'Callaghan
Research Fellow - Grid-Ireland - e-INIS - Computer Architecture & Grid
School of Computer Science & Statistics,
Trinity College, Dublin 2, Ireland Telephone: +353 1 896 1536
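The split David describes (no CDP on the CA cert, a per-certificate URL on the EE cert), as an added shell example that is not part of the thread: it builds a throwaway CA with openssl, issues one EE cert carrying a crlDistributionPoints extension, and reads the URL back the way a relying party would. The CA name, host name and CRL URL are constructed placeholders; it assumes the openssl CLI (1.1.1 or newer for -ext).

```shell
#!/bin/sh
# Added example (not from the thread): tiny CA plus one end-entity cert, with
# the CRL Distribution Points (CDP) extension only on the EE cert, then read
# it back. Requires the openssl CLI (1.1.1+ for "-ext"); names and the CRL
# URL below are constructed placeholders.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CDP_URL="http://crl.example.org/example-ca-2009.crl"   # constructed placeholder

# CA key + self-signed CA cert. No CDP here: a URL in the CA cert would have
# to stay valid for the CA's whole lifetime.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# EE key + CSR, signed by the CA with the CDP added from an extension file.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=host.example.org" -keyout "$WORK/ee.key" -out "$WORK/ee.csr" 2>/dev/null
printf 'crlDistributionPoints=URI:%s\n' "$CDP_URL" > "$WORK/ee.ext"
openssl x509 -req -sha256 -days 365 -in "$WORK/ee.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/ee.ext" -out "$WORK/ee.pem" 2>/dev/null

# cdp_uris CERT: print the URIs in the cert's CDP extension, one per line
# (empty output when the extension is absent).
cdp_uris() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
    | sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p'
}

# A relying party fetches the CRL from the EE cert's own URL; the CA can move
# to a new URL for later batches of certs as the old ones expire.
echo "EE cert CDP: $(cdp_uris "$WORK/ee.pem")"
echo "CA cert CDP: $(cdp_uris "$WORK/ca.pem")"
```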