RE: draft delta crl text
Carlin Covey <ccovey <at> cylink.com>
2001-06-01 13:56:00 GMT
Tim,
A commendable job, but I do have a comment concerning the following
portion of the text:
"For each certificate whose status has changed since the generation
of the referenced base CRL:
(a) If the certificate is revoked for a reason included in the
scope of the CRL, list the certificate as revoked.
(b) If not (a), list the certificate with the reason code
removeFromCRL."
Rule (a) is fine, but unfortunately rule (b) catches more certificates
in its net than was intended. A literal reading implies that
certificates should be listed with reason code removeFromCRL if their
status has changed in any way at all, e.g. newly created certificates,
newly expired certificates, and even revoked or "removed from hold"
certificates that are not within the scope of the CRL. (These are all
certificates whose status has changed that are "not (a)".)
Here's a suggestion for rule (b):
If the certificate was previously listed on the referenced base
CRL or a subsequent delta CRL with reason code certificateHold,
and that certificate is no longer on hold, list the certificate
with the reason code removeFromCRL.
By the way, although this is fairly obvious, for the sake of completeness
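The difference between the draft's rule (b) as written and the narrower rule suggested in the message can be made concrete by running both readings over the same certificate statuses. The following Python is an added illustration and not code from the draft or from the PKIX working group; the status snapshots, serial numbers, reason codes in scope and the helper names (`delta_crl`, `THEN`, `NOW`, `BASE`) are all constructed for the example. Status at base-CRL time and now is modelled as "good", "expired" or a revocation reason code string, with certificateHold treated as a reason code as in X.509.

```python
"""Delta CRL entry selection: the draft's literal rule (b) versus the narrower
rule (b) proposed in the message above. Added illustration, not draft text."""
from typing import Dict

CERTIFICATE_HOLD = "certificateHold"
REMOVE_FROM_CRL = "removeFromCRL"

# Constructed sample: reason codes this delta CRL is scoped to.
SCOPE = frozenset({"keyCompromise", "cACompromise", CERTIFICATE_HOLD})

# Constructed sample: entries on the referenced base CRL (serial -> reason).
# In a real issuer, subsequent delta CRLs would be merged in here as well.
BASE = {1001: "keyCompromise", 1002: CERTIFICATE_HOLD, 1003: CERTIFICATE_HOLD}

# Constructed sample: status of each certificate when the base CRL was generated.
THEN = {1001: "keyCompromise", 1002: CERTIFICATE_HOLD, 1003: CERTIFICATE_HOLD,
        1004: "good", 1005: "good"}

# Constructed sample: status of each certificate now.
NOW = {1001: "keyCompromise",       # unchanged: never a candidate
       1002: "good",                # hold released: removeFromCRL under both readings
       1003: "keyCompromise",       # hold escalated to an in-scope reason: rule (a)
       1004: "expired",             # newly expired: literal rule (b) lists it
       1005: "affiliationChanged",  # revoked outside the scope: literal rule (b) lists it
       1006: "good"}                # newly issued: literal rule (b) lists it


def is_revoked(status: str) -> bool:
    """True for any revocation reason code, including certificateHold."""
    return status not in (None, "good", "expired")


def delta_crl(then: Dict[int, str], now: Dict[int, str], listed: Dict[int, str],
              scope: frozenset, literal: bool) -> Dict[int, str]:
    """Return {serial: reason} entries for a new delta CRL against the base.

    then/now are status snapshots at base-CRL generation and at present,
    listed is the effective base CRL, scope the reason codes this CRL covers.
    literal=True applies rule (b) exactly as drafted ("if not (a)");
    literal=False applies the suggested rule (b) (released from a listed hold).
    """
    entries: Dict[int, str] = {}
    for serial in sorted(set(then) | set(now)):
        before, after = then.get(serial), now.get(serial)
        if before == after:
            continue  # status unchanged since the base CRL: not a candidate
        if is_revoked(after) and after in scope:
            entries[serial] = after  # rule (a): revoked for an in-scope reason
        elif literal:
            # Draft rule (b): every other changed certificate, including
            # newly issued, newly expired and out-of-scope revocations.
            entries[serial] = REMOVE_FROM_CRL
        elif listed.get(serial) == CERTIFICATE_HOLD and after != CERTIFICATE_HOLD:
            # Suggested rule (b): previously listed on hold, no longer on hold.
            entries[serial] = REMOVE_FROM_CRL
    return entries


def draft_reading() -> Dict[int, str]:
    """Delta CRL under the literal draft text."""
    return delta_crl(THEN, NOW, BASE, SCOPE, literal=True)


def suggested_reading() -> Dict[int, str]:
    """Delta CRL under the rule (b) suggested in the message."""
    return delta_crl(THEN, NOW, BASE, SCOPE, literal=False)


if __name__ == "__main__":
    print("literal rule (b):  ", draft_reading())
    print("suggested rule (b):", suggested_reading())
```

Under the literal reading, serials 1004, 1005 and 1006 are all listed with removeFromCRL even though none of them was ever on hold, which is the over-broad net the message describes; under the suggested wording only 1002 (released from hold) gets removeFromCRL, and 1003 is listed under rule (a) because its hold was replaced by an in-scope revocation.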