Re: Empty CRL Issuer DNs?
2007-03-01 13:59:03 GMT
Sean Mullan wrote:
> MUST the CRL issuer field always contain a non-empty DN under RFC
> 3280? On my reading, this would appear to be the case, but the RFC
> never explicitly says so like it does for the Certificate issuer
> field. Either way, it would be nice if this was clarified for 3280-bis.

Yes, the CRL issuer field MUST include a non-empty DN. Section 5.1.2.3 of 3280/3280bis simply says that "[t]he issuer name field MUST contain an X.500 distinguished name (DN)." It is my guess that this was intended to mean a non-empty DN; otherwise there would have been no reason to use a capitalized "MUST", since the CRL syntax requires that the issuer field include a DN.

There is a statement in section 4.1.2.6 (Subject) of 3280/3280bis that does more clearly indicate that the issuer field in a CRL must include a non-empty DN:

    If the subject is a CRL issuer (e.g., the key usage extension, as
    discussed in 4.2.1.3, is present and the value of cRLSign is TRUE)
    then the subject field MUST be populated with a non-empty
    distinguished name matching the contents of the issuer field
    (section 5.1.2.3) in all CRLs issued by the subject CRL issuer.

I agree that it would make sense to modify the sentence in 5.1.2.3 to read:

    The issuer name field MUST contain a non-empty X.500 distinguished
    name (DN).

Dave
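As an added example (not part of this thread and not code from either poster), a stdlib-only Python check of the two requirements discussed above: the CRL's issuer Name must be non-empty, and it must match the subject of the certificate that signs the CRL. The function names are my own, the CRL bytes are constructed inline with a dummy signature value, and the comparison is a raw DER byte match, so this is a structural check only, not signature validation or full RFC 3280 name matching.

```python
def _der(tag, body):
    """Short-form DER encoder used only to build the constructed samples (bodies < 128 bytes)."""
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value bytes, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def crl_issuer_name(crl_der):
    """Return the contents of tbsCertList.issuer (a SEQUENCE OF RelativeDistinguishedName)."""
    _, cert_list, _ = _read_tlv(crl_der, 0)  # CertificateList ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_list, 0)       # tbsCertList ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)           # optional version INTEGER, else the signature field
    if tag == 0x02:                           # version present: the next element is the signature
        tag, _, pos = _read_tlv(tbs, pos)
    tag, issuer, _ = _read_tlv(tbs, pos)      # issuer Name follows the signature AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("CRL issuer is not a SEQUENCE (Name)")
    return issuer

def crl_issuer_rdn_count(crl_der):
    """Number of RDNs in the issuer DN; 0 is the empty DN that 5.1.2.3 is read to forbid."""
    issuer, count, pos = crl_issuer_name(crl_der), 0, 0
    while pos < len(issuer):
        _, _, pos = _read_tlv(issuer, pos)
        count += 1
    return count

def crl_issuer_acceptable(crl_der, signer_subject_name_der):
    """The 4.1.2.6 rule: non-empty issuer DN whose DER equals the CRL signer's subject DER."""
    _, subject, _ = _read_tlv(signer_subject_name_der, 0)
    return crl_issuer_rdn_count(crl_der) > 0 and crl_issuer_name(crl_der) == subject

# Constructed sample data (not a real CRL): sha256WithRSAEncryption, a zero-filled signature
# BIT STRING, and an issuer of either "CN=Test CA" or the empty DN the thread discusses.
ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
CN_TEST_CA = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x13, b"Test CA"))))
EMPTY_DN = _der(0x30, b"")

def build_sample_crl(issuer_name_der):
    """CRL skeleton: v2, signature alg, the given issuer, thisUpdate/nextUpdate, dummy signature."""
    times = _der(0x17, b"070301000000Z") * 2
    tbs = _der(0x30, _der(0x02, b"\x01") + ALG + issuer_name_der + times)
    return _der(0x30, tbs + ALG + _der(0x03, b"\x00" * 9))
```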