
Re: Query on draft-ietf-ipsec-pki-req-03.txt



Walker, Jesse writes:
> Greg,
> 
> Yes, I know; a lot of implementations do forward CRLs as part of their
> negotiations. The question is whether this must be required. If the draft
> requires all implementations do certificate validation, then I don't see how
> conformance is possible unless the draft also requires implementations to
> pass CRLs.
> 
> -- Jesse

Jesse,

I'm not sure that in-band CRL distribution should be a MUST.  First, 
some environments may prefer to leave CRLs as optional.  For instance,
perhaps other mechanisms are available (OCSP, etc.).  Second, we don't
yet know what the market will decide regarding distribution of revocation
information.  Currently, the answer is probably "none of the above", 
although one could envision such things as OCSP, CRLDistributionPoints,
or something else becoming "the answer".  Since in-band distribution
of CRLs is probably the only choice we currently have, I think it
should receive a SHOULD.

I'd prefer text along the lines of

    Unless configured to do otherwise, implementations SHOULD return CRLs
    in response to CRL CERTREQ messages.

A warning about possible interoperability problems probably wouldn't
hurt either.

brian
briank@network-alchemy.com


