Kaspar Brand wrote re RFC 5280:
Note that it refers to the DistributionPoint*Name*, not the
DistributionPoint itself - i.e. the CDP extension of a certificate can
certainly include multiple HTTP URIs (all pointing to the same CRL).
<snip>
FWIW, here's the definition from RFC 5280, which might help in
determining all the nesting levels:

   id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 }

   CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

   DistributionPoint ::= SEQUENCE {
        distributionPoint       [0]     DistributionPointName OPTIONAL,
        reasons                 [1]     ReasonFlags OPTIONAL,
        cRLIssuer               [2]     GeneralNames OPTIONAL }

   DistributionPointName ::= CHOICE {
        fullName                [0]     GeneralNames,
        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }

Ah, OK, thanks for clarifying this for me; this is what happens when I get into interpreting specs :-(

So the bottom line appears to be that Hongkong Post (or any other CA) could include multiple DistributionPoints, of which one referenced the URI for the full CRL and another referenced the URI for the partitioned CRL. Please correct me if I'm wrong.

Frank

--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
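The nesting Kaspar quotes, carried through as an added example (not from the thread, standard library only): the encoder builds a CRLDistributionPoints value with one DistributionPoint for a full CRL and a second one whose single DistributionPointName holds two URIs for a partitioned CRL, and the decoder walks the levels back. URIs are constructed placeholders; reasons and cRLIssuer are left out.

```python
def der_len(n):
    # DER length: short form below 128, else 0x80|count followed by big-endian bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def distribution_point(uris):
    # uniformResourceIdentifier [6] IMPLICIT IA5String -> 0x86; fullName [0] IMPLICIT
    # GeneralNames -> 0xA0; distributionPoint [0] tags a CHOICE, hence explicit -> 0xA0
    names = b"".join(tlv(0x86, u.encode("ascii")) for u in uris)
    return tlv(0x30, tlv(0xA0, tlv(0xA0, names)))

def crl_distribution_points(dps):
    # CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
    return tlv(0x30, b"".join(distribution_point(u) for u in dps))

def children(body):
    out, i = [], 0
    while i < len(body):
        tag, length, i = body[i], body[i + 1], i + 2
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(body[i:i + n], "big"), i + n
        out.append((tag, body[i:i + length]))
        i += length
    return out

def parse_cdp_uris(der):
    # One list of URIs per DistributionPoint; reasons [1] and cRLIssuer [2] are skipped
    (tag, seq), = children(der)
    assert tag == 0x30, "CRLDistributionPoints must be a SEQUENCE"
    result = []
    for _, dp in children(seq):
        uris = []
        for ctag, cval in children(dp):
            if ctag == 0xA0:  # distributionPoint [0], explicit wrapper around the CHOICE
                for ntag, names in children(cval):
                    if ntag == 0xA0:  # fullName [0]; [1] would be nameRelativeToCRLIssuer
                        uris += [v.decode("ascii") for t, v in children(names) if t == 0x86]
        result.append(uris)
    return result

# Constructed sample (hypothetical URIs): full CRL in one DP, partitioned CRL at two mirrors in another
SAMPLE_DPS = [["http://crl.example/full.crl"],
              ["http://crl.example/part-01.crl", "http://mirror.example/part-01.crl"]]
```

`parse_cdp_uris(crl_distribution_points(SAMPLE_DPS))` returns the two URI lists unchanged, with the two mirrors grouped under the second DistributionPoint rather than split into separate ones.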
