[cgl_discussion] about the requirement for PKI CA Support
Paul Kierstead
paul.kierstead at alcatel.com
Thu Jun 19 06:29:46 PDT 2003
Zhao, Forrest wrote:
> I'm a bit confused with one of the CGL 2.0 requirements: ID 7.3.4, Name
> PKI CA Support
>
> 1
>
> The requirement says: "Certificate Management/Request protocols are
> not a requirement; CRL Support (Certification Revocation List) is
> required"
>
> We know that CRL support is one component of Certificate Management
> protocols (RFC 2510), how should we understand this contradiction?
> Does this "CRL support" mean that CGL 2.0 only supports the publication
> of CRL and does not support the creation of CRL?
>
> 2
>
> If we only support the publication of certificates and CRL in the PKI CA, I
> don't think this PKI CA has much use. So I'd like to ask a question:
> what indeed do we want a PKI CA to do in CGL 2.0? Just the
> publication of certificates and CRL?
>
You do not need management protocols in order to create a CRL. For
example, a CRL can be created from the command line or a custom GUI. The
certificate management protocols provide a standardized mechanism to
request a certificate (and perform other operations) from a remote location.
This is not necessary IMO for the rather small PKI required for CGL.
--
Paul Kierstead
Alcatel Canada - R&I - Security group
600 March Road - Kanata, ON, Canada K2K 2E6
Phone: +1 613 784 3822 Fax: +1 613 784 8944
http://home.ca.alcatel.com/kan/rad/riottawa/Projects/Security/
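
The point of the reply above, creating a CRL from the command line with no certificate management protocol involved, as an added example that is not part of the original message. It assumes the OpenSSL command-line tool (the thread names no tool); the CA, node name and file names are constructed.

```sh
#!/bin/sh
# Added example: throwaway CA in a temp dir; every name and path here is constructed.
crl_demo() (
  set -e
  d=$(mktemp -d) && cd "$d"
  trap 'rm -rf "$d"' EXIT
  mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = unused
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed CA, then one node certificate issued by hand: no CMP exchange.
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo CGL CA" -keyout ca.key -out ca.pem
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=node1" -keyout node.key -out node.csr
  openssl ca -batch -config ca.cnf -in node.csr -out node.pem
  status() {  # how a relying party that checks the CRL sees node.pem
    out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl node.pem 2>&1 || true)
    case $out in *"certificate revoked"*) echo revoked ;; *": OK"*) echo valid ;; *) echo error ;; esac
  }
  openssl ca -config ca.cnf -gencrl -out ca.crl      # empty CRL, signed by the CA key
  before=$(status)
  openssl ca -config ca.cnf -revoke node.pem         # mark serial 01 revoked in index.txt
  openssl ca -config ca.cnf -gencrl -out ca.crl      # reissue the CRL with the revoked entry
  echo "$before $(status)"
)
```

Calling `crl_demo` prints the verification result before and after the revocation; distributing the resulting `ca.crl` to relying parties is the publication step the quoted requirement refers to.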