microsoft.public.win2000.security news group, Steven L Umbach
As
far as the empty CDP/AIA, that depends on your particular needs for
security
and performance.
The requirement for empty AIA and CRL distribution points for a root CA
has nothing to do with performance nor security. For the AIA, the AIA
location is used to build a certificate chain and the AIA distribution
point in an issued certificate is used to locate the certificate of the
CA that issued that certificate. To find the root CA certificate, all we
need is the AIA location from any certificate issued by the root. The
root is the top level so once we have its certificate, we don't need to
find anymore, therefore no need for an AIA distribution point in it.
As far as having an empty CDP location for the root, RFC 3280 calls for
applications to stop revocation checking one level below a self signed
certificate in the chain. Also, keep in mind that a CRL is a signed
document, so with the root CA you've got a chicken and egg situation. If
you were to revoke the root CA certificate, you then need to use the
revoked certificate to sign the CRL that contains the revocation.
I have also read where it is recommended in many situations
to increase the length of CRL life to six months for the offline CA based
on
the assumption that it is secured and the likelyhood that it would ever
have
it's certificate revoked is extremely unlikely.
Now you're confusing the CRL that a root CA issues (which would only
ever contain certificates that it issued) with a theoretical CRL that
would contain its own certificate.
--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)