RFC Errata
RFC 5280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", May 2008
Note: This RFC has been updated by RFC 6818, RFC 8398, RFC 8399, RFC 9549, RFC 9598, RFC 9608, RFC 9618
Source of RFC: pkix (sec)
Errata ID: 7164
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Aaron Gable
Date Reported: 2022-10-14
Rejected by: Deb Cooley
Date Rejected: 2024-10-29
Section 5.2.5 says:
If the distributionPoint field is absent, the CRL MUST contain entries for all revoked unexpired certificates issued by the CRL issuer, if any, within the scope of the CRL.
It should say:
If the distributionPoint field is absent, the CRL MUST contain entries for all revoked unexpired certificates issued by the CRL issuer.
Notes:
The removed phrase does not appear in the original text that this requirement is derived from, ITU-T Rec. X.509 (08/2005) Section 8.6.2.2: "If the issuing distribution point field, the AA issuing distribution point field, and the CRL scope field are all absent, the CRL shall contain entries for all revoked unexpired public-key certificates issued by the CRL issuer."
The removed phrase does not serve to create a stricter requirement; rather it creates a looser requirement which allows a CRL which does contain entries for all revoked unexpired certificates *within its scope* to not include the distributionPoint field. Given that the distributionPoint field serves an important security purpose in preventing substitution attacks, it is unlikely that this loosening was the intent of the original authors.
--VERIFIER NOTES--
Verifier notes: Discussed here: https://mailarchive.ietf.org/arch/msg/pkix/YuErTrIPYt7MzTKE6R_KRqNouto/