Re: Questions



Jonathan Schulze-Hewett wrote:

>Dave,
>	Thanks for the answers. Following up on the LDAP requirement. Test
>4.4.7 seems very directory related in that the product is supposed to pull
>the correct CRL from the directory entry. This contradicts your statement
>about none of the tests requiring an LDAP server in your reply to my
>previous e-mail. Will this be corrected before the final draft? What about
>the NIST profile that says that all products should run this test?
>

Jonathan,

I don't think that there is any need to change test 4.4.7.  I can see 
that the description of the test may be misleading since it mentions the 
intermediate CA's directory entry, but this test can still be run 
without use of a directory.

If one is testing an S/MIME client (or any client that verifies signed 
CMS messages), then the sample S/MIME messages can be used, and the 
sample message corresponding to this test includes both the good CRL and 
the bad CRL.

If you are running a test with a client that does not obtain CRLs from 
either a directory or the sample S/MIME messages, then how the test can 
be run depends on how the client expects to receive input.  If the 
client can accept a collection of certificates and CRLs, with the client 
figuring out on its own which CRL to use with which certificate, then 
both CRLs can be provided as input.

The only case in which it would be difficult to run test 4.4.7 in its 
intended fashion would be if the client being tested required the input 
to include a single CRL for each certificate.  In this case, the best 
one could do would be to run the test twice, first using the bad CRL to 
verify that the client recognized that the CRL could not be used and 
then a second time using the good CRL.

Dave
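The case Dave describes in his third paragraph, a client that is handed a collection of certificates and CRLs and must work out on its own which CRL goes with which certificate, is the part a verifier has to get right. The following is an added example written for this page; it is not code from the thread, from the NIST test suite, or from its sample S/MIME messages. It builds a constructed fixture with Go's standard library (an intermediate CA, an end-entity certificate issued by it, the CA's own CRL, and a CRL from an unrelated CA), then shows the selection a client performs: match the CRL issuer name to the certificate's issuer, verify the CRL signature with the issuer's key, and check the CRL is current. It goes one step beyond the two-CRL input by also feeding in a CRL that carries the intermediate CA's name but is signed with a different key, to show why the name match alone is not enough, and it covers the bad-CRL-only run from Dave's last paragraph. All names, serial numbers and function names are illustrative assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// mint builds a constructed test certificate (illustrative, not PKITS data). With parent
// nil it is a self-signed CA carrying cRLSign, which CreateRevocationList and
// CheckSignatureFrom both insist on; otherwise it is an end-entity cert under parent.
// Fixture-construction errors are ignored for brevity.
func mint(name string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		signer, signerKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newCRL returns a DER CRL signed by signer that lists the given serials as revoked.
// The issuer name written into the CRL is signer's subject name.
func newCRL(signer *x509.Certificate, key *ecdsa.PrivateKey, number int64, revoked ...int64) []byte {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(number),
		ThisUpdate: time.Now().Add(-time.Hour),
		NextUpdate: time.Now().Add(24 * time.Hour),
	}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now().Add(-time.Minute)})
	}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, signer, key)
	return der
}

// checkStatus is the client-side step the thread is about: given a certificate, its
// issuer's certificate and an unordered pile of CRLs, find a CRL that is actually
// usable for this certificate, then look the serial number up in it.
func checkStatus(ee, issuer *x509.Certificate, crls [][]byte, now time.Time) (string, error) {
	for _, der := range crls {
		crl, err := x509.ParseRevocationList(der)
		if err != nil {
			continue // not a CRL at all
		}
		if !bytes.Equal(crl.RawIssuer, ee.RawIssuer) {
			continue // issued by someone other than the certificate's issuer
		}
		if crl.CheckSignatureFrom(issuer) != nil {
			continue // right issuer name, wrong key (or issuer lacks cRLSign / CA bits)
		}
		if now.Before(crl.ThisUpdate) || !now.Before(crl.NextUpdate) {
			continue // not yet valid or stale
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(ee.SerialNumber) == 0 {
				return "revoked", nil
			}
		}
		return "good", nil
	}
	return "", errors.New("no usable CRL for this certificate")
}

// scenario assembles the input Dave describes: the intermediate CA's own CRL plus one
// from an unrelated CA, handed over together. goodRevokes lists serials in the good CRL;
// forge adds a CRL bearing the intermediate CA's name but signed with another key (it
// revokes the end entity and must be ignored); badOnly drops the good CRL altogether.
func scenario(goodRevokes []int64, forge, badOnly bool) (string, error) {
	ca, caKey := mint("Intermediate CA", 1, nil, nil)
	other, otherKey := mint("Unrelated CA", 2, nil, nil)
	ee, _ := mint("End Entity", 1001, ca, caKey)
	crls := [][]byte{newCRL(other, otherKey, 5, 1001)} // bad CRL: wrong issuer, claims 1001 revoked
	if forge {
		impostor, impostorKey := mint("Intermediate CA", 3, nil, nil) // same name, different key
		crls = append(crls, newCRL(impostor, impostorKey, 6, 1001))
	}
	if !badOnly {
		crls = append(crls, newCRL(ca, caKey, 7, goodRevokes...))
	}
	return checkStatus(ee, ca, crls, time.Now())
}
```

`scenario(nil, false, false)` is the two-CRL input and should yield "good"; `scenario(nil, false, true)` is the bad-CRL-only run and should yield an error rather than a status, which is what "recognized that the CRL could not be used" means in practice. A production validator would additionally have to honour CRL distribution point and issuing distribution point scoping and the CRL issuer's own path validation; this example deliberately stops at the three checks the thread's test turns on.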




Problems or questions? Contact list-master@nist.gov