The following section of RFC5280 specifies that certificates issued by a certain CA MUST not include the extension field "CRL Issuer" for certificate extension "CRL Distribution Points":
RFC5280 Section 4.2.1.13
The cRLDistributionPoints extension is a SEQUENCE of DistributionPoint. A DistributionPoint consists of three fields, each of which is optional: distributionPoint, reasons, and cRLIssuer. While each of these fields is optional, a DistributionPoint MUST NOT consist of only the reasons field; either distributionPoint or cRLIssuer MUST be present. If the certificate issuer is not the CRL issuer, then the cRLIssuer field MUST be present and contain the Name of the CRL issuer. If the certificate issuer is also the CRL issuer, then conforming CAs MUST omit the cRLIssuer field and MUST include the distributionPoint field.
As I've seen when using zlint, there is no specific lint for this topic. Is there a chance of checking this specific condition?
The BRs in sections 7.1.2.1 (b) and 7.1.2.2 (e) mandate that CA certificates assert the cRLSign KU bit. Given that the bit is asserted, the CA is by definition the CRL issuer for certificates it issues. Thus, it is inappropriate to include the cRLIssuer field in certificates that the CA issues.
Given this, if we are limiting ourselves to a BR lint, then I think this lint would be as simple as flagging an error if the cRLIssuer field is present and/or distributionPoint is absent. The logic gets more difficult if it's an RFC lint, as there is no obligation in 5280 for a CA to also be the CRL issuer; the CA certificate would also have to be examined to see if it has the cRLSign KU bit asserted.
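Added example, written for this page and not taken from zlint or from anyone in the thread: a stand-alone Go check that walks the DER of a cRLDistributionPoints extension and applies the rule quoted above. It reports the RFC 5280 condition (a DistributionPoint with neither distributionPoint nor cRLIssuer) and the BR reading from the comment (cRLIssuer must be absent, distributionPoint must be present). The function names findCDP, lintCDP and the sample builders are chosen here; the three sample extension values, the URI http://crl.example.test/ca.crl and the CRL issuer name are constructed for the example.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Context-specific tags of the three OPTIONAL DistributionPoint fields
// (RFC 5280, section 4.2.1.13).
const (
	tagDistributionPoint = 0
	tagReasons           = 1
	tagCRLIssuer         = 2
)

// oidCRLDistributionPoints is id-ce-cRLDistributionPoints (2.5.29.31).
var oidCRLDistributionPoints = asn1.ObjectIdentifier{2, 5, 29, 31}

// findCDP returns the DER value of the cRLDistributionPoints extension from a
// certificate's extension list (x509.Certificate.Extensions), or nil if absent.
func findCDP(exts []pkix.Extension) []byte {
	for _, e := range exts {
		if e.Id.Equal(oidCRLDistributionPoints) {
			return e.Value
		}
	}
	return nil
}

// lintCDP walks a DER-encoded CRLDistributionPoints value and returns one string
// per violation: no DistributionPoint may lack both distributionPoint and
// cRLIssuer (RFC 5280), and under the BR reading from the comment above
// cRLIssuer must be absent and distributionPoint must be present.
func lintCDP(der []byte) ([]string, error) {
	var seq asn1.RawValue
	rest, err := asn1.Unmarshal(der, &seq)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 || seq.Class != asn1.ClassUniversal || seq.Tag != asn1.TagSequence || !seq.IsCompound {
		return nil, fmt.Errorf("CRLDistributionPoints is not a single SEQUENCE")
	}
	var problems []string
	body, n := seq.Bytes, 0
	for ; len(body) > 0; n++ {
		var dp asn1.RawValue
		if body, err = asn1.Unmarshal(body, &dp); err != nil {
			return nil, err
		}
		if dp.Class != asn1.ClassUniversal || dp.Tag != asn1.TagSequence || !dp.IsCompound {
			return nil, fmt.Errorf("DistributionPoint %d is not a SEQUENCE", n)
		}
		// Record which of the [0], [1], [2] fields this DistributionPoint carries.
		present := map[int]bool{}
		for fields := dp.Bytes; len(fields) > 0; {
			var f asn1.RawValue
			if fields, err = asn1.Unmarshal(fields, &f); err != nil {
				return nil, err
			}
			if f.Class != asn1.ClassContextSpecific || f.Tag > tagCRLIssuer {
				return nil, fmt.Errorf("DistributionPoint %d: unexpected element (class %d, tag %d)", n, f.Class, f.Tag)
			}
			present[f.Tag] = true
		}
		if !present[tagDistributionPoint] && !present[tagCRLIssuer] {
			problems = append(problems, fmt.Sprintf("DistributionPoint %d: neither distributionPoint nor cRLIssuer present", n))
		}
		if present[tagCRLIssuer] {
			problems = append(problems, fmt.Sprintf("DistributionPoint %d: cRLIssuer present", n))
		}
		if !present[tagDistributionPoint] {
			problems = append(problems, fmt.Sprintf("DistributionPoint %d: distributionPoint absent", n))
		}
	}
	if n == 0 {
		problems = append(problems, "CRLDistributionPoints is empty (SIZE (1..MAX))")
	}
	return problems, nil
}

// tlv DER-encodes one element; used only to build the constructed samples below.
func tlv(class, tag int, compound bool, content []byte) []byte {
	b, err := asn1.Marshal(asn1.RawValue{Class: class, Tag: tag, IsCompound: compound, Bytes: content})
	if err != nil {
		panic(err)
	}
	return b
}

func wrapSeq(content []byte) []byte { return tlv(asn1.ClassUniversal, asn1.TagSequence, true, content) }

// dpNameURI builds distributionPoint [0] { fullName [0] { URI } } with a made-up URI.
func dpNameURI() []byte {
	uri := tlv(asn1.ClassContextSpecific, 6, false, []byte("http://crl.example.test/ca.crl")) // GeneralName: uniformResourceIdentifier
	fullName := tlv(asn1.ClassContextSpecific, 0, true, uri)                                  // fullName [0] GeneralNames (implicit)
	return tlv(asn1.ClassContextSpecific, tagDistributionPoint, true, fullName)               // distributionPoint [0] (CHOICE, so explicit)
}

// Constructed sample 1: fullName URI only, the form a CA that signs its own CRLs must use.
func sampleCompliant() []byte { return wrapSeq(wrapSeq(dpNameURI())) }

// Constructed sample 2: the same distributionPoint plus a cRLIssuer directoryName
// (made-up name), which the rule forbids when the issuing CA is the CRL issuer.
func sampleWithCRLIssuer() []byte {
	name, err := asn1.Marshal(pkix.Name{CommonName: "Example CRL Issuer"}.ToRDNSequence())
	if err != nil {
		panic(err)
	}
	dirName := tlv(asn1.ClassContextSpecific, 4, true, name)              // GeneralName: directoryName [4] (explicit)
	issuer := tlv(asn1.ClassContextSpecific, tagCRLIssuer, true, dirName) // cRLIssuer [2] GeneralNames (implicit)
	return wrapSeq(wrapSeq(append(dpNameURI(), issuer...)))
}

// Constructed sample 3: only the reasons field (keyCompromise), which RFC 5280 forbids outright.
func sampleReasonsOnly() []byte {
	reasons := tlv(asn1.ClassContextSpecific, tagReasons, false, []byte{0x06, 0x40}) // BIT STRING: 6 unused bits, bit 1 set
	return wrapSeq(wrapSeq(reasons))
}

func main() {
	samples := map[string][]byte{"compliant": sampleCompliant(), "cRLIssuer present": sampleWithCRLIssuer(), "reasons only": sampleReasonsOnly()}
	for name, der := range samples {
		problems, err := lintCDP(der)
		fmt.Printf("%-18s err=%v problems=%q\n", name, err, problems)
	}
}
```

Because the check only sees the extension bytes, it encodes the BR assumption directly. Turning it into the RFC variant discussed in the comment would mean passing in the issuing CA's certificate as well and only flagging cRLIssuer when that certificate asserts the cRLSign key usage bit.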