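@techreport{lamps-bonnell-keyusage-crl-validation-04,
  author      = {Bonnell, Corey and Ito, Tadahiko and Okubo, Tomofumi},
  title       = {Clarification to Processing {Key Usage} Values During {CRL} Validation},
  type        = {Internet-Draft},
  number      = {draft-lamps-bonnell-keyusage-crl-validation-04},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = {2025},
  month       = apr,
  day         = {16},
  pagetotal   = {6},
  note        = {Work in Progress},
  url         = {https://datatracker.ietf.org/doc/draft-lamps-bonnell-keyusage-crl-validation/04/},
  abstract    = {RFC 5280 defines the profile of X.509 certificates and certificate revocation lists (CRLs) for use in the Internet. This profile requires that certificates which certify keys for signing CRLs contain the key usage extension with the cRLSign bit asserted. Additionally, RFC 5280 defines steps for the validation of CRLs. While there is a requirement for CRL validators to verify that the cRLSign bit is asserted in the keyUsage extension of the CRL issuer's certificate, this document clarifies the requirement for relying parties to also verify the presence of the keyUsage extension in the CRL issuer's certificate. This check remediates a potential security issue that arises when relying parties accept a CRL which is signed by a certificate with no keyUsage extension, and therefore does not explicitly have the cRLSign bit asserted.},
}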