
How does CA authorize delegated CRL issuers RFC 5280 (PKI)?


RFC 5280 states:

CRL issuers issue CRLs. The CRL issuer is either the CA or an entity that has been authorized by the CA to issue CRLs. CAs publish CRLs to provide status information about the certificates they issued. However, a CA may delegate this responsibility to another trusted authority.

Q: Is there a standard way for a CA to "authorize" a particular CRL issuer that is not the actual CA?

In other words, if a CA certificate contains a CRL Distribution Point URL that contains a CRL that is signed by some key other than the SubjectKey of "this" cert (the one containing the CRL Distribution Point extension), how does "this" CA indicate the valid keys that can sign that CRL?


Solution

  • The CDP entry will contain a cRLIssuer value to indicate what the expected signer of the CRL at that location is.

    Then the CRL has to assert that it is an indirectCRL via the Issuing Distribution Point extension.

    If the CRL signer's subject is not the same as the issuing CA's subject, then both Windows and OpenSSL will stop at this point and pretend the CRL doesn't exist (per https://security.stackexchange.com/questions/242185/deployment-tips-to-support-indirect-crls). But they do, per that question and answer, support the concept of letting the CA use a different key for the CA and for CRL signing.
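The two pieces the answer describes, the cRLIssuer in the certificate's CDP and the indirectCRL flag in the CRL's Issuing Distribution Point, shown end to end as an added example (not code from the question or answer). It uses the `cryptography` library; the names, the CDP URL and the keys are constructed for the example, and the final function is the check a relying party would apply before trusting a CRL signed by a delegate.

```python
# Added example: a CA-issued certificate whose CDP names a delegated cRLIssuer,
# an indirect CRL signed by that delegate, and the relying-party check that ties
# them together. Names, URL and keys are constructed; nothing here is a real PKI.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
CRL_SIGNER_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CRL Signer")])
CDP_URL = "http://crl.example.test/root.crl"  # constructed, not a real endpoint

def build_pki():
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())      # the CA's own key
    signer_key = ec.generate_private_key(ec.SECP256R1())  # the delegated CRL signer's key
    # CDP: fullName says where the CRL is, cRLIssuer says who is expected to sign it.
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CDP_URL)], relative_name=None,
        reasons=None, crl_issuer=[x509.DirectoryName(CRL_SIGNER_NAME)])])
    cert = (x509.CertificateBuilder().subject_name(CA_NAME).issuer_name(CA_NAME)
            .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))
    # Indirect CRL: issued under the delegate's name and flagged indirectCRL in its IDP.
    idp = x509.IssuingDistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CDP_URL)], relative_name=None,
        only_contains_user_certs=False, only_contains_ca_certs=False,
        only_some_reasons=None, indirect_crl=True, only_contains_attribute_certs=False)
    crl = (x509.CertificateRevocationListBuilder().issuer_name(CRL_SIGNER_NAME)
           .last_update(now).next_update(now + datetime.timedelta(days=7))
           .add_extension(idp, critical=True).sign(signer_key, hashes.SHA256()))
    return cert, crl, signer_key.public_key()

def crl_matches_cdp(cert, crl, signer_pub):
    """Accept the CRL only if its issuer is a cRLIssuer named in the certificate's
    CDP, it declares itself indirect, and the delegate's key verifies its signature."""
    cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    authorized = [n.value for dp in cdp for n in (dp.crl_issuer or [])
                  if isinstance(n, x509.DirectoryName)]
    if crl.issuer not in authorized:
        return False
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    except x509.ExtensionNotFound:
        return False  # a CRL from a non-CA issuer must carry the indirectCRL flag
    return bool(idp.indirect_crl) and crl.is_signature_valid(signer_pub)
```

Note that this check only covers the authorization step from the answer; a full validator must still build and validate the delegate's own certificate chain back to the CA (with the cRLSign key usage) before trusting the key.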