Julien Pierre wrote:
Technically, the revocation information from CRLs does not expire. nextUpdate only means the CA should have more recent information available, not that the CRL is expired. So I don't see it as wrong to still do the OCSP check.
There is no in-band mechanism other than nextUpdate to rely on to decide that a CRL is expired.
Moreover, RFC 3280 says: "[The client] ... acquires a suitably-recent CRL and checks that the certificate serial number is not on that CRL. The meaning of 'suitably-recent' may vary with local policy, but it usually means the most recently-issued CRL."
Jean-Marc,

There's a verb missing from this next sentence you wrote, and understanding that sentence depends entirely on the missing verb.
Please fill in the missing verb, here |
                                      v
As a general rule, it's a bad idea to something that was only reluctantly inserted as a may in an RFC.
Thanks.
-- Nelson B
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
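The decision logic the thread is arguing about, as an added example (not code from Nelson, Julien, Jean-Marc, or any NSS/Mozilla source): a CRL whose nextUpdate has passed is classified as overdue rather than expired, a hypothetical local Policy stands in for RFC 3280's "suitably-recent", and a serial listed on any CRL the client holds still counts as revoked, with OCSP consulted as the fresher source when the CRL alone is not enough. The names Crl, Policy, crl_freshness and check_revocation, and every serial, issuer and timestamp, are assumptions constructed for this example.

```python
"""Revocation decision with an advisory nextUpdate (added example, not from the thread)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Set


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # no revocation information the policy is willing to rely on


@dataclass
class Crl:
    issuer: str
    this_update: datetime      # when the CA compiled this CRL
    next_update: datetime      # when the CA promised a newer one (advisory, not an expiry)
    revoked_serials: Set[int] = field(default_factory=set)


@dataclass
class Policy:
    """Hypothetical local policy that defines 'suitably recent'."""
    max_crl_age: timedelta = timedelta(days=7)  # measured from thisUpdate
    use_overdue_crl: bool = True                # rely on a CRL that is past nextUpdate


def crl_freshness(crl: Crl, now: datetime, policy: Policy) -> str:
    """Classify a CRL as 'current', 'overdue' (past nextUpdate but within the
    local age limit) or 'too-old' (older than the policy tolerates)."""
    if now - crl.this_update > policy.max_crl_age:
        return "too-old"
    if now > crl.next_update:
        return "overdue"
    return "current"


def check_revocation(serial: int, crl: Optional[Crl], ocsp_status: Optional[Status],
                     now: datetime, policy: Policy) -> Status:
    """Combine a (possibly stale) CRL with an optional OCSP answer.

    1. A serial listed on any CRL we hold is REVOKED: the listing does not stop
       being true when nextUpdate passes. (certificateHold, the one reason code
       a CA can later lift, is ignored in this example.)
    2. A definitive OCSP answer (GOOD or REVOKED) is taken as the fresher source.
    3. A CRL the policy deems suitably recent that omits the serial means GOOD.
    4. Otherwise UNKNOWN; the caller applies its own hard-fail or soft-fail rule.
    """
    if crl is not None and serial in crl.revoked_serials:
        return Status.REVOKED
    if ocsp_status in (Status.GOOD, Status.REVOKED):
        return ocsp_status
    if crl is not None:
        freshness = crl_freshness(crl, now, policy)
        if freshness == "current" or (freshness == "overdue" and policy.use_overdue_crl):
            return Status.GOOD
    return Status.UNKNOWN


# Constructed sample data (not from any real CA): one CRL whose nextUpdate
# passed yesterday, one far older than the default policy allows.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
OVERDUE_CRL = Crl("CN=Example CA", NOW - timedelta(days=2), NOW - timedelta(days=1), {0x1001})
OLD_CRL = Crl("CN=Example CA", NOW - timedelta(days=30), NOW - timedelta(days=20), {0x1001})
LENIENT = Policy()
STRICT = Policy(use_overdue_crl=False)


if __name__ == "__main__":
    for name, crl in (("overdue", OVERDUE_CRL), ("old", OLD_CRL)):
        for pol_name, pol in (("lenient", LENIENT), ("strict", STRICT)):
            print(name, pol_name, crl_freshness(crl, NOW, pol),
                  "listed:", check_revocation(0x1001, crl, None, NOW, pol).value,
                  "unlisted:", check_revocation(0x2002, crl, None, NOW, pol).value,
                  "unlisted+ocsp-good:", check_revocation(0x2002, crl, Status.GOOD, NOW, pol).value)
```

The two knobs on Policy are where Julien's and Jean-Marc's positions diverge: with use_overdue_crl set, an unlisted serial on an overdue CRL is GOOD without any OCSP round trip; with it cleared, the same CRL yields UNKNOWN unless OCSP answers, which is the point at which the OCSP check Julien defends becomes necessary rather than optional.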