Björn Lantz
Thu, 28 Jan 2010 09:18:13 -0800
Dear list readers,

I have a question about whose/which CRL the crlDistributionPoints in a certificate should point out. I have spent a few days looking for a recommendation or common practice, but without success.
The alternatives for a certificate are of course to point out its own CRL, the issuer's CRL or none at all. Should certificates with CA:false have crlDistributionPoints, or just those with CA:true?
I think the best practice would be that every issuing CA in a chain maintains, signs and points out its own CRL. A leaf/user cert may, but in my opinion must not, point out its issuer's CRL.
+------+      +------+
| root | cdp  | root |  contains revoked certs
| cert |----->| crl  |  that root has issued
+------+      +------+
   ^
   |
+------+      +------+
|  CA  | cdp  |  CA  |  contains revoked certs
| cert |----->| crl  |  that CA has issued
+------+      +------+
   ^              ^
   |              |
+------+          |
| user | cdp (opt)|
| cert |----------+
+------+

As every certificate except the root in a chain has an issuer, to check the revocation status of a certificate one should always check the crlDistributionPoints found one level above, in the issuer's certificate.
This way, when establishing a session with a previously unknown party, all the CRLs in the trust chain can have been pre-fetched and cached.
Does anyone know if there are any guidelines, recommendations or common practices for this?
/Björn Lantz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
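As an added example (not part of the original post or of OpenSSL), the arrangement sketched in the figure above, written with Python's third-party cryptography package: each CA certificate carries a CDP to the CRL that CA itself signs, the user certificate carries none, and a certificate is checked against the CRL named by the CDP one level above, in its issuer's certificate, taken from a cache of pre-fetched CRLs. The chain, serials and example.test URLs are constructed inside the script; nothing is fetched over the network.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
NOW = datetime.datetime.now(datetime.timezone.utc)

def make_cert(cn, key, issuer_cert, issuer_key, is_ca, cdp_url):
    # Self-signed when issuer_cert is None; cdp_url=None leaves the extension out.
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(issuer_cert.subject if issuer_cert else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if cdp_url:
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier(cdp_url)], None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())
def make_crl(issuer_cert, issuer_key, revoked_serials):
    # The CRL a CA signs, listing serials of certificates that CA has issued.
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=1)))
    for s in revoked_serials:
        rc = x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build()
        b = b.add_revoked_certificate(rc)
    return b.sign(issuer_key, hashes.SHA256())
def cdp_urls(cert):
    # URIs from the CRL Distribution Points extension; [] when the cert has none.
    dps = [e.value for e in cert.extensions if isinstance(e.value, x509.CRLDistributionPoints)]
    return [n.value for ext in dps for dp in ext for n in dp.full_name or []
            if isinstance(n, x509.UniformResourceIdentifier)]
def check_chain(chain, crl_cache):
    # chain is root-first; each cert is checked against the CRL named by the CDP in
    # its issuer's certificate (one level above), taken from the pre-fetched cache.
    for issuer, cert in zip(chain, chain[1:]):
        for url in cdp_urls(issuer):
            crl = crl_cache[url]
            if not crl.is_signature_valid(issuer.public_key()):
                return "bad CRL signature: " + url
            if crl.get_revoked_certificate_by_serial_number(cert.serial_number):
                return "revoked: " + cert.subject.rfc4514_string()
    return "good"

# Constructed chain mirroring the post's figure; the URLs are placeholders, nothing is fetched.
root_key, ca_key, user_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
root = make_cert("root", root_key, None, root_key, True, "http://example.test/root.crl")
ca = make_cert("CA", ca_key, root, root_key, True, "http://example.test/ca.crl")
user = make_cert("user", user_key, ca, ca_key, False, None)
CACHE = {"http://example.test/root.crl": make_crl(root, root_key, []),
         "http://example.test/ca.crl": make_crl(ca, ca_key, [user.serial_number])}
```

check_chain([root, ca, user], CACHE) reports the user certificate as revoked because the CA's CRL lists its serial, while check_chain([root, ca], CACHE) returns "good".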