Jeff Saremi <jsar...@morega.com> writes: [...]
> Section 6.3.3. of RFC 5280 - CRL Processing
> "This algorithm begins by assuming that the certificate is not revoked....
> For each distribution point (DP) in the certificate's CRL distribution
> points extension, for each corresponding CRL ...."
>
> So my expectation is that after I instruct OpenSSL to perform CRL
> checking -- whether I set or not set any CRLs -- no checking must be
> done on any certificates which don't have CRLDP in them.

I think you should read on. Specifically, the last paragraph seems to me
to indicate that different behaviour is intended:

   If the revocation status has not been determined, repeat the process
   above with any available CRLs not specified in a distribution point
   but issued by the certificate issuer.  For the processing of such a
   CRL, assume a DP with both the reasons and the cRLIssuer fields
   omitted and a distribution point name of the certificate issuer.
   That is, the sequence of names in fullName is generated from the
   certificate issuer field as well as the certificate issuerAltName
   extension.  After processing such CRLs, if the revocation status has
   still not been determined, then return the cert_status UNDETERMINED.

That seems to me more natural: if there's no CRLDP then check any
relevant CRL. If (after all this) you fail to find any relevant CRLs,
then the revocation status is undetermined.

[...]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
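The control flow the reply is pointing at, as an added example (not code from OpenSSL or from either poster): a reduced model of RFC 5280 section 6.3.3 in which named distribution points are processed first, then the implied issuer DP from the quoted paragraph, and UNDETERMINED is returned only when neither path covers all reasons. Certificates, CRLs and the name strings are simplified, constructed shapes assumed for the example; signature verification, validity windows and delta CRLs are deliberately left out.

```python
"""RFC 5280 6.3.3 CRL processing reduced to its decision logic (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

REVOKED, UNREVOKED, UNDETERMINED = "REVOKED", "UNREVOKED", "UNDETERMINED"

# Reason flags a DP or IDP can partition a CRL by (RFC 5280 4.2.1.13).
ALL_REASONS: FrozenSet[str] = frozenset({
    "keyCompromise", "cACompromise", "affiliationChanged", "superseded",
    "cessationOfOperation", "certificateHold", "privilegeWithdrawn", "aACompromise"})


@dataclass(frozen=True)
class DistributionPoint:            # assumed, simplified shape
    names: Tuple[str, ...]                    # distributionPoint fullName(s)
    reasons: FrozenSet[str] = ALL_REASONS     # omitted in DER => all reasons
    crl_issuer: Optional[str] = None          # omitted in DER => certificate issuer


@dataclass(frozen=True)
class Certificate:                  # assumed, simplified shape
    serial: int
    issuer: str
    issuer_alt_names: Tuple[str, ...] = ()
    crldp: Tuple[DistributionPoint, ...] = () # empty => no CRLDP extension at all


@dataclass(frozen=True)
class CRL:                          # assumed, simplified shape
    issuer: str
    revoked: Dict[int, str]                   # serial -> reason code
    idp_names: Tuple[str, ...] = ()           # issuingDistributionPoint name, () if absent
    idp_reasons: FrozenSet[str] = ALL_REASONS # onlySomeReasons, absent => all


def crl_matches_dp(crl: CRL, dp: DistributionPoint, cert: Certificate) -> bool:
    """6.3.3 (b): CRL issuer must be the DP's cRLIssuer (or the cert issuer when
    omitted), and an IDP name, if present, must match one of the DP names."""
    if crl.issuer != (dp.crl_issuer or cert.issuer):
        return False
    if crl.idp_names and not set(crl.idp_names) & set(dp.names):
        return False
    return True


def process_dp(cert, dp, crls, status, reasons_mask):
    """6.3.3 (b)-(k) for one DP: fold every matching CRL into the state."""
    for crl in crls:
        if status != UNREVOKED or reasons_mask == ALL_REASONS:
            break                                           # already determined
        if not crl_matches_dp(crl, dp, cert):
            continue
        interim = dp.reasons & crl.idp_reasons              # (d)
        if not interim - reasons_mask:                      # (e): covers nothing new
            continue
        reasons_mask = reasons_mask | interim               # (i)
        reason = crl.revoked.get(cert.serial)               # (j)
        if reason is not None and reason != "removeFromCRL":  # (k)
            status = REVOKED
    return status, reasons_mask


def check_revocation(cert: Certificate, crls: List[CRL]) -> str:
    status, reasons_mask = UNREVOKED, frozenset()           # (a)
    for dp in cert.crldp:                                   # named DPs first
        status, reasons_mask = process_dp(cert, dp, crls, status, reasons_mask)
    if status == UNREVOKED and reasons_mask != ALL_REASONS:
        # The quoted paragraph: a DP implied from the issuer name(s), with
        # reasons and cRLIssuer omitted. Runs whether or not a CRLDP exists.
        implied = DistributionPoint(names=(cert.issuer,) + cert.issuer_alt_names)
        status, reasons_mask = process_dp(cert, implied, crls, status, reasons_mask)
    if status == UNREVOKED and reasons_mask != ALL_REASONS:
        return UNDETERMINED
    return status


ISSUER = "CN=Example Issuing CA"    # constructed issuer name and serials below


def demo() -> Dict[str, str]:
    """Constructed scenarios; returns scenario name -> status."""
    plain = Certificate(serial=0x1001, issuer=ISSUER)       # no CRLDP extension
    listed = Certificate(serial=0x2002, issuer=ISSUER)      # no CRLDP, appears on CRL
    full_crl = CRL(issuer=ISSUER, revoked={0x2002: "superseded"})
    # A DP partitioned by reason: its CRL only ever carries keyCompromise entries.
    kc_dp = DistributionPoint(names=("http://crl.example/kc.crl",),
                              reasons=frozenset({"keyCompromise"}))
    partitioned = Certificate(serial=0x2002, issuer=ISSUER, crldp=(kc_dp,))
    kc_crl = CRL(issuer=ISSUER, revoked={}, idp_names=kc_dp.names,
                 idp_reasons=frozenset({"keyCompromise"}))
    return {
        "no CRLDP, issuer CRL present, not listed": check_revocation(plain, [full_crl]),
        "no CRLDP, issuer CRL lists serial": check_revocation(listed, [full_crl]),
        "no CRLDP, no CRL at all": check_revocation(plain, []),
        "CRLDP covers keyCompromise only, no other CRL": check_revocation(partitioned, [kc_crl]),
        "CRLDP partial, issuer full CRL lists serial": check_revocation(partitioned, [kc_crl, full_crl]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first three scenarios are the situation in the thread: a certificate with no CRLDP is still checked against any CRL its issuer published, and with no CRL at all the outcome is UNDETERMINED. OpenSSL surfaces that last case as a verification failure rather than a pass: with X509_V_FLAG_CRL_CHECK set (or `openssl verify -crl_check`) and no usable CRL in the store, the result is X509_V_ERR_UNABLE_TO_GET_CRL ("unable to get certificate CRL"). The last two scenarios show why the fallback paragraph exists even when a CRLDP is present: a reason-partitioned CRL only settles the reasons it covers, and the issuer's full CRL is what determines the rest.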