Jeff Saremi <jsar...@morega.com> writes:

[...]

> Here's the code:
>
> cert.status = NOT_REVOKED;
> for (i = 0; i < cert.crldp.size; ++i)
> {
>   /* some processing loops */
>   if(cert.status == UNDETERMINED)
>   {
>     /* do what Bruce Stephens suggested */
>   }
> }

No, I think RFC5280 is saying that you may have CRLs which were not
indicated by CRLDP.  Even if there is no CRLDP at all, you may have
(through some other means) CRLs issued by some appropriate entity
(either the CA or an indirect CRL issuer).

If you don't have any of those (and you don't have any other mechanism
for verifying revocation status, such as OCSP) then that surely
shouldn't mean that the certificate is not revoked---it surely ought to
mean you don't know?

When designing your own applications you might reasonably choose to
regard such certificates as valid, or (alternatively) to reject them on
the grounds that revocation status can't be checked.  Both seem
reasonable choices, depending on the circumstances.

I'm not sure what you should do if you're issuing certificates and want
people to always regard them as unrevoked.  I suspect it depends how
much control you have over the software that other people are using.  At
worst you might need to produce CRLs (which would always be empty) or
run an OCSP server.

[...]

> Now as a result of OpenSSL's implementation, none of my clients who use
> OpenSSL will be able to deal with me online.

I don't think it has anything to do with OpenSSL.  Other verifiers will
behave similarly (I happen to be familiar with CML and that'll behave
the same as OpenSSL, if revocation checking is enabled).

> Because my certificates do not have a CRL and CRLDP period. Should I
> stop doing business altogether? Should I contact my business partners
> and tell them that they should be applying a patch to their code,
> overriding verification failure in their certVerifyCallbacks? Let's
> just think that through a little.

If you want to support software that performs revocation checking then
you'll need to provide some way for that software to check revocation
status.  That might be simple (provide an empty CRL with a nextUpdate
way off in the future).

But maybe that's not necessary: for software that only really addresses
your certs, maybe you can persuade the software not to perform revocation
checking.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
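An added example, not part of the thread above, that reproduces what the two messages discuss with the openssl command-line tool: a leaf certificate with no CRLDP and no CRL verifies fine while revocation checking is off, fails with "unable to get certificate CRL" once -crl_check is on, and verifies again after the CA publishes an empty CRL with a nextUpdate ten years out. It covers both options Bruce mentions (turn revocation checking off, or ship an empty long-lived CRL). The CA name, subject names, the working directory and the minimal ca.cnf are made up for the demo; it only assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added demo (not from the openssl-users thread): no-CRL verification failure
# and the empty-CRL workaround. All names and paths below are invented.

WORK="$(mktemp -d)"              # throwaway directory for keys, certs, CRL
trap 'rm -rf "$WORK"' EXIT

# setup_pki: a self-signed demo CA and one leaf cert. Neither the CA config
# nor the leaf carries a CRL Distribution Point, matching Jeff's situation.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# verify_no_crl_check: option 1, revocation checking simply not enabled.
# Returns 0 (chain OK) even though no CRL exists anywhere.
verify_no_crl_check() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# verify_crl_check_no_crl: revocation checking on, no CRL available.
# OpenSSL reports "unable to get certificate CRL" and returns non-zero:
# it does not treat "no CRL" as "not revoked".
verify_crl_check_no_crl() {
  openssl verify -crl_check -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# issue_empty_crl: option 2, Bruce's workaround. The CA signs a CRL that
# lists nothing, with nextUpdate 3650 days out, using a minimal ca.cnf
# (made up here) that names the empty index file and a CRL number file.
issue_empty_crl() {
  : > "$WORK/index.txt"            # empty database => no revoked entries
  echo 01 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 3650
EOF
  openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 3650 \
    -out "$WORK/empty.crl" 2>/dev/null
}

# verify_crl_check_with_crl: revocation checking on, empty CRL supplied.
# Returns 0: the verifier found a CRL from the CA and the leaf is not on it.
verify_crl_check_with_crl() {
  openssl verify -crl_check -CAfile "$WORK/ca.crt" \
    -CRLfile "$WORK/empty.crl" "$WORK/leaf.crt" >/dev/null 2>&1
}

# crl_revoked_count: number of revoked serials listed in the CRL (0 here).
crl_revoked_count() {
  openssl crl -in "$WORK/empty.crl" -noout -text | grep -c 'Serial Number:' || true
}

# Walk through the three verification cases and report each outcome.
setup_pki
if verify_no_crl_check; then echo "no -crl_check:            OK"; fi
if verify_crl_check_no_crl; then echo "-crl_check, no CRL:       OK (unexpected)"
else echo "-crl_check, no CRL:       FAIL (unable to get certificate CRL)"; fi
issue_empty_crl
if verify_crl_check_with_crl; then echo "-crl_check, empty CRL:    OK"; fi
echo "revoked entries in CRL:   $(crl_revoked_count)"
```

The same distinction applies in library code: with X509_V_FLAG_CRL_CHECK set on the store, OpenSSL returns X509_V_ERR_UNABLE_TO_GET_CRL rather than silently passing, so a relying party either leaves the flag unset or must be given a CRL (or some other revocation source) to consult. Note that an empty CRL with a ten-year nextUpdate makes verifiers happy but also means a later revocation will not reach anyone who cached it; that is the trade-off Bruce alludes to.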