Jeff Saremi <jsar...@morega.com> writes: [...]
> According to the RFC, is it an error for a certificate and its chain not
> to have any CRLs and CRL distribution points?

No, but you're perhaps confusing things by joining the two together.

On CRL DPs, "this profile RECOMMENDS support for this extension by CAs and applications".

On CRLs, the end of section 5 says "Conforming CAs are not required to issue CRLs if other revocation or certificate status mechanisms are provided."

[...]

> If the answer is no, then the body of code that is operating today on
> the Internet and is using SSL (think of it as browsers) should operate
> with no errors. In this sense, OpenSSL would be an exception because
> its default and natural implementation causes an error.

Application writers have to consider what to do about revocation. One option is for an application to ignore the possibility of revocation, and OpenSSL can easily be used to do that. Otherwise the application must have some functionality to request OCSP, provide CRLs, etc.

And (again) this is not specific to OpenSSL. Other certificate verifiers will (when asked to check revocation status) also reject certification paths where revocation status is unavailable. Any that don't do that are surely broken?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
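The three positions described in the reply (ignore revocation, ask OpenSSL for CRL checking with no CRL available, or supply a CRL yourself) can be reproduced with the `openssl` command-line tool. The script below is an added example, not code from the list post or from the OpenSSL project; it assumes `openssl` is on PATH, and every key, certificate and CRL it uses is throwaway test material it generates in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the list post or the OpenSSL project): show how
# OpenSSL's verifier behaves when the application
#   1. ignores revocation entirely           -> chain verifies;
#   2. asks for CRL checking, supplies none  -> chain is rejected;
#   3. asks for CRL checking, supplies a CRL -> chain verifies again.
# Assumes the openssl CLI is on PATH. All key material is constructed test
# data created in a temp directory and removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: a CA extension profile for the self-signed root and
# an "openssl ca" section just rich enough to issue an (empty) CRL.
cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $WORK/index.txt
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 1
EOF
: > "$WORK/index.txt"

# Throwaway root CA (constructed test material).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
  -config "$WORK/openssl.cnf" -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Leaf certificate signed by that CA. No CRL distribution point is added,
# which the RFC permits (the extension is only RECOMMENDED).
openssl req -new -newkey rsa:2048 -nodes \
  -config "$WORK/openssl.cnf" -subj "/CN=leaf.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -sha256 -in "$WORK/leaf.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/leaf.pem" 2>/dev/null

# 1. No revocation checking requested: the bare chain is enough.
verify_ignoring_revocation() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# 2. CRL checking requested (-crl_check) but no CRL available: OpenSSL
#    rejects the path with "unable to get certificate CRL"
#    (X509_V_ERR_UNABLE_TO_GET_CRL). Returns non-zero.
verify_requiring_crl() {
  openssl verify -crl_check -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# 3. The application provides a CRL (an empty one issued by the test CA):
#    the same -crl_check verification now succeeds.
verify_with_supplied_crl() {
  openssl ca -gencrl -config "$WORK/openssl.cnf" -out "$WORK/crl.pem" 2>/dev/null
  openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# Run the three cases and report when executed directly.
main() {
  verify_ignoring_revocation && echo "no revocation check:           OK"
  verify_requiring_crl || echo "-crl_check, no CRL supplied:   rejected (expected)"
  verify_with_supplied_crl && echo "-crl_check, CRL supplied:      OK"
}
main
```

The second case is the "error" the original question is about: it is not the missing CRL distribution point that fails verification, but the application asking for a revocation check it cannot satisfy. Case 3 shows the fix on the application side, which is to obtain and supply the CRL (or use OCSP) rather than to silently skip the check.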