Re: About CRL Utility (crlutil)
Patrick, POC wrote:

> About that -u option: does NSS use the URL at all? (like automatically fetching a fresh CRL once the CRL expires), or is it just simply stored in the cert db for the crlutil user to retrieve at a later date (using crlutil -L)?

I don't think NSS uses it other than providing a way to save / retrieve the value. I believe PSM (a component of the Mozilla / Netscape browsers) uses it as the download location if you enable automatic refresh of CRLs.
About CRL Utility (crlutil)
1. Why isn't this utility mentioned in http://www.mozilla.org/projects/security/pki/nss/tools?
2. The utility has the -u url option when importing. What for?
3. When it imports a CRL, what exactly is the validation that is performed on the CRL, besides signature verification of the issuing CA? Shouldn't it also check the trust flags of the CA, and only import the CRL if the issuing CA is *trusted*?

-- POC