Jeff Saremi jsar...@morega.com writes:
[...]
According to the RFC, is it an error for a certificate and its chain not
to have any CRLs and CRL distribution points?
No, but you're perhaps confusing things by joining the two together. On
CRL DPs, this profile RECOMMENDS support for this
I'm not sure how you read this. I read it like a programmer.
In programming primitives, the spec would be coded like this:
Here's the spec:
This algorithm begins by assuming that the certificate is not revoked
For each distribution point (DP) in the certificate's CRL distribution
points
Jeff Saremi jsar...@morega.com writes:
[...]
Here's the code:
cert.status = NOT_REVOKED;
for (i = 0; i < cert.crldp.size; ++i)
{
    /* some processing loops */
    if (cert.status == UNDETERMINED)
    {
        /* do what Bruce Stephens suggested */
    }
}
No, I think RFC5280 is saying that you
This was mentioned briefly in another thread by myself. I thought it
deserved its own discussion. The copies of how it went on are pasted below.
Section 6.3.3. of RFC 5280 - CRL Processing
This algorithm begins by assuming that the certificate is not revoked
For each distribution point (DP)
Jeff Saremi jsar...@morega.com writes:
[...]
Section 6.3.3. of RFC 5280 - CRL Processing
This algorithm begins by assuming that the certificate is not revoked
For each distribution point (DP) in the certificate's CRL distribution
points extension, for each corresponding CRL
So my