Michael Ströder wrote, On 2008-06-28 02:03:
> Nelson Bolyard wrote:
>> I'm working on some code to handle the "Issuing Distribution Point"
>> extension in CRLs.

Note that the above statement is not a reference to the "CRL Distribution Point" extension that appears in some certificates, but rather is a reference to an "Issuing Distribution Point" extension that appears in a CRL. I mention this because I've received some email replies that appeared not to be clear on that point.

> What happens if the CRL's URL is redirected to another URL?

I think you're asking what happens if the attempt to fetch a CRL itself (say, via an http GET request) results in an http redirection response from the server. Assuming that is the question, the answer depends on the capabilities of the http engine supplied by the application for NSS to use for performing those http requests. For Mozilla browsers, I believe the answer is that the redirection will be followed. That is not deemed a security risk, given that the final CRL is itself a signed document whose signature is verified with the public key of the CA who issued the cert being checked. That check takes place after the cert being checked has been shown to be issued by a CA that is trusted.

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
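The signature check described in the reply above, as an added example that is not part of the original message and is not NSS code. It uses Go's standard `crypto/x509` package; the helper names `newCA`, `newCRL` and `acceptCRL` and both CAs are constructed for the demo, and the HTTP fetch and redirect are left out because the check only ever sees the bytes that arrive.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a constructed self-signed CA (fixture code: errors are ignored for brevity).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newCRL returns a DER-encoded (empty) CRL signed by the given issuer.
func newCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	return der
}

// acceptCRL uses a CRL only if its signature verifies under the already-trusted CA's key.
func acceptCRL(der []byte, trustedCA *x509.Certificate) error {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return err
	}
	return crl.CheckSignatureFrom(trustedCA)
}

func main() {
	ca, caKey := newCA("Constructed Trusted CA")
	other, otherKey := newCA("Constructed Other CA")
	fmt.Println("CRL signed by the cert's CA:", acceptCRL(newCRL(ca, caKey), ca))
	fmt.Println("CRL signed by another key:", acceptCRL(newCRL(other, otherKey), ca))
}
```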

