Nelson B Bolyard wrote:

> Anybody know of a CA that uses that extension in its CRLs?
> A URL for such a CRL would be welcome.

http://www.pki.admin.ch/crl/AdminCA-CD-T01.crl has one (only includes a distributionPoint in the form of a directoryName, no other parameters are included, though).

> Assuming that is the question, the answer depends on the capabilities of
> the http engine supplied by the application for NSS to use for performing
> those http requests. For Mozilla browsers, I believe the answer is that
> the redirection will be followed. That is not deemed a security risk,
> given that the final CRL is itself a signed document whose signature is
> verified with the public key of the CA who issued the cert being checked.

From reading RFC 5280 section 4.2.1.13, however, it seems to me that conformant implementations should rather not follow redirects:

   If the DistributionPointName contains a general name of type URI, the
   following semantics MUST be assumed: the URI is a pointer to the
   current CRL for the associated reasons and will be issued by the
   associated cRLIssuer. When the HTTP or FTP URI scheme is used, the
   URI MUST point to a single DER encoded CRL as specified in [RFC2585].
   HTTP server implementations accessed via the URI SHOULD specify the
   media type application/pkix-crl in the content-type header field of
   the response.

Kaspar

_______________________________________________
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto

