Kaspar Brand wrote:
> From reading RFC 5280 section 4.2.1.13, however, it seems to me that
> conformant implementations should rather not follow redirects:
>
>    If the DistributionPointName contains a general name of type URI, the
>    following semantics MUST be assumed: the URI is a pointer to the
>    current CRL for the associated reasons and will be issued by the
>    associated cRLIssuer. When the HTTP or FTP URI scheme is used, the
>    URI MUST point to a single DER encoded CRL as specified in
>    [RFC2585]. HTTP server implementations accessed via the URI SHOULD
>    specify the media type application/pkix-crl in the content-type
>    header field of the response.

Not that I'm endorsing setting cert/CRL download up with HTTP redirects, but I cannot derive from the text snippet above that it's forbidden or explicitly not recommended. Also, RFC 2585 (referenced in the above text) does not say anything like this in section "3 HTTP Conventions".

I'm rather scared of implementations not capable of following HTTP redirects.

Ciao, Michael.

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
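
An added example, not part of the original message or of any NSS/Mozilla code: one way a client could follow redirects from a CRL distribution point URI while still enforcing the quoted RFC 5280 requirement that the final response be a single DER-encoded object. The hop limit, the http/https scheme allow-list, and the names `fetch_crl`, `http_get` and `is_single_der` are assumptions made for this sketch.

```python
import urllib.error
import urllib.parse
import urllib.request

REDIRECTS = (301, 302, 303, 307, 308)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # 3xx surfaces as HTTPError, so fetch_crl counts the hops

def http_get(url, timeout=10):
    """One HTTP request with automatic redirects disabled."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as r:
            return r.status, r.headers, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers, b""

def is_single_der(data):
    """Structural check only: one definite-length SEQUENCE, no trailing bytes."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:
        hdr, length = 2, data[1]
    else:
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return len(data) == hdr + length

def fetch_crl(url, get=http_get, max_hops=3):
    """Return (der_bytes, final_url, media_type_ok) or raise ValueError."""
    for _ in range(max_hops + 1):
        if urllib.parse.urlsplit(url).scheme not in ("http", "https"):
            raise ValueError("refusing non-HTTP CRL location: " + url)
        status, headers, body = get(url)
        if status in REDIRECTS and headers.get("Location"):
            url = urllib.parse.urljoin(url, headers["Location"])
            continue
        if status != 200:
            raise ValueError("HTTP %d from %s" % (status, url))
        if not is_single_der(body):
            raise ValueError("body is not a single DER-encoded object")
        ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
        # RFC 5280 says servers SHOULD send this type, so report it, don't fail.
        return body, url, ctype == "application/pkix-crl"
    raise ValueError("too many redirects")
```

The DER check is structural only; the returned bytes still have to be parsed as a CRL and have their issuer and signature verified before any revocation decision relies on them.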

