Michael Ströder wrote:
> Not that I'm endorsing setting cert/CRL download up with HTTP redirects
> but I cannot derive from the text snippet above that it's forbidden or
> explicitly not recommended.

In my interpretation of RFC 5280, the statement "When the HTTP or FTP URI scheme is used, the URI MUST point to a single DER encoded CRL" implicitly disallows redirects - the URI would not point to a CRL then, but to another URI instead.

> I'm rather scared of implementations not capable to follow HTTP redirects.

From a short look at the HTTP client built into libpkix, I don't think that it's willing to handle anything other than "200 OK" (http://lxr.mozilla.org/seamonkey/source/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c#244):

> 244     if (client->responseCode != 200) {
> 245         client->connectStatus = HTTP_ERROR;
> 246         goto cleanup;

(Things are different if Necko is used, of course.)

Kaspar

_______________________________________________
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto
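The following is an added example written for this page; it is not code from the thread, from libpkix, or from NSS. It models the two behaviours discussed above: a fetcher that, like the quoted libpkix client, treats any response other than 200 as an error (and names a 3xx explicitly as "the URI pointed at another URI, not at a CRL"), and a check that the body is exactly one complete DER SEQUENCE, which is the outer framing of an RFC 5280 CertificateList. The `HttpResponse` class, the function names, and all sample bodies are constructed for the example; the DER bodies are minimal SEQUENCE framings standing in for a real CRL, and the parser validates only the outer tag-length-value, not the CRL contents.

```python
"""Strict acceptance check for an HTTP CRL distribution point response.

Constructed example: models the RFC 5280 rule that an HTTP/FTP CRL URI
"MUST point to a single DER encoded CRL". Redirects are refused rather than
followed, non-200 responses are errors, and the body must be one DER SEQUENCE
with no trailing bytes. HttpResponse is a stand-in for whatever a real HTTP
client returns; it is not an NSS or libpkix type.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class HttpResponse:
    status: int
    body: bytes
    headers: dict = field(default_factory=dict)


def der_outer_length(data: bytes) -> Optional[int]:
    """Total encoded size of the first DER TLV in `data`, or None if it is not
    a definite-length SEQUENCE with a minimally encoded length (DER rules)."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = constructed SEQUENCE
        return None
    first = data[1]
    if first < 0x80:                               # short-form length
        return 2 + first
    if first == 0x80:                              # indefinite length: BER only, not DER
        return None
    n = first & 0x7F                               # number of length octets
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    length_bytes = data[2:2 + n]
    if length_bytes[0] == 0:                       # leading zero octet: not minimal
        return None
    length = int.from_bytes(length_bytes, "big")
    if length < 0x80:                              # should have used short form
        return None
    return 2 + n + length


def check_crl_response(resp: HttpResponse) -> Tuple[bool, str]:
    """Decide whether `resp` may be handed to a CRL parser.

    A 3xx is reported separately from other errors because under the reading of
    RFC 5280 above it means the URI pointed at another URI, not at a CRL.
    """
    if 300 <= resp.status < 400:
        return False, f"redirect ({resp.status}): URI does not point to a CRL"
    if resp.status != 200:                         # same stance as the quoted libpkix check
        return False, f"HTTP error {resp.status}"
    total = der_outer_length(resp.body)
    if total is None:
        return False, "body is not a DER SEQUENCE"
    if total != len(resp.body):
        return False, f"body is not exactly one DER object ({total} vs {len(resp.body)} bytes)"
    return True, "ok"


# Constructed sample bodies. SEQ_SHORT is SEQUENCE { INTEGER 5 }; SEQ_LONG uses a
# long-form length (0x81 0x80 = 128 content bytes). Neither is a real CRL.
SEQ_SHORT = b"\x30\x03\x02\x01\x05"
SEQ_LONG = b"\x30\x81\x80" + b"\x05" * 128
PEM_TEXT = b"-----BEGIN X509 CRL-----\nMIIB...\n-----END X509 CRL-----\n"

SAMPLES = {
    "ok_short": HttpResponse(200, SEQ_SHORT, {"Content-Type": "application/pkix-crl"}),
    "ok_long": HttpResponse(200, SEQ_LONG),
    "redirect": HttpResponse(302, b"", {"Location": "http://crl.example.invalid/other.crl"}),
    "not_found": HttpResponse(404, b"not here"),
    "trailing": HttpResponse(200, SEQ_SHORT + b"\x00"),       # extra byte after the object
    "truncated": HttpResponse(200, SEQ_SHORT[:-1]),           # length says 5, only 4 present
    "pem": HttpResponse(200, PEM_TEXT),                       # PEM, not DER
    "indefinite": HttpResponse(200, b"\x30\x80\x02\x01\x05\x00\x00"),
}


def run_samples() -> dict:
    """Map each sample name to (accepted, reason)."""
    return {name: check_crl_response(resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:10s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Refusing 3xx outright is the conservative choice this reading of RFC 5280 implies; a client that does follow redirects should at least bound the hop count and apply the same DER framing check to the final body, since the text of RFC 5280 says nothing about where a redirect chain may end.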

