Hi, I have a somewhat generic question regarding verifying CRL signature, which is not specifically wrt Netscape or Mozilla, but it is crypto related, so I was hoping that someone here could provide some guidance... My apologies in advance, as I know that this is off-topic...
My understanding is that CRLs are signed by the CA. In our case, we have a 2-level CA hierarchy, with a root CA and a sub-root CA. The sub-root CA is issuing both client and server certs, and thus the sub-root CA also produces a CRL. I'm assuming that in the above scenario, the sub-root CA, and not the root CA, signs the CRL with its private key. I believe that this is correct.

Now, our server is using the CRL from the sub-root CA for checking for client certificate revocation. But, in order to check the signature of the CRL from the sub-root CA, doesn't the server need the sub-root CA's certificate?

The reason that I'm asking this is that I did an experiment:

1) Originally, I had the CRL and the certs from both the root CA and the sub-root CA installed on our server, which is configured for both client and server authentication, and everything was working fine.

2) I then removed the sub-root CA cert completely from the server. This, I thought, would break the chain of trust, and more specifically, would cause the server to no longer be able to use the CRL, since it couldn't check the CRL signature.

3) I was kind of surprised that even after removing the sub-root CA cert from the server, everything still seemed to be working, including the server checking the revocation status of client certs.

I guess that "where I am" is that I'm coming close to the conclusion that the server is not checking the CRL signature, but I keep wondering if there may be some other possible way that the server could be getting the public key of the sub-root CA for doing CRL signature checking?

I hope that someone might be able to clarify this...

Thanks,
Jim

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
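The check the server is supposed to be doing, as an added example written for this thread (not code from the post or from NSS): Go's standard crypto/x509 builds a throwaway root CA and sub-root CA, the sub-root CA signs a CRL, and IsRevoked verifies the CRL signature against a candidate CA certificate before it looks up a serial. The signature verifies only with the sub-root CA certificate and fails with the root's, so a server that genuinely verifies the CRL needs the sub-root CA certificate (or at least its public key) available. All names, serials and keys are constructed for the demo, and must panics on setup errors as a shortcut.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)

// must panics on setup errors while building the constructed test PKI (a demo shortcut, not server code).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newCA mints a CA certificate with certSign and cRLSign key usage; a nil parent means a self-signed root.
func newCA(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// BuildScenario reproduces the poster's hierarchy: root CA -> sub-root CA; the sub-root CA signs a CRL revoking serial 1001.
func BuildScenario() (root, sub *x509.Certificate, crl *x509.RevocationList) {
	root, rootKey := newCA("Test Root CA", 1, nil, nil)
	sub, subKey := newCA("Test Sub-Root CA", 2, root, rootKey)
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(1001), RevocationTime: time.Now()}},
	}, sub, subKey))
	return root, sub, must(x509.ParseRevocationList(der))
}
// IsRevoked is the server-side check: verify the CRL signature against the issuing CA's certificate (the sub-root CA here) before consulting the list; with any other CA certificate, such as the root, it fails closed with an error.
func IsRevoked(crl *x509.RevocationList, issuer *x509.Certificate, serial *big.Int) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	return slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool {
		return e.SerialNumber.Cmp(serial) == 0
	}), nil
}
```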
