Good morning,

> Massimiliano Pala wrote:
>> certificate and in the ca cert (outlook or exchange owa e.g. gives a
>> failure while checking the crl).
>
> Is this due to the presence of the CDP (CRL Distribution Point) in both
> the CA and EE (End Entity) certificates? What happens if you have the
> CDP *only* in the EE certs? Does Outlook (or exchange) work?

In my experience a CRL has to be installed first before using. For
Outlook/IE you install it into the local certificate store and for
Mozilla into its own certificate manager. This must always be done by
hand the first time. Mozilla can update it frequently, but that is not a
good idea either. Certificates must be validated in real time and without
any additional effort for the user. I recommend using OCSP links in each
certificate. Mozilla has a built-in OCSP client that checks the validity
by reading the OCSP link in the extension. For any other application
there are several third-party clients running in the background that do
OCSP queries.

>> Anyway, Thawte for example does not have the crl links in all certs
>> either :-)
> This is just another example of the difficulties for extensions to be
> useful.. too much static.. :-(

CRLs can get a size of many MBs. When millions of users download and
check it at the same time the CA can run into trouble. However, some CAs
sell extensions like OCSP or CDP as an additional service...

Best regards
Ralf

_______________________________________________
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users
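Worked example, added here and not part of the thread or of the OpenCA project: a POSIX shell script that uses openssl to build a throwaway CA and an end-entity mail certificate, lists the CDP and OCSP (AIA) pointers each certificate carries, and then runs `openssl verify -crl_check` to show that a CRL-checking verifier fails until a CRL is available locally, which is the "CRL has to be installed first" behaviour described above. The CA name, user name and the `example.test` URLs are constructed for the demo; the function names (`make_pki`, `revocation_pointers`, `crl_check`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA and an S/MIME-style
# end-entity certificate, list the revocation pointers each one carries, and
# show how a CRL-checking verifier behaves when no CRL has been installed.
# All names and URLs below are constructed for this demo.
set -e

# Create ca.pem / ee.pem (plus keys) in the directory given as $1.
make_pki() {
  dir=$1
  # Self-signed CA that carries its own CDP (the "CDP in the CA cert" case).
  openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
  printf '%s\n' \
    'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' \
    'crlDistributionPoints=URI:http://crl.example.test/root.crl' > "$dir/ca.ext"
  openssl x509 -req -days 1 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem" >/dev/null 2>&1
  # End-entity mail certificate with both a CDP and an AIA/OCSP pointer.
  openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=Example User" \
    -keyout "$dir/ee.key" -out "$dir/ee.csr" >/dev/null 2>&1
  printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=emailProtection' \
    'subjectAltName=email:user@example.test' \
    'crlDistributionPoints=URI:http://crl.example.test/issuing.crl' \
    'authorityInfoAccess=OCSP;URI:http://ocsp.example.test' > "$dir/ee.ext"
  openssl x509 -req -days 1 -in "$dir/ee.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/ee.ext" -out "$dir/ee.pem" >/dev/null 2>&1
}

# Print every URI found in the CDP and AIA extensions of certificate $1,
# one per line, prefixed with the extension it came from ("CDP: " or "AIA: ").
revocation_pointers() {
  openssl x509 -in "$1" -noout -text |
    awk '/CRL Distribution Points/ { sect = "CDP" }
         /Authority Information Access/ { sect = "AIA" }
         /URI:/ { sub(/.*URI:/, ""); sub(/[ \t\r]+$/, ""); print sect ": " $0 }'
}

# Emulate a CRL-checking client: "ok" if the chain verifies with revocation
# checked, "no-crl" when no CRL for the chain is available locally. The
# openssl verify command never fetches the CDP on its own, so without a
# locally supplied CRL the check cannot succeed.
crl_check() {
  out=$(openssl verify -crl_check -CAfile "$1" "$2" 2>&1) && { echo ok; return 0; }
  case "$out" in
    *"unable to get certificate CRL"*) echo no-crl ;;
    *) echo error ;;
  esac
}

# Demo when run stand-alone: show the pointers and the CRL-check outcome.
work=$(mktemp -d)
make_pki "$work"
echo "CA cert:";  revocation_pointers "$work/ca.pem"
echo "EE cert:";  revocation_pointers "$work/ee.pem"
echo "plain verify: $(openssl verify -CAfile "$work/ca.pem" "$work/ee.pem")"
echo "verify with -crl_check: $(crl_check "$work/ca.pem" "$work/ee.pem")"
rm -rf "$work"
```

Run it with `sh revocation-pointers.sh` (any file name will do). The plain verify succeeds because the signature chain is fine, while the `-crl_check` run reports `no-crl`: the pointer in the certificate tells a client where a CRL lives, but nothing in the certificate itself makes the verifier go and fetch it. A client that follows the AIA/OCSP pointer instead needs no pre-installed CRL, which is the difference the message above is drawing.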
