I think this is not so correct. When you verify the validity of an X.509 certificate, you download the CRL specified in the CDP extension and you must verify that the CRL is signed by the same CA certificate that issued the certificate (through the authorityKeyIdentifier extension). If you sign the CRL with another key, this check will fail in third-party software.
Of course you can force this in OpenCA by modifying the Perl code :-)

On 9/8/07, John Zornig <[EMAIL PROTECTED]> wrote:
> Is it possible in Open CA to configure a CRL Issuer or Revocation Authority
> which can be online and issuing regular CRLs for an offline CA?
>
> i.e. the CRLs would be signed by a CRL Issuer key rather than the CA key.
>
> I can't find any mention of this in the doco.

--
Diego

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
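The check Diego describes, as an added example that is not part of the original thread and not OpenCA's own code: a relying party that has a certificate's CRL in hand confirms that the CRL's issuer name and authorityKeyIdentifier point at the issuing CA certificate and that the CRL signature verifies under that certificate's public key. The example uses the Python `cryptography` package (an assumption; it is not what OpenCA uses) and constructs everything in memory: an "offline CA" key and certificate, a second key standing in for a separate CRL-issuer key as in John's question, and two CRLs for the same issuer name, one signed with each key. The names, serial numbers and validity periods are made up for the demonstration.

```python
"""
Added example, not OpenCA code: the relying-party checks on a CRL fetched
from a certificate's CRL Distribution Point, run against a CRL signed by the
CA key and a CRL signed by a separate CRL-issuer key.

Assumes the `cryptography` package. All keys, names and serial numbers are
constructed here for the demonstration.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Constructed issuer name for the "offline CA" of the thread.
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Offline CA")])


def make_ca():
    """Self-signed CA certificate carrying a subjectKeyIdentifier (constructed)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(CA_NAME)
        .issuer_name(CA_NAME)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_crl(signing_key, ca_cert):
    """CRL issued under ca_cert's name and signed by signing_key.

    The authorityKeyIdentifier is derived from the key that actually signs,
    which is what a correct CRL builder does. When signing_key is not the CA
    key, this is exactly the "CRL Issuer key" situation from the question.
    """
    now = datetime.datetime.now(datetime.timezone.utc)
    crl = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=30))
        .add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(signing_key.public_key()),
            critical=False,
        )
        .add_revoked_certificate(
            # Constructed entry: serial 4242 stands in for a revoked end-entity cert.
            x509.RevokedCertificateBuilder().serial_number(4242).revocation_date(now).build()
        )
        .sign(signing_key, hashes.SHA256())
    )
    return crl


def check_crl(crl, ca_cert):
    """Return the list of reasons a relying party would reject this CRL
    against ca_cert; an empty list means the CRL is accepted."""
    reasons = []
    # 1. The CRL must name the CA that issued the certificate being checked.
    if crl.issuer != ca_cert.subject:
        reasons.append("issuer name does not match the CA certificate")
    # 2. The CRL's authorityKeyIdentifier must match the CA's subjectKeyIdentifier.
    ca_ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
    try:
        aki = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    except x509.ExtensionNotFound:
        aki = None
    if aki != ca_ski:
        reasons.append("authorityKeyIdentifier does not match the CA subjectKeyIdentifier")
    # 3. The CRL signature must verify under the CA certificate's public key.
    if not crl.is_signature_valid(ca_cert.public_key()):
        reasons.append("signature does not verify with the CA public key")
    return reasons


def demo():
    """Run the checks on a CA-signed CRL and on a CRL signed by a separate key."""
    ca_key, ca_cert = make_ca()
    crl_issuer_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    good_crl = make_crl(ca_key, ca_cert)
    bad_crl = make_crl(crl_issuer_key, ca_cert)
    return check_crl(good_crl, ca_cert), check_crl(bad_crl, ca_cert)


if __name__ == "__main__":
    good_reasons, bad_reasons = demo()
    print("CRL signed by the CA key:        ", good_reasons or "accepted")
    print("CRL signed by a CRL-issuer key:  ", bad_reasons or "accepted")
```

The second CRL fails both the authorityKeyIdentifier comparison and the signature check, which is the failure in third-party validators that the reply warns about: the CRL is issued under the CA's name, but nothing ties the signing key to the CA certificate the relying party trusts.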