ChangHee Lee wrote:
> 
> Hello guys,
> 
> In v3_enum.c, there is no 's2i' function.
> So, we can't use the CRLReason extension field in a CRL.
> I patched v3_enum.c and x509v3.h to use crlreason.
> 
> The following is config file format:
> 
>    CRLReason=keyCompromise
> 

Unfortunately it's not as simple as that or I'd already have done it.

With CRLs there are two kinds of extension. There is a CRL extension
which applies to the whole CRL and there is a CRL *entry* extension
which applies to individual CRL entries: each entry can have its own set
of extensions.

CRLReason is an entry extension specifying the reason why an individual
certificate has been revoked: this isn't currently handled. What's
probably needed is a way to specify entry extensions when a certificate
is revoked by modifying 'ca' and the index.txt database format. Only
three simple PKIX entry extensions are really relevant so this isn't too
bad.

The patch you sent would make CRLReason a CRL extension (not an entry
extension).

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


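The distinction Steve draws above (a CRL extension inside the CRL-level crlExtensions [0] field versus a CRL *entry* extension inside each revokedCertificates element) as an added example written for this page, not code from OpenSSL or from the posted patch. It is a minimal pure-Python DER builder and parser for an unsigned TBSCertList; the issuer name, dates, serial numbers and the sha256WithRSAEncryption algorithm identifier are constructed placeholders, and the outer signature is omitted because only the placement of the extensions matters here. The second constructed list reproduces what the patch would produce, CRLReason as a CRL-level extension, so a parser that looks at the revoked entry finds no reason for it.

```python
# Added example, not OpenSSL code: a minimal DER builder/parser for an unsigned
# TBSCertList, showing that CRLReason lives in a CRL *entry* extension (inside a
# revokedCertificates element), not in the CRL-level crlExtensions [0] field.
OID_CRL_REASON = bytes.fromhex("551d15")   # 2.5.29.21 id-ce-cRLReasons
OID_CRL_NUMBER = bytes.fromhex("551d14")   # 2.5.29.20 id-ce-cRLNumber
CRL_REASON_NAMES = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
                    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
                    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
                    10: "aACompromise"}  # CRLReason ENUMERATED values; 7 is unused

def der(tag, content):
    """One TLV with a definite short or long length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content

def seq(*items): return der(0x30, b"".join(items))
def oid(b): return der(0x06, b)
def octets(b): return der(0x04, b)
def enumerated(v): return der(0x0A, bytes([v]))
def utctime(s): return der(0x17, s.encode("ascii"))
def integer(v):  # minimal two's-complement encoding of a non-negative INTEGER
    return der(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))
def extension(extn_id, value_der):  # Extension ::= SEQUENCE { extnID, extnValue OCTET STRING }
    return seq(oid(extn_id), octets(value_der))

def build_tbs_certlist(revoked, crl_number, crl_level_reason=None):
    """revoked: list of (serial, reason_code or None); issuer and dates are constructed.
    crl_level_reason reproduces the mistake of encoding CRLReason as a CRL extension."""
    entries = []
    for serial, reason in revoked:
        parts = [integer(serial), utctime("240101000000Z")]
        if reason is not None:  # crlEntryExtensions: a bare Extensions SEQUENCE, no [0]
            parts.append(seq(extension(OID_CRL_REASON, enumerated(reason))))
        entries.append(seq(*parts))
    crl_exts = [extension(OID_CRL_NUMBER, integer(crl_number))]
    if crl_level_reason is not None:
        crl_exts.append(extension(OID_CRL_REASON, enumerated(crl_level_reason)))
    return seq(
        integer(1),                                                     # version v2
        seq(oid(bytes.fromhex("2a864886f70d01010b")), der(0x05, b"")),  # sha256WithRSAEncryption
        seq(der(0x31, seq(oid(bytes.fromhex("550403")), der(0x0C, b"Test CA")))),  # issuer CN
        utctime("240101000000Z"), utctime("240201000000Z"),             # thisUpdate, nextUpdate
        seq(*entries),                                                  # revokedCertificates
        der(0xA0, seq(*crl_exts)))                                      # crlExtensions [0] EXPLICIT

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def parse_extensions(ext_seq_content):
    """Map extnID (hex) -> raw extnValue; the optional critical BOOLEAN is skipped."""
    return {parts[0][1].hex(): parts[-1][1]
            for parts in (children(ext) for _, ext in children(ext_seq_content))}

def parse_tbs_certlist(tbs_der):
    fields = children(read_tlv(tbs_der)[1])
    i = (1 if fields[0][0] == 0x02 else 0) + 3     # skip version, signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                                     # optional nextUpdate
    entries = []
    if i < len(fields) and fields[i][0] == 0x30:   # revokedCertificates
        for _, entry in children(fields[i][1]):
            parts = children(entry)
            exts = parse_extensions(parts[2][1]) if len(parts) > 2 else {}
            reason = None
            if OID_CRL_REASON.hex() in exts:
                rtag, rval, _ = read_tlv(exts[OID_CRL_REASON.hex()])
                reason = CRL_REASON_NAMES.get(rval[0]) if rtag == 0x0A else None
            entries.append({"serial": int.from_bytes(parts[0][1], "big", signed=True),
                            "reason": reason, "entry_extensions": sorted(exts)})
        i += 1
    crl_exts = {}
    if i < len(fields) and fields[i][0] == 0xA0:   # crlExtensions [0] EXPLICIT
        crl_exts = parse_extensions(read_tlv(fields[i][1])[1])
    return {"crl_extensions": sorted(crl_exts), "entries": entries}

def demo():
    """Constructed inputs: CRLReason per entry (correct) vs. at CRL level (the patch's effect)."""
    correct = build_tbs_certlist([(0x1001, 1), (0x1002, None)], crl_number=7)
    misplaced = build_tbs_certlist([(0x1001, None)], crl_number=8, crl_level_reason=1)
    return parse_tbs_certlist(correct), parse_tbs_certlist(misplaced)
```

Running demo() shows the point: in the first list only serial 0x1001 carries keyCompromise and 0x1002 has no reason, while in the second list the reason OID sits beside cRLNumber at CRL level and every entry comes back with reason None, which is why per-entry extensions need a place in 'ca' and the index.txt format rather than in the CRL extension section.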
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
