On September 12, 2008 12:35:10 am JeanYiYi wrote:
> Dear openssl guru:
>
> I am new in openssl. I have some questions regarding to 'CRL Distribution
> Points extension'. I did read the RFC. but I am still confused about some
> details. :-(.
>
> a) a certificate has a 'CRL Distribution Points extension'. What's
> configured in this extension is one and only one CRL or maybe multiple
> CRL(s)?
>
It is a pointer to the CRL where this certificate's revocation entry will
appear in the event that it is revoked.

This is usually the CRL signed by the CA that issued the certificate that 
contains the CRLDP.

The only time that you could have "multiple CRLs", is if you have some sort of 
strange delegated revocation model in your PKI. In practice, that is very, 
very rarely done.

> b) the extension may have multiple CDP(s). Can each CDP have multiple
> URI(s), such as an LDAP and an HTTP?
>
I'm not sure what you mean - a certificate may have a single instance of the
CRLDP extension. Within this extension, there may be multiple URIs that
contain pointers to the CRL, as you hinted, usually an LDAP or HTTP URL.

> c) If the extension has multiple CDP(s), do those CDP(s) point to the same
> CRL or different CRL?
>
Usually the same CRL, just published in different formats.

> d) Let's say I have a certificate which only has a DirName in its 'CRL
> distribution points extension'. If I reverse the setting and replace slash
> with comma, I can get a DN for ldap query, right?
>
Depends on your LDAP client, but usually yes. However, this is probably a bad 
practice, because you would have to have all of your relying parties 
configured somehow to know which server to ask for that DN. It is a FAR 
better solution to include an LDAP URL instead of a DirName.


Have fun.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
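The structure the thread is discussing (one CRLDP extension, a SEQUENCE of DistributionPoints, each carrying several GeneralNames such as an HTTP URI, an LDAP URI or a DirName, and the DirName-to-LDAP-DN conversion from question d) can be made concrete with a small encoder/decoder. The following is an added example written for this page; it is not code from the thread or from OpenSSL. It uses only the Python standard library, hand-encodes the DER for RFC 5280 section 4.2.1.13 (fullName form only; the nameRelativeToCRLIssuer choice, reasons and cRLIssuer fields are deliberately skipped), and all URIs, hostnames and DN components in `SAMPLE_POINTS` are constructed values.

```python
"""Added example: encode and decode an X.509 CRL Distribution Points extension
value (RFC 5280 s4.2.1.13) with a minimal DER codec, then turn a DirName into
an RFC 4514 LDAP DN string. Stdlib only; all sample values are constructed."""
from typing import List, Tuple

# --- minimal DER helpers -------------------------------------------------
def der_len(n: int) -> bytes:
    """DER length: short form below 128, otherwise 0x80|nbytes followed by big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the TLV starting at pos (handles long-form lengths)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def iter_tlvs(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content

# --- X.501 Name (only the attribute types needed for the sample) ---------
OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
OID_NAME = {v: k for k, v in OID.items()}

def encode_name(rdns: List[Tuple[str, str]]) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (single-valued RDNs only)."""
    out = b""
    for attr, value in rdns:
        vtag = 0x13 if attr == "C" else 0x0C          # PrintableString for C, UTF8String otherwise
        atv = tlv(0x30, tlv(0x06, OID[attr]) + tlv(vtag, value.encode("utf-8")))
        out += tlv(0x31, atv)
    return tlv(0x30, out)

def decode_name(seq_content: bytes) -> List[Tuple[str, str]]:
    rdns = []
    for _set_tag, rdn in iter_tlvs(seq_content):
        for _seq_tag, atv in iter_tlvs(rdn):
            _, oid, rest = read_tlv(atv, 0)
            _, val, _ = read_tlv(atv, rest)
            rdns.append((OID_NAME.get(oid, "unknown"), val.decode("utf-8")))
    return rdns

# --- CRLDistributionPoints -----------------------------------------------
def encode_general_name(kind: str, value) -> bytes:
    if kind == "uri":
        return tlv(0x86, value.encode("ascii"))        # uniformResourceIdentifier [6] IMPLICIT IA5String
    if kind == "dirname":
        return tlv(0xA4, encode_name(value))            # directoryName [4] EXPLICIT Name
    raise ValueError(kind)

def encode_crldp(points: List[List[Tuple[str, object]]]) -> bytes:
    """CRLDistributionPoints ::= SEQUENCE OF DistributionPoint, each given as its fullName GeneralNames."""
    dps = b""
    for names in points:
        full_name = tlv(0xA0, b"".join(encode_general_name(k, v) for k, v in names))  # fullName [0]
        dps += tlv(0x30, tlv(0xA0, full_name))          # distributionPoint [0] DistributionPointName
    return tlv(0x30, dps)

def decode_crldp(ext_value: bytes) -> List[List[Tuple[str, object]]]:
    """Return one list of (kind, value) GeneralNames per DistributionPoint.
    reasons [1] (0x81) and cRLIssuer [2] (0xA2) are ignored, as is nameRelativeToCRLIssuer [1]."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    points = []
    for _dp_tag, dp in iter_tlvs(seq):
        names = []
        for ctx_tag, ctx in iter_tlvs(dp):
            if ctx_tag != 0xA0:
                continue
            choice_tag, general_names, _ = read_tlv(ctx, 0)
            if choice_tag != 0xA0:
                continue
            for gn_tag, gn in iter_tlvs(general_names):
                if gn_tag == 0x86:
                    names.append(("uri", gn.decode("ascii")))
                elif gn_tag == 0xA4:
                    _, name_seq, _ = read_tlv(gn, 0)
                    names.append(("dirname", decode_name(name_seq)))
        points.append(names)
    return points

# --- DirName -> LDAP DN (question d) --------------------------------------
def _escape(v: str) -> str:
    """RFC 4514 s2.4: escape backslash first, then the other special characters, plus leading '#'/space and trailing space."""
    for ch in '\\,+"<>;':
        v = v.replace(ch, "\\" + ch)
    if v.startswith(("#", " ")):
        v = "\\" + v
    if v.endswith(" "):
        v = v[:-1] + "\\ "
    return v

def ldap_dn(rdns: List[Tuple[str, str]]) -> str:
    """LDAP string form lists RDNs most-specific first, comma-separated; openssl prints the reverse, slash-separated."""
    return ",".join(f"{a}={_escape(v)}" for a, v in reversed(rdns))

# Constructed sample: two distribution points for the same CRL, one with HTTP and LDAP URIs, one with only a DirName.
SAMPLE_POINTS = [
    [("uri", "http://crl.example.test/ca.crl"),
     ("uri", "ldap://ldap.example.test/CN=CRL,O=Example,C=CA?certificateRevocationList;binary")],
    [("dirname", [("C", "CA"), ("O", "Example"), ("CN", "CRL")])],
]

def demo() -> List[List[Tuple[str, object]]]:
    return decode_crldp(encode_crldp(SAMPLE_POINTS))

if __name__ == "__main__":
    for i, names in enumerate(demo()):
        for kind, value in names:
            print(i, kind, ldap_dn(value) if kind == "dirname" else value)
```

The sample value is long enough that the outer SEQUENCE uses a long-form length, so both codec paths are exercised; the decoded DirName comes back as `CN=CRL,O=Example,C=CA`, which is the "reverse the order and replace slashes with commas" step from question d, with RFC 4514 escaping applied so that an `O` containing a comma does not split the DN.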
