Many, many thanks to Patrick. Now I am clear about this extension.

Best Regards,
Jean
Patrick Patterson wrote:
>
> On September 12, 2008 12:35:10 am JeanYiYi wrote:
>> Dear openssl guru:
>>
>> I am new in openssl. I have some questions regarding the 'CRL Distribution
>> Points extension'. I did read the RFC, but I am still confused about some
>> details. :-(
>>
>> a) A certificate has a 'CRL Distribution Points extension'. What's
>> configured in this extension: one and only one CRL, or maybe multiple
>> CRL(s)?
>>
> It is a pointer to the CRL where this certificate's revocation entry will
> appear in the event that it is revoked.
>
> This is usually the CRL signed by the CA that issued the certificate that
> contains the CRLDP.
>
> The only time that you could have "multiple CRLs" is if you have some sort of
> strange delegated revocation model in your PKI. In practice, that is very,
> very rarely done.
>
>> b) The extension may have multiple CDP(s). Can each CDP have multiple
>> URI(s), such as an LDAP and an HTTP?
>>
> I'm not sure what you mean - a certificate may have a single instance of the
> CRLDP extension. Within this extension, there may be multiple URIs that
> contain pointers to the CRL, as you hinted, usually an LDAP or HTTP URL.
>
>> c) If the extension has multiple CDP(s), do those CDP(s) point to the same
>> CRL or different CRLs?
>>
> Usually the same CRL, just published in different formats.
>
>> d) Let's say I have a certificate which only has a DirName in its 'CRL
>> distribution points extension'. If I reverse the setting and replace slash
>> with comma, I can get a DN for LDAP query, right?
>>
> Depends on your LDAP client, but usually yes. However, this is probably a bad
> practice, because you would have to have all of your relying parties
> configured somehow to know which server to ask for that DN. It is a FAR
> better solution to include an LDAP URL instead of a DirName.
>
> Have fun.
>
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
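The structure the thread is describing (one CRLDistributionPoints SEQUENCE holding one or more DistributionPoint entries, each carrying a fullName GeneralNames that may list several URIs, or a directoryName), as an added example that is not part of the thread or of OpenSSL: a small DER encoder and decoder for the extension value in plain Python. The sample URLs, the DN and the three-entry OID table are constructed; only the fullName form and the URI and directoryName name types are handled, and to_ldap_dn shows point (d), turning OpenSSL's slash-separated DN into an LDAP DN.

```python
# Added example, not from the thread; all sample values are constructed (RFC 5280 4.2.1.13).
OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}  # X.520 attribute OIDs

def tlv(tag, body):                       # DER tag/length/value; bodies here stay below 256 bytes
    ln = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + ln + body
def read_tlv(buf, pos=0):                 # decode one element -> (tag, body, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                         # long form: the next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def iter_tlv(buf):                        # every element inside a constructed body
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body

def uri(s):                               # GeneralName uniformResourceIdentifier [6] IA5String
    return tlv(0x86, s.encode("ascii"))
def dir_name(**attrs):                    # GeneralName directoryName [4] EXPLICIT Name (UTF8String values)
    oids = {v: k for k, v in OIDS.items()}
    rdns = (tlv(0x31, tlv(0x30, tlv(0x06, oids[k]) + tlv(0x0C, v.encode()))) for k, v in attrs.items())
    return tlv(0xA4, tlv(0x30, b"".join(rdns)))
def distribution_point(*names):           # DistributionPoint { distributionPoint [0] { fullName [0] } }
    return tlv(0x30, tlv(0xA0, tlv(0xA0, b"".join(names))))

def parse_name(name_body):                # Name -> OpenSSL-style "/C=../O=../CN=.." in DER order
    atvs = [atv for _, rdn in iter_tlv(name_body) for _, atv in iter_tlv(rdn)]
    pairs = [[body for _, body in iter_tlv(atv)] for atv in atvs]   # [OID, value] per attribute
    return "/" + "/".join(f"{OIDS.get(oid, oid.hex())}={val.decode()}" for oid, val in pairs)
def to_ldap_dn(slash_dn):                 # point (d): reverse the RDN order and join with commas
    return ",".join(reversed(slash_dn.strip("/").split("/")))
GENERAL_NAME = {0x86: lambda b: ("uri", b.decode("ascii")),               # only the two name types
                0xA4: lambda b: ("dirname", parse_name(read_tlv(b)[1]))}  # the thread talks about
def parse_crldp(ext_value):               # -> one list of (kind, text) per DistributionPoint
    points = []
    for _, dp in iter_tlv(read_tlv(ext_value)[1]):      # SEQUENCE OF DistributionPoint
        names = []
        for tag, body in iter_tlv(dp):    # reasons [1] and cRLIssuer [2] are ignored here
            if tag == 0xA0 and read_tlv(body)[0] == 0xA0:  # fullName [0], not nameRelativeToCRLIssuer
                names += [GENERAL_NAME[t](b) for t, b in iter_tlv(read_tlv(body)[1]) if t in GENERAL_NAME]
        points.append(names)
    return points

SAMPLE = tlv(0x30, distribution_point(    # constructed: one CRL reachable over HTTP and LDAP, plus a DirName
    uri("http://crl.example.test/ca.crl"),
    uri("ldap://ldap.example.test/CN=Example%20CA,O=Example,C=US?certificateRevocationList"))
    + distribution_point(dir_name(C="US", O="Example", CN="Example CA")))
```

Feeding `parse_crldp` the raw extension value pulled from a real certificate shows the same thing Patrick describes: usually a single DistributionPoint whose fullName lists the same CRL under several URIs.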
