I was browsing through NIST's "Conformance Testing of Relying Party
Client Certificate Path Processing Logic" document, and I am not
sure whether "Test 19" has the correct conformance expectation:
--- Test 19 ---
The following path should not be successfully validated; it contains a
path without revocation data:
Trust Anchor CP.01.01, Trust Anchor CRL CP.01.01,
Intermediate Certificate CP.05.01, End Certificate CP.05.01
----
What the above test-case says is the following:
1. There is a 3-level cert chain:
TrustAnchor(root)-->IntermediateCert#37-->EndCert#38
2. There is a CRL signed by the same root as above and having only one
entry: that of an intermediate CA Ca1-06.01(#39), which is not part of
the above chain.
But then this is what RFC 3280 (Certs & CRL Policies) says:
6.3.2 Initialization and Revocation State Variables .......
(b) cert_status: ..... This variable is initialized to the
special value UNREVOKED.
6.3.3 CRL Processing
This algorithm begins by assuming the certificate is not revoked.
The algorithm checks one or more CRLs until either the certificate
status is determined to be revoked or sufficient CRLs have been
checked to cover all reason codes.
Taking the snips from sections 6.3.2 and 6.3.3 above, it is evident
that absence of a cert's entry from the CRL means accept the cert. But
the doc says reject it because "it contains a path without
revocation data". What am I missing?
Thanks in advance,
Vineet
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
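Added example, not part of the original post or of OpenSSL: a simplified model of the RFC 3280 section 6.3.3 loop, which runs once per certificate over CRLs issued by that certificate's issuer and returns UNDETERMINED when those CRLs do not cover all reason codes. The names TA, ICA and EE and the serial numbers are constructed stand-ins for the Test 19 objects; signature checks, validity dates, distribution points and indirect CRLs are left out.

```python
from dataclasses import dataclass

# Reason flags a CRL can cover (RFC 3280 ReasonFlags, without unused(0)).
ALL_REASONS = frozenset({
    "keyCompromise", "cACompromise", "affiliationChanged", "superseded",
    "cessationOfOperation", "certificateHold", "privilegeWithdrawn",
    "aACompromise"})

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked: frozenset
    reasons: frozenset = ALL_REASONS  # no onlySomeReasons: covers every reason

def cert_status(cert, crls):
    """Revocation status of one certificate, per the 6.3.3 outline."""
    status, reasons_mask = "UNREVOKED", frozenset()  # 6.3.2 initial values
    for crl in crls:
        if crl.issuer != cert.issuer:  # CRL says nothing about this cert
            continue
        reasons_mask |= crl.reasons
        if cert.serial in crl.revoked:
            return "REVOKED"
    # UNREVOKED is only final once every reason code has been covered.
    return status if reasons_mask == ALL_REASONS else "UNDETERMINED"

def check_path(path, crls):
    """path is ordered trust anchor first; the anchor itself is not checked."""
    return {c.subject: cert_status(c, crls) for c in path[1:]}

# Constructed stand-ins for Test 19: the only CRL is issued by the anchor.
ANCHOR = Cert("TA", "TA", 1)
INTERMEDIATE = Cert("ICA", "TA", 37)
END = Cert("EE", "ICA", 38)
TA_CRL = CRL("TA", frozenset({39}))

def test19():
    return check_path([ANCHOR, INTERMEDIATE, END], [TA_CRL])

if __name__ == "__main__":
    print(test19())
```

In this model the anchor's CRL settles the intermediate certificate only; the end certificate was issued by the intermediate CA, so no CRL in the set is in scope for it.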