It doesn't look like cert_crl() in the openssl code follows what you refer to as a "strict" revocation check. Neither does the RFC. Is there a doc/RFC that outlines strict revocation criteria? Am I right in saying that openssl does not do that?

Thanks,
Vineet

On Wed, Oct 15, 2008 at 11:48 AM, Patrick Patterson <[EMAIL PROTECTED]> wrote:
> Hello Vineet:
>
> On October 15, 2008 02:40:52 pm Vineet Kumar wrote:
>> I was browsing through NIST's "Conformance Testing of Relying Party
>> Client Certificate Path Processing Logic" document where I am not
>> sure whether "Test 19" has the correct conformance expectation:
>> --- Test 19 ---
>> The following path should not be successfully validated; it contains a
>> path without revocation data:
>> Trust Anchor CP.01.01, Trust Anchor CRL CP.01.01, Intermediate
>> Certificate CP.05.01, End Certificate CP.05.01
>> ----
>>
> So - what the chain is, is:
>
> Trust Anchor (with a CRL that could have the Intermediate Cert in it)
> Intermediate Cert (with *no* CRL that could have the end certificate in it)
> End Certificate.
>
>> What the above test-case says is the following:
>> 1. There is a 3-level cert chain:
>> TrustAnchor(root)-->IntermediateCert#37-->EndCert#38
>> 2. There is a CRL signed by the same root as above and having only one
>> entry: that of an intermediate CA Ca1-06.01(#39) not part of the above
>> chain.
>>
>> But then this is what RFC3280 (Certs & CRL Policies) says:
>> 6.3.2 Initialization and Revocation State Variables .......
>> (b) cert_status: ..... This variable is initialized to the
>> special value UNREVOKED.
>>
>> 6.3.3 CRL Processing
>>
>> This algorithm begins by assuming the certificate is not revoked.
>> The algorithm checks one or more CRLs until either the certificate
>> status is determined to be revoked or sufficient CRLs have been
>> checked to cover all reason codes.
>>
>> Taking the snips from sections 6.3.2 and 6.3.3 above, it is evident
>> that absence of a cert's entry from the CRL means accept the cert. But
>> the doc says reject it because "it contains a path without
>> revocation data". What am I missing?
>>
> Well, as I hinted at above, there is no revocation information available for
> the end certificate itself (the Intermediate Certificate is not publishing a
> CRL). Thus, if you are using strict revocation information checking, the
> above chain should fail, because you can't look up the status of the end
> certificate.
>
> If you want a good example of code for a PDVal tool that implements all of the
> tests in the NIST suite, please take a look at Pathfinder - it's available
> at:
>
> http://www.carillon.ca/tools.php
>
> Have fun.
>
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [EMAIL PROTECTED]
> ______________________________________________________________________
