On Wed, Oct 15, 2008, Vineet Kumar wrote:

> It doesn't look like cert_crl() in openssl code follows what you refer
> to as "strict" revocation check. Neither does the RFC. Is there a
> doc/RFC that outlines strict revocation criteria? Am I right in saying
> that openssl does not do that?
OpenSSL has several options relating to CRL checking. It can perform no
checking, checking of just the EE cert, and checking of the whole chain.

The RFC 3280 behaviour in the absence of a CRL is determined by the last
paragraph of 6.3.3, where the status is UNDETERMINED. It has to be this way
or an attacker could block the downloading of a CRL and allow a revoked
certificate to be used.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
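The three CRL-checking modes Steve lists, and the "no CRL available" case, can be observed directly with the openssl command line. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a throwaway PKI (one self-signed CA, one good leaf, one leaf that gets revoked) and then runs `openssl verify` with no CRL flags, with `-crl_check` (end-entity cert only) and with `-crl_check_all` (whole chain), both with and without the CA's CRL loaded via `-CRLfile`. Those three `verify` options are real; the file names, subject names, the `test.cnf` contents and the `verdict` helper are assumptions made for this example, and the whole PKI is constructed at run time. The "status UNDETERMINED, so fail" behaviour described above shows up as the `unable to get certificate CRL` verify error when a CRL check is requested but no CRL can be found.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): build a throwaway
# PKI with the openssl CLI, revoke one leaf, and run `openssl verify` in the
# three modes described in the reply: no CRL checking, EE-only (-crl_check)
# and whole chain (-crl_check_all), each with and without the CRL available.
# All file names, subject names and the test.cnf contents are assumptions.
set -e

setup_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"
    # Minimal config shared by `req`, `x509 -extfile` and `ca` (constructed here).
    cat > test.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber

    # Self-signed root CA, then two leaves signed by it; only "revoked" will be revoked.
    openssl ecparam -name prime256v1 -genkey -noout -out ca.key
    openssl req -new -x509 -key ca.key -config test.cnf -extensions v3_ca \
        -subj "/CN=Example Test CA" -days 30 -out ca.crt
    for name in good revoked; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$name.key"
        openssl req -new -key "$name.key" -config test.cnf -subj "/CN=$name" -out "$name.csr"
    done
    openssl x509 -req -in good.csr -CA ca.crt -CAkey ca.key -set_serial 1 -days 30 \
        -extfile test.cnf -extensions v3_leaf -out good.crt 2>/dev/null
    openssl x509 -req -in revoked.csr -CA ca.crt -CAkey ca.key -set_serial 2 -days 30 \
        -extfile test.cnf -extensions v3_leaf -out revoked.crt 2>/dev/null

    # Revoke the second leaf in the CA database and issue the CA's CRL.
    openssl ca -config test.cnf -revoke revoked.crt 2>/dev/null
    openssl ca -config test.cnf -gencrl -out ca.crl 2>/dev/null
}

# verdict CERT [extra openssl verify flags...]
# Prints OK, REVOKED, NO_CRL (CRL check requested but no CRL found) or FAIL:<output>.
verdict() {
    cert=$1; shift
    if out=$(openssl verify -CAfile ca.crt "$@" "$cert" 2>&1); then
        echo OK
    else
        case $out in
            *"certificate revoked"*)           echo REVOKED ;;
            *"unable to get certificate CRL"*) echo NO_CRL ;;
            *)                                 echo "FAIL: $out" ;;
        esac
    fi
}

setup_pki
echo "revoked leaf, no CRL checking:              $(verdict revoked.crt)"
echo "revoked leaf, -crl_check, no CRL loaded:    $(verdict revoked.crt -crl_check)"
echo "revoked leaf, -crl_check, CRL loaded:       $(verdict revoked.crt -crl_check -CRLfile ca.crl)"
echo "revoked leaf, -crl_check_all, CRL loaded:   $(verdict revoked.crt -crl_check_all -CRLfile ca.crl)"
echo "good leaf,    -crl_check, CRL loaded:       $(verdict good.crt -crl_check -CRLfile ca.crl)"
echo "good leaf,    -crl_check_all, CRL loaded:   $(verdict good.crt -crl_check_all -CRLfile ca.crl)"
echo "good leaf,    -crl_check_all, no CRL:       $(verdict good.crt -crl_check_all)"
```

The first line is the point of the reply: without a CRL-checking flag the revoked leaf verifies as OK, because no revocation check is performed at all. With `-crl_check` or `-crl_check_all` and no CRL loaded, even the good leaf fails with `unable to get certificate CRL`, which is the fail-closed behaviour that stops an attacker from turning "block the CRL download" into "revoked certificate accepted". With `-crl_check_all` the root's own CRL is consulted for every certificate in the chain, so the single CA-issued CRL here satisfies both the leaf and the self-issued root.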
