Vineet Kumar wrote:
> Yes, but it looks like if openssl has to conform to JITC tests then in
> order to accept an EE, a CRL **signed by EE's CA** better be present.
> It doesn't matter if a CRL is present but signed by some other CA in
> the cert-chain, no? This strictness of who the CRL's signer should be
> can make sense in real world but it doesn't look like openssl has any
> flag to conform to such rules. Pl. correct me if I am wrong.
>

The case where the CRL is signed by someone other than the certificate's signer is the reason that the CRL Issuer field of the CRL Distribution Point is available.
From RFC3280: "If the certificate issuer is not the CRL issuer, then the cRLIssuer field MUST be present and contain the Name of the CRL issuer."

This makes it VERY unambiguous - the CRL for a given certificate must be signed by its immediate issuer. Consequently, that is why the NIST test that you mentioned before fails. It is not good enough to have some "CRL signed by some other CA in the Cert Chain". Absent the cRLIssuer field, the CRL *MUST* be signed by the same CA as that which signed the End Certificate.

Have fun.

Patrick.

> Vineet
>
> On Wed, Oct 15, 2008 at 1:26 PM, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
>> On Wed, Oct 15, 2008, Vineet Kumar wrote:
>>
>>> It doesn't look like cert_crl() in openssl code follows what you refer
>>> to as "strict" revocation check. Neither does the RFC. Is there a
>>> doc/RFC that outlines strict revocation criteria? Am I right in saying
>>> that openssl does not do that?
>>>
>> OpenSSL has several options relating to CRL checking. It can perform no
>> checking, checking of just the EE cert and the whole chain.
>>
>> The RFC3280 behaviour in the absence of a CRL is determined by the last
>> paragraph of 6.3.3 where the status is UNDETERMINED.
>>
>> It has to be this way or an attacker could block the downloading of a CRL and
>> allow a revoked certificate to be used.
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>> OpenSSL project core developer and freelance consultant.
>> Homepage: http://www.drh-consultancy.demon.co.uk
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> Development Mailing List [email protected]
>> Automated List Manager [EMAIL PROTECTED]
>>
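The rule Patrick states (absent a cRLIssuer, only a CRL from the certificate's own issuer may vouch for it) and Steve's EE-only versus whole-chain modes, worked through as an added example that is not part of this thread and not OpenSSL's own code. It assumes the Python `cryptography` package; the Root -> Intermediate -> EE certificates, the CRLs and the function names are all constructed here for illustration, and no certificate carries a CRL Distribution Point, so the default "CRL issuer == certificate issuer" rule applies.

```python
# Added example (not from the thread, not OpenSSL code): RFC 3280 6.3.3's
# strict CRL-issuer rule, plus EE-only vs whole-chain checking.
# Assumes the `cryptography` package; the PKI below is constructed inline.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject, issuer, issuer_key, key, ca, serial):
    """Certificate without a CRL Distribution Point: no cRLIssuer is present,
    so the CRL issuer must be the certificate issuer."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(NOW - DAY)
        .not_valid_after(NOW + 365 * DAY)
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def make_crl(issuer, signing_key, revoked_serials=()):
    """CRL naming `issuer`; the signing key is passed separately so a CRL
    that forges the issuer name can be constructed for the negative case."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(NOW)
        .next_update(NOW + DAY)
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(NOW)
            .build()
        )
    return builder.sign(signing_key, hashes.SHA256())


# Constructed PKI: Root -> Intermediate -> EE (chain listed leaf first).
root_key, inter_key, ee_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ROOT = make_cert(name("Root CA"), name("Root CA"), root_key, root_key, True, 1)
INTER = make_cert(name("Intermediate CA"), name("Root CA"), root_key, inter_key, True, 2)
EE = make_cert(name("server.example"), name("Intermediate CA"), inter_key, ee_key, False, 3)
CHAIN = [EE, INTER, ROOT]

CRL_BY_ROOT = make_crl(name("Root CA"), root_key)
CRL_BY_ROOT_LISTING_EE = make_crl(name("Root CA"), root_key, [EE.serial_number])
CRL_BY_INTER = make_crl(name("Intermediate CA"), inter_key)
CRL_BY_INTER_REVOKING_EE = make_crl(name("Intermediate CA"), inter_key, [EE.serial_number])
FORGED_CRL = make_crl(name("Intermediate CA"), root_key)  # right name, wrong key


def usable_crl(cert, issuer_cert, crls):
    """The only CRL that may vouch for `cert`: issued under the same name as
    the certificate's issuer AND verifiable with that issuer's key.
    A CRL from some other CA in the chain never qualifies, whatever it lists."""
    for crl in crls:
        if crl.issuer != cert.issuer:
            continue
        if not crl.is_signature_valid(issuer_cert.public_key()):
            continue
        return crl
    return None


def status(cert, issuer_cert, crls):
    crl = usable_crl(cert, issuer_cert, crls)
    if crl is None:
        return "UNDETERMINED"  # RFC 3280 6.3.3, last paragraph: never assume "good"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "REVOKED"
    return "GOOD"


def check_chain(chain, crls, whole_chain):
    """whole_chain=False mirrors an EE-only CRL check; True checks every
    issued certificate in the chain (the self-signed root has no issuer CRL)."""
    pairs = list(zip(chain, chain[1:]))
    if not whole_chain:
        pairs = pairs[:1]
    return [status(cert, issuer, crls) for cert, issuer in pairs]
```

The two negative cases are the ones the thread is about: a CRL signed by the root that even lists the EE's serial number leaves the EE UNDETERMINED, because the root is not the EE's issuer; and a CRL that names the intermediate as issuer but is signed with the root's key is rejected by the signature check, so an attacker cannot satisfy the issuer-name rule by forging the name alone. In whole-chain mode the intermediate stays UNDETERMINED until a root-signed CRL is also supplied.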
