On Wed, Jul 26, 2000 at 09:24:00AM +0200, Stefano Bergamasco wrote:
> I read that for suspending a certificate you may insert it in a CRL and
> then, after suspension period has passed, issue a new CRL not containing
> that certificate. I did so with OpenSSL and it worked fine with Netscape
> (after downloading the first CRL the certificate was marked as revoked, and
> after the 2nd CRL it was successfully verified). IE 5 doesn't allow me to do
> this: after revoking the cert it is marked revoked and I found no way to
> make it accept it again (both trying with automatic CRL verification and
> manual downloading).
> Any ideas?
>
This has been discussed some time ago on this list. IIRC then once a cert has
been revoked, then that should mean that it can never be valid again.
IMO certificate suspension only makes sense in an OCSP (or something similar)
environment, where you can say one of three things:
valid or suspended/status unknown or revoked.
vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
