Mads Rasmussen wrote:
> 
> Hi there,
> 
> A question about certificates:
> 
> In the RFC 2459 definition of the CRL format
> 
> 5.1 CRL Fields (page 42)
> 
> TBSCertList  ::=  SEQUENCE {
> 
> .
> .
> .
> 
> revokedCertificate         SEQUENCE OF SEQUENCE
>     {
>      userCertificate       CertificateSerialNumber,
>      revocationDate        Time,
>      crlEntryExtensions    Extensions OPTIONAL
>     } OPTIONAL,
> crlExtensions      [0]     EXPLICIT Extensions OPTIONAL
> 
> }
> 
> My doubt is that the OPTIONAL extensions (crlEntry and crlExtensions)
> don't seem to be used. I have tested CRLs from VeriSign, GlobalSign
> and Thawte but none uses the OPTIONAL fields just.
> 
> I know that the version number for the CRL changes from 1 to 2 when
> these fields are present but I cannot find one CRL as an example
> 

You can make these using the 'ca' tool in OpenSSL 0.9.7.

One reason these are fairly rare is that some software (older versions
of Netscape for example) won't parse V2 CRLs.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
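
The structure quoted in the thread can be checked mechanically. The following is an added example, not part of the original thread or of OpenSSL: a minimal DER walker that reports a TBSCertList's version and whether crlEntryExtensions or crlExtensions are present. The function names and the constructed sample (with empty placeholder algorithm and issuer fields) are assumptions for illustration.

```python
# Added example (not from the thread): detect the v2-only OPTIONAL fields of a TBSCertList.
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value, pos=0):
    """Yield (tag, value) for each element inside a constructed element's contents."""
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def inspect_tbs_cert_list(der):
    """Report the version and whether the v2-only OPTIONAL fields are present."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("TBSCertList must be a SEQUENCE")
    fields = list(children(body))
    # The version INTEGER is OPTIONAL: absent means v1, value 1 means v2.
    has_version = bool(fields) and fields[0][0] == 0x02
    version = int.from_bytes(fields[0][1], "big") + 1 if has_version else 1
    rest = fields[3 + has_version:]  # skip signature, issuer, thisUpdate
    if rest and rest[0][0] in (0x17, 0x18):  # optional nextUpdate (UTCTime/GeneralizedTime)
        rest = rest[1:]
    entry_exts = 0
    if rest and rest[0][0] == 0x30:  # the revoked-certificate list
        entry_exts = sum(len(list(children(e))) > 2 for _, e in children(rest[0][1]))
        rest = rest[1:]
    return {"version": version, "entries_with_extensions": entry_exts,
            "crl_extensions": bool(rest) and rest[0][0] == 0xA0}  # [0] EXPLICIT

def tlv(tag, value=b""):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + value

def sample_tbs(v2):
    """Constructed sample: empty placeholder algorithm and issuer, one revoked serial."""
    ext = lambda oid, val: tlv(0x30, tlv(0x30, tlv(0x06, oid) + tlv(0x04, val)))
    time = tlv(0x17, b"020101000000Z")
    entry = tlv(0x02, b"\x05") + time + (ext(b"\x55\x1d\x15", tlv(0x0A, b"\x01")) if v2 else b"")
    head = (tlv(0x02, b"\x01") if v2 else b"") + tlv(0x30) + tlv(0x30) + time + time
    tail = tlv(0xA0, ext(b"\x55\x1d\x14", tlv(0x02, b"\x01"))) if v2 else b""  # cRLNumber
    return tlv(0x30, head + tlv(0x30, tlv(0x30, entry)) + tail)
```

To inspect a real CRL, pass the first element inside the outer CertificateList SEQUENCE of its DER form.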
