This may be getting OT - but I'm not sure where else to ask...
I'm using OpenSSL to generate S/MIME certs for Outlook and Mozilla. The two MUAs can send encrypted/signed emails fine to each other. I wanted to check if CRL was working WRT S/MIME, so I revoked a cert and then sent an encrypted email to another account using that revoked cert. Neither Mozilla nor Outlook mentioned any problem - they happily opened the message! Actually that's not quite true - Mozilla shows the signed icon as broken - but only says "the signature is invalid" - not quite the same as "the certificate has been revoked - don't trust the contents" I would have expected...
I'm still having difficulty getting the crlDistributionPoints to work within the certs, but I know the CRLs within the two systems were up-to-date as I manually installed the CRL (yes, generated after revoking the cert, and checked via "openssl crl" to ensure the serial number was in it :-) into Mozilla and IE (and therefore Outlook).
Is this a known problem? Pretty darn useless if the MUA doesn't tell you that a cert has been revoked...
Pretty fundamentally broken.
-- Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
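An added example (not part of the post above, and not OpenSSL project code) that reproduces the poster's experiment on the OpenSSL side only: build a throwaway CA in a temporary directory, issue an S/MIME certificate, sign a message with it, revoke the certificate, generate a CRL, and then show that `openssl verify` and `openssl smime -verify` reject both the certificate and the signed message once `-crl_check` is enabled, while the same CRL is silently ignored without it. The CA name, user subject, e-mail address, and config section names are all made up for the example; it separates "is the CRL itself correct?" from "does the MUA consult it?".

```shell
#!/bin/sh
# Added example: throwaway CA + S/MIME cert + revocation + CRL check with OpenSSL.
# All names, subjects and addresses below are constructed for the demonstration.
set -eu

# crl_demo: returns 0 only if every expected outcome holds.
crl_demo() {
    work=$(mktemp -d)
    mkdir "$work/newcerts"
    : > "$work/index.txt"          # 'openssl ca' database
    echo 1000 > "$work/serial"     # first certificate serial (hex)
    echo 1000 > "$work/crlnumber"  # first CRL number (hex)
    cfg="$work/openssl.cnf"

    # Minimal config for 'openssl req' and 'openssl ca'; all paths are absolute.
    cat > "$cfg" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database = $work/index.txt
new_certs_dir = $work/newcerts
serial = $work/serial
crlnumber = $work/crlnumber
certificate = $work/ca.pem
private_key = $work/ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = demo_policy

[ demo_policy ]
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ smime_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:copy
EOF

    # 1. Self-signed CA that may sign certificates and CRLs.
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$cfg" -extensions v3_ca \
        -subj "/CN=Demo S-MIME CA" -days 1 -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null

    # 2. End-entity S/MIME certificate for a made-up user (serial 0x1000).
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
        -subj "/CN=Alice Example/emailAddress=alice@example.test" \
        -keyout "$work/user.key" -out "$work/user.csr" 2>/dev/null
    openssl ca -batch -config "$cfg" -extensions smime_cert -notext \
        -in "$work/user.csr" -out "$work/user.pem" 2>/dev/null

    # 3. Sign a message with that certificate, as an MUA would.
    printf 'Subject: test\n\nhello from alice\n' > "$work/msg.txt"
    openssl smime -sign -in "$work/msg.txt" -signer "$work/user.pem" \
        -inkey "$work/user.key" -out "$work/msg.p7s" 2>/dev/null

    # 4. Before revocation both the chain and the signature verify.
    openssl verify -CAfile "$work/ca.pem" "$work/user.pem" >/dev/null 2>&1
    openssl smime -verify -in "$work/msg.p7s" -CAfile "$work/ca.pem" -out /dev/null 2>/dev/null

    # 5. Revoke the certificate and issue a CRL, then confirm the serial is listed
    #    (the "openssl crl" check from the post).
    openssl ca -config "$cfg" -revoke "$work/user.pem" 2>/dev/null
    openssl ca -config "$cfg" -gencrl -out "$work/crl.pem" 2>/dev/null
    openssl crl -in "$work/crl.pem" -noout -text | grep -q 'Serial Number: 1000'

    # 6. Hand CA cert and CRL to the X509 store together and turn on CRL checking:
    #    now both the certificate and the signed message must be rejected.
    cat "$work/ca.pem" "$work/crl.pem" > "$work/bundle.pem"
    if openssl verify -crl_check -CAfile "$work/bundle.pem" "$work/user.pem" >/dev/null 2>&1; then
        echo "unexpected: revoked certificate still verifies"; return 1
    fi
    if openssl smime -verify -crl_check -in "$work/msg.p7s" -CAfile "$work/bundle.pem" \
        -out /dev/null 2>/dev/null; then
        echo "unexpected: message signed with revoked certificate still verifies"; return 1
    fi

    # 7. Without -crl_check the very same CRL is ignored and the chain is "OK":
    #    a verifier that never consults the CRL cannot report revocation.
    openssl verify -CAfile "$work/bundle.pem" "$work/user.pem" >/dev/null 2>&1

    rm -rf "$work"
    echo "revoked certificate rejected once CRL checking is enabled"
    return 0
}

crl_demo
```

Step 6 is the check the poster expected the MUAs to perform; step 7 is what a verifier that has the CRL on hand but does not evaluate it looks like. Running this first tells you whether the CA, CRL and serial numbers are right before you spend time on the client side. `-crl_check` only inspects the leaf certificate's CRL; use `-crl_check_all` if every CA in the chain should be checked as well.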