On Mon, Dec 29, 2003, Joseph Bruni wrote:

> I've run into an interesting situation and need some advice. I'm building a
> server that will be validating clients via certs. So, I've coded this to
> handle CRLs, but I've encountered that if a CRL has "expired" no
> certificates related to that CA are considered valid. I'm not sure this is a
> good way to go because I don't want to shut down communications just because
> of a CRL that hasn't been updated. The certificates that had been revoked
> are still revoked!
>
The reason this is often done is that if you allow an expired CRL to be used
then someone could use a revoked certificate that hadn't been revoked in the
expired CRL but has been revoked in the current one.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
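The scenario Steve describes, worked through as an added example (not code from the thread, and not OpenSSL's own verifier; OpenSSL reports the same condition as the verify error X509_V_ERR_CRL_HAS_EXPIRED). The CRL model, the issuer name "CN=Example CA", the serial numbers and the timestamps below are constructed for illustration. The example shows why failing closed on a CRL whose nextUpdate has passed is the safer default: a "stale" CRL still proves the revocations it lists (Joseph's point), but it cannot prove that a certificate revoked since its thisUpdate is still good, and an "allow expired CRL" policy accepts exactly that certificate.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    GOOD = "good"                # serial absent from a CRL that is still current
    REVOKED = "revoked"          # serial listed on the CRL
    CRL_EXPIRED = "crl-expired"  # CRL's nextUpdate has passed; fail closed


@dataclass(frozen=True)
class Crl:
    """Minimal model of the CRL fields that drive the decision (constructed)."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset = field(default_factory=frozenset)


def check_revocation(crl, issuer, serial, now, allow_expired_crl=False):
    """Decide a certificate's revocation status against a single CRL.

    A listed serial is revoked regardless of CRL age: a revocation never
    becomes un-revoked. An unlisted serial is GOOD only if the CRL is still
    within its validity window, unless the caller opts into the lenient
    (fail-open) policy from the thread.
    """
    if crl.issuer != issuer:
        raise ValueError("CRL issuer does not match certificate issuer")
    if serial in crl.revoked_serials:
        return Status.REVOKED
    if now > crl.next_update and not allow_expired_crl:
        return Status.CRL_EXPIRED
    return Status.GOOD


def freshest(crls):
    """Pick the CRL with the latest thisUpdate; use it before the stale one."""
    return max(crls, key=lambda c: c.this_update)


# Constructed timeline: the CA issues weekly CRLs; the server's cached copy is stale.
ISSUER = "CN=Example CA"
T0 = datetime(2003, 12, 1, tzinfo=timezone.utc)
SERIAL_OLD = 0x1001   # revoked before the stale CRL was issued
SERIAL_NEW = 0x1002   # revoked at T0 + 9 days, after the stale CRL's thisUpdate

STALE_CRL = Crl(ISSUER, T0, T0 + timedelta(days=7), frozenset({SERIAL_OLD}))
CURRENT_CRL = Crl(ISSUER, T0 + timedelta(days=10), T0 + timedelta(days=17),
                  frozenset({SERIAL_OLD, SERIAL_NEW}))
NOW = T0 + timedelta(days=12)  # stale CRL's nextUpdate passed five days ago


def run_scenario():
    """Return the outcome of each policy for the newly revoked certificate."""
    return {
        # Strict policy on the stale CRL: we cannot vouch for SERIAL_NEW, so refuse.
        "strict_stale": check_revocation(STALE_CRL, ISSUER, SERIAL_NEW, NOW),
        # Lenient policy on the stale CRL: SERIAL_NEW is accepted although revoked.
        "lenient_stale": check_revocation(STALE_CRL, ISSUER, SERIAL_NEW, NOW,
                                          allow_expired_crl=True),
        # The fix is to obtain the current CRL, which lists SERIAL_NEW.
        "current": check_revocation(CURRENT_CRL, ISSUER, SERIAL_NEW, NOW),
        # Joseph's observation: an old revocation is still honoured by the stale CRL.
        "old_revocation_on_stale": check_revocation(STALE_CRL, ISSUER, SERIAL_OLD,
                                                    NOW, allow_expired_crl=True),
        # Given both CRLs, the freshest one is the right one to consult.
        "freshest_picks_current": freshest([STALE_CRL, CURRENT_CRL]) is CURRENT_CRL,
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:28s} {result}")
```

The practical consequence for the server in the thread: keep the strict behaviour, and treat a CRL_EXPIRED outcome as an operational alarm (fetch the CRL from its distribution point, or page whoever maintains it) rather than as a reason to loosen the check.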
