On Thu, Apr 14, 2005, Eddy Tan wrote:
> --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> > So *in this case* that critical extension can be safely
> > ignored.
>
> but then for sanity check, if I made a script to get all revoked
> serial numbers on that CRL then comparing user certificate's
> serial number with the ones in the CRL's list; will that be
> considered an "OK" verification?
OpenSSL does that automatically. What you'd really need to do is to check for critical CRL extensions in the verify callback when you get that error. If IDP is the only critical extension present *and* if it is empty (length 2) you can safely ignore that error.

It would be better if the CA fixed their certificates though: I'd regard issuing a critical empty IDP extension as broken.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
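The rule Steve describes, as an added example that is not part of the thread and not OpenSSL's own code: a small pure-Python DER walker over a CRL's Extensions block that answers "yes" only when the sole critical extension is issuingDistributionPoint (OID 2.5.29.28) and its value is the empty SEQUENCE, DER `30 00`, the "length 2" in the reply. The sample Extensions blocks are constructed for this example, not taken from any real CRL; a verify callback would pull the real CRL's extensions out with OpenSSL and apply the same rule.

```python
"""Decide whether an 'unhandled critical CRL extension' error may be ignored:
only if the CRL's single critical extension is an empty IDP (DER 30 00)."""

IDP_OID = bytes.fromhex("551d1c")  # 2.5.29.28 issuingDistributionPoint

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def critical_extensions(extensions_der):
    """Yield (oid_bytes, extnValue_bytes) for every extension marked critical."""
    tag, body, _ = _tlv(extensions_der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    pos = 0
    while pos < len(body):
        _, ext, pos = _tlv(body, pos)          # one Extension SEQUENCE
        _, oid, p = _tlv(ext, 0)               # extnID OBJECT IDENTIFIER
        tag, val, p = _tlv(ext, p)
        critical = False
        if tag == 0x01:                        # optional BOOLEAN critical (DEFAULT FALSE)
            critical = val != b"\x00"
            tag, val, p = _tlv(ext, p)
        assert tag == 0x04, "extnValue must be an OCTET STRING"
        if critical:
            yield oid, val

def can_ignore_unhandled_critical(extensions_der):
    """True only if IDP is the sole critical extension and is the empty SEQUENCE."""
    crit = list(critical_extensions(extensions_der))
    return len(crit) == 1 and crit[0][0] == IDP_OID and crit[0][1] == b"\x30\x00"

# Constructed sample Extensions blocks (hand-encoded DER, not from a real CRL):
# critical empty IDP + non-critical cRLNumber(5): the case the reply calls safe
EMPTY_CRIT_IDP = bytes.fromhex("301a" "300c0603551d1c0101ff04023000"
                               "300a0603551d140403020105")
# critical IDP carrying onlyContainsUserCerts TRUE: not empty, must not be ignored
NONEMPTY_CRIT_IDP = bytes.fromhex("3011" "300f0603551d1c0101ff040530038101ff")
# empty critical IDP plus a second critical extension: not the only one
TWO_CRITICAL = bytes.fromhex("301d" "300c0603551d1c0101ff04023000"
                             "300d0603551d140101ff0403020105")

if __name__ == "__main__":
    for name, blob in [("empty IDP", EMPTY_CRIT_IDP), ("non-empty IDP", NONEMPTY_CRIT_IDP),
                       ("two critical", TWO_CRITICAL)]:
        print(name, "->", "ignore error" if can_ignore_unhandled_critical(blob) else "fail")
```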