On Thu, Apr 14, 2005, Eddy Tan wrote:
> --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> > OpenSSL does that automatically. What you'd really need to do
> > is to check for critical CRL extensions in the verify callback
> > when you get that error. If IDP is the only critical extension
> > present *and* if it is empty (length 2) you can safely ignore
> > that error.
>
> That's a really quick response :-) Thanks!
> Last question, if a user certificate's already been revoked,
> will it be removed from the CA's LDAP server instantly?
> My understanding is if it's trivial to update the CRL regularly,
> it should be pretty easy to remove userCertificates from the
> server as well.
>
> If that's the case, we can then, rather than checking the CRL,
> query the specific user certificate from the CA server.
No, in general that won't happen. There are several reasons why it is useful to retrieve a certificate after it has been revoked. For example, if it was possible to determine the certificate was used *before* it was revoked.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]