On Mon, Jun 14, 2010, Jakob Bohm wrote:

> Note to list: I am aware of at least one public CA (TDC OCES) who (at least
> planned to) split their CRL into smaller parts, each covering only
> revocations for a range of certificate serial numbers. The certificates
> themselves then contained/contain different CRL download URLs depending on
> the serial number.
> [snip]
> * I don't know if this CA practice is fully standards compliant, but it
> exists in the real world,

As long as the appropriate extensions are included in the CRLs this is fine. The CRL for example would have a critical issuer distribution point extension. That way implementations that don't support IDP will reject the CRL due to an unhandled critical extension.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
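
An added illustration, not part of the original message and not OpenSSL code: the sketch below walks a DER-encoded crlExtensions SEQUENCE and applies the rule the reply relies on, rejecting a CRL that carries a critical extension the client does not process. The extension bytes, the URL and all function names are constructed for this example.

```python
# Constructed sample data only; the two OIDs are the RFC 5280 id-ce values.
CRL_NUMBER, ISSUING_DISTRIBUTION_POINT = "2.5.29.20", "2.5.29.28"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER contents into dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def critical_oids(extensions_der):
    """List the OIDs flagged critical in a DER-encoded Extensions SEQUENCE."""
    _, seq, _ = read_tlv(extensions_der, 0)
    found, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)      # one Extension SEQUENCE
        _, oid, nxt = read_tlv(ext, 0)        # extnID
        tag, val, _ = read_tlv(ext, nxt)      # critical BOOLEAN, or extnValue
        if tag == 0x01 and val != b"\x00":    # absent BOOLEAN means FALSE
            found.append(decode_oid(oid))
    return found

def check_crl(extensions_der, supported):
    """Return (accepted, unhandled critical OIDs) for a client's supported set."""
    unhandled = [o for o in critical_oids(extensions_der) if o not in supported]
    return not unhandled, unhandled

def der(tag, body): return bytes([tag, len(body)]) + body  # short-form length only

def sample_extensions(url=b"http://crl.example.test/part-03.crl"):
    """Constructed crlExtensions: cRLNumber plus a critical IDP naming one partition."""
    idp = der(0x30, der(0xA0, der(0xA0, der(0x86, url))))  # fullName URI
    crl_number = der(0x30, der(0x06, b"\x55\x1d\x14") + der(0x04, der(0x02, b"\x07")))
    idp_ext = der(0x30, der(0x06, b"\x55\x1d\x1c") + der(0x01, b"\xff") + der(0x04, idp))
    return der(0x30, crl_number + idp_ext)
```

A client whose supported set includes the IDP OID accepts the sample; one that only knows cRLNumber rejects it and reports the IDP OID as the unhandled critical extension.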