On Mon, Jun 14, 2010, matteo mattau wrote:

> 
> Hi, thanks for attention. The CRLs expire all at the same time, all the CRLs
> have the same "nextupdate" date and time. So all the CRLs are valid when I use
> them to validate the certificate.  The situation is the one described as
> "real world". The CA manager has decided to generate several CRLs, all valid,
> all with the same nextupdate attribute, the download url is
> like http://ca.domain.com/CRLn, where n is from 1 to 100. Into the CRL I've
> not seen a critical issuer distribution point extension.  Sorry, but I've
> not understood what is the right way to check if the certificate is revoked
> in this case... and how I can configure openssl to support multiple CRLs of
> the same issuer. I have to use one file for each CRL, and N symbolic links, or
> one file with all the CRLs concatenated, and only one symbolic link?  thanks
> in advance, M.M. 
> 

If there are no extensions to indicate that the CRL scope is limited (see
RFC3280 et al) then this is a non-standard implementation which OpenSSL cannot
handle by default nor would any other RFC3280 compliant validation process.

If the URLs are http (not https) then this is rather problematical because an
attacker with a revoked certificate could intercept the transfer and replace
their CRL with one of different scope and it would look valid.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
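The following script is an added illustration of the point made in this thread; it is not code from either poster or from the OpenSSL project. It builds a throwaway CA, issues and revokes one certificate, and cuts three CRLs: a full CRL before the revocation, a full CRL after it, and one carrying an Issuing Distribution Point (IDP) extension, which is the RFC 3280 mechanism that tells a relying party a CRL covers only part of the issuer's certificates. Every name and URL in it (DemoCA, ca.example.test) is constructed for the demo. It then shows how to check a downloaded CRL for that extension and how `openssl verify -crl_check` behaves with each one.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway CA, one certificate, and three CRLs,
# to show the checks a relying party wants on a downloaded CRL: does it carry an IDP
# extension (a CRL with limited scope must), and does "openssl verify" accept it.
set -eu
WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3ca
[ dn ]
[ v3ca ]
basicConstraints = critical, CA:TRUE
[ crl_scoped ]
issuingDistributionPoint = critical, @idp
[ idp ]
fullname = URI:http://ca.example.test/CRL1
EOF
touch index.txt; echo 01 > serial
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj /CN=DemoCA -days 365 -config ca.cnf 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr -subj /CN=client -config ca.cnf 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in ee.csr -out ee.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl_before.pem 2>/dev/null    # full CRL, nothing revoked yet
openssl ca -config ca.cnf -revoke ee.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl_after.pem 2>/dev/null     # full CRL, client cert revoked
openssl ca -config ca.cnf -gencrl -crlexts crl_scoped -out crl_scoped.pem 2>/dev/null  # scoped CRL (IDP)
# Exit 0 when the CRL declares a limited scope with an IDP extension; a partial CRL without one is non-compliant.
crl_has_idp() { openssl crl -in "$1" -noout -text | grep -q "Issuing Distribution Point"; }
# Exit 0 when OpenSSL accepts cert $1 against the demo CA with CRL checking using CRL file $2.
verify_with_crl() { openssl verify -CAfile ca.pem -CRLfile "$2" -crl_check "$1" >/dev/null 2>&1; }
for c in crl_before.pem crl_after.pem crl_scoped.pem; do
  crl_has_idp "$c" && scope=scoped || scope=full
  verify_with_crl ee.pem "$c" && v=accepted || v=rejected   # rejected: revoked, or no CRL in scope found
  echo "$c: $scope CRL, client cert $v"
done
```

The scoped CRL is rejected for this certificate because the certificate names no distribution point matching the IDP, so OpenSSL will not treat it as covering that certificate; this is why the numbered CRLs in the thread, lacking an IDP, cannot be told apart from full CRLs.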