The concatenation of two digitally signed CRLs is not a valid digitally signed CRL. Some applications may happen to have code to explicitly support this hack, but that ability could actually be a security hole, as an enemy could concatenate an outdated and a current CRL, fooling such applications into thinking the revocations in the old CRL still apply (which would be relevant if a CA temporarily "revokes" half-issued certificates as part of its procedures).
On 11/15/2011 1:52 PM, Olivier Sessink wrote:
Hi all,

On various sources on the internet I found that it is possible to concatenate two X509 CRLs together:

cat file1.pem file2.pem > combined.pem

However, if I run

openssl crl -in combined.pem -text -noout

I see only the revoked certificates from file1.pem. Is this not supported? Should I use a different command? Is this a bug?

Thanks for your help,
Olivier
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
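A defender-side check for the behaviour discussed in this thread, added here as an example and not part of the original posts or of OpenSSL: it splits a PEM file into its blocks and reports when more than one "X509 CRL" block is present, since `openssl crl -in` parses only the first block and silently ignores the rest. The PEM bodies in the sample are constructed placeholders, not real CRLs.

```python
import base64
import re

# One PEM block: label, base64 body, matching END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def split_pem(text):
    """Return every PEM block in the text as (label, der_bytes)."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())  # drop line breaks
        blocks.append((m.group("label"), base64.b64decode(body)))
    return blocks


def crl_blocks(text):
    """Return only the DER payloads of X509 CRL blocks."""
    return [der for label, der in split_pem(text) if label == "X509 CRL"]


def check_single_crl(text):
    """Return (ok, message). ok is False when the file is not exactly one CRL,
    i.e. when it is the concatenated form that openssl crl reads only partly."""
    n = len(crl_blocks(text))
    if n == 0:
        return False, "no X509 CRL block found"
    if n > 1:
        return False, f"{n} X509 CRL blocks found; openssl crl reads only the first"
    return True, "one X509 CRL block"


def _pem(label, payload):
    """Build a PEM block from a constructed payload (placeholder, not a real CRL)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"


# Constructed sample input: two placeholder CRLs, then the concatenation
# that 'cat file1.pem file2.pem > combined.pem' would produce.
CRL_A = _pem("X509 CRL", b"constructed placeholder crl 1")
CRL_B = _pem("X509 CRL", b"constructed placeholder crl 2")
COMBINED = CRL_A + CRL_B

if __name__ == "__main__":
    print(check_single_crl(CRL_A))
    print(check_single_crl(COMBINED))
```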