You are getting the question completely wrong!
This is not about CAs issuing partial, incremental and complete CRLs
(something OpenSSL has silly problems with handling). This is about
a user who thought that concatenating CRL files as text would be a
valid way to produce a complete/combined CRL from partial CRLs.
A CA issuing both partial/incremental and complete/combined CRLs
can/should/will trivially sign both forms with its private key, resulting
in each released CRL being a single digitally signed DER structure
of the proper form.
(Sorry for the TOFU, but it fits the nature of this thread).
On 11/15/2011 2:57 PM, Francesco Petruzzi wrote:
The combined crl means a certificate revocation list including all revoked
certificates for the whole (and single) CA, and the partitioned one is a
lighter crl limited to a known number of emitted certificates. CAs must publish a
number of partitioned crls that covers all issued certificates, and a certificate's
cdp can point to the relevant partitioned one or to the combined crl.
It is not the scope of partitioned crls to be combined into a big one but only to
make download faster, also for CAs with a large number of revoked certificates (a
combined, classic crl can be larger than 10 MB). A valid alternative is OCSP.
-----Original message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On behalf of Jakob Bohm
Sent: Tuesday 15 November 2011 14:07
To: openssl-users@openssl.org
Subject: Re: concatenate two CRL's
The concatenation of two digitally signed CRLs is not a valid digitally signed CRL. Some
applications may happen to have code to explicitly support this hack, but that ability
could actually be a security hole as an enemy could concatenate an outdated and a current
CRL, fooling such applications into thinking the revocations in the old CRL still apply
(which would be relevant if a CA temporarily "revokes" half-issued certificates
as part of its procedures).
On 11/15/2011 1:52 PM, Olivier Sessink wrote:
Hi all,
on various sources on the internet I found that it is possible to
concatenate two X509 CRL's together:
cat file1.pem file2.pem > combined.pem
However, if I run
openssl crl -in combined.pem -text -noout
I see only the revoked certificates from file1.pem.
Is this not supported? Should I use a different command? Is this a bug?
Thanks for your help,
Olivier
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
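An added example, not written by anyone in this thread, of how a client-side script can deal with such a concatenated file: since openssl crl reads only the first PEM object in a file, the script counts and splits the CRL blocks, then verifies each one on its own against the CA certificate and prints its validity window, so an outdated CRL hidden behind a current one is visible rather than silently trusted. Assumes openssl is on PATH; the CA path and file names are placeholders, and the sample PEM it writes is a constructed stand-in, not a real CRL, so check_crls is only meaningful on real CRL files.

```shell
#!/bin/sh
# Handle a PEM file that holds several CRLs. Each CRL is its own signed
# DER structure, so the file is split and every block is checked alone.

# Count the CRL objects in a PEM file (prints the number).
count_crl_blocks() {
    grep -c '^-----BEGIN X509 CRL-----' "$1"
}

# Write each CRL block of $1 to $2/crl-N.pem; prints the number written.
split_crl_blocks() {
    awk -v dir="$2" '
        /^-----BEGIN X509 CRL-----/ { n++; out = sprintf("%s/crl-%d.pem", dir, n) }
        n > 0                       { print > out }
        /^-----END X509 CRL-----/   { close(out) }
        END                         { print n + 0 }
    ' "$1"
}

# Verify every split CRL in $2 against the CA certificate $1 and show its
# validity window. Returns the number of CRLs whose signature failed.
check_crls() {
    ca="$1"; dir="$2"; bad=0
    for f in "$dir"/crl-*.pem; do
        [ -e "$f" ] || continue
        if openssl crl -in "$f" -noout -verify -CAfile "$ca" 2>/dev/null; then
            printf '%s: signature OK, ' "$f"
            openssl crl -in "$f" -noout -lastupdate -nextupdate | tr '\n' ' '
            echo
        else
            printf '%s: signature verification FAILED\n' "$f"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: two placeholder blocks, NOT real CRLs (assumption).
write_sample_pem() {
    printf -- '-----BEGIN X509 CRL-----\nAAAA\n-----END X509 CRL-----\n' > "$1"
    printf -- '-----BEGIN X509 CRL-----\nBBBB\n-----END X509 CRL-----\n' >> "$1"
}

# Demo on the constructed sample; no openssl needed for these two steps.
work=$(mktemp -d)
write_sample_pem "$work/combined.pem"
echo "CRL blocks in combined.pem: $(count_crl_blocks "$work/combined.pem")"
split_crl_blocks "$work/combined.pem" "$work" >/dev/null
ls "$work"/crl-*.pem
# With real CRLs: check_crls /path/to/ca.pem "$work"   (placeholder path)
```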