Thanks to Leon and Juan.
Maybe it should be OCSP (Online Certificate Status Protocol) instead of OSPF.
When you choose Tools-Options-Security-Advanced in Outlook Express, there is an option about revocation checking; you can choose between "only when online" and "never". If you choose "only when online", then when a signed mail is received by Outlook Express, the certificate in the mail will be checked for whether it has already been revoked. How can Outlook Express perform this task? Does Outlook Express use the OCSP protocol to get a real-time CRL list for the revocation checking task?
And there exists a CRL distribution points (CDP) extension in X.509 v3 certificates. The CDP extension identifies how CRL information is obtained (see RFC 2459). See below:
cRLDistributionPoints ::= {
    CRLDistPointsSyntax }

CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

DistributionPoint ::= SEQUENCE {
    distributionPoint   [0] DistributionPointName OPTIONAL,
    reasons             [1] ReasonFlags OPTIONAL,
    cRLIssuer           [2] GeneralNames OPTIONAL }

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

GeneralName ::= CHOICE {
    otherName                 [0] OtherName,
    rfc822Name                [1] IA5String,
    dNSName                   [2] IA5String,
    x400Address               [3] ORAddress,
    directoryName             [4] Name,
    ediPartyName              [5] EDIPartyName,
    uniformResourceIdentifier [6] IA5String,
    iPAddress                 [7] OCTET STRING,
    registeredID              [8] OBJECT IDENTIFIER }
uniformResourceIdentifier can contain the LDAP URL information of the CRL issuer.

So although a certificate doesn't contain a CRL, I still have a question: when an application written by me (acting as a secure mail client) receives a signed mail and wants to check whether the certificate in the mail has already been revoked by the CA, does the CDP extension in the certificate give enough information (such as an LDAP URL) for my application to retrieve the latest CRL from the LDAP server of the CA? Or else, how can my secure email client obtain the latest CRL list from the CA on a regular periodic basis (e.g., hourly, daily, or weekly) to make the client more secure?
Have a nice day!
Wooce
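As an added example (not part of this thread and not OpenSSL code), here is a small DER decoder and encoder for the cRLDistributionPoints value quoted above, in Python with no third-party modules. It pulls the fetch locations (the LDAP or HTTP URIs) out of each DistributionPoint, flags points that carry a reasons field (such a CRL lists only some revocation reasons) or a cRLIssuer (an indirect CRL signed by an entity other than the certificate issuer), and orders the remaining URIs by scheme. The DistributionPointName CHOICE (fullName [0] GeneralNames / nameRelativeToCRLIssuer [1]) comes from RFC 2459 section 4.2.1.14, which the quoted excerpt leaves out. The hostnames and URIs in the sample are constructed for this example.

```python
"""Decode and build the X.509 v3 cRLDistributionPoints extension value (RFC 2459
sec. 4.2.1.14) with a hand-written DER codec.  Added example, not from the thread."""

# DER tags as they appear inside this extension.  DistributionPoint lives in the
# PKIX IMPLICIT TAGS module, but DistributionPointName is a CHOICE, so its [0]
# tag is encoded explicitly.  A URI distribution point therefore nests as
#   SEQUENCE { [0] { [0] GeneralNames { [6] IA5String } } }
TAG_SEQUENCE = 0x30
TAG_DISTRIBUTION_POINT = 0xA0  # DistributionPoint.distributionPoint [0]
TAG_REASONS = 0x81             # DistributionPoint.reasons [1], implicit BIT STRING
TAG_CRL_ISSUER = 0xA2          # DistributionPoint.cRLIssuer [2], implicit GeneralNames
TAG_FULL_NAME = 0xA0           # DistributionPointName.fullName [0] GeneralNames
TAG_GN_RFC822 = 0x81           # GeneralName.rfc822Name [1] IA5String
TAG_GN_DNS = 0x82              # GeneralName.dNSName [2] IA5String
TAG_GN_URI = 0x86              # GeneralName.uniformResourceIdentifier [6] IA5String

def der_length(n):
    """Length octets: short form below 128, else 0x80|k followed by k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV at buf[pos]; refuses truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content

def parse_general_names(buf):
    """Collect the string-valued GeneralName members; directoryName etc. are skipped."""
    return [content.decode("ascii") for tag, content in iter_tlvs(buf)
            if tag in (TAG_GN_URI, TAG_GN_DNS, TAG_GN_RFC822)]

def parse_crl_distribution_points(der):
    """Decode CRLDistPointsSyntax into one dict per DistributionPoint."""
    tag, content, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("extension value must be a single SEQUENCE")
    points = []
    for dp_tag, dp_content in iter_tlvs(content):
        if dp_tag != TAG_SEQUENCE:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        point = {"uris": [], "reasons_restricted": False, "crl_issuer": []}
        for tag, value in iter_tlvs(dp_content):
            if tag == TAG_DISTRIBUTION_POINT:
                name_tag, name_value, _ = read_tlv(value, 0)
                if name_tag == TAG_FULL_NAME:
                    point["uris"] = parse_general_names(name_value)
                # [1] nameRelativeToCRLIssuer needs the issuer DN to resolve; left empty
            elif tag == TAG_REASONS:
                # This CRL lists only some revocation reasons, so "serial not present"
                # from it alone does not prove the certificate is still good.
                point["reasons_restricted"] = True
            elif tag == TAG_CRL_ISSUER:
                point["crl_issuer"] = parse_general_names(value)
        points.append(point)
    return points

def encode_crl_distribution_points(points):
    """Build the DER value from a list of URI lists (one list per DistributionPoint)."""
    dps = b""
    for uris in points:
        names = b"".join(der_tlv(TAG_GN_URI, u.encode("ascii")) for u in uris)
        dps += der_tlv(TAG_SEQUENCE,
                       der_tlv(TAG_DISTRIBUTION_POINT, der_tlv(TAG_FULL_NAME, names)))
    return der_tlv(TAG_SEQUENCE, dps)

def crl_fetch_candidates(der, prefer=("http", "ldap")):
    """URIs a client may fetch a complete CRL from, ordered by scheme preference.
    Indirect (cRLIssuer) and reason-restricted points are left out: the first is
    signed by another key, the second is not a complete revocation list."""
    uris = [u for p in parse_crl_distribution_points(der)
            if not p["reasons_restricted"] and not p["crl_issuer"] for u in p["uris"]]
    rank = {scheme: i for i, scheme in enumerate(prefer)}
    return sorted(uris, key=lambda u: rank.get(u.split(":", 1)[0].lower(), len(prefer)))

# Constructed sample (hypothetical hostnames): the same CRL published over HTTP and in
# the CA's LDAP directory.  The value exceeds 127 bytes, so the outer SEQUENCE gets a
# long-form length, which exercises that branch of read_tlv.
SAMPLE_POINTS = [
    ["http://crl.example.test/ca.crl"],
    ["ldap://directory.example.test/CN=Example%20CA,O=Example?certificateRevocationList;binary"],
]
SAMPLE_DER = encode_crl_distribution_points(SAMPLE_POINTS)
```

What the client does with the returned URIs is outside this block: fetch the CRL from one of them, verify the CRL signature with the issuing CA's certificate before trusting it, look the certificate's serial number up in revokedCertificates, and use the CRL's nextUpdate field to decide when a fresh copy is due rather than a fixed hourly or daily timer.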
- Original Message -
From: ZILBER,LEONID (HP-NewJersey,ex1) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 21, 2001 10:58 AM
Subject: RE: questions about CRL check
An X.509 certificate does NOT contain ANYTHING related to a CRL, but X.509 contains a serial number which WILL be included in the VeriSign-issued CRL list in case the certificate was revoked. http://onsitecrl.verisign.com/ is the site where you can check if your certificate was revoked: put in the serial number of the revoked certificate and you will see it in the list. I believe in our case VeriSign sends us a CRL every 3 hrs or something. But you can also use the OSPF (something like this) protocol to get a real-time CRL list.
Hope this helps!
Leon
-Original Message-
From: Juan Carlos Albores Aguilar [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 1:31 PM
To: [EMAIL PROTECTED]
Subject: Re: questions about CRL check
It seems like there's a problem in concepts: a certificate cannot contain a CRL, but a CRL can contain one or more certificates. Considering that, a certificate cannot even be sure to be contained in a CRL; that can only be known by checking the CRL. Regarding your second question, a certificate cannot get a CRL; that's a CA job. The CA defines how often the CRL will be available, so you need to do this manually.
I hope it helps, bye.
Juan Carlos Albores Aguilar
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 20, 2001 8:49 PM
Subject: questions about CRL check
Hi,
1. Is an X.509 certificate sure to contain a certificate revocation list?
2. If an X.509 certificate contains a CRL, is there an interface defined in it on how to get the latest CRL from the CA to replace the current CRL? Does any RFC define it?
Thank you and have a nice day.
Sincerely,
Wooce
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]