Stefano Bergamasco wrote:
> 
> "The error was: The certificate revocation list for this site's certificate
> is not yet valid.
> Reload a new certificate revocation list."
> UserB's e-mail is correctly rejected because:
> "The error was: This operation cannot be performed because a required
> certificate has
> been revoked."
> 
> What does it mean that "the certificate revocation list is not yet valid"? I
> have no newer CRL to download (and it would make little sense to publish one
> now, because the one I have is anyway newer than CertA)!
> 
> Doing the same with Outlook Express gives no problems (only CertB is
> rejected).
> 
> The CRL was downloaded as application/x-pkcs7-crl
> 
> Any help?
> Shall I publish a CRL BEFORE any e-mail is sent between my users?

Netscape's CRL handling isn't documented apart from a vague mention of
the MIME type. I managed to fill in a few gaps by doing some
experiments.

The behaviour I noticed and have seen reported seems a little unusual to say
the least. It has been mentioned that once it downloads a CRL for a
given CA it always expects it to be up to date otherwise it chokes on
all certificates from that authority.

Anyway in your case it might be a time problem. The CRL contains two
fields which signal the validity period of a CRL. These are called
thisUpdate and nextUpdate but displayed as Last Update and Next Update.
Basically the time the revocation check takes place has to fall between
the two dates so if one PC clock is wrong or has timezone differences
that might explain it.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
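
The validity-window check described in the reply above, as an added example that is not part of the original message or of OpenSSL. It reads the two dates in the form printed by "openssl crl -noout -lastupdate -nextupdate" and compares them with a clock reading; the sample dates and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, in the format printed by
#   openssl crl -in crl.pem -noout -lastupdate -nextupdate
SAMPLE = """lastUpdate=Mar  6 10:00:00 2000 GMT
nextUpdate=Apr  5 10:00:00 2000 GMT
"""

def _to_utc(value):
    # split/join collapses the padding before single-digit days
    stamp = " ".join(value.split())
    parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def parse_crl_window(text):
    """Return (thisUpdate, nextUpdate) in UTC; nextUpdate is None if absent."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    nxt = fields.get("nextUpdate")
    return (_to_utc(fields["lastUpdate"]),
            _to_utc(nxt) if nxt and nxt != "NONE" else None)

def check_crl_time(this_update, next_update, now):
    """Classify a clock reading against the CRL window; return (status, gap)."""
    if now.tzinfo is None:
        raise ValueError("need a timezone-aware clock reading")
    now = now.astimezone(timezone.utc)
    if now < this_update:
        return "not yet valid", this_update - now
    if next_update is not None and now > next_update:
        return "expired", now - next_update
    return "valid", timedelta(0)

if __name__ == "__main__":
    window = parse_crl_window(SAMPLE)
    clocks = {
        "correct clock, 10:05 UTC": datetime(2000, 3, 6, 10, 5, tzinfo=timezone.utc),
        # Wall clock reads 10:05 but the OS zone is UTC+1, so the PC believes it is 09:05 UTC.
        "10:05 with zone UTC+1": datetime(2000, 3, 6, 10, 5, tzinfo=timezone(timedelta(hours=1))),
    }
    for label, now in clocks.items():
        print(label, "->", check_crl_time(*window, now))
```

The second clock shows how a freshly issued CRL can be reported as not yet valid on a PC whose time zone setting is wrong even though its displayed time looks right.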
