On Wed, Jun 25, 2003, Lee Dilkie wrote:

> This question intrigues me as well. Does the crl check key on the presence
> of the crl extension in the certificate or does it assume that all
> certificates have a crl regardless of the certificate extension. I would
> expect the behaviour that you describe only for certificates that have the
> crl extension. You (well, the code) shouldn't reject a certificate that
> doesn't contain a crl extension. If that is the way the code behaves, then I
> must have misunderstood your explanation and I'm sorry. If it does reject
> certificates without a crl extension, is there any way to know the failure
> was due to a missing crl on a certificate with no crl extension?
>
It always assumes that a certificate will have an accessible current CRL. As I
mentioned the absence of a CRLDP extension doesn't necessarily mean that the
CA doesn't issue CRLs: just that it doesn't give details about how to download
them in the certificate.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
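
The behaviour described in this reply can be reproduced with the `openssl` command-line tool. The script below is an added example, not part of the original message or the OpenSSL project's own code. The demo CA, the leaf certificate, the file names and the helper functions are all constructed for illustration, and the script assumes an `openssl` binary (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example. All material is constructed: a throwaway CA and a leaf
# certificate, neither carrying a CRL Distribution Points (CRLDP) extension.

make_demo_pki() (            # $1 = scratch directory
    cd "$1" || exit 1
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
default_md = sha256
default_crl_days = 7
EOF
    : > index.txt
    openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -days 7 \
        -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null || exit 1
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
        -subj "/CN=demo leaf" -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 1 \
        -days 7 -out leaf.pem 2>/dev/null || exit 1
    # Empty but current CRL, signed by the demo CA.
    openssl ca -config demo.cnf -gencrl -keyfile ca.key -cert ca.pem \
        -out ca.crl 2>/dev/null
)

has_crldp() {                # $1 = certificate file; true if it has a CRLDP extension
    openssl x509 -in "$1" -noout -text | grep -q "CRL Distribution Points"
}

verify_leaf() (              # $1 = directory, rest = extra "openssl verify" options
    cd "$1" || exit 1
    shift
    openssl verify -CAfile ca.pem "$@" leaf.pem 2>&1
)

dir=$(mktemp -d) && make_demo_pki "$dir" && {
    has_crldp "$dir/leaf.pem" || echo "leaf has no CRLDP extension"
    echo "1) no CRL checking:";       verify_leaf "$dir" || :
    echo "2) -crl_check, no CRL:";    verify_leaf "$dir" -crl_check || :
    echo "3) -crl_check with a CRL:"; verify_leaf "$dir" -crl_check -CRLfile ca.crl || :
    rm -rf "$dir"
}
```

Case 2 fails with `unable to get certificate CRL` (error 3) although the leaf has no CRLDP extension, and case 3 passes once a current CRL from the issuer is supplied. Checking the certificate for the extension alongside that error code is one way to tell the two situations apart.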