> It always assumes that a certificate will have an accessible
> current CRL. As I
> mentioned the absence of a CRLDP extension doesn't
> necessarily mean that the CA
> doesn't issue CRLs: just that it doesn't give details about
> how to download
> them in the certificate.
>
> Steve.

Ok, so I didn't misunderstand. My problem is this. Some CAs issue CRLs
and some don't. The CRL extension is the only way to know for sure that
there is supposed to be a CRL for an issued certificate. I fully agree with
returning a verification failure if that CRL isn't available.

However, the case of a certificate without a CRL extension is more
difficult. It's not possible to know if there is an out-of-band CRL or not.
I would think a warning would be a better thing to give than an error. Or
perhaps a(nother) flag to indicate that you wish to ignore CRL-not-found
errors for certificates with no CRL extensions. Otherwise we end up with the
case we have here. Someone wants to turn on CRL checking because that's the
right and secure thing to do, but the built-in verify is too strict and is
not returning useful results. Short of writing his own verify code (a fairly
major effort to get right), I worry that this will discourage using the CRL
checking features and we end up poorer off, security-wise.

just my thoughts.

regards,

-lee

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
