Richard Levitte - VMS Whacker wrote:

> Well, with my scheme, the "entire chain" goes from the leaf to your
> point of trust, not further. Checking CRLs between those two points
> makes sense, doesn't it? Henrik Nordström outlined the reasons to do
> so in message <[EMAIL PROTECTED]>.

Yes, of course. Provided that there exist any CRLs to check in the first place.

> The lack of CDPs is a burden, I agree. That doesn't make you avoid
> CRLs, though, which is what I thought you said you were doing. Quite
> the contrary, in fact...

We're trying out this implementation, our goal being to be flexible enough to handle certificate chains with: 1) CDPs in the certificates, 2) well-known CDPs, 3) no CRLs whatsoever, and 4) mixed conditions. Therefore, we need to be able to relax CRL checking for some certificates and fall back to out-of-band actions for revocations. Not desirable, but nevertheless a reality in a few cases that we have seen.

Mats
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                         [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
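The per-certificate policy Mats describes (CDPs in the certificate first, a well-known CRL location for the issuer second, and otherwise no CRL and an out-of-band fallback, walking only from the leaf up to the point of trust) can be modelled as a small planning step that runs before any CRL is fetched. The following is an added example and not code from the thread or from OpenSSL; the `Cert` and `RevocationPlan` structures, the `WELL_KNOWN_CDPS` table and all names in it are assumptions constructed for illustration.

```python
"""Decide, for each certificate between the leaf and the trust anchor,
where its CRL should come from, or flag that no CRL exists.  Added
example; the data structures are assumptions, not OpenSSL's."""
from dataclasses import dataclass, field


@dataclass
class Cert:
    subject: str
    issuer: str
    # URLs taken from the crlDistributionPoints extension, if the cert has one.
    cdps: list = field(default_factory=list)


@dataclass
class RevocationPlan:
    subject: str
    crl_urls: list
    source: str  # "cdp", "well-known" or "none"


# Constructed table of well-known CRL locations, keyed by issuer name
# (assumption: an operator-maintained configuration, not anything from the page).
WELL_KNOWN_CDPS = {
    "CN=Example Root": ["http://crl.example.test/root.crl"],
}


def plan_chain(chain, trust_anchor_subject, well_known=WELL_KNOWN_CDPS):
    """Walk the chain leaf-first and stop at the trust anchor; certificates
    above the anchor are not considered.  For each certificate below it,
    prefer its own CDPs, then a well-known location for its issuer, else
    record that no CRL is available."""
    plans = []
    for cert in chain:
        if cert.subject == trust_anchor_subject:
            break  # reached the point of trust
        if cert.cdps:
            plans.append(RevocationPlan(cert.subject, list(cert.cdps), "cdp"))
        elif cert.issuer in well_known:
            plans.append(RevocationPlan(cert.subject,
                                        list(well_known[cert.issuer]),
                                        "well-known"))
        else:
            plans.append(RevocationPlan(cert.subject, [], "none"))
    else:
        # The anchor never appeared: the chain does not end at our trust point.
        raise ValueError("chain does not reach the trust anchor")
    return plans


def needs_out_of_band(plans):
    """Subjects whose revocation status can only be established out of band."""
    return [p.subject for p in plans if p.source == "none"]


if __name__ == "__main__":
    # Constructed mixed chain: leaf has a CDP, intermediate relies on the
    # well-known table, root is the trust anchor.
    chain = [
        Cert("CN=leaf", "CN=Example Intermediate",
             ["http://crl.example.test/intermediate.crl"]),
        Cert("CN=Example Intermediate", "CN=Example Root"),
        Cert("CN=Example Root", "CN=Example Root"),
    ]
    for plan in plan_chain(chain, "CN=Example Root"):
        print(plan.subject, plan.source, plan.crl_urls)
    print("out-of-band needed for:",
          needs_out_of_band(plan_chain(chain, "CN=Example Root")))
```

The value of separating the plan from the fetch is that a verifier can see up front which certificates in a chain will go unchecked by CRL, and can apply the relaxation only to those, rather than silently skipping revocation for the whole chain because one link has no distribution point.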