What if my cert happened to expire 1 month later? Would that mean if someone
did compromise my cert and sent signed e-mails before it expired (but
*after* I added to the CRL), then after it expires, that signed e-mail
would appear VALID - as it wouldn't be in the CRL anymore?
No, it will be in the CRL. The rules say that a revoked cert must appear in (at least?) one CRL after its expiration period. Without that, as you point out, there is a gap during which the cert could appear valid.
/r$
-- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
