On Tue, Jan 04, 2005, [EMAIL PROTECTED] wrote:

> Hello!
> I send the certificates from this case to You ("Dr. Stephen Henson"). Is my
> problem more clear now?
>
Yes, there are two separate issues here.

One is that OpenSSL's CRL handling isn't currently advanced enough to handle more complex cases.

The other issue is related to the PKI form itself. AFAICS it is equivalent to the case where separate CA and CRL signing keys are in use. This would mean that some applications might happily check revocation status against a CRL that is out of scope.

Both of these problems are as a result of all the subordinate CAs having the same name. If they had different names all would be OK.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
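
An added example, not part of the original message and not OpenSSL's code: a simplified Python model of the out-of-scope CRL problem described above, where subordinate CAs share one name. The `Cert` and `CRL` classes, the key identifier field used to tell the same-named CAs apart, and all values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str          # issuer distinguished name
    issuer_key_id: str   # identifier of the key that signed it (constructed)

@dataclass(frozen=True)
class CRL:
    issuer: str
    issuer_key_id: str   # identifier of the key that signed the CRL
    revoked: frozenset   # revoked serial numbers

def find_crl_by_name(cert, crls):
    """Name-only lookup: first CRL whose issuer DN matches the certificate's."""
    return next((c for c in crls if c.issuer == cert.issuer), None)

def find_crl_in_scope(cert, crls):
    """Also require the CRL to come from the key that signed the certificate."""
    return next((c for c in crls if c.issuer == cert.issuer
                 and c.issuer_key_id == cert.issuer_key_id), None)

def status(cert, crl):
    if crl is None:
        return "unknown"   # no in-scope CRL: do not report the cert as good
    return "revoked" if cert.serial in crl.revoked else "good"

# Constructed data: two subordinate CAs with the same name but different keys.
SAME_NAME = "CN=Sub CA,O=Example"
CRL_A = CRL(SAME_NAME, "key-A", frozenset({1001}))
CRL_B = CRL(SAME_NAME, "key-B", frozenset())
CERT = Cert(1001, SAME_NAME, "key-A")   # issued and later revoked by sub-CA A

def demo():
    crls = [CRL_B, CRL_A]   # store order decides what the name-only lookup finds
    return (status(CERT, find_crl_by_name(CERT, crls)),
            status(CERT, find_crl_in_scope(CERT, crls)))

if __name__ == "__main__":
    print(demo())
```

With distinct CA names, as the reply suggests, both lookups would select the same CRL.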