On Wed, Apr 05, 2006, Holger Menzer wrote:

> Hello,
> 
> is it possible to implement indirect Certificate Revocation Lists with 
> OpenSSL?
> There is an entry in the man page to x509v3_config [1], saying it cannot 
> currently be set or displayed... But maybe someone hacked it anyway
> (- by using ASN.1 or DER for example).
> 
> If it's possible, how can it be done?
> 

You can create the things using OpenSSL 0.9.9-dev only. They are also
displayed correctly.

Correctly partitioning the CRLs is down to the user setting the config
correctly.

The config file format for that option isn't documented but it isn't hard
to work out. Just include the string "indirectCRL" and it will set the flag.

The OpenSSL verify code does not currently support them; it may well do in the
not too distant future.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
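Since the reply notes that the verify code does not handle indirect CRLs, a consumer may need to detect the flag itself. The following is an added example, not code from this thread or from the OpenSSL project: a minimal DER reader for the issuingDistributionPoint extension value as laid out in RFC 5280 section 5.2.5. The helper names, sample bytes and URL are constructed for illustration.

```python
# Added example: decode the boolean flags of an IssuingDistributionPoint
# extension value (RFC 5280, 5.2.5). Context tags [1], [2], [4], [5] are
# IMPLICIT BOOLEAN DEFAULT FALSE; [4] is indirectCRL.
IDP_FLAGS = {1: "onlyContainsUserCerts", 2: "onlyContainsCACerts",
             4: "indirectCRL", 5: "onlyContainsAttributeCerts"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def idp_flags(ext_value):
    """Map each IDP boolean flag name to True/False for one extension value."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected exactly one DER SEQUENCE")
    flags = {name: False for name in IDP_FLAGS.values()}  # absent means FALSE
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        # Only context-class primitive tags carry the flags; [0] (the
        # distribution point name) and [3] (onlySomeReasons) are skipped.
        if (tag & 0xE0) == 0x80 and (tag & 0x1F) in IDP_FLAGS:
            if len(value) != 1:
                raise ValueError("BOOLEAN must be one byte")
            flags[IDP_FLAGS[tag & 0x1F]] = value != b"\x00"
    return flags

def tlv(tag, body):
    """Encode a short-form TLV; used only to build the constructed samples."""
    if len(body) > 127:
        raise ValueError("sample builder handles short-form lengths only")
    return bytes([tag, len(body)]) + body

# Constructed samples: fullName URI, with and without indirectCRL = TRUE.
_DP = tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://ca.example/indirect.crl")))
SAMPLE_INDIRECT = tlv(0x30, _DP + tlv(0x84, b"\xff"))
SAMPLE_DIRECT = tlv(0x30, _DP)
```

The input is the extension value (the contents of the extnValue OCTET STRING), not the whole CRL.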