(First: I'm sorry.  I misunderstood something I read in the OpenSSL
documentation.  CRLs are always V2 according to RFC5280.)

I have not heard of the ability to specify or process multiple scopes
in OpenSSL; however, have you verified that the CRL Extension "Issuing
Distribution Point" is different between the two CRLs?  This is where
different scopes are specified (section 5.2.5 of RFC 5280).

-Kyle H

2009/1/29 Kyle Hamilton <aerow...@gmail.com>:
> I think you're trying to assume something that cannot be assumed: you
> assume that ALL unexpired CRLs are considered.  This is not the case.
> As Dominiqué said, only the CRL that has the latest signature time is
> considered.  This is evident in the name of the file type: Certificate
> Revocation *List*.
>
> It is legal to issue a CRL that revokes a certificate (possibly with
> a type of "onhold", for V3 CRLs) with an expiration time of 2 years
> in the future, and the next hour to remove the revocation status.
> If all simultaneously-valid CRLs are considered, then the intended
> consequence of "unrevoking" the certificate would be impossible.
>
> This is why the CRL must contain the *complete* list of *all* revoked
> certificates which have not yet expired.
>
> There is a PKIX extension, "delta CRLs", which defines for V3 CRLs a
> way to allow for adding to the list of the most-recently-issued full
> CRL.  In order to support unrevocation, there is a special status type
> (called "remove_from_crl") for the delta CRL which is to be
> interpreted as removing the certificate from the revocation list;
> however, in a full V3 CRL, that status type is illegal.  And in V2
> CRLs (the default, since many implementations do not handle V3 CRLs)
> there is no means of specifying the extension that contains a status
> type regardless.
>
> This is specified in PKIX (currently RFC 5280); in order to maintain
> standards-conformance OpenSSL cannot change this behavior.  (Nor can
> it even offer an option to change it, since its job is to maintain
> security-system interoperability, not capriciously make it less
> secure.)
>
> -Kyle H
>
> 2009/1/29 Giang Nguyen <cau...@hotmail.com>:
>>> > I was under the impression that openssl allows loading multiple CRLs
>>> > for the same issuer. But, this does not seem to be the case as is
>>> > proved by using "openssl verify".
>>> >
>>> > $ ls -l ./ca/
>>> > total 24
>>> > lrwxrwxrwx 1 pshah users 10 Jan 28 21:56 ba4bb3b6.0 ->
>>> > cacert.pem -----> the CA cert
>>> > lrwxrwxrwx 1 pshah users 14 Jan 28 21:56 ba4bb3b6.r0 ->
>>> > revoked_48.pem ----> revokes only cert48.pem
>>> > lrwxrwxrwx 1 pshah users 14 Jan 28 21:56 ba4bb3b6.r1 ->
>>> > revoked_49.pem -----> revokes only cert49.pem
>>> > -rw-r--r-- 1 pshah users 1233 Jan 28 17:09 cacert.pem
>>> > -rw-r--r-- 1 pshah users 560 Jan 28 17:10 revoked_48.pem
>>> > -rw-r--r-- 1 pshah users 560 Jan 28 17:10 revoked_49.pem
>>> >
>>> > $ openssl verify -CApath ./ca/ -crl_check -verbose cert49.pem
>>> > cert49.pem: OK
>>> >
>>> > $ openssl verify -CApath ./ca/ -crl_check -verbose cert48.pem
>>> > cert48.pem: /C=--/ST=California/L=San Francisco/O=Riverbed Technology,
>>> > Inc./OU=Steelhead/CN=hw1-sh18/emailaddress=fakeem...@example.com
>>> > error 23 at 0 depth lookup:certificate revoked
>>> > 29615:error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert
>>> > already in hash table:x509_lu.c:418:
>>> >
>>> A CRL (Certificate revocation list) is the list of ALL the revoked
>>> certificates at the time it is issued.
>>> So if at time t1 a certificate 48 is revoked
>>> then all the subsequent CRLs MUST indicate that the certificate 48 is
>>> revoked
>>>
>>> If later at time t2 the certificate 49 is revoked
>>> then all the subsequent CRLs MUST indicate that both certificate 48 and
>>> certificate 49 are revoked
>>>
>>> Thus only the last CRL has to be considered. Since the delivery times of
>>> the CRLs are close together
>>> it is not easy to check in the example which is the last CRL
>>
>> I think you misunderstood the question.
>> The issue at hand is not about "older" and "latest" copies of a particular
>> (certificate revocation) list, but it is about two *distinct* simultaneously
>> valid and active (certificate revocation) lists that are issued/maintained
>> by the same issuer.
>>
>> http://tools.ietf.org/html/rfc5280#section-5
>>
>>    Each CRL has a particular scope.  The CRL scope is the set of
>>    certificates that could appear on a given CRL.  For example, the
>>    scope could be "all certificates issued by CA X", "all CA
>>    certificates issued by CA X", "all certificates issued by CA X that
>>    have been revoked for reasons of key compromise and CA compromise",
>>    or a set of certificates based on arbitrary local information, such
>>    as "all certificates issued to the NIST employees located in
>>    Boulder".
>>
>
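The following is an added illustration, not code from the thread or from OpenSSL: a small model of the RFC 5280 rule Kyle describes (only the most recently issued full CRL for a given scope counts, delta CRLs may carry removeFromCRL, and two CRLs from one issuer only both apply when their Issuing Distribution Point scopes differ). The Crl class, the scope strings and the serials 48/49 are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed model of RFC 5280 CRL selection; it is not how OpenSSL's CApath lookup works.
REMOVE_FROM_CRL = "removeFromCRL"   # CRLReason 8, legal only inside delta CRLs (RFC 5280 5.3.1)


@dataclass
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict                   # serial -> CRLReason string
    scope: str = "all"              # stands in for the Issuing Distribution Point (RFC 5280 5.2.5)
    delta: bool = False             # delta CRL (5.2.4), applied on top of the newest full CRL


def is_revoked(crls, issuer, serial, now):
    """True if `serial` is revoked for `issuer` according to the CRLs that are valid at `now`."""
    valid = [c for c in crls if c.issuer == issuer and c.this_update <= now < c.next_update]
    # One base CRL per scope: the most recently issued full CRL; older copies are superseded.
    bases = {}
    for c in valid:
        if not c.delta and (c.scope not in bases or c.this_update > bases[c.scope].this_update):
            bases[c.scope] = c
    for scope, base in bases.items():
        entries = dict(base.revoked)
        # Deltas issued after the base, in order; removeFromCRL drops an entry (e.g. after a hold).
        deltas = sorted((c for c in valid if c.delta and c.scope == scope
                         and c.this_update >= base.this_update), key=lambda c: c.this_update)
        for d in deltas:
            for s, reason in d.revoked.items():
                if reason == REMOVE_FROM_CRL:
                    entries.pop(s, None)
                else:
                    entries[s] = reason
        if serial in entries:
            return True
    return False


def thread_scenario(distinct_scopes):
    """Two CRLs from one CA, each listing a different serial, as in the thread (constructed)."""
    t, exp, now = datetime(2009, 1, 28, 17, 10), datetime(2009, 3, 28), datetime(2009, 1, 29)
    crl48 = Crl("CA", t, exp, {48: "keyCompromise"}, scope="idp-a" if distinct_scopes else "all")
    crl49 = Crl("CA", t.replace(second=30), exp, {49: "keyCompromise"},
                scope="idp-b" if distinct_scopes else "all")
    return is_revoked([crl48, crl49], "CA", 48, now), is_revoked([crl48, crl49], "CA", 49, now)


def unrevoke_scenario():
    """A hold on serial 48, then a delta CRL an hour later lifting it (constructed)."""
    t, exp, now = datetime(2009, 1, 28, 17, 10), datetime(2011, 1, 28), datetime(2009, 1, 29)
    full = Crl("CA", t, exp, {48: "certificateHold"})
    delta = Crl("CA", t.replace(hour=18), exp, {48: REMOVE_FROM_CRL}, delta=True)
    return is_revoked([full], "CA", 48, now), is_revoked([full, delta], "CA", 48, now)
```

With a single shared scope, the later CRL supersedes the earlier one and serial 48 is no longer treated as revoked; with distinct IDP scopes both lists apply.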
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org