The combined CRL means a certificate revocation list including all revoked 
certificates for the whole (and single) CA, and the partitioned one is a 
lighter CRL limited to a known number of issued certificates. CAs must publish a 
number of partitioned CRLs that cover all issued certificates, and a certificate's 
CDP can point to the relevant partitioned one or to the combined CRL.
It is not the purpose of partitioned CRLs to be combined into a big one, but only 
to make downloads faster, also for CAs with a large number of revoked certificates 
(a combined, classic CRL can be larger than 10 MB). A valid alternative is OCSP.



-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On behalf of Jakob Bohm
Sent: Tuesday, 15 November 2011 14:07
To: openssl-users@openssl.org
Subject: Re: concatenate two CRL's

The concatenation of two digitally signed CRLs is not a valid digitally signed 
CRL.  Some applications may happen to have code to explicitly support this 
hack, but that ability could actually be a security hole, as an enemy could 
concatenate an outdated and a current CRL, fooling such applications into 
thinking the revocations in the old CRL still apply (which would be relevant if 
a CA temporarily "revokes" half-issued certificates as part of its procedures).


On 11/15/2011 1:52 PM, Olivier Sessink wrote:
> Hi all,
>
> on various sources on the internet I found that it is possible to 
> concatenate two X509 CRL's together.
>
> cat file1.pem file2.pem > combined.pem
>
> However, if I run
> openssl crl -in combined.pem -text -noout I see only the revoked 
> certificates from file1.pem
>
> Is this not supported? Should I use a different command? Is this a bug?
>
> Thanks for your help,
> Olivier
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

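The thread makes two points worth seeing in running code: a concatenated file is a bundle of separate signed objects that `openssl crl -in` stops reading after the first of, and a loader that simply trusts every block lets an attacker splice a stale CRL (or one signed by someone else) into the bundle. The script below is an added example, not code from the thread or from OpenSSL. It assumes the Python `cryptography` package; the CA name, keys, serial numbers and the three CRLs (one stale, one current, one signed by a rogue key but claiming the CA's name) are all constructed inside the script as sample input. `naive_revoked_serials` shows what the "hack" Jakob describes amounts to; `trusted_revoked_serials` shows the per-block checks a practitioner should make before believing any of it.

```python
import re
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

DAY = timedelta(days=1)

# One PEM object per match; a bundle made with `cat` is just several of these.
CRL_PEM_BLOCK = re.compile(
    rb"-----BEGIN X509 CRL-----.*?-----END X509 CRL-----\r?\n?", re.DOTALL)


def split_pem_crls(bundle: bytes):
    """Return every CRL object in a concatenated PEM file.

    Single-object loaders (and `openssl crl -in bundle.pem`) stop after the
    first PEM block, so the loop over blocks has to be explicit.
    """
    return [x509.load_pem_x509_crl(block) for block in CRL_PEM_BLOCK.findall(bundle)]


def _validity(crl):
    # cryptography >= 42 exposes timezone-aware datetimes; older releases
    # only the naive-UTC properties. Return aware UTC either way.
    try:
        return crl.last_update_utc, crl.next_update_utc
    except AttributeError:
        return (crl.last_update.replace(tzinfo=timezone.utc),
                crl.next_update.replace(tzinfo=timezone.utc))


def naive_revoked_serials(bundle: bytes) -> set:
    """The 'just concatenate them' hack: believe every block in the file."""
    return {rc.serial_number for crl in split_pem_crls(bundle) for rc in crl}


def trusted_revoked_serials(bundle: bytes, ca_name, ca_public_key, now) -> set:
    """Revocations from blocks that name our CA, verify under its key and are
    inside their own validity window at `now`. Every other block is ignored."""
    revoked = set()
    for crl in split_pem_crls(bundle):
        if crl.issuer != ca_name:
            continue                      # another issuer's CRL, or a forgery
        if not crl.is_signature_valid(ca_public_key):
            continue                      # not signed by our CA
        last, nxt = _validity(crl)
        if not (last <= now <= nxt):
            continue                      # stale (or not yet valid) CRL spliced in
        revoked.update(rc.serial_number for rc in crl)
    return revoked


def make_crl(key, issuer, last, nxt, serials) -> bytes:
    """Sign a CRL revoking `serials`, valid from `last` to `nxt`; return PEM."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer).last_update(last).next_update(nxt))
    for serial in serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(last).build())
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def build_demo_bundle():
    """Constructed sample input (no real CA data): a stale CRL revoking 0x1001,
    the current CRL revoking only 0x2002, and a CRL signed by a rogue key that
    claims the CA's name and revokes 0x3003, concatenated the way `cat` would."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    now = datetime.now(timezone.utc).replace(microsecond=0)
    stale = make_crl(ca_key, ca_name, now - 400 * DAY, now - 370 * DAY, [0x1001])
    current = make_crl(ca_key, ca_name, now - 1 * DAY, now + 7 * DAY, [0x2002])
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    rogue = make_crl(rogue_key, ca_name, now - 1 * DAY, now + 7 * DAY, [0x3003])
    return stale + current + rogue, ca_name, ca_key.public_key(), now


if __name__ == "__main__":
    bundle, ca_name, ca_pub, now = build_demo_bundle()
    print("PEM blocks in bundle:", len(split_pem_crls(bundle)))
    print("naive union:  ", sorted(map(hex, naive_revoked_serials(bundle))))
    print("trusted union:", sorted(map(hex, trusted_revoked_serials(bundle, ca_name, ca_pub, now))))
```

The naive union reports 0x1001 (a revocation that is no longer in force) and 0x3003 (never revoked by this CA at all), while the checked loader keeps only 0x2002. With the OpenSSL command line the equivalent per-block check is to split the file first and then run `openssl crl -in one.pem -noout -CAfile ca.pem -nextupdate` on each piece, looking for "verify OK" and a nextUpdate that has not passed; note that older OpenSSL releases print "verify failure" without a non-zero exit status, so check the text rather than the return code.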