Hello all, I had a couple questions about X509 CRLs.
1) It appears that OpenSSL does not check my tree against the CRLs I provide. If I revoke my own leaf certificate and establish mutually-authenticated SSL, OpenSSL does not prevent the connection from going through. However, if I revoke the peer's leaf certificate, it will fail with the revoked certificate error. Is this by intention? Should I manually check my tree against the CRL before allowing the user to establish a connection?

2) Can a child CA revoke a parent CA? If I import a CRL to my system, should I check only the children of the CA for a matching serial and mark that certificate "Revoked", or should I also check the parents for revocation? What about a certificate that is signed by a parent but isn't in the child's chain?

Two example PKI trees:

A -> B -> C -> D
A -> E -> F -> G

Let's say that certificate authority "B" imports a CRL. Which certificates should be checked for revocation? Only C, D? Only B, C, D? Only A, B, C, D? All of them?

Much appreciated,
Thaddeus

This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the Futurex company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arises from the use of this email or attachments.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
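Editor's note on the two questions above, with an added example that is not part of the original post or of OpenSSL's code. On question 1: during a TLS handshake OpenSSL runs path validation (X509_verify_cert) only over the chain the peer presents; the local certificate loaded with SSL_CTX_use_certificate is never validated, so revoking your own leaf changes nothing unless you verify it yourself. On question 2: under RFC 5280 a CRL is authoritative only for serial numbers its issuer assigned, so a CRL issued by B can revoke C (and the other certificates B signed), never B itself, A, or anything in the A -> E branch; D is revoked by C's CRL, and B by A's CRL. The pure-Python model below encodes that scope rule over the two constructed trees from the post (serial numbers are made up) and mirrors the difference between OpenSSL's X509_V_FLAG_CRL_CHECK (leaf only) and X509_V_FLAG_CRL_CHECK_ALL (every non-root certificate in the path), including the "unable to get certificate CRL" failure when a CRL for an issuer in the path is missing.

```python
"""Model of X.509 CRL scope along a certification path (RFC 5280 section 6.3).

Constructed sample data: the two PKI trees from the post, A->B->C->D and
A->E->F->G, with arbitrary serial numbers. This is an illustration, not
OpenSSL's implementation.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    name: str
    serial: int
    issuer: str  # name of the CA that signed this cert (itself for the root)


@dataclass
class CRL:
    issuer: str
    revoked: set = field(default_factory=set)  # revoked serial numbers


# Constructed PKI: serials are arbitrary, A is the self-signed trust anchor.
CERTS = {
    "A": Cert("A", 1, "A"),
    "B": Cert("B", 2, "A"),
    "C": Cert("C", 3, "B"),
    "D": Cert("D", 4, "C"),
    "E": Cert("E", 5, "A"),
    "F": Cert("F", 6, "E"),
    "G": Cert("G", 7, "F"),
}


def build_chain(leaf):
    """Return [leaf, ..., root] by following issuer links upward."""
    chain = [CERTS[leaf]]
    while chain[-1].issuer != chain[-1].name:
        chain.append(CERTS[chain[-1].issuer])
    return chain


def covered_by(crl):
    """Names of the certificates a CRL can say anything about: exactly those
    its issuer signed. It cannot revoke its own issuer, the issuer's parents,
    or certificates in another branch, because it only speaks for serial
    numbers the issuer assigned."""
    return sorted(c.name for c in CERTS.values()
                  if c.issuer == crl.issuer and c.name != crl.issuer)


def check_chain(leaf, crls, check_all=True, require_crl=True):
    """Walk the path from leaf toward root, checking each certificate against
    the CRL of its *own issuer*.

    check_all=False mirrors X509_V_FLAG_CRL_CHECK (leaf only); True mirrors
    X509_V_FLAG_CRL_CHECK_ALL (every certificate below the trust anchor).
    The self-signed root is never checked: no CRL issuer sits above it.
    require_crl=True reproduces OpenSSL's behaviour of failing when no CRL
    is available for an issuer that must be checked.
    Returns (ok, reason)."""
    by_issuer = {crl.issuer: crl for crl in crls}
    chain = build_chain(leaf)
    to_check = chain if check_all else chain[:1]
    for cert in to_check:
        if cert.issuer == cert.name:
            continue  # trust anchor: nobody above it can revoke it
        crl = by_issuer.get(cert.issuer)
        if crl is None:
            if require_crl:
                return False, f"unable to get certificate CRL for {cert.name}"
            continue
        if cert.serial in crl.revoked:
            return False, f"certificate revoked: {cert.name}"
    return True, "ok"


if __name__ == "__main__":
    # B revokes C (serial 3): D's path fails under CRL_CHECK_ALL,
    # but a leaf-only check of D against C's (empty) CRL still passes.
    crls = [CRL("A"), CRL("B", {3}), CRL("C")]
    print("B's CRL can cover:", covered_by(CRL("B")))
    print("check_all:", check_chain("D", crls))
    print("leaf only:", check_chain("D", crls, check_all=False))
    # C tries to revoke its parent B (serial 2): ignored, B is A's to revoke.
    print("child revoking parent:", check_chain("D", [CRL("A"), CRL("B"), CRL("C", {2})]))
```

The practical consequence for question 2: when B imports a CRL, only the certificates B issued (C in the first tree) are candidates; D is judged by C's CRL and B by A's. A serial in B's CRL that B never issued is simply out of scope.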