Thanks Jason, good info.
So when the distributed CRL is installed within a browser, the browser is what goes out and retrieves the CRL, and not the web server. Is that correct? And that doesn't sound reliable either.
Regarding IIS, when I connect to an IIS machine, which happens to also be the
Steve Larson wrote:
I am wanting to get CRL Distribution Points working within my client
certs.
Using Apache I am able to get certificate revocation working using the
SSLCARevocationFile directive (using a local file).
Using a http://www.webserver.com/crlfile.crl within the cert (CRL
Distrib
Peter,
Thanks for sharing.
However, I disagree on a few points. OpenSSL does have
some CRL handling capability. Please refer to the O'REILLY
OpenSSL book as well as the x509_verify_cert() source
code.
Lincoln
--- Peter Sylvester <[EMAIL PROTECTED]>
wrote:
> >
> > I am not sure Apache actually has th
>
> I am not sure Apache actually has this capability at
> all. Local CRLs are used in OpenSSL's
> x509_verify_cert() function, and since it doesn't
> involve network download, it is handled by OpenSSL.
There is no functionality of CRL in mod_ssl or openssl.
OpenSSL allows to extract programmati
I am not sure if Apache does that. Local CRLs are
handled differently since they are fed into the OpenSSL
x509_verify_cert function. Fetching and downloading
CRL from CDPs for every transaction is too costly for
most applications.
The CDP extension may, at the option of the CA, be either
critical or non
I am not sure Apache actually has this capability at
all. Local CRLs are used in OpenSSL's
x509_verify_cert() function, and since it doesn't
involve network download, it is handled by OpenSSL.
The CDP extension may, at the option of the CA, be either
critical or non-critical. However, the Internet
Ce