OK, I built a new PKI and issued certs with both the CDP and/or/neither AIA
extensions. Here are some observations for anyone interested:
* The Crypto API will pick up the CRL automatically from the URI in the CDP
extension, if present.
* If it cannot be retrieved, validation fails.
* The CRL is
On 10/19/08, Dave wrote:
> OK, I built a new PKI and issued certs with both the CDP and/or/neither AIA
> extensions. Here are some observations for anyone interested:
>
> * The Crypto API will pick up the CRL automatically from the URI in the CDP
> extension, if present.
True.
> * If it cann
...
>
> > * The CRL is pulled from the CDP in the CA certificate
> (i.e. not the
> > end entity certs)
>
> Not true.
> Each certificate is validated against the CRL referred to via
> its own CDP extension. If there is a CDP on the root CA, it can commit suicide.
...
Certainly not the case in my test. I cr
The CRL that is used is the one from the CDP of the certificate in which the
extension is specified. This also enables the CA to produce several
smaller CRLs and attach each part to a different set of certificates.
You can read [1] for more.
I don't know exactly what you do in your testing. I suggest you
insta
OK, I recant my comment about the CRL coming from the CA cert in this
implementation -- this was due to an error in my test setup where my peer
cert did _not_ have the CDP as I thought it did when I executed that test,
so placing the correct cert there gave the behaviour you describe. Thus I
also