Kyle,

Kyle Hamilton wrote:
> I am minded of the CRL entry reason "remove from CRL".  Does NSS
> properly handle that reason-code?

The reason code "remove from CRL" is only applicable to delta CRLs. In addition, this is only allowed if the certificate had the status of "on hold" in the base CRL. You cannot otherwise unrevoke other certificates according to RFC 3280 and its replacements.

Currently, NSS does not support delta CRLs. Neither does libpkix.
So, the answer is no, this particular reason code is not handled by NSS at this time.

But a temporary revocation can still be dealt with without the use of delta CRLs. libpkix can fetch a full CRL where a certificate entry has the reason code of "on hold", and that certificate will be treated as revoked. And if the CA unrevokes it later, libpkix can pick up the next full CRL from the CA that no longer lists that certificate.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
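
The CRL semantics described in the message above, as an added Python model that is not part of the original post and is not NSS or libpkix code. The serial numbers and CRL contents are constructed sample data, and raising an error on a "remove from CRL" entry that was not on hold in the base is this example's own choice.

```python
# Added illustration: models the CRL semantics described in the message above.
# Not NSS/libpkix code; serial numbers and CRL contents are constructed.
ON_HOLD = "certificateHold"
REMOVE = "removeFromCRL"

def status_from_full_crl(full_crl, serial):
    """Full-CRL-only client (the behaviour described for libpkix): any listed
    entry, including one on hold, is treated as revoked."""
    return "revoked" if serial in full_crl else "good"

def apply_delta(base_crl, delta_crl):
    """Merge a delta CRL into its base, as a delta-aware client would.
    removeFromCRL is honoured only for entries that were on hold in the base;
    rejecting anything else is an assumption made by this example."""
    merged = dict(base_crl)
    for serial, reason in delta_crl.items():
        if reason == REMOVE:
            if base_crl.get(serial) != ON_HOLD:
                raise ValueError(f"serial {serial:#x}: removeFromCRL without a prior hold")
            del merged[serial]
        else:
            merged[serial] = reason
    return merged

# Constructed sample data: serial number -> reason code
FULL_CRL_1 = {0x1A: ON_HOLD, 0x2B: "keyCompromise"}
FULL_CRL_2 = {0x2B: "keyCompromise"}           # next full CRL, hold on 0x1A lifted
DELTA_OK = {0x1A: REMOVE, 0x3C: "superseded"}  # lifts the hold, adds a revocation
DELTA_BAD = {0x2B: REMOVE}                     # tries to unrevoke a compromised key

def demo():
    results = {
        "hold_in_full_1": status_from_full_crl(FULL_CRL_1, 0x1A),
        "after_full_2": status_from_full_crl(FULL_CRL_2, 0x1A),
        "merged": apply_delta(FULL_CRL_1, DELTA_OK),
    }
    try:
        apply_delta(FULL_CRL_1, DELTA_BAD)
        results["bad_delta_rejected"] = False
    except ValueError:
        results["bad_delta_rejected"] = True
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```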
