Hello,

From looking at the code (nss\lib\certhigh\certvfy.c), it looks like NSS,
when checking a cert, does the CRL check this way:
1. look up the CRL based on CA name
2. verify the CRL signature
3. Verify the date validity of the CRL
4. check if cert is in CRL

The problem is that if you don't get a new CRL update for some reason,
all certs issued by that CA will be flagged as invalid...

My question, though, is what code (logic) does Communicator use?
Communicator seems to still use an expired CRL for checking a cert's
status (I checked this in my lab). NSS however does not (see logic
above, it errors out before checking the actual CRL). Isn't Communicator
based on the NSS code?

BTW, how does one import a CRL (issued say by CMS) into the IE browser
client? When I attempt to import from CMS web page, IE forces me to save
the CRL in a file on my disk. That's fine, but how does one import from
there? Will search MS Knowledge Base...

-- Patrick
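The four-step check described in the post, as an added example that is not part of the original message and not NSS or Communicator code. It uses Go's standard crypto/x509 package as a stand-in for NSS, builds a constructed CA, leaf cert and CRL in memory (names such as "Lab Test CA", the crlStore map and the allowStale switch are assumptions for the demonstration), and shows both behaviours discussed above: the strict order in which an expired CRL is fatal at step 3 before the cert's serial is ever consulted, and a lenient mode that keeps using a stale CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// One error per stage, in the order the post lists the NSS steps.
var (
	ErrCRLNotFound  = errors.New("no CRL known for the certificate's issuer")
	ErrCRLSignature = errors.New("CRL signature does not verify against the CA key")
	ErrCRLExpired   = errors.New("CRL is outside its thisUpdate/nextUpdate window")
	ErrCertRevoked  = errors.New("certificate serial is listed in the CRL")
)

// crlStore stands in for the CRL cache: one DER-encoded CRL per issuer DN (raw DER subject).
type crlStore map[string][]byte

// checkRevocation runs steps 1-4 from the post. allowStale=false is the strict order the
// post attributes to NSS (an expired CRL fails before the cert is looked up); allowStale=true
// keeps consulting the stale CRL, which is what the post reports observing in Communicator.
func checkRevocation(store crlStore, issuer, cert *x509.Certificate, now time.Time, allowStale bool) error {
	// 1. look up the CRL based on the CA name (the cert's issuer DN)
	der, ok := store[string(cert.RawIssuer)]
	if !ok {
		return ErrCRLNotFound
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return err
	}
	// 2. verify the CRL signature with the issuing CA's public key
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("%w: %v", ErrCRLSignature, err)
	}
	// 3. verify the CRL's date validity; in strict mode this is where every cert from a CA
	//    whose CRL was not refreshed gets rejected, listed in the CRL or not
	if (now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate)) && !allowStale {
		return ErrCRLExpired
	}
	// 4. check whether the cert's serial is in the CRL
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrCertRevoked
		}
	}
	return nil
}

// testPKI is a constructed CA, leaf and CRL for the demonstration (assumed fixture, not CMS output).
type testPKI struct {
	ca, leaf *x509.Certificate
	crlDER   []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildPKI issues a CA and one leaf, then signs a CRL with the given validity window,
// optionally listing the leaf's serial.
func buildPKI(thisUpdate, nextUpdate time.Time, revokeLeaf bool) *testPKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "user@example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: thisUpdate}}
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return &testPKI{ca: ca, leaf: leaf, crlDER: crlDER}
}

func main() {
	now := time.Now()
	// CRL whose nextUpdate passed a day ago and which lists no serials at all
	p := buildPKI(now.Add(-48*time.Hour), now.Add(-24*time.Hour), false)
	store := crlStore{string(p.ca.RawSubject): p.crlDER}
	fmt.Println("strict :", checkRevocation(store, p.ca, p.leaf, now, false))
	fmt.Println("lenient:", checkRevocation(store, p.ca, p.leaf, now, true))
}
```

Running main shows the point of the post: with the same stale CRL, the strict order rejects a perfectly good cert at step 3, while the lenient order accepts it because the serial is not listed. The lenient mode trades that availability failure for the risk of honouring a revocation list the CA has since superseded, which is why the two behaviours described in the post matter.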

