Patrick wrote:
> Hello,
>
> From looking at the code (nss\lib\certhigh\certvfy.c) it looks like NSS
> when checking a cert does the CRL check this way:
> 1. look up the CRL based on CA name
> 2. verify the CRL signature
> 3. Verify the date validity of the CRL
> 4. check if cert is in CRL
>
> The problem is that if you don't get a new CRL update for some reason,
> all certs issued by that CA will be flagged as invalid...
>
> My question though is what code (logic) does Communicator use?
Yes, it is. (That code has changed very little, if at all, since
Communicator.)
> Communicator seems to still use an expired CRL for checking a cert's
> status (I checked this in my lab). NSS however does not (see logic
> above, it errors out before checking the actual CRL). Isn't Communicator
> based on the NSS code?
Yes. If you aren't getting these results, my guess is you are running
into some other case.
>
> BTW, how does one import a CRL (issued say by CMS) into the IE browser
> client? When I attempt to import from CMS web page, IE forces me to save
> the CRL in a file on my disk. That's fine, but how does one import from
> there? Will search MS Knowledge Base...
>
> -- Patrick
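The four-step CRL check Patrick lists above, modelled as an added Python example (not NSS or Communicator source): a strict mode stands in for the NSS order, where a lapsed CRL errors out before the serial is looked up, and a lenient mode for the Communicator behaviour of still consulting the expired list. The CA name, serial numbers, dates and the signature_ok flag are constructed stand-ins.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed model of the four-step CRL check described in the thread.
# Illustrative only; signature_ok stands in for a real signature check.

@dataclass(frozen=True)
class Crl:
    issuer: str            # CA name used for step 1 (lookup)
    signature_ok: bool     # outcome of step 2 (signature verification)
    this_update: datetime  # step 3: CRL valid from ...
    next_update: datetime  # ... until this time
    revoked_serials: frozenset

@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int

class CrlStore:
    def __init__(self, crls):
        self._by_issuer = {c.issuer: c for c in crls}

    def lookup(self, issuer):
        return self._by_issuer.get(issuer)

def check_revocation(cert, store, now, strict=True):
    """Return 'no-crl', 'bad-signature', 'stale-crl', 'revoked', 'good' or 'good-stale'.

    strict=True: an out-of-date CRL is an error before step 4 (NSS order in the thread).
    strict=False: the expired list is still consulted (Communicator); a miss is only
    'good-stale', since a stale list cannot prove the cert is unrevoked.
    """
    crl = store.lookup(cert.issuer)                    # step 1: CRL by CA name
    if crl is None:
        return "no-crl"
    if not crl.signature_ok:                           # step 2: CRL signature
        return "bad-signature"
    fresh = crl.this_update <= now <= crl.next_update  # step 3: date validity
    if not fresh and strict:
        return "stale-crl"
    if cert.serial in crl.revoked_serials:             # step 4: membership
        return "revoked"
    return "good" if fresh else "good-stale"

# Constructed sample data: one CA, a CRL valid for one week, serial 42 revoked.
SAMPLE_STORE = CrlStore([Crl("Example CA", True, datetime(2000, 1, 1),
                             datetime(2000, 1, 8), frozenset({42}))])
CERT_REVOKED = Cert("Example CA", 42)
CERT_OK = Cert("Example CA", 7)
T_FRESH = datetime(2000, 1, 3)     # inside the CRL's validity window
T_EXPIRED = datetime(2000, 1, 20)  # no new CRL fetched; the old one has lapsed
```

In strict mode at T_EXPIRED every cert from the CA comes back 'stale-crl', which is the "all certs flagged as invalid" effect Patrick describes; in lenient mode a revoked serial is still caught but an absent one is only 'good-stale'.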