I am forwarding this message to the openssl-dev list so as to ask for
support in generating such CSLs (read on). Some chance in getting help
to write the code? Actually the CRLs do not support extensions in
OpenSSL, isn't it?
--- Massimiliano Pala ([EMAIL PROTECTED])
[EMAIL PROTECTED] wrote:
>
> Massimiliano Pala <[EMAIL PROTECTED]>@toutatis.comune.modena.it on
> 01/24/2000 12:51:03 PM
>
> Sent by: [EMAIL PROTECTED]
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: OCSP and CSL
>
> Hi all,
>
> (first of all I apologize for my English(?), now let's go on ... )
>
> Working on an OCSP server to be included in the OpenCA package
> I found very strange the lack of some kind of CSL (Certificate
> Suspension List). If there is something similar I'm not aware of,
> please report it and ignore this mail ...
>
> For CSL I mean a sort of CRL (same structures, formats), but carrying
> a list of only suspended certificates: this is obviously useful for
> OCSP implementations and considering the fact that in most env you'll
> not be requested for certificate status changing very often, issuing
> this kind of lists, I think, could be useful.
>
> [Tom Gindin] I believe that a CSL, in this sense, is probably just a CRL
> whose issuingDistributionPoint extension contains an onlySomeReasons field
> specifying the certificateHold bit and no other bit. This doesn't require
> any change to the standards. However, it does bring up another point. Why
> is certificateHold included in ReasonFlags but not removeFromCRL? If a
> delta CRL is issued for a CRL partitioned by reason code, it seems to me
> from the definition of issuingDistributionPoint that removeFromCRL could
> only be included in a delta CRL with the onlySomeReasons field missing,
> which goes against the point of having CRLs partitioned on a reason code
> basis at all. If it is assumed that entries with reason removeFromCRL are
> permitted in any delta CRL whenever ReasonFlags contains certificateHold,
> we should probably amend the IDP extension description to make this clear.
>
> (snip)
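Added example, not part of the original messages and not OpenSSL or OpenCA code: the DER form of an issuingDistributionPoint value whose onlySomeReasons carries only certificateHold, a check that recognizes such a CRL as a suspension list, and the strict per-entry reading under which removeFromCRL has no matching flag. Function names are hypothetical; it assumes the ReasonFlags bits of RFC 2459 and short-form DER lengths only.

```python
# Added example. ReasonFlags bit positions per RFC 2459; bit 0 is the MSB.
REASON_FLAGS = ["unused", "keyCompromise", "cACompromise", "affiliationChanged",
                "superseded", "cessationOfOperation", "certificateHold"]
# CRLReason values used in per-entry reasonCode; value 8 has no ReasonFlags bit.
CRL_REASON = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
              3: "affiliationChanged", 4: "superseded",
              5: "cessationOfOperation", 6: "certificateHold", 8: "removeFromCRL"}

def encode_idp(reasons):
    """DER value of an IDP holding only onlySomeReasons ([3] IMPLICIT BIT STRING)."""
    bits = 0
    for name in reasons:
        bits |= 0x80 >> REASON_FLAGS.index(name)  # the seven flags fit in one byte
    if not bits:
        raise ValueError("onlySomeReasons needs at least one flag")
    unused = (bits & -bits).bit_length() - 1      # DER drops trailing zero bits
    field = bytes([0x83, 0x02, unused, bits])
    return bytes([0x30, len(field)]) + field

def decode_only_some_reasons(der):
    """Set of flag names in onlySomeReasons, or None when the field is absent."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("expected a short-form DER SEQUENCE")
    pos = 2
    while pos < len(der):                         # walk the context-tagged fields
        hdr = der[pos:pos + 2]
        value = der[pos + 2:pos + 2 + hdr[-1]]
        if len(hdr) < 2 or hdr[1] >= 0x80 or len(value) != hdr[1]:
            raise ValueError("truncated or long-form field")
        if hdr[0] == 0x83:                        # [3] onlySomeReasons
            if len(value) < 2 or value[0] > 7:
                raise ValueError("malformed BIT STRING")
            names = set()
            for i, byte in enumerate(value[1:]):
                for j in range(8):
                    if byte & (0x80 >> j):
                        k = 8 * i + j
                        names.add(REASON_FLAGS[k] if k < len(REASON_FLAGS) else "bit%d" % k)
            return names
        pos += 2 + hdr[1]
    return None

def is_suspension_list(idp_der):
    """True when the CRL covers certificateHold and no other reason."""
    return decode_only_some_reasons(idp_der) == {"certificateHold"}

def entry_fits(reason_code, flags):
    """Strict reading from the reply: an entry's reason must have its flag set."""
    return CRL_REASON[reason_code] in flags
```

With the constructed input `30 04 83 02 01 02`, `is_suspension_list` returns true, while `entry_fits(8, {"certificateHold"})` is false, which is the removeFromCRL gap raised in the reply.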