Dr Stephen Henson wrote:
>
> Massimiliano Pala wrote:
> >
> > I am forwarding this message to the openssl-dev list so as to ask for
> > support in generating such CSLs (read on). Some chance in getting help
> > to write the code ??? Actually the CRLs do not support extentions in
> > OpenSSL, isn't it ??
> >
>
> Well it does support extensions but not IDP or deltaCRL.
>
> Rhe standard CRL generation utility 'ca' can't handle CRL entry
> extensions either. 'ca' probably isn't suited to the task and something
> like an option to the 'crl' program to allow a CRL to be generated from
> a config file would IMHO be the best way.
>
> This probably wont make it into 0.9.5 but maybe the next release...
What I was thinking was about the signatures of the CRLs with that kind
of extentions... can CRLs be signed by a certificate that is not the CA
certificate (for their usage them can not be signed by the ca because
it is not connected to the net...) ???
It could be useful to add this kind of CSLs to the Apache server to allow
for suspension of certificates before issuing a new CRL is possible...
What do you think ???
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
P.S.: Another question, probably OT (sorry), someone of you is going to
the IETF 47th meeting ??? I've been asked to go there to partecipate
to the workshops, although a decision is not taken yet, probably there
are no funds.... :-( What's the story for the OpenSSL people (hope
better than mine... ) ???
S/MIME Cryptographic Signature
