hi all,
first of all, I'm not quite sure if this has already been discussed/
solved/... or whether this is the right place to post it,
so just ignore my mail in that case :)
I had a problem with OpenSSL and mod_ssl with CRLs: CAs may roll over
their intermediate CA certs on a regular basis. The subject is the same
in the old and the new CA certificate, but there is a new key and
therefore the Authority Key Identifier v3 extension differs in the
certs.
Furthermore, if CRLs are always signed by the latest CA cert, CRLs cannot
be checked just by the subject name. The Authority Key Identifier
extension also needs to be taken into account.
The same applies to mod_ssl: it assumes that it can check the
signature of a CRL with the public key retrieved from the certificate
chain it received with the client's certificate (in case of SSL client
authentication). But this does not work out, since the CRL may _not_
be signed by the same key.
I patched OpenSSL (0.9.6) to deal with lookups by key ID. In my version
there are now also symlinks with the subject/authority key ID.
Then I adapted mod_ssl (latest) to look up the CRL signature certificate
by Authority Key Identifier if available.
I know a better solution would have been to implement the lookup
directly via LDAP v3, but OpenLDAP does not have the certificate
matching functions yet (e.g. for key ID), so I did the
quick hack first. If I find time, I'll implement the LDAP lookup
(and possibly the cert matching functions in OpenLDAP), since
this is in my opinion the way to go :)
If you're interested in the patches, let me know and I can send them to
you.
cheers
-mh
--
Michael Hauber, [EMAIL PROTECTED]
DataCore GmbH, Witikonerstrasse 289, 8053 Zurich, Switzerland
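The lookup problem described in the mail, as an added example that is not part of the original post and not the author's OpenSSL or mod_ssl patches. It uses the third-party `cryptography` package and constructs everything inline: two CA certificates with the same subject but different keys (a rollover), and a CRL signed by the newer key. Matching the CRL issuer by subject name alone returns both certs; matching the CRL's Authority Key Identifier against each candidate's Subject Key Identifier picks the right one, and the signature check confirms it. All names, serials and the `with_aki` switch are assumptions for the demo.

```python
"""Select the certificate that signed a CRL by Authority Key Identifier.

Added example (not from the mailing-list post or the patches it mentions).
Requires the third-party `cryptography` package. All inputs are constructed
here: two CA certs sharing one subject (a key rollover) and a CRL signed by
the newer key.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Assumed subject, shared by the old and the new intermediate CA cert.
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Intermediate CA")])


def make_ca_cert(key, serial):
    """Self-signed CA cert for CA_NAME carrying a Subject Key Identifier."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(CA_NAME)
        .issuer_name(CA_NAME)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .sign(key, hashes.SHA256())
    )


def make_crl(signing_key, revoked_serial, with_aki=True):
    """CRL issued under CA_NAME and signed by signing_key; AKI optional."""
    now = datetime.datetime.now(datetime.timezone.utc)
    revoked = x509.RevokedCertificateBuilder().serial_number(revoked_serial).revocation_date(now).build()
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(CA_NAME)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=7))
        .add_revoked_certificate(revoked)
    )
    if with_aki:
        builder = builder.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(signing_key.public_key()),
            critical=False,
        )
    return builder.sign(signing_key, hashes.SHA256())


def candidates_by_subject(crl, certs):
    """Subject-name-only lookup: ambiguous after a rollover."""
    return [c for c in certs if c.subject == crl.issuer]


def find_crl_signer(crl, certs):
    """Return the cert that signed crl, narrowing by AKI/SKI when the CRL has an AKI.

    The key identifier is only a lookup hint; the signature check is the proof.
    Without an AKI every subject match is tried. Returns None if nothing verifies.
    """
    try:
        keyid = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    except x509.ExtensionNotFound:
        keyid = None
    for cert in candidates_by_subject(crl, certs):
        if keyid is not None:
            try:
                ski = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
            except x509.ExtensionNotFound:
                continue
            if ski.digest != keyid:
                continue
        if crl.is_signature_valid(cert.public_key()):
            return cert
    return None


def demo():
    """Rollover scenario: returns (subject matches, AKI picks new CA, old key verifies CRL,
    fallback without AKI still picks new CA)."""
    old_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    new_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    old_ca = make_ca_cert(old_key, serial=1)
    new_ca = make_ca_cert(new_key, serial=2)  # same subject, new key
    certs = [old_ca, new_ca]                   # old one first, as a naive lookup would hit it
    crl = make_crl(new_key, revoked_serial=1000)
    crl_no_aki = make_crl(new_key, revoked_serial=1000, with_aki=False)
    return (
        len(candidates_by_subject(crl, certs)),
        find_crl_signer(crl, certs) is new_ca,
        crl.is_signature_valid(old_key.public_key()),
        find_crl_signer(crl_no_aki, certs) is new_ca,
    )


if __name__ == "__main__":
    print(demo())
```

The order of `certs` matters for the point being made: a verifier that stops at the first subject match would take the old cert, try its key, and reject a perfectly good CRL. Narrowing by key identifier first and then verifying the signature avoids both that failure and the opposite mistake of trusting the AKI without checking the signature.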