The following point is unclear to me:

>>a) CRL is valid (regarding issuance time)
>>   if thisUpdate >= checkTime and thisUpdate <= now.

As far as I understand:

The X509 and 3280 validation algorithms only have ONE
point in time, which is considered either as 'now'
or 'time to check' according to your personal taste.

Either the machine implementing the algo has a local clock,
so it initializes the time to check to it, or
you give it to the algo from some other source.

Thus, using the current time, as well as the
check time cannot correspond to anything defined,
or 

  X509_cmp_time(X509_CRL_get_lastUpdate(crl), NULL)

looks problematic to me. 

I don't understand:  thisUpdate >= checkTime
Isn't this the other way around? 

A CRL is valid when the time to check is
between thisUpdate and nextUpdate?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
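
The two readings discussed in this message, side by side, as an added example that is not part of the original post and not OpenSSL code. It models times as plain `time_t` values instead of `ASN1_TIME`; the function names, the sample values and the treatment of a missing nextUpdate as "no upper bound" are assumptions made for illustration.

```c
#include <stdio.h>
#include <time.h>

/* Result of checking a CRL against ONE reference time. */
enum crl_time_status { CRL_NOT_YET_VALID, CRL_IN_WINDOW, CRL_EXPIRED };

/* Window reading: thisUpdate <= check_time <= nextUpdate.
 * has_next == 0 models a CRL that carries no nextUpdate field
 * (assumption: treated here as having no upper bound). */
enum crl_time_status crl_window_check(time_t this_update, int has_next,
                                      time_t next_update, time_t check_time)
{
    if (check_time < this_update)
        return CRL_NOT_YET_VALID;
    if (has_next && check_time > next_update)
        return CRL_EXPIRED;
    return CRL_IN_WINDOW;
}

/* Quoted rule (a): thisUpdate >= checkTime and thisUpdate <= now.
 * Note that it needs two clocks: the check time and the wall clock. */
int crl_rule_a(time_t this_update, time_t check_time, time_t now)
{
    return this_update >= check_time && this_update <= now;
}

int main(void)
{
    /* Constructed values: seconds since an arbitrary epoch. */
    const time_t this_update = 1000, next_update = 2000, now = 5000;
    const time_t checks[] = { 500, 1000, 1500, 2500 };
    static const char *names[] = { "not-yet-valid", "in-window", "expired" };

    /* Print where the two readings agree and where they differ. */
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++)
        printf("check=%ld window=%s rule_a=%d\n", (long)checks[i],
               names[crl_window_check(this_update, 1, next_update, checks[i])],
               crl_rule_a(this_update, checks[i], now));
    return 0;
}
```

In OpenSSL itself, passing `NULL` as the second argument of `X509_cmp_time()` compares against the current time, while passing a pointer to a `time_t` compares against that supplied time.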