On Sat, Jan 15, 2005, Massimiliano Pala wrote:

> Dr. Stephen Henson wrote:
> [...]
> >Check to see if the CRL has an authority key id and if so if it matches the
> >subject key id of the CA you are using. If not then the problem is that the
> >wrong CA and hence wrong public key is being used to verify the CRL
> >signature.
>
> You are right, unfortunately I have to deal with a PKI where multiple
> certs are issued to every SubCA -- all of them are valid at the same time,
> and issued to the same Subject, what changes is the Key and the keyUsage...
> a real mess...
>
> I guess no 'standard' client is capable of verifying correctly the CRLs as
> the certificate used to issue certs is not the same used to sign CRLs...
> aaaarrrgghh!
>
It's something which may be supported at some stage.

Can you send me the CAs and CRLs involved so I can check them?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
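The check Steve describes (compare the CRL's Authority Key Identifier with the Subject Key Identifier of each candidate CA certificate, and only then verify the signature) is what a client needs in a PKI like Massimiliano's, where several CA certificates share one Subject but carry different keys. The script below is an added example, not code from this thread or from the OpenSSL project. It uses the `openssl` command-line tool to construct two CA certificates with the same Subject (the name "Demo Sub CA", the temporary file names and the minimal configuration are all constructed for the demonstration), signs a CRL with the second one, then selects the signing certificate by key identifier before handing it to `openssl crl -verify`. The `key_id_after` helper accepts both the `keyid:` form printed by OpenSSL 1.x and the bare hex form printed by OpenSSL 3.x.

```shell
#!/bin/sh
# Added demo (not from the thread): select the CA certificate whose Subject Key
# Identifier matches a CRL's Authority Key Identifier before verifying the CRL.
# Requires the openssl CLI. Every name and file here is constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal configuration for `openssl req -x509` and `openssl ca -gencrl`.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
default_md       = sha256
default_crl_days = 30
policy           = policy_any
crl_extensions   = crl_ext
[ policy_any ]
commonName       = supplied
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = Demo Sub CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
touch index.txt
echo 01 > serial

# Two CA certificates with the identical Subject "CN = Demo Sub CA" but
# different keys, mirroring the multi-certificate SubCA described above.
for n in 1 2; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config ca.cnf -keyout "ca$n.key" -out "ca$n.pem" 2>/dev/null
done

# Issue an (empty) CRL signed by the SECOND certificate's key.
openssl ca -config ca.cnf -gencrl -cert ca2.pem -keyfile ca2.key \
    -out crl.pem 2>/dev/null

# Print the hex key identifier that follows an extension heading in
# `openssl ... -text` output. OpenSSL 1.x prefixes the AKI value with
# "keyid:", OpenSSL 3.x prints the bare value; both are normalised here.
key_id_after() {  # $1 = extension name, stdin = -text output
    grep -A1 "$1" | tail -n 1 \
        | sed -e 's/^[[:space:]]*//' -e 's/^keyid://' -e 's/[[:space:]]*$//'
}

crl_aki()  { openssl crl  -in "$1" -noout -text | key_id_after 'Authority Key Identifier'; }
cert_ski() { openssl x509 -in "$1" -noout -text | key_id_after 'Subject Key Identifier'; }

# Among candidate CA certificates, print the one whose SKI equals the CRL's
# AKI. Returns 1 when the CRL has no AKI or no candidate matches.
crl_signer_cert() {  # $1 = CRL file, $2.. = candidate CA certificate files
    crl="$1"; shift
    aki=$(crl_aki "$crl")
    [ -n "$aki" ] || return 1
    for c in "$@"; do
        if [ "$(cert_ski "$c")" = "$aki" ]; then
            echo "$c"
            return 0
        fi
    done
    return 1
}

# `openssl crl -verify` reports the outcome on stderr and exits 0 either way,
# so success is determined from the "verify OK" line rather than the exit code.
crl_verifies_with() {  # $1 = CRL file, $2 = CA certificate file
    openssl crl -in "$1" -noout -verify -CAfile "$2" 2>&1 | grep -q '^verify OK'
}

SIGNER=$(crl_signer_cert crl.pem ca1.pem ca2.pem)
echo "CRL AKI $(crl_aki crl.pem) matches SKI of $SIGNER"
if crl_verifies_with crl.pem "$SIGNER"; then
    echo "CRL signature verified with $SIGNER"
fi
if ! crl_verifies_with crl.pem ca1.pem; then
    echo "as expected, the same-Subject certificate ca1.pem does NOT verify the CRL"
fi
```

Picking the certificate by Subject alone would have tried ca1.pem first and reported a signature failure, which is exactly the symptom discussed in the thread; matching on the key identifier first makes the selection unambiguous even though both certificates name the same issuer.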