I am working with CRLs and signatures in e-mail; I have the following
problem with Netscape Messenger (4.61).

I emitted two certificates (say UserA and UserB). I gave them to a couple of
friends. UserA wrote me a signed e-mail. After that I revoked UserB's
certificate and published a CRL. Then I told him (UserB) to write me a
signed e-mail.
Of course before downloading the CRL into Netscape both e-mails had no
problems. I expected that after getting the CRL UserA's mail would look good
and UserB would be marked as invalid because of the revocation.
To my surprise, UserA's e-mail is marked as invalid because:
"The error was: The certificate revocation list for this site's certificate
is not yet valid.
Reload a new certificate revocation list."
UserB's e-mail is correctly rejected because:
"The error was: This operation cannot be performed because a required
certificate has
been revoked."

What does it mean that "the certificate revocation list is not yet valid"? I
have no newer CRL to download (and it would make little sense to publish one
now, because the one I have is anyway newer than CertA)!

Doing the same with Outlook Express gives no problems (only CertB is
rejected).

The CRL was downloaded as application/x-pkcs7-crl

Any help?
Shall I publish a CRL BEFORE any e-mail is sent between my users?

Stefano Bergamasco

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
