Jon Bendtsen wrote:

I can verify a certificate against a root certificate, with
openssl verify -CAfile root.ca rsacert.pem
but how do I know that the certificate I try to verify has not been revoked?

At the risk of seeming to oversimplify a VERY complicated issue:

1. You have been downloading Certificate Revocation Lists (CRLs)
from the CA that issued the certificate, so you have a current CRL,
and the serial number of the certificate in question does NOT appear
on that CRL (this is one reason serial numbers must be unique).

-or-

2. You conduct an Online Certificate Status Protocol (OCSP)
transaction with the verification point listed in the certificate.

I suspect consulting the appropriate Internet RFC documents
might be informative, although googling for OCSP and/or
Certificate Revocation Lists would also bring in much info...

Note that this must be done by the "verifying party", which in most
cases on the Internet is a web browser like IE or Netscape,
so we don't have access to the source code and we are at the
mercy of the software vendors as to how and when this is done.

My sense at this point is that there is not a whole lot of OCSP
being done out there (comments?) nor do end-users really
religiously download CRLs, so the issue of revocation is a bit
of an embarrassment for the PKI community as a whole.

Maybe this is one of the reasons why PKI is "three years out,
and has been for the past five years"...

For our part, we are issuing fairly short-lived (1 year) end user
certificates, knowing that if worst comes to worst, our losses
are limited to one year's exposure.  We hope that is good enough
for a medium security PKI.

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
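Added example, not part of the thread: option 1 from the reply carried out with openssl alone. A throw-away CA ("demo-root"), a leaf certificate and two CRLs are constructed in a temporary directory; the point is that plain "openssl verify" says nothing about revocation until you hand it a current CRL with -crl_check.

```shell
#!/bin/sh
# Added example (not from the thread): the CRL check from option 1, using
# only openssl. The CA "demo-root", the leaf and the CRLs are constructed here.
set -e; WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/root.pem
private_key = $dir/root.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
x509_extensions = v3_leaf
[ any ]
commonName = supplied
[ v3_leaf ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = dn
[ dn ]
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber
# Self-signed root CA, then a leaf certificate issued by it (serial 01).
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj /CN=demo-root -days 365 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj /CN=demo-leaf 2>/dev/null
openssl ca -batch -config ca.cnf -notext -in leaf.csr -out leaf.pem 2>/dev/null
# check_revocation CERT CRL: verify alone ignores revocation; -crl_check looks the serial up in the -CRLfile.
check_revocation() {
  out=$(openssl verify -CAfile root.pem -crl_check -CRLfile "$2" "$1" 2>&1) || true
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo valid ;;
    *)                       echo "error: $out" ;;
  esac
}
openssl ca -config ca.cnf -gencrl -out crl-before.pem 2>/dev/null  # CRL with no entries
openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null             # mark serial 01 revoked
openssl ca -config ca.cnf -gencrl -out crl-after.pem 2>/dev/null   # CRL now lists serial 01
echo "before revocation: $(check_revocation leaf.pem crl-before.pem)"
echo "after revocation:  $(check_revocation leaf.pem crl-after.pem)"
```

The CRL is only as current as your last download: a CRL fetched before the revocation still reports the certificate as valid, which is exactly the gap the reply describes.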

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]