CRLs are signed by the CA certificate whose subsidiary certificates are mentioned (or not) in the CRL. So a CRL is verified just like any other signed document. You need any certificates in the chain, which may or may not be supplied along with the CRL, see PKCS#7 format and/or the openssl crl2pkcs7 command at http://www.openssl.org/docs/apps/crl2pkcs7.html
In addition you need an independently trusted copy of the root certificate, just like with verifying ANY certificate or signing.
PAILLETTE Frédéric wrote:
Hi all!
I don't understand how CRLs are verified; can someone explain it to me a little, please?
CRLs are not included in the certificate, but a link to the CRL is included in the certificate issuer, no?
If a certificate contains a link, how is the pointed-to CRL verified?
Good luck, my friend
-- "An Internet-connected Windows machine is tantamount to a toddler carrying a baggie of $100 bills down a city street..."
Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
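The check described in the reply above, as an added example that is not part of the original messages: a CRL verifies only against an independently trusted copy of the issuing CA certificate, and a certificate shipped alongside the CRL in a PKCS#7 file is not a trust anchor. The CA name "Example Test CA", the file names and the function names are constructed for the demo; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example; every name, subject and file here is constructed for the demo.

# make_ca DIR: throwaway self-signed CA "Example Test CA" plus an empty CRL it signs.
make_ca() {
  mkdir -p "$1" && : > "$1/index.txt" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
  # "openssl ca -gencrl" needs only a revocation database, a digest and a lifetime.
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $1/index.txt
default_md = sha256
default_crl_days = 1
EOF
  openssl ca -gencrl -config "$1/ca.cnf" -cert "$1/ca.pem" \
    -keyfile "$1/ca.key" -out "$1/crl.pem" 2>/dev/null
}

# crl_signed_by CRL CERTS: true only if the CRL signature verifies under a
# certificate in CERTS whose subject equals the CRL issuer name.
crl_signed_by() {
  openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q "verify OK"
}

# crl_demo: prints the three results on one line.
crl_demo() {
  t=$(mktemp -d) || return 1
  make_ca "$t/real" && make_ca "$t/other" || { rm -rf "$t"; return 1; }
  # The "other" CA has the same subject name but a different key. Its CRL is
  # packaged together with its own certificate in one PKCS#7 file.
  openssl crl2pkcs7 -in "$t/other/crl.pem" -certfile "$t/other/ca.pem" -out "$t/b.p7b"
  openssl pkcs7 -in "$t/b.p7b" -print_certs -out "$t/bundled.pem"
  genuine=no; forged=no; bundled=no
  crl_signed_by "$t/real/crl.pem"  "$t/real/ca.pem" && genuine=yes
  crl_signed_by "$t/other/crl.pem" "$t/real/ca.pem" && forged=yes
  # Checking against the certificate that travelled with the CRL proves nothing.
  crl_signed_by "$t/other/crl.pem" "$t/bundled.pem" && bundled=yes
  rm -rf "$t"
  echo "genuine=$genuine forged=$forged bundled=$bundled"
}
```

The result is matched on the "verify OK" text rather than the exit status, because the status of `openssl crl` on a bad signature is not relied on here.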