> > I was under the impression that openssl allows loading multiple CRLs 
> > for the same issuer. But, this does not seem to be the case as is 
> > proved by using "openssl verify".
> >
> > $ ls -l ./ca/
> > total 24
> > lrwxrwxrwx  1 pshah users   10 Jan 28 21:56 ba4bb3b6.0 -> 
> > cacert.pem              -----> the CA cert
> > lrwxrwxrwx  1 pshah users   14 Jan 28 21:56 ba4bb3b6.r0 -> 
> > revoked_48.pem       ----> revokes only cert48.pem
> > lrwxrwxrwx  1 pshah users   14 Jan 28 21:56 ba4bb3b6.r1 -> 
> > revoked_49.pem       -----> revokes only cert49.pem
> > -rw-r--r--  1 pshah users 1233 Jan 28 17:09 cacert.pem
> > -rw-r--r--  1 pshah users  560 Jan 28 17:10 revoked_48.pem
> > -rw-r--r--  1 pshah users  560 Jan 28 17:10 revoked_49.pem
> >
> > $ openssl verify -CApath ./ca/ -crl_check -verbose cert49.pem
> > cert49.pem: OK
> >
> > $ openssl verify -CApath ./ca/ -crl_check -verbose cert48.pem
> > cert48.pem: /C=--/ST=California/L=San Francisco/O=Riverbed Technology, 
> > Inc./OU=Steelhead/CN=hw1-sh18/emailaddress=fakeem...@example.com 
> > <mailto:fakeem...@example.com>
> > error 23 at 0 depth lookup:certificate revoked
> > 29615:error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert 
> > already in hash table:x509_lu.c:418:
> >
> A CRL (Certificate revocation list) is the list of ALL the revoked 
> certificates at the time it is issued.
> So if at time t1 a certificate 48 is revoked,
> then all the subsequent CRLs MUST indicate the certificate 48 as 
> revoked.
> 
> If later at time t2 the certificate 49 is revoked,
> then all the subsequent CRLs MUST indicate that both certificate 48 and 
> certificate 49 are revoked.
> 
> Thus only the last CRL has to be considered. Since the delivery times of 
> the CRLs are close together,
> it is not easy to check in the example which is the last CRL.

I think you misunderstood the question.
The issue at hand is not about "older" and "latest" copies of a
particular (certificate revocation) list, but it is about two *distinct*,
simultaneously valid and active (certificate revocation) lists that are
issued/maintained by the same issuer.

http://tools.ietf.org/html/rfc5280#section-5

   Each CRL has a particular scope.  The CRL scope is the set of
   certificates that could appear on a given CRL.  For example, the
   scope could be "all certificates issued by CA X", "all CA
   certificates issued by CA X", "all certificates issued by CA X that
   have been revoked for reasons of key compromise and CA compromise",
   or a set of certificates based on arbitrary local information, such
   as "all certificates issued to the NIST employees located in
   Boulder".
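To make the distinction concrete, here is an added example of mine (not code from this thread and not OpenSSL's own lookup code) that models how a verifier should choose among several CRLs from one issuer: within one scope the newest current CRL supersedes older ones, while CRLs with distinct scopes (RFC 5280 section 5) are all consulted. The Crl class, the issuer name "CA X", the serials 48/49 and the timestamps are constructed for illustration, and the selection rule is a simplification rather than any library's algorithm.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Crl:
    """Minimal model of a CRL: issuer, validity window, listed serials, scope."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: frozenset          # serial numbers this CRL lists as revoked
    scope: frozenset = None     # None = full CRL covering all the issuer's certs

def applicable_crls(issuer, serial, crls, now):
    """Return the CRLs that govern this certificate at time `now`.

    CRLs are grouped by scope (RFC 5280 section 5). Within one scope a CRL is
    cumulative, so only the newest current one counts; CRLs with distinct
    scopes are independent and all of them are kept.
    """
    best = {}
    for crl in crls:
        if crl.issuer != issuer:
            continue        # issued by someone else
        if not crl.this_update <= now < crl.next_update:
            continue        # stale or not yet valid: do not trust it
        if crl.scope is not None and serial not in crl.scope:
            continue        # this CRL could never list our serial
        if crl.scope not in best or crl.this_update > best[crl.scope].this_update:
            best[crl.scope] = crl
    return list(best.values())

def is_revoked(issuer, serial, crls, now):
    """True if any applicable CRL lists the serial; error if none covers it."""
    chosen = applicable_crls(issuer, serial, crls, now)
    if not chosen:
        raise LookupError(f"no current CRL from {issuer!r} covers serial {serial}")
    return any(serial in crl.revoked for crl in chosen)

# Constructed sample data modelled on the thread: one CA, cert 48 revoked at t1,
# cert 49 revoked at t2, each CRL listing only "its" certificate.
T1 = datetime(2009, 1, 28, 17, 10)
T2, NOW, WEEK = T1 + timedelta(minutes=30), T1 + timedelta(hours=2), timedelta(days=7)
# Case A: both are full CRLs, so the t2 CRL supersedes the t1 CRL and 48 is lost.
FULL_CRLS = [Crl("CA X", T1, T1 + WEEK, frozenset({48})),
             Crl("CA X", T2, T2 + WEEK, frozenset({49}))]
# Case B: two CRLs with distinct scopes, both valid at once, both consulted.
SCOPED_CRLS = [Crl("CA X", T1, T1 + WEEK, frozenset({48}), frozenset({48})),
               Crl("CA X", T2, T2 + WEEK, frozenset({49}), frozenset({49}))]
print({s: (is_revoked("CA X", s, FULL_CRLS, NOW), is_revoked("CA X", s, SCOPED_CRLS, NOW)) for s in (48, 49)})
```

In case A the verifier treats 48 as valid again because the newer full CRL no longer lists it, which is the situation a full CRL must never produce; in case B both lists are consulted and both certificates stay revoked.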