On Fri, Oct 30, 2009, Adam Rosenstein wrote:

> Ahh, that explains it.  Thanks for looking into it.
> 
> The documentation on iCRLs was a little cryptic to me.  It said that no
> lookup methods were used (?).  Now you say the store is also not used.  How
> do I get the iCRL into the verification process?  Also, does the current
> 1.0.0 icrl code enforce the "same trust-anchor" method of tying iCRL issuer
> to the CA it is revoking for?
> 

You can get CRLs into the process using X509_STORE_CTX_set0_crls(). As
indicated in the docs, some protocols (PKCS#7 and CMS) do this automatically.

At some point indirect CRL lookup using stores will be included too. The
indirect CRL code though is very new and (apart from the PKITS tests)
untested.

Yes it does include the same trust anchor requirement of RFC5280. Some
security concerns have been raised on the PKIX mailing lists about the
possibilities of unauthorised CRLs being accepted in some scenarios which is
why the indirect CRL checking is disabled by default.

> I'd be happy to help continue testing indirect CRLs, as they are a feature
> we would like.  We have root and first-level intermediate CAs on smartcards
> "offline" (in a safe) because they are infrequently used.  We would like to
> have a single indirect CRL issuer (issued by root) so we can require full
> chain CRL checking AND enforce timely updates to the CRLs while keeping our
> infrequently used private keys out of normal circulation.
> 

Having a single CRL might cause problems with circular dependencies. There was
a PKITS test that included this but it was later marked as not being required.

It's a case of how you issue a CRL for the indirect CRL issuer. If
it issues a CRL covering itself then it is effectively indicating its own
validity. In the case of the indirect CRL issuer private key being compromised
that is of course not trustworthy.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
