On Wed, Mar 16, 2011, Jeff Saremi wrote:

> If I call X509_STORE_get1_crls(ctx, nm) with nm being the issuer name,
> the method is supposed to return a list of CRLs with that issuer name.
> How does it do that when it comes to CRLs issued by a CRL issuer
> authorized by the original issuer?
> Does it use Authority Key Identifier?

Well, that issuer name is a guide for the simplest case. For indirect CRLs it can get more complex.

In general you return any CRLs you think might be relevant for the current certificate and return them. It doesn't matter if some are incorrect (wrong issuer) or not current, they will be scored and the most appropriate one used.

You might for example download CRLs from CRLDP in the current certificate (possibly cached) and return all of them.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org