If I just try to describe the problem in a different way it would be: According to the RFC, is it an error for a certificate and its chain not to have any CRLs and CRL distribtuion points?
If the answer to the above is yes, then what OpenSSL does is OK because the programmer would have to explicitly by way of writing callbacks or by way of disabling CRLs altogether handle the situation. If the answer is no, then the body of code that is operating today on the Internet and is using SSL (think of it as browsers) should operate with no errors. In this sense, OpenSSL would be an exception because its default and natural implementation causes an error. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org