Today, 4 May 2011, Viliam Ďurina wrote:
> Thanks very much for the hints. Finally, I decided to generate CRL for three
> years and replace it, when something needs to be revoked, if ever. I think
> the support is not good. We will have to distribute the CRL issuer
> certificate to partner applications to be able to verify the CRL signature.
> And generally, the support and knowledge about indirect crl is low among
> developers...

That could lead to a problem with crypto toolkits that try to fetch a new CRL only when the current one has expired (it was a common behaviour some years ago, I don't know how this evolved).

You could also pre-generate several CRLs, with a 1 month validity period, and "disclose" a new one regularly.

--
Erwann ABALEA <erwann.aba...@keynectis.com>
R&D Department
KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tel.: +33 1 55 64 22 07
http://www.keynectis.com
-----
Mammal: said of an animal with a skeleton, hairy, that gives milk. Example: a coconut.
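
The caching problem raised in the reply, as an added example that is not part of the original thread: a small model of a client that refetches a CRL only once its cached copy passes nextUpdate, compared against one three-year CRL and against 36 pre-generated monthly CRLs. The function names, the 30-day month, the 3 x 365-day period and the assumption that the CA republishes the current and later CRLs immediately on revocation are all illustrative assumptions.

```python
from datetime import datetime, timedelta


def crl_schedule(start, count, validity):
    """Back-to-back CRL validity windows as (thisUpdate, nextUpdate) pairs."""
    windows = []
    this_update = start
    for _ in range(count):
        windows.append((this_update, this_update + validity))
        this_update += validity
    return windows


def first_fetch_after(windows, revoked_at):
    """When an expiry-driven client first downloads a CRL after a revocation.

    Assumed client behaviour: fetch at the start of the schedule, cache the
    CRL until its nextUpdate, then fetch again. Assumed CA behaviour: the
    published CRL is replaced as soon as a certificate is revoked, so any
    fetch at or after revoked_at returns a CRL that lists it.
    """
    fetch_time = windows[0][0]
    while fetch_time < revoked_at:
        current = [w for w in windows if w[0] <= fetch_time < w[1]]
        if not current:
            raise ValueError("no valid CRL is published at %s" % fetch_time)
        # Cache the newest valid CRL and do not look again until it expires.
        fetch_time = max(current, key=lambda w: w[0])[1]
    return fetch_time


def revocation_delay(windows, revoked_at):
    """How long the revoked certificate is still accepted by that client."""
    return first_fetch_after(windows, revoked_at) - revoked_at


if __name__ == "__main__":
    start = datetime(2011, 5, 4)             # constructed sample dates
    revoked_at = start + timedelta(days=45)  # constructed revocation time
    single = crl_schedule(start, 1, timedelta(days=3 * 365))
    monthly = crl_schedule(start, 36, timedelta(days=30))
    print("three-year CRL:", revocation_delay(single, revoked_at))
    print("monthly CRLs:  ", revocation_delay(monthly, revoked_at))
```
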