Expected cert-path validation behavior

2008-10-15 Thread Vineet Kumar
I was browsing through NIST's "Conformance Testing of Relying Party Client Certificate Path Processing Logic" document where I am not sure whether "Test 19" has the correct conformance expectation: --- Test 19-- The following path should not be successfully validated; it contains a path without re

Re: Expected cert-path validation behavior

2008-10-15 Thread Patrick Patterson
Hello Vineet: On October 15, 2008 02:40:52 pm Vineet Kumar wrote: > I was browsing through NIST's "Conformance Testing of Relying Party > Client Certificate Path Processing Logic" document where I am not > sure whether "Test 19" has the correct conformance expectation: > --- Test 19-- > The follo

Re: Expected cert-path validation behavior

2008-10-15 Thread Vineet Kumar
It doesn't look like cert_crl() in openssl code follows what you refer to as "strict" revocation check. Neither does the RFC. Is there a doc/RFC that outlines strict revocation criteria? Am I right in saying that openssl does not do that? Thanks, Vineet On Wed, Oct 15, 2008 at 11:48 AM, Patrick P

Re: Expected cert-path validation behavior

2008-10-15 Thread Dr. Stephen Henson
On Wed, Oct 15, 2008, Vineet Kumar wrote: > It doesn't look like cert_crl() in openssl code follows what you refer > to as "strict" revocation check. Neither does the RFC. Is there a > doc/RFC that outlines strict revocation criteria? Am I right in saying > that openssl does not do that? > OpenS

Re: Expected cert-path validation behavior

2008-10-15 Thread Vineet Kumar
Yes, but it looks like if openssl has to conform to JITC tests then in order to accept an EE, a CRL **signed by EE's CA** better be present. It doesn't matter if a CRL is present but signed by some other CA in the cert-chain, no? This strictness of who the CRL's signer should be can make sense in r

Re: Expected cert-path validation behavior

2008-10-15 Thread Patrick Patterson
Vineet Kumar wrote: > Yes, but it looks like if openssl has to conform to JITC tests then in > order to accept an EE, a CRL **signed by EE's CA** better be present. > It doesn't matter if a CRL is present but signed by some other CA in > the cert-chain, no? This strictness of who the CRL's signer s

Re: Expected cert-path validation behavior

2008-10-16 Thread Vineet Kumar
Thanks, I am convinced now and also reconciled what you said with the code in the subroutine: check_crl(). Thanks once again, Vineet On Wed, Oct 15, 2008 at 2:51 PM, Patrick Patterson <[EMAIL PROTECTED]> wrote: > Vineet Kumar wrote: >> Yes, but it looks like if openssl has to conform to JITC tes

Re: Expected cert-path validation behavior

2008-11-12 Thread Vineet Kumar
Hi Patrick and Steve, Just to confirm one last thing about the NIST/RFC3280 discussion below again: if there is no CRL present at all for a given CA and we are doing strict revocation information checking, then we fail the associated request? Or in other words, is absence of a CRL for a given CA