> > - U1, U2, U3 are end-user certificates, issued by CA1
> > - U1 is revoked, and the CRL is published (lets call it CRLg1)
>
> The problem here is that you can't trust a CRL when its
> signature key is compromised.
I think that this is not the reason.
If a signature key is compromised but
I forgot to tell that I did these tests with version 1.0.0e.
Le 17/10/2011 14:14, Erwann Abalea a écrit :
Bonjour,
While testing Apache-trunk (which will become apache 2.3.15),
including the patch to use OpenSSL CRL validation, I've come to
disagree with what OpenSSL does.
My scheme is:
-
Le 17/10/2011 16:09, Jakob Bohm a écrit :
On 10/17/2011 3:47 PM, Erwann Abalea wrote:
Le 17/10/2011 14:34, Eisenacher, Patrick a écrit :
Hi Erwann,
-Original Message-
From: Erwann Abalea
Bonjour,
While testing Apache-trunk (which will become apache 2.3.15),
including
the patch to us
On 10/17/2011 3:47 PM, Erwann Abalea wrote:
Le 17/10/2011 14:34, Eisenacher, Patrick a écrit :
Hi Erwann,
-Original Message-
From: Erwann Abalea
Bonjour,
While testing Apache-trunk (which will become apache 2.3.15),
including
the patch to use OpenSSL CRL validation, I've come to
disa
Le 17/10/2011 14:34, Eisenacher, Patrick a écrit :
Hi Erwann,
-Original Message-
From: Erwann Abalea
Bonjour,
While testing Apache-trunk (which will become apache 2.3.15),
including
the patch to use OpenSSL CRL validation, I've come to
disagree with what
OpenSSL does.
My scheme is:
Hi Erwann,
> -Original Message-
> From: Erwann Abalea
>
> Bonjour,
>
> While testing Apache-trunk (which will become apache 2.3.15),
> including
> the patch to use OpenSSL CRL validation, I've come to
> disagree with what
> OpenSSL does.
>
> My scheme is:
> - CA1 is a root (trust anchor)
Bonjour,
While testing Apache-trunk (which will become apache 2.3.15), including
the patch to use OpenSSL CRL validation, I've come to disagree with what
OpenSSL does.
My scheme is:
- CA1 is a root (trust anchor), which is now in its first generation
(lets call it CA1g1)
- U1, U2, U3 are