No, according to XML Sig spec, you MUST check
the CRL from XML document. From the general
point of view, it does make sense to also check
the "stored" CRL (if any).

Aleksey

Edward Shallow wrote:
I'm not sure it's necessary to check for CRL from XML document if valid CRL
is installed, though it's necessary to check for CRL from XML if chain
status is CERT_TRUST_REVOCATION_STATUS_UNKNOWN ...

Dmitry

This makes sense given that Verification Authorities tend to keep very
up-to-date CRL lists which have new entries posted within the "Next Update"
timeframe of the current CRL.

As such the order would be
1) check for valid non-expired CRL from store (assuming something is keeping
them up to date in that store)

2) check CRL in document only if nothing exists in 1) above

Ed
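The two orderings discussed in this thread (Ed's "store first, document only if the store has nothing" and Aleksey's "always check the document CRL, plus the stored one") can be written out side by side. The following is an added example, not code from xmlsec or from any of the posters; it uses a constructed stand-in for a parsed CRL rather than a real X.509 parser, and the issuer name, serial numbers and validity dates are placeholders. It also carries the thread's "Next Update" point through: a CRL is only consulted while it is inside its thisUpdate/nextUpdate window, and when no usable CRL exists the result is "unknown" rather than "good".

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Sequence


@dataclass(frozen=True)
class Crl:
    """Minimal stand-in for a parsed X.509 CRL (constructed for this example,
    not a real parser). Only the fields the ordering decision needs are kept."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int] = field(default_factory=frozenset)

    def is_current(self, now: datetime) -> bool:
        # A CRL may only be relied on inside its validity window
        # (thisUpdate <= now < nextUpdate); outside it the list is stale.
        return self.this_update <= now < self.next_update


def current_crls(crls: Sequence[Crl], issuer: str, now: datetime) -> List[Crl]:
    """Keep only CRLs from the certificate's issuer that are still valid now."""
    return [c for c in crls if c.issuer == issuer and c.is_current(now)]


def revocation_status(issuer: str, serial: int,
                      store_crls: Sequence[Crl], doc_crls: Sequence[Crl],
                      now: datetime, policy: str = "both") -> str:
    """Return 'revoked', 'good' or 'unknown' for the certificate (issuer, serial).

    policy="store-first": the ordering proposed in the thread; use a current
        CRL from the local store and consult the CRL carried in the XML
        document only when the store has none.
    policy="both": always consult the document CRL (as the XML Signature
        reply insists) and additionally any current CRL from the store;
        a serial listed on any consulted CRL counts as revoked.
    """
    from_store = current_crls(store_crls, issuer, now)
    from_doc = current_crls(doc_crls, issuer, now)
    if policy == "store-first":
        consulted = from_store if from_store else from_doc
    elif policy == "both":
        consulted = from_doc + from_store
    else:
        raise ValueError(f"unknown policy: {policy}")
    if not consulted:
        # No usable CRL at all: report unknown, never silently 'good'.
        return "unknown"
    if any(serial in c.revoked_serials for c in consulted):
        return "revoked"
    return "good"


# Constructed scenario: the stored CRL is still inside its nextUpdate window
# but was fetched before the certificate was revoked; the signer embedded a
# newer CRL (issued after the revocation) in the signed document.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
ISSUER = "CN=Example Issuing CA"   # placeholder issuer name
SERIAL = 0x1234                     # placeholder certificate serial

STORE_CRL = Crl(ISSUER, NOW - timedelta(days=5), NOW + timedelta(days=2),
                frozenset({0x0001}))
DOC_CRL = Crl(ISSUER, NOW - timedelta(days=1), NOW + timedelta(days=6),
              frozenset({0x0001, SERIAL}))
EXPIRED_CRL = Crl(ISSUER, NOW - timedelta(days=30), NOW - timedelta(days=23),
                  frozenset({SERIAL}))


def demo() -> dict:
    """Run both policies over the constructed scenario."""
    return {
        "store-first": revocation_status(ISSUER, SERIAL, [STORE_CRL], [DOC_CRL], NOW, "store-first"),
        "both": revocation_status(ISSUER, SERIAL, [STORE_CRL], [DOC_CRL], NOW, "both"),
        "expired-only": revocation_status(ISSUER, SERIAL, [EXPIRED_CRL], [], NOW, "store-first"),
    }


if __name__ == "__main__":
    for policy, status in demo().items():
        print(f"{policy:12s} -> {status}")
```

In the constructed scenario the two orderings disagree: "store-first" accepts the certificate because the stored CRL is still within its Next Update window, while "both" sees the newer document CRL and reports it revoked. That is the trade-off the thread is circling: a stored CRL being non-expired is not the same as it being the most recent list the issuer has published, so skipping the document CRL whenever the store has a current one can miss a revocation that the signer's own embedded CRL already records.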

_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec