httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45708] CRL verification fails if CA have distinct AKID for CRL and client certificates
Date Tue, 06 Jul 2010 18:10:34 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

--- Comment #8 from Erwann Abalea <erwann.abalea@keynectis.com> 2010-07-06 14:10:32 EDT ---
(In reply to comment #2)
> *** Bug 45683 has been marked as a duplicate of this bug. ***

This is technically not really a duplicate of this bug. In this bug (#45863),
the described situation doesn't conform to the X.509 standard if the 2 CRLs
cover the whole set of certificates (i.e. if they're not partitioned, which
actual mod_ssl code doesn't deal with).

The proposed patch will solve their error, by masking it, which is sub-optimal.
It's OK if the 2 CRLs are "full ones" (not partitioned), and if they contain
the same revocation information (i.e. the exact same list of revoked
certificates).
If this is not the case, then this CA doesn't do its job correctly, which is
not Apache/mod_ssl's fault.
