aleksey at aleksey.com
Tue Dec 20 12:34:03 PST 2005
No, according to the XML Sig spec, you MUST check
the CRL from the XML document. From the general
point of view, it does make sense to also check
the "stored" CRL (if any).
Edward Shallow wrote:
> I'm not sure it's necessary to check for CRL from XML document if valid CRL
> is installed, though it's necessary to check for CRL from XML if chain
> status is CERT_TRUST_REVOCATION_STATUS_UNKNOWN ...
> This makes sense given that Verification Authorities tend to keep very
> up-to-date CRL lists which have new entries posted within the "Next Update"
> timeframe of the current CRL.
> As such the order would be
> 1) check for valid non-expired CRL from store (assuming something is keeping
> them up to date in that store)
> 2) check CRL in document only if nothing exists in 1) above
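
The two orderings discussed in this thread can give different answers for the same certificate. The sketch below is an added example, not part of the original messages and not xmlsec code: the `Crl` class, the function names and the sample CRLs are constructed for illustration, and CRL signature and issuer checks are assumed to have been done already.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Crl:
    """Simplified CRL model (assumption): validity window plus revoked serials."""
    this_update: datetime
    next_update: datetime
    revoked: frozenset

    def is_current(self, now):
        return self.this_update <= now < self.next_update

def store_first(serial, store_crl, doc_crl, now):
    """Quoted proposal: use the document CRL only if the store has no valid CRL.
    Returns True (revoked), False (not revoked) or None (status unknown)."""
    if store_crl is not None and store_crl.is_current(now):
        return serial in store_crl.revoked
    if doc_crl is not None and doc_crl.is_current(now):
        return serial in doc_crl.revoked
    return None

def check_both(serial, store_crl, doc_crl, now):
    """Reply's position: always consult the document CRL, and the stored CRL
    as well when there is one. Revoked in any current CRL means revoked."""
    usable = [c for c in (doc_crl, store_crl)
              if c is not None and c.is_current(now)]
    if not usable:
        return None
    return any(serial in c.revoked for c in usable)

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: the stored CRL is still inside its "Next Update"
# window, but the CRL shipped in the document is newer and lists one more serial.
NOW = utc(2005, 12, 20)
STORE_CRL = Crl(utc(2005, 12, 1), utc(2006, 1, 1), frozenset({0x10}))
DOC_CRL = Crl(utc(2005, 12, 15), utc(2006, 1, 15), frozenset({0x10, 0x2A}))

if __name__ == "__main__":
    for name, policy in (("store_first", store_first), ("check_both", check_both)):
        print(name, "-> revoked:", policy(0x2A, STORE_CRL, DOC_CRL, NOW))
```

With the store-first order, a stored CRL that has not yet reached its next update hides the newer revocation carried in the document; checking both CRLs reports it.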