[xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain
Aleksey Sanin
aleksey at aleksey.com
Tue Dec 20 12:34:03 PST 2005
No, according to the XML Sig spec, you MUST check
the CRL from the XML document. From the general
point of view, it does make sense to also check
the "stored" CRL (if any).
Aleksey
Edward Shallow wrote:
> Re:
> I'm not sure it's necessary to check for CRL from XML document if valid CRL
> is installed, though it's necessary to check for CRL from XML if chain
> status is CERT_TRUST_REVOCATION_STATUS_UNKNOWN ...
>
> Dmitry
>
> This makes sense given that Verification Authorities tend to keep very
> up-to-date CRL lists which have new entries posted within the "Next Update"
> timeframe of the current CRL.
>
> As such the order would be
>
> 1) check for valid non-expired CRL from store (assuming something is keeping
> them up to date in that store)
>
> 2) check CRL in document only if nothing exists in 1) above
>
> Ed
>
>
>