OCSP service dependant on time valid CRLs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

I was researching how expired CRLs affect revocation checking via openssl.

* TEST #1: *The first test was to find out what status is returned when i
verify a certificate against the CRL:

[dan at canttouchthis PKI]$ openssl verify -CAfile CAS/cabundle.pem -CRLfile
CRLS/ABC-expired.crl -crl_check CERTS/0x500c8bd-revoked.pem




*CERTS/0x500c8bd-revoked.pem: C = us, O = ORG, OU = LAB, OU = ABC, OU =
D002, CN = test error 12 at 0 depth lookup:CRL has expiredC = us, O = ORG,
OU = LAB, OU = ABC, OU = D002, CN = test error 23 at 0 depth
lookup:certificate revoked*

as you can see the client *WAS* informed the certificate was *revoked*,
even though the CRL was expired.


*TEST #2: *Next test was using OCSP:

[dan at canttouchthis PKI]$ openssl ocsp -CAfile CAS/cabundle.pem -VAfile
VAS/def_ocsp.pem -issuer CAS/IC\ ABC\ CA3\ DEV.cer -cert
CERTS/0x500c8bd-revoked.pem -url http://ocspresponder:8080



*Response verify OK CERTS/0x500c8bd-revoked.pem: unknown This Update: Dec 9
20:48:26 2015 GMT*

as you can see the client *was NOT *informed the certificate was revoked.

We are using a 3rd party vendors OCSP service, and I am of the opinion that
an OCSP service should provide a revoked response regardless of the time
validity of the CRL.

I have read RFC 2560 & 6960 many times, and have not been able to find
explicit guidance on this scenario. I am interested in the community
opinion on this issue, and any pertinent mandatory guidance.

My end goal is either to convince our vendor to provide a revoked status
regardless of the CRLs expiration OR justify why an OCSP service should
ignore issuers with expired CRLs. I'm looking forward to any feedback
provided.

--Dan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151210/0b9ad628/attachment.html>


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux