Posted to dev@santuario.apache.org by Miroslav Nachev <mi...@space-comm.com> on 2007/03/01 16:11:47 UTC

JAVASEC - RFC-3280 4.2.1.14. CRL Distribution Points

Hi,

I found that I cannot do the certificate validation because, in the
checked certificate, "onlySomeReasons" is associated with the
distribution points:
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://crl.infonotary.com/crl/qsign-company-ca.crl
     CRL Reason=Key Compromise, Affiliation Changed, Cessation of Operation, Certificate Hold (56)
[2]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap://ldap.infonotary.com/dc=qsign-company-ca,dc=infonotary,dc=com
     CRL Reason=Key Compromise, Affiliation Changed, Cessation of Operation, Certificate Hold (56)

The CRL checker in JDK6 assumes that the distribution point contains
revocations for all reason codes, and because of that conflict the
certificate cannot be validated.

My question is: why do you assume that ALL certificates in the world MUST
contain all CRL reason codes? Is this some unwritten rule?


Best Regards,
Miroslav Nachev
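
The following is an added example, not part of the original message and not JDK or Santuario code: it decodes the ReasonFlags octet from the dump above and accumulates the reasons_mask across distribution points as in RFC 3280 section 6.3.3. It assumes the "(56)" in the dump is the hexadecimal ReasonFlags octet, that no CRL narrows its scope further with its own onlySomeReasons, and that the certificate is not listed on any fetched CRL; all function names are hypothetical.

```python
# Added illustration; names are hypothetical, not JDK or Santuario code.
# ReasonFlags bit positions from RFC 3280 section 4.2.1.14. Bit 0 is the
# most significant bit of the first content octet of the BIT STRING.
REASON_FLAGS = [
    "unused", "keyCompromise", "cACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold",
    "privilegeWithdrawn", "aACompromise",
]
# "all-reasons" in RFC 3280 section 6.3.3: every defined reason code.
ALL_REASONS = frozenset(REASON_FLAGS[1:])


def decode_reason_flags(bits: bytes) -> frozenset:
    """Decode ReasonFlags content octets (without the unused-bits octet)."""
    found = set()
    for index, name in enumerate(REASON_FLAGS[1:], start=1):
        byte, offset = divmod(index, 8)
        if byte < len(bits) and bits[byte] & (0x80 >> offset):
            found.add(name)
    return frozenset(found)


def revocation_coverage(distribution_points):
    """Accumulate reasons_mask over distribution points (DPs).

    Each item is a DP's decoded reasons, or None when the reasons field
    is absent (that DP's CRL then covers every reason). Returns
    (status, missing): the status is 'UNREVOKED' only when the mask
    reaches all-reasons, otherwise 'UNDETERMINED'.
    """
    reasons_mask = set()
    for dp_reasons in distribution_points:
        interim = ALL_REASONS if dp_reasons is None else dp_reasons
        if interim <= reasons_mask:
            continue  # this CRL covers no reason that is still missing
        reasons_mask |= interim
    missing = ALL_REASONS - reasons_mask
    return ("UNREVOKED" if not missing else "UNDETERMINED"), missing


if __name__ == "__main__":
    # Constructed input: both DPs from the dump carry the same octet, 0x56.
    dp = decode_reason_flags(bytes([0x56]))
    print(sorted(dp))
    print(revocation_coverage([dp, dp]))
```

With only the two distribution points from the dump, the mask never reaches all-reasons, so a validator following section 6.3.3 has to find another CRL from the issuer that covers the remaining reasons before it can report the certificate as unrevoked.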