JAVASEC - CRL DP Validation - what is the correct

[Miroslav Nachev <mi...@space-comm.com>]

I have dilemma concerning RFC-3280 interpretation about how to use CRL 
Reason Flags in Certificate CRL Distribution Points (CRLDP) and CRL Entry.
By default if Reasons are not specified in the Certificate CRLDP, then 
we assume that all reasons are specified. This is the easy way and JDK 
Sun's implementation works fine with this issue. Unfortunately not all 
CA use this way and some of them specified the possible CRL Reasons in 
each issued Certificate like that:
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://crl.infonotary.com/crl/qsign-company-ca.crl
     CRL Reason=Key Compromise, Affiliation Changed, Cessation of 
Operation, Certificate Hold (56)
[2]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               
URL=ldap://ldap.infonotary.com/dc=qsign-company-ca,dc=infonotary,dc=com
     CRL Reason=Key Compromise, Affiliation Changed, Cessation of 
Operation, Certificate Hold (56)

My question is:
What will happen if the reason(s) in some CRLEntry of some CRL file for 
some Certificate is not specified in the possible reasons of CRLDP of 
the same Certificate?
How must be this implemented:
1. The certificate is treat as revoked independently that the reason of 
CRLEntry doesn't exists in Certificate CRLDP?
2. The certificate is treat as valid (unrevoked) because the reason in 
CRLEntry doesn't match with the possible reasons in Certificate CRLDP?
3. The certificate can not be validated?

Also, I would like to give me some idea from where can I use Java LDAP 
client with GPL or another license because I need to use for CRL retrieving.
I can not use the "sun.security.provider.certpath.LDAPCertStore" 
implementation from Sun's JDK because some of the nested classes are not 
public and because of Sun's JRL license which is not Open Source.
Any suggestions?


Regards,
Miro.