You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@santuario.apache.org by Miroslav Nachev <mi...@space-comm.com> on 2007/03/14 09:16:08 UTC
JAVASEC - CRL DP Validation - what is the correct
I have dilemma concerning RFC-3280 interpretation about how to use CRL
Reason Flags in Certificate CRL Distribution Points (CRLDP) and CRL Entry.
By default if Reasons are not specified in the Certificate CRLDP, then
we assume that all reasons are specified. This is the easy way and JDK
Sun's implementation works fine with this issue. Unfortunately not all
CA use this way and some of them specified the possible CRL Reasons in
each issued Certificate like that:
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://crl.infonotary.com/crl/qsign-company-ca.crl
CRL Reason=Key Compromise, Affiliation Changed, Cessation of
Operation, Certificate Hold (56)
[2]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap://ldap.infonotary.com/dc=qsign-company-ca,dc=infonotary,dc=com
CRL Reason=Key Compromise, Affiliation Changed, Cessation of
Operation, Certificate Hold (56)
My question is:
What will happen if the reason(s) in some CRLEntry of some CRL file for
some Certificate is not specified in the possible reasons of CRLDP of
the same Certificate?
How must be this implemented:
1. The certificate is treat as revoked independently that the reason of
CRLEntry doesn't exists in Certificate CRLDP?
2. The certificate is treat as valid (unrevoked) because the reason in
CRLEntry doesn't match with the possible reasons in Certificate CRLDP?
3. The certificate can not be validated?
Also, I would like to give me some idea from where can I use Java LDAP
client with GPL or another license because I need to use for CRL retrieving.
I can not use the "sun.security.provider.certpath.LDAPCertStore"
implementation from Sun's JDK because some of the nested classes are not
public and because of Sun's JRL license which is not Open Source.
Any suggestions?
Regards,
Miro.