Linux - Security: TLS and CRL

Linux_Kidd 12-10-2012 10:22 AM

Anyone know if the latest rev of X.509 cert requires a reachable CRL for the cert to be valid when a browser checks the cert chain? Isn't "validity" based on verifying the cert chain up to some trusted CA?

Is the CRL part of an X.509 a requirement?

Does any of this change if it's TLS vs other types of encryption schemes?

From the X.509 RFC 5280:

The CRL distribution points extension identifies how CRL information
is obtained. The extension SHOULD be non-critical, but this profile
RECOMMENDS support for this extension by CAs and applications

unSpawn 12-12-2012 07:59 AM

As far as I understand PKI (which isn't much) the signing CA is responsible for providing a CRL. Every time a web browser encounters a certificate it must determine if it is not revoked. Since web browsers come with a pack of CA certificates loaded, it determines the signing CA from the certificate and then uses OCSP as a "shortcut" for checking. I think the easiest counter question would be "how else would you determine the validity of a certificate?" and the last paragraph of RFC 3280 says "If the revocation status remains undetermined, then return the cert_status UNDETERMINED." So if you don't have a local CRL or can't use 'net-based verification then you can't determine the validity, right? TLS here provides only encapsulation. It doesn't change the method nor content of what gets checked. Evidence of that is clients having to manually approve self-signed certs. I don't run my own PKI so somebody correct me if I'm wrong.
