Old 12-10-2012, 11:22 AM   #1

Anyone know if the latest rev of X.509 cert requires a reachable CRL for the cert to be valid when a browser checks the cert chain? Isn't "validity" based on verifying the cert chain up to some trusted CA?

Is the CRL part of an X.509 a requirement?

Does any of this change if it's TLS vs other types of encryption schemes?

From the X.509 RFC 5280:

The CRL distribution points extension identifies how CRL information
is obtained. The extension SHOULD be non-critical, but this profile
RECOMMENDS support for this extension by CAs and applications.

Last edited by Linux_Kidd; 12-10-2012 at 11:27 AM.
Old 12-12-2012, 08:59 AM   #2
As far as I understand PKI (which isn't much) the signing CA is responsible for providing a CRL. Every time a web browser encounters a certificate it must determine if it is not revoked. Since web browsers come with a pack of CA certificates loaded, it determines the signing CA from the certificate and then uses OCSP as a "shortcut" for checking. I think the easiest counter question would be "how else would you determine the validity of a certificate?" and the last paragraph of RFC 3280 says "If the revocation status remains undetermined, then return the cert_status UNDETERMINED." So if you don't have a local CRL or can't use 'net-based verification then you can't determine the validity, right? TLS here provides only encapsulation. It doesn't change the method nor the content of what gets checked. Evidence of that is clients having to manually approve self-signed certs. I don't run my own PKI so somebody correct me if I'm wrong.
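The distinction both posts circle around, chain validity versus revocation status, as an added shell example (not from the thread or from any poster here): it builds a throwaway CA with the openssl CLI, issues a leaf certificate carrying a non-critical CRL Distribution Points extension that points at the made-up URI http://crl.example.test/ca.crl, revokes the leaf in a CRL, and then runs openssl verify three ways: chain only, chain plus CRL, and with revocation checking demanded but no CRL available (the "unreachable CRL" case from the question). It assumes openssl 1.1.1 or 3.x is installed; the config section names (test_ca, ca_ext, leaf_ext), the subject names and everything under the temporary directory are constructed for this example, and nothing is fetched from the network.

```shell
#!/bin/sh
# Added example, not from the thread. A throwaway CA, a leaf cert with a
# non-critical CRL Distribution Points extension, and a CRL revoking that leaf.
# The URI crl.example.test is a constructed placeholder; it is never contacted.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/pki.cnf"

# One config shared by 'openssl req' (CA cert + CSR), 'openssl x509' (leaf
# extensions) and 'openssl ca' (revocation database + CRL issuance).
cat > "$CFG" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints      = CA:FALSE
crlDistributionPoints = URI:http://crl.example.test/ca.crl
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
touch "$WORK/index.txt"
echo 01 > "$WORK/serial"
echo 01 > "$WORK/crlnumber"

build_pki() {
    # Self-signed CA (trust anchor for the verify runs below).
    openssl req -x509 -config "$CFG" -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # Leaf CSR, signed by the CA with the leaf_ext extensions attached.
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=leaf.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$CFG" -extensions leaf_ext \
        -out "$WORK/leaf.crt" 2>/dev/null
    # Revoke the leaf and issue a CA-signed CRL listing it.
    openssl ca -config "$CFG" -revoke "$WORK/leaf.crt" -crl_reason keyCompromise 2>/dev/null
    openssl ca -config "$CFG" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Run an 'openssl verify' command line and classify the outcome by its message.
classify() {
    out=$("$@" 2>&1) && { echo valid; return; }
    case "$out" in
        *"certificate revoked"*)           echo revoked ;;
        *"unable to get certificate CRL"*) echo crl_unavailable ;;
        *)                                 echo error ;;
    esac
}

# 1. Chain validation only: signature path to the trusted CA plus validity
#    dates. No CRL is consulted, so a revoked cert still reports "valid".
verify_chain_only() { classify openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt"; }
# 2. Same chain with revocation checked against the CA's CRL.
verify_with_crl() {
    classify openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" "$WORK/leaf.crt"
}
# 3. Revocation checking required but no CRL obtainable: openssl hard-fails.
verify_crl_required_missing() { classify openssl verify -crl_check -CAfile "$WORK/ca.crt" "$WORK/leaf.crt"; }

# What the leaf advertises: the CRL DP URI and whether the extension is critical.
crl_dp_uri() {
    openssl x509 -in "$WORK/leaf.crt" -noout -text | sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p' | head -n 1
}
crl_dp_criticality() {
    if openssl x509 -in "$WORK/leaf.crt" -noout -text | grep 'CRL Distribution Points' | grep -q critical
    then echo critical; else echo non-critical; fi
}

build_pki
printf 'chain only:            %s\n' "$(verify_chain_only)"
printf 'chain + CRL:           %s\n' "$(verify_with_crl)"
printf 'CRL required, missing: %s\n' "$(verify_crl_required_missing)"
printf 'CRL DP:                %s (%s)\n' "$(crl_dp_uri)" "$(crl_dp_criticality)"
```

Run it as an ordinary shell script. The first verify succeeds because chain validation never looks at a CRL; the second reports the leaf as revoked; the third fails with "unable to get certificate CRL", which is what a client gets when it insists on revocation data it cannot obtain. Whether to treat that third case as fatal (hard-fail) or to proceed (soft-fail) is a client policy choice, and openssl's -crl_check takes the strict side; the extension itself is non-critical, so a verifier that ignores it still validates the chain.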

