[xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain

Aleksey Sanin aleksey at aleksey.com
Tue Dec 20 12:34:03 PST 2005


No, according to XML Sig spec, you MUST check
the CRL from XML document. I from the general
point of view, it does make sense to also check
the "stored" CRL (if any).

Aleksey

Edward Shallow wrote:
> Re:
> I'm not sure it's necessary to check for CRL from XML document if valid CRL
> is installed, though it's necessary to check for CRL from XML if chain
> status is CERT_TRUST_REVOCATION_STATUS_UNKNOWN ...
> 
> Dmitry
> 
> This makes sense given that Verification Authorities tend to keep very
> up-to-date CRL lists which have new entries posted within the "Next Update"
> timeframe of the current CRL.
> 
> As such the order would be 
> 
> 1) check for valid non-expired CRL from store (assuming something is keeping
> them up to date in that store)
> 
> 2) check CRL in document only if nothing exists in 1) above
> 
> Ed
> 
> 
> 


More information about the xmlsec mailing list