[xmlsec] xmlSecMSCryptoX509StoreConstructCertsChain
Edward Shallow
ed.shallow at rogers.com
Tue Dec 20 12:28:11 PST 2005
Re:
I'm not sure it's necessary to check for CRL from XML document if valid CRL
is installed, though it's necessary to check for CRL from XML if chain
status is CERT_TRUST_REVOCATION_STATUS_UNKNOWN ...
Dmitry
This makes sense given that Verification Authorities tend to keep very
up-to-date CRL lists which have new entries posted within the "Next Update"
timeframe of the current CRL.
As such the order would be:
1) check for valid non-expired CRL from store (assuming something is keeping them up to date in that store)
2) check CRL in document only if nothing exists in 1) above
Ed
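
The ordering described in the message above, sketched in portable C as an added example (not xmlsec or MSCrypto code). CRLs are modelled by a hypothetical `crl_t` struct whose issuer signature is assumed to be verified already; `check_revocation` and the sample data are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Hypothetical simplified CRL: validity window plus revoked serial numbers.
 * Signature verification against the issuer is assumed to be done already. */
typedef struct {
    time_t this_update, next_update;
    const char *const *revoked;
    size_t n_revoked;
} crl_t;

typedef enum { REV_GOOD, REV_REVOKED, REV_UNKNOWN } rev_result;

/* Current means now lies inside [thisUpdate, nextUpdate). */
static int crl_is_current(const crl_t *crl, time_t now) {
    return crl && crl->this_update <= now && now < crl->next_update;
}

static int crl_lists(const crl_t *crl, const char *serial) {
    for (size_t i = 0; i < crl->n_revoked; i++)
        if (strcmp(crl->revoked[i], serial) == 0) return 1;
    return 0;
}

/* 1) use a current CRL from the store; 2) fall back to the CRL carried in
 * the document only when 1) yields nothing usable. */
rev_result check_revocation(const crl_t *store_crl, const crl_t *doc_crl,
                            const char *serial, time_t now) {
    const crl_t *use = NULL;
    if (crl_is_current(store_crl, now)) use = store_crl;
    else if (crl_is_current(doc_crl, now)) use = doc_crl;
    if (!use) return REV_UNKNOWN;   /* no current CRL: caller sets policy */
    return crl_lists(use, serial) ? REV_REVOKED : REV_GOOD;
}

/* Constructed sample data: times are arbitrary epoch seconds. */
static const char *const store_serials[] = { "0A11" };
static const char *const doc_serials[] = { "0B22" };
const crl_t sample_store_crl = { 1000, 2000, store_serials, 1 };
const crl_t sample_doc_crl   = { 1500, 3000, doc_serials, 1 };

int main(void) {
    /* Store CRL is current at t=1800, so the document CRL is not consulted. */
    rev_result r = check_revocation(&sample_store_crl, &sample_doc_crl,
                                    "0B22", 1800);
    return r == REV_GOOD ? 0 : 1;
}
```

With this ordering, an entry that appears only in the document CRL has no effect while the store CRL is still inside its "Next Update" window.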