Fix up crl_delta_crl_indicator.pem. (#5283)
The CRL is missing a CRL number and should mark the delta CRL extension as critical. RFC 5280 says the following:

Section 5.2.3:

> CRL issuers conforming to this profile MUST include this extension
> [CRL number] in all CRLs and MUST mark this extension as
> non-critical.

Section 5.2.4:

> The delta CRL indicator is a critical CRL extension that identifies a
> CRL as being a delta CRL.

> When a conforming CRL issuer generates a delta CRL, the delta CRL
> MUST include a critical delta CRL indicator extension.

Sadly, RFC 5280 is often unclear about the difference between issuer requirements and verifier requirements, but test certificates should conform to issuer requirements where possible, in case the underlying library becomes stricter.

Section 5.2.4 includes further text which implies a delta CRL without a CRL number is unusable for a verifier anyway:

> A complete CRL and a delta CRL MAY be combined if the following four
> conditions are satisfied:
>
> [...]
>
> (d) The CRL number of the complete CRL is less than the CRL number
> of the delta CRL. That is, the delta CRL follows the complete
> CRL in the numbering sequence.

Note I have not updated the signature in crl_delta_crl_indicator.pem. The test does not care, and it is unclear which key to sign it with.
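The issuer requirements quoted above are easy to lint for mechanically. The following is an added example, not code from this commit or from the project's own CRL builder: it hand-encodes two tiny CRLs in DER with a minimal writer, reads the crlExtensions back with a minimal parser, and reports which of the quoted RFC 5280 rules a delta CRL breaks (5.2.3: CRL number present and non-critical; 5.2.4: delta CRL indicator present and critical; 5.2.4(d): delta CRL number greater than the complete CRL's). The issuer name, dates, algorithm OID and the `build_crl`/`check_delta_crl` helper names are assumptions made for the example, and the signatureValue is a placeholder empty BIT STRING, since, as with the test vector, the signature is not what is being checked. The "broken" delta is constructed to mirror the two defects the commit describes.

```python
# Added example, not code from the pyca/cryptography commit: hand-build tiny DER CRLs
# and check the RFC 5280 issuer requirements quoted in the commit message.
OID_CRL_NUMBER = "2.5.29.20"
OID_DELTA_CRL_INDICATOR = "2.5.29.27"

# --- minimal DER writer ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_int(n):  # non-negative values only; leading 0x00 keeps the sign bit clear
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_extension(oid, critical, value):
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }
    # DER omits DEFAULT values, so the BOOLEAN is encoded only when TRUE.
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, der_oid(oid) + crit + tlv(0x04, value))

_ALG = tlv(0x30, der_oid("1.2.840.10045.4.3.2"))  # ecdsa-with-SHA256, no parameters (assumed)
_ISSUER = tlv(0x30, tlv(0x31, tlv(0x30, der_oid("2.5.4.3") + tlv(0x0C, b"Test CA"))))

def build_crl(extensions):
    """CertificateList with a v2 TBSCertList and a placeholder (unsigned) signatureValue."""
    tbs = tlv(0x30, der_int(1) + _ALG + _ISSUER            # version v2 is required with extensions
              + tlv(0x17, b"200101000000Z") + tlv(0x17, b"200201000000Z")  # thisUpdate/nextUpdate
              + tlv(0xA0, tlv(0x30, b"".join(extensions))))  # crlExtensions [0] EXPLICIT
    return tlv(0x30, tbs + _ALG + tlv(0x03, b"\x00"))   # empty BIT STRING stands in for the signature

# --- minimal DER reader ---
def parse_tlv(data, pos=0):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def crl_extensions(crl_der):
    """Map extnID -> (critical, extnValue) for the CRL's crlExtensions."""
    _, tbs, _ = parse_tlv(parse_tlv(crl_der)[1])      # tbsCertList is the first element
    exts = {}
    for tag, val in children(tbs):
        if tag == 0xA0:                                # crlExtensions [0] EXPLICIT Extensions
            for _, ext in children(children(val)[0][1]):
                fields = children(ext)
                critical = len(fields) == 3 and fields[1][1] == b"\xff"
                exts[decode_oid(fields[0][1])] = (critical, fields[-1][1])
    return exts

def _int_value(ext_value):
    return int.from_bytes(parse_tlv(ext_value)[1], "big")

def check_delta_crl(delta_der, complete_der):
    """Return the RFC 5280 issuer-profile violations found; [] means conforming."""
    problems = []
    exts = crl_extensions(delta_der)
    number, delta = exts.get(OID_CRL_NUMBER), exts.get(OID_DELTA_CRL_INDICATOR)
    if number is None:
        problems.append("5.2.3: CRL number missing")
    elif number[0]:
        problems.append("5.2.3: CRL number must be non-critical")
    if delta is None:
        problems.append("5.2.4: delta CRL indicator missing")
    elif not delta[0]:
        problems.append("5.2.4: delta CRL indicator must be critical")
    base = crl_extensions(complete_der).get(OID_CRL_NUMBER)
    if base and number and _int_value(base[1]) >= _int_value(number[1]):
        problems.append("5.2.4(d): delta CRL number must exceed the complete CRL number")
    return problems

# Constructed inputs: a complete CRL numbered 5; a delta with the defects the commit
# describes (no CRL number, non-critical indicator); and the corrected form.
COMPLETE_CRL = build_crl([der_extension(OID_CRL_NUMBER, False, der_int(5))])
BROKEN_DELTA = build_crl([der_extension(OID_DELTA_CRL_INDICATOR, False, der_int(5))])
FIXED_DELTA = build_crl([der_extension(OID_CRL_NUMBER, False, der_int(6)),
                         der_extension(OID_DELTA_CRL_INDICATOR, True, der_int(5))])
```

Running `check_delta_crl(BROKEN_DELTA, COMPLETE_CRL)` returns the two defects the commit fixes, and `check_delta_crl(FIXED_DELTA, COMPLETE_CRL)` returns an empty list. The one encoding detail worth noticing is in `der_extension`: because `critical` is `DEFAULT FALSE`, a conforming DER encoder never emits `BOOLEAN FALSE`, so a "non-critical" delta CRL indicator and a "forgot to set critical" one are byte-for-byte identical, which is exactly why a vector with the BOOLEAN absent looks fine to a permissive parser and wrong to a strict one.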