Commit 26178d7b046a authored by David Benjamin

Fix up crl_delta_crl_indicator.pem. (#5283)

The CRL is missing a CRL number and should mark the delta CRL extension
as critical. RFC 5280 says the following:

Section 5.2.3:

> CRL issuers conforming to this profile MUST include this extension
> [CRL number] in all CRLs and MUST mark this extension as
> non-critical.

Section 5.2.4:

> The delta CRL indicator is a critical CRL extension that identifies a
> CRL as being a delta CRL.

> When a conforming CRL issuer generates a delta CRL, the delta CRL
> MUST include a critical delta CRL indicator extension.

Sadly, RFC 5280 is often unclear about the difference between issuer
requirements and verifier requirements, but test certificates should
conform to issuer requirements where possible, in case the underlying
library becomes stricter. Section 5.2.4 includes further text which
implies a delta CRL without a CRL number is unusable for a verifier
anyway:

> A complete CRL and a delta CRL MAY be combined if the following four
> conditions are satisfied:
>
> [...]
>
>   (d)  The CRL number of the complete CRL is less than the CRL number
>        of the delta CRL.  That is, the delta CRL follows the complete
>        CRL in the numbering sequence.

Note I have not updated the signature in crl_delta_crl_indicator.pem.
The test does not care, and it is unclear which key to sign it with.
parent 18198361c47e
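The two RFC 5280 rules the commit relies on (a CRL number that is present and non-critical, a delta CRL indicator that is critical, and condition (d) for combining a complete CRL with a delta) are mechanical enough to check on the DER itself. The following is an added example written for this page, not BoringSSL code and not the commit's test fixture: a pure-Python DER walker that pulls `crlExtensions` out of a `CertificateList`, reports the conformance problems, and compares CRL numbers. The `BEFORE` and `AFTER` samples are constructed here to mirror the defect the commit message describes; the surrounding `CertificateList` they sit in is a placeholder with no issuer, dates or real signature, so it is not a valid CRL, only enough structure for the walker to find the extensions. The OIDs `2.5.29.20` (cRLNumber) and `2.5.29.27` (deltaCRLIndicator) are the standard ones.

```python
# Added example (not from the BoringSSL commit): minimal DER walker plus the
# RFC 5280 5.2.3 / 5.2.4 extension checks quoted in the commit message.

OID_CRL_NUMBER = "2.5.29.20"           # id-ce-cRLNumber
OID_DELTA_CRL_INDICATOR = "2.5.29.27"  # id-ce-deltaCRLIndicator

# ---- DER encoding helpers (only what the constructed samples need) --------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(n):
    # Minimal two's-complement encoding; samples only use n >= 0.
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_extension(oid, critical, value_der):
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    # DER omits DEFAULT values, so "critical" is absent when it is FALSE.
    body = der_oid(oid)
    if critical:
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value_der))

def build_crl(extensions):
    """Constructed placeholder CertificateList: tbsCertList carries only the
    version and crlExtensions [0] EXPLICIT; signature fields are dummies."""
    tbs = tlv(0x30, der_int(1) + tlv(0xA0, tlv(0x30, b"".join(extensions))))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

# ---- DER decoding --------------------------------------------------------

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(ext_seq_body):
    """SEQUENCE OF Extension -> [(oid, critical, extnValue bytes)]."""
    out = []
    for tag, ext in children(ext_seq_body):
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        parts = list(children(ext))
        critical = parts[1][0] == 0x01 and parts[1][1] != b"\x00"
        out.append((decode_oid(parts[0][1]), critical, parts[-1][1]))
    return out

def crl_extensions(crl_der):
    # TBSCertList's version is a plain INTEGER, so [0] can only be crlExtensions.
    _, cert_list, _ = read_tlv(crl_der)
    _, tbs = next(children(cert_list))
    for tag, body in children(tbs):
        if tag == 0xA0:
            _, ext_seq, _ = read_tlv(body)
            return parse_extensions(ext_seq)
    return []

# ---- RFC 5280 checks -----------------------------------------------------

def check_crl(exts):
    """Return the list of conformance problems; an empty list means it conforms."""
    by_oid = {oid: critical for oid, critical, _ in exts}
    problems = []
    if OID_CRL_NUMBER not in by_oid:
        problems.append("missing CRL number (5.2.3: MUST include)")
    elif by_oid[OID_CRL_NUMBER]:
        problems.append("CRL number marked critical (5.2.3: MUST be non-critical)")
    if OID_DELTA_CRL_INDICATOR in by_oid and not by_oid[OID_DELTA_CRL_INDICATOR]:
        problems.append("delta CRL indicator not critical (5.2.4: MUST be critical)")
    return problems

def crl_number(exts):
    for oid, _, value in exts:
        if oid == OID_CRL_NUMBER:          # extnValue wraps a DER INTEGER
            _, body, _ = read_tlv(value)
            return int.from_bytes(body, "big", signed=True)
    return None

def can_combine(complete_exts, delta_exts):
    """Condition (d) of 5.2.4: the complete CRL's number is less than the delta's."""
    c, d = crl_number(complete_exts), crl_number(delta_exts)
    return c is not None and d is not None and c < d

# Constructed samples: BEFORE mirrors the defect the commit fixes (no CRL
# number, non-critical delta indicator); AFTER is the conforming shape.
BEFORE = build_crl([der_extension(OID_DELTA_CRL_INDICATOR, False, der_int(40))])
AFTER = build_crl([der_extension(OID_CRL_NUMBER, False, der_int(42)),
                   der_extension(OID_DELTA_CRL_INDICATOR, True, der_int(40))])
COMPLETE = build_crl([der_extension(OID_CRL_NUMBER, False, der_int(40))])

if __name__ == "__main__":
    print("before:", check_crl(crl_extensions(BEFORE)))
    print("after: ", check_crl(crl_extensions(AFTER)))
    print("combine:", can_combine(crl_extensions(COMPLETE), crl_extensions(AFTER)))
```

The one DER detail worth noticing is the `critical` field: it has `DEFAULT FALSE`, and DER forbids encoding default values, so "not critical" shows up as the BOOLEAN being absent rather than as `00`. A checker that looks for an explicit FALSE byte will misclassify every non-critical extension, which is exactly the case the commit's fixture exercises.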