Sun's CertPathValidator can't handle separate cert and CRL signing keys

    • Type: Bug
    • Resolution: Fixed
    • Priority: P3
    • 5.0
    • Affects Version/s: 1.4.1, 1.4.2
    • Component/s: security-libs
    • tiger
    • generic
    • generic, solaris_7


      ###@###.### 2002-07-08

      Sun's PKIX CertPathValidator implementation assumes that a CRL is signed by the
      CA that issued the corresponding certificate. This may not always be the case.

      Section 6.3.3, Step (f) of RFC 3280 states:

         (f) Obtain and validate the certification path for the complete CRL
         issuer. If a key usage extension is present in the CRL issuer's
         certificate, verify that the cRLSign bit is set.
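      The check that step (f) describes, for a CRL signed with a key other than the certificate-signing key, as an added example (not code from the JDK or from this report). The class name, helper names and command-line file arguments are assumptions, and revocation checking of the CRL issuer's own path is switched off as a simplification.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

public class CrlIssuerCheck {
    private static final int CRL_SIGN = 6; // index of cRLSign in getKeyUsage()

    // RFC 3280 6.3.3 step (f). crlIssuerPath is ordered CRL signer first and
    // does not include the trust anchor certificate.
    static void checkCrlIssuer(X509CRL crl, List<X509Certificate> crlIssuerPath,
                               Set<TrustAnchor> anchors) throws Exception {
        X509Certificate signer = crlIssuerPath.get(0);
        if (!crl.getIssuerX500Principal().equals(signer.getSubjectX500Principal()))
            throw new CertPathValidatorException("CRL issuer name != signer subject");

        // Obtain and validate the certification path for the CRL issuer.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // simplification: no revocation check here
        CertPathValidator.getInstance("PKIX")
                .validate(cf.generateCertPath(crlIssuerPath), params);

        // If a key usage extension is present, the cRLSign bit must be set.
        boolean[] ku = signer.getKeyUsage(); // null when the extension is absent
        if (ku != null && !ku[CRL_SIGN])
            throw new CertPathValidatorException("CRL issuer cert lacks cRLSign");

        // Only now accept the signature on the CRL itself.
        crl.verify(signer.getPublicKey());
    }

    static X509Certificate loadCert(CertificateFactory cf, String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // Assumed usage: java CrlIssuerCheck <crl> <trust-anchor> <crl-signer> [intermediates...]
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509CRL crl;
        try (InputStream in = new FileInputStream(args[0])) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        Set<TrustAnchor> anchors =
                Collections.singleton(new TrustAnchor(loadCert(cf, args[1]), null));
        List<X509Certificate> path = new ArrayList<>();
        for (int i = 2; i < args.length; i++) path.add(loadCert(cf, args[i]));
        checkCrlIssuer(crl, path, anchors);
        System.out.println("CRL issuer path valid, cRLSign permitted, CRL signature OK");
    }
}
```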

            Assignee: Sean Mullan
            Reporter: Sean Mullan
            Votes: 0
            Watchers: 1