Bug 4619 - tl-ldap-certalias tool does not handle CRL validation the correct way.
Summary: tl-ldap-certalias tool does not handle CRL validation the correct way.
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Smart card (show other bugs)
Version: 4.0.0
Hardware: PC Unknown
: P2 Normal
Target Milestone: LowPrio
Assignee: Karl Mikaelsson
Depends on:
Reported: 2013-04-25 09:26 CEST by Henrik Andersson
Modified: 2019-09-24 12:57 CEST (History)
0 users

See Also:
Acceptance Criteria:

Patch for fixing the logics of revocation (1.34 KB, patch)
2013-04-25 10:01 CEST, Henrik Andersson

Description Henrik Andersson cendio 2013-04-25 09:26:32 CEST
A customer does have certificates with 2 distribution points for crl, tl-ldap-certalias tool will revoke the cert if not both of those distribution points are accessible which is the wrong approach.

The logics need to be changed so that only first available CRL is good enough and not all distributions points.
Comment 1 Henrik Andersson cendio 2013-04-25 10:01:56 CEST
Created attachment 475 [details]
Patch for fixing the logics of revocation
Comment 2 Henrik Andersson cendio 2013-04-26 08:03:49 CEST
After some more in depth digging multiple distribution points are not automatically used as failover, here follows a summary of how i interpret the loosy standard.

A distribution point has an optional reasons field. If this field is omitted the distribution point should handle all reasons for revocations and by that a revocation lookup is valid by only check against the specific distribution point.

A distribution point can handle just a few specific revocation reasons and there can be more distribution points handling the rest of the reasons.

This means that we need to take care of this in following logic.

If a distribution point have no reasons field then its said that this distribution point should be used for all reasons and is enough for valid revocation check.

If distribution point have a reasons field we should fetch all other distribution points to make a complete revocation check against several CRL lists.

For more info see '  CRL Distribution Points' in rfc3280:


Note You need to log in before you can comment on or make changes to this bug.