4619 – tl-ldap-certalias tool does not handle CRL validation the correct way.

Bug 4619 - tl-ldap-certalias tool does not handle CRL validation the correct way.

Summary: tl-ldap-certalias tool does not handle CRL validation the correct way.

Status:	NEW

Alias:	None

Product:	ThinLinc
Classification:	Unclassified
Component:	Smart card (show other bugs)
Version:	4.0.0
Hardware:	PC Unknown

Importance:	P2 Normal
Target Milestone:	LowPrio
Assignee:	Karl Mikaelsson

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-04-25 09:26 CEST by Henrik Andersson
Modified:	2019-09-24 12:57 CEST (History)
CC List:	0 users

See Also:
Acceptance Criteria:

Attachments
Patch for fixing the logics of revocation (1.34 KB, patch) 2013-04-25 10:01 CEST, Henrik Andersson	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Description Henrik Andersson cendio

2013-04-25 09:26:32 CEST

A customer does have certificates with 2 distribution points for crl, tl-ldap-certalias tool will revoke the cert if not both of those distribution points are accessible which is the wrong approach.

The logics need to be changed so that only first available CRL is good enough and not all distributions points.

Comment 1 Henrik Andersson cendio

2013-04-25 10:01:56 CEST

Created attachment 475 [details]
Patch for fixing the logics of revocation

Comment 2 Henrik Andersson cendio

2013-04-26 08:03:49 CEST

After some more in depth digging multiple distribution points are not automatically used as failover, here follows a summary of how i interpret the loosy standard.

A distribution point has an optional reasons field. If this field is omitted the distribution point should handle all reasons for revocations and by that a revocation lookup is valid by only check against the specific distribution point.

A distribution point can handle just a few specific revocation reasons and there can be more distribution points handling the rest of the reasons.

This means that we need to take care of this in following logic.

If a distribution point have no reasons field then its said that this distribution point should be used for all reasons and is enough for valid revocation check.

If distribution point have a reasons field we should fetch all other distribution points to make a complete revocation check against several CRL lists.


For more info see '4.2.1.14  CRL Distribution Points' in rfc3280:

http://www.ietf.org/rfc/rfc3280.txt

Note You need to log in before you can comment on or make changes to this bug.