oss-sec mailing list archives

Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday


From: "David W. Hodgins" <davidwhodgins () gmail com>
Date: Tue, 12 Mar 2024 09:57:07 -0400

On Tue, 12 Mar 2024 00:28:49 -0400, Demi Marie Obenour <demi () invisiblethingslab com> wrote:
<snip>
> macOS, iOS, Windows, and possibly Android have system certificate
> verifiers that can handle this easily.  For desktop and server Linux,
> should a CRLite package be included in system package managers?  Would
> it be feasible for WebPKI and {Open,Boring,Libre}SSL to handle CRLite,
> or does this mean that NSS should be used for certificate verification?

Isn't that the purpose of the crlutil command in the nss package?
From "man 1 crlutil" ...

DESCRIPTION
       The Certificate Revocation List (CRL) Management Tool, crlutil, is a
       command-line utility that can list, generate, modify, or delete CRLs
       within the NSS security database file(s) and list, create, modify or
       delete certificates entries in a particular CRL.

https://manpages.org/crlutil

Regards, Dave Hodgins

