This is a bug that PSM treats a deltaCRL as a full CRL. It ignores the criticality of the delta CRL extension. Here is how to reproduce: 0. get a new profile 1. to get a cert, go to http://cfu [Enrollment] [Directory] to enroll for a cert. uid="test1", password="test1". 2. to revoke the cert, go to https://cfu [Revocation] and revoke the test1 cert 3. wait 20+ minutes, go to http://cfu [Retrieval][import crl], "Display the CRL information," select "deltaCRL", you should see your cert in there. 4. go to http://cfu [Retrieval][import crl] and "Import the latest deltaCRL to your browser. when I "Manage Cerfificates" on N6, I expect to see the cert just revoked to be "verified", because N6 currently does not understand deltaCRL, and thus should detact the criticality of the extension and leave it; however, I saw the cert NOT verified, which tells me that N6 is not doing the right thing, and worse, is treating a deltaCRL as a full CRL. FYI, it has been confirmed that the binary imported into the browser indeed is a deltaCRL with "critical" bit turned on.
a few things to ponder: we could A. at download, detect the unrecognized extension, and just throw it away and tell user that it's not viable or B. allow to download, but not use it.
Assignee: ssaux → rangansen
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Target Milestone: --- → Future
Actually, NSS does not handle/support delta CRLs right now. So, what should happen is that a delta CRL should never the allowed to be imported unless they are supported [Bug# 103946]. Making this bug depend on 103946.
Depends on: 103946
*** Bug 95640 has been marked as a duplicate of this bug. ***
*** Bug 95469 has been marked as a duplicate of this bug. ***
I think this bug has been fixed because the underlying NSS bug 103946 has been fixed. NSS and PSM still don't recognize delta CRLs, but they no longer treat delta CRLs as full CRLs.
I think so - it doesn't let me download delta crls any more..
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
*** Bug 95641 has been marked as a duplicate of this bug. ***
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.