Jean-Marc Desperrier wrote:
[...] Otherwise I'm surprised at the way they use the CRL DP/CRL IDP extensions[...]
OK, so when writing that, I was making a stupid error confusing the content of two extensions in the cert.
The content of the IssuingDistributionPoint is in fact perfectly correct, pointing to http://crl1.hongkongpost.gov.hk/crl/eCertCA1CRL2.crl just like does the cRLDistributionPoints in the cert itself.
So HK Post issued CRLs correctly apply only to certificates that claim that the CRL DP that applies to them is http://crl1.hongkongpost.gov.hk/crl/eCertCA1CRL2.crl
NB: What is required is not actually downloading the crl from that url, it's just that the url inside the cert and inside the crl you found are identical.
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
