> Will be then the multiple OCSP inclusion? (This time ok, the software can
> only check the first, but later the others too.)



Yes, including multiples of these things won't hurt.  Firefox won't
crash or refuse to connect because multiple URIs for these things exist.
It will just ignore some of them.



> The CAIssuer implementation is the same? Getting only the first? Is the
> inclusion of more than one problematic?



I don't know if it will try more than one, but the presence of more than
one will not be a problem.



For caissuer and ocsp url, then, this will be the solution. But my opinion
is different when talking about CRLDistpoint.





>> This same also applies for CDP.
>
> (I thought of the RFC, which allows that you have multiple access
> points for CRL.)



Yes, by different protocols (e.g. by http or by LDAP).  Initially, NSS
will only support fetching by http.



I think it is false:





I have read the RFC again and again, and compared it with the AIA; I think the RFC
has some problem in it.



"If the DistributionPointName contains multiple values, each name describes a
different mechanism to obtain the same CRL.  For example, the same CRL could be
available for retrieval through both LDAP and HTTP."



For example:
the CRLDistribpoints can have multiple DistributionPoints in it, and the Points
can have multiple pointnames.
The multiple pointnames should be for different mechanisms. The
multiple distribpoints can have the same mechanism; there are no restrictions in the RFC.



If my investigation was correct, OpenSSL makes the sequence of the URIs on the
Distributionpoint level, and the Generalnames is only a Generalname in the
Distribpointname field.



I have attached a picture about it; I can't extract this block any better.



So my opinion is that you can include multiple http in CDP, if these are grouped
like this.



Any other opinion?





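The two CRLDistributionPoints layouts compared in the message above, as an added example that is not part of the original thread: one DistributionPoint whose fullName carries several names, versus several DistributionPoints with one name each (the grouping the message attributes to OpenSSL). The helper names (`tlv`, `children`, `cdp`, `uris_by_point`) and all URIs are constructed for illustration; a revocation checker has to walk both levels to see every URI.

```python
def tlv(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def children(buf):
    """Yield (tag, value) per TLV in buf; single-byte tags only."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated header")
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            if k == 0 or i + k > len(buf):
                raise ValueError("bad length")
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated value")
        yield tag, buf[i:i + n]
        i += n

def cdp(*points):
    """Build a CRLDistributionPoints value: one DistributionPoint per URI list."""
    def point(uris):
        names = b"".join(tlv(0x86, u.encode("ascii")) for u in uris)
        return tlv(0x30, tlv(0xA0, tlv(0xA0, names)))  # [0] distributionPoint > [0] fullName
    return tlv(0x30, b"".join(point(p) for p in points))

def uris_by_point(ext_value):
    """Return one list of URIs per DistributionPoint, in encoded order."""
    (tag, seq), = children(ext_value)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    out = []
    for _, dp in children(seq):
        fields = [f for t, f in children(dp) if t == 0xA0]  # skip reasons [1], cRLIssuer [2]
        names = [n for f in fields for c, n in children(f) if c == 0xA0]  # fullName only
        out.append([v.decode("ascii") for n in names for g, v in children(n) if g == 0x86])
    return out

# Constructed sample values
HTTP1, HTTP2 = "http://crl1.example.test/ca.crl", "http://crl2.example.test/ca.crl"
LDAP1 = "ldap://dir.example.test/cn=CA?certificateRevocationList"
GROUPED = cdp([HTTP1, LDAP1])  # one point, two names (the RFC's LDAP + HTTP case)
SPLIT = cdp([HTTP1], [HTTP2])  # two points, one http name each (layout from the post)
```

`uris_by_point(GROUPED)` yields a single inner list with both names, while `uris_by_point(SPLIT)` yields two inner lists, which is the structural difference the message is describing.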