
RE: Cached OCSP responses vs. single entry CRLs

Ryan:
 
Assuming the CA and the client software are working properly, there will be one DP (URL) in the CDP and that will point to the proper partition.  The client will get the CRL from that URL.  The DP in the IDP of the CRL will be matched to the DP in the CDP of certificate and all will be well.
 
If there is a glitch on the network or an active adversary, then these won't match, but in those circumstances there are innumerable (albeit finite) ways to cause denial of service, CRL partitioning notwithstanding.
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Ryan M. Hurst
Sent: Tuesday, December 09, 2003 10:02 PM
To: Jean-Marc Desperrier; ietf-pkix@xxxxxxx
Subject: RE: Cached OCSP responses vs. single entry CRLs

I have seen engines that do not deal with extension criticality in CRLs, some of the Java implementations I have seen in fact; these would trust these partial CRLs as a full CRL. Now I know folks will say that's a bad implementation, and I am not arguing that what these clients have done is right, but it's yet another example of how CRLs fail in this area due to the history of implementations out there.
 
Another example is where the client does properly deal with critical extensions in the CRL; in this case almost all implementations I have seen would show the CRL as bad and fail validation (as it should). I don't know of one that would try the next URL in the CDP to see if it was the full CRL. And even if it did, that's extra data to be downloaded to discover it's not the right CRL.
 
Ryan


From: Jean-Marc Desperrier
Sent: Tue 12/9/2003 12:19 PM
To: ietf-pkix@xxxxxxx
Subject: Re: Cached OCSP responses vs. single entry CRLs

Ryan M. Hurst wrote:

>[...] there is no way to tell from a CDP if the
>data on the other end represents a partitioned CRL or a full one.
But then a clean client should check the content of the IDP extension 
after getting the CRL and check that its distribution point matches the 
distribution field of the CDP, and if not refuse the CRL, and supposedly 
try the next CRL DP inside the cert.
RFC 3280 6.3.3 (b)(2)(i)

I'm a bit sceptical that it really works, but if the CRL's IDP is marked 
critical as it should be, maybe a good number of clients will duly reject 
the CRL when they cannot support that case.
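The check Jean-Marc points to (RFC 3280 6.3.3 (b)(2)(i)) and the failure mode Ryan describes (a client that ignores CRL extension criticality and so treats a partitioned CRL as a full one) can both be made concrete with a small model. The following is an added illustration written for this page; it is not code from the thread, from RFC 3280 or from any PKI library. It models only the fields the thread discusses (the certificate's cRLDistributionPoints, the CRL's issuingDistributionPoint and its criticality), the issuer name, URLs, serial numbers and repository contents are constructed sample values, and `fetch_misdirected` stands in for the "glitch on the network" case where a request for one partition is answered with another.

```python
"""Constructed model of the RFC 3280 6.3.3 (b) checks a CRL-using client runs before
trusting a fetched CRL for a given certificate and distribution point (DP).
Added illustration, not code from the ietf-pkix thread or any PKI library;
issuer name, URLs, serials and repository contents are constructed sample values."""
from dataclasses import dataclass
from typing import Callable, Optional

OID_IDP = "2.5.29.28"          # issuingDistributionPoint
OID_CRL_NUMBER = "2.5.29.20"   # cRLNumber
OID_AKI = "2.5.29.35"          # authorityKeyIdentifier
# CRL extensions this model understands; any other *critical* one makes the CRL unusable.
KNOWN_CRL_EXTENSIONS = {OID_IDP, OID_CRL_NUMBER, OID_AKI}


@dataclass(frozen=True)
class Extension:
    oid: str
    critical: bool
    value: object = None


@dataclass(frozen=True)
class IssuingDistributionPoint:
    distribution_point: Optional[tuple] = None   # full names (URIs); None = no name in IDP
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False
    indirect_crl: bool = False


@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked_serials: frozenset
    extensions: tuple = ()


@dataclass(frozen=True)
class Certificate:
    serial: int
    issuer: str
    is_ca: bool
    cdp: tuple   # one tuple of URIs per DistributionPoint in cRLDistributionPoints


def crl_usable_for(crl: CRL, cert: Certificate, dp_uris: tuple, process_extensions: bool = True) -> tuple:
    """Return (usable, reason) for one (CRL, certificate, DP) triple.
    process_extensions=False models the non-conforming client Ryan describes: it never
    looks at the IDP and so accepts whatever CRL arrives as a full CRL."""
    if not process_extensions:
        return True, "extensions ignored (non-conforming client)"
    for ext in crl.extensions:
        if ext.critical and ext.oid not in KNOWN_CRL_EXTENSIONS:
            return False, f"unrecognised critical CRL extension {ext.oid}"
    idp = next((e.value for e in crl.extensions if e.oid == OID_IDP), None)
    if idp is None:
        # No IDP: the CRL claims to be a full CRL for its issuer.
        if crl.issuer != cert.issuer:
            return False, "CRL issuer differs from certificate issuer"
        return True, "full CRL, no IDP"
    # 6.3.3 (b)(1): a CRL not flagged indirectCRL must come from the certificate issuer.
    if not idp.indirect_crl and crl.issuer != cert.issuer:
        return False, "CRL issuer differs and IDP is not indirectCRL"
    # 6.3.3 (b)(2)(i): one name in the IDP must match one name in the certificate's DP.
    if idp.distribution_point is not None and not set(idp.distribution_point) & set(dp_uris):
        return False, f"IDP names {idp.distribution_point} match no name in CDP {dp_uris}"
    # 6.3.3 (b)(2)(ii)/(iii): the CRL's declared scope must cover this kind of certificate.
    if idp.only_contains_user_certs and cert.is_ca:
        return False, "onlyContainsUserCerts set but certificate is a CA certificate"
    if idp.only_contains_ca_certs and not cert.is_ca:
        return False, "onlyContainsCACerts set but certificate is an end-entity certificate"
    return True, "partitioned CRL matches this DP"


def revocation_status(cert: Certificate, fetch: Callable[[str], Optional[CRL]],
                      process_extensions: bool = True) -> tuple:
    """Walk the certificate's CDP in order and let the first usable CRL decide.
    Returns (status, trail); status is 'good', 'revoked' or 'undetermined'."""
    trail = []
    for dp_uris in cert.cdp:
        for uri in dp_uris:
            crl = fetch(uri)
            if crl is None:
                trail.append((uri, "fetch failed"))
                continue
            ok, why = crl_usable_for(crl, cert, dp_uris, process_extensions)
            trail.append((uri, why))
            if ok:
                return ("revoked" if cert.serial in crl.revoked_serials else "good"), trail
    return "undetermined", trail


# ---- constructed sample data: one CA, two partitions, one full CRL ----------------
ISSUER = "CN=Example CA"
P1, P2 = "http://crl.example.test/p1.crl", "http://crl.example.test/p2.crl"
PARTITION_1 = CRL(ISSUER, frozenset({1001}), (Extension(OID_IDP, True, IssuingDistributionPoint((P1,))),))
PARTITION_2 = CRL(ISSUER, frozenset({2002}), (Extension(OID_IDP, True, IssuingDistributionPoint((P2,))),))
FULL_CRL = CRL(ISSUER, frozenset({1001, 2002}), (Extension(OID_CRL_NUMBER, False, 7),))
REPOSITORY = {P1: PARTITION_1, P2: PARTITION_2}
CERT_IN_P1 = Certificate(serial=1001, issuer=ISSUER, is_ca=False, cdp=((P1,),))
CERT_IN_P2 = Certificate(serial=2002, issuer=ISSUER, is_ca=False, cdp=((P2,),))


def fetch_from_repository(uri: str) -> Optional[CRL]:   # stands in for the HTTP fetch
    return REPOSITORY.get(uri)


def fetch_misdirected(uri: str) -> Optional[CRL]:   # every request is answered with partition 2
    return PARTITION_2


if __name__ == "__main__":
    print(revocation_status(CERT_IN_P2, fetch_from_repository))            # revoked
    print(revocation_status(CERT_IN_P1, fetch_misdirected))                # undetermined: IDP mismatch
    print(revocation_status(CERT_IN_P1, fetch_misdirected, False))         # 'good': the hazard
```

With a correct repository the partition-2 CRL is accepted for a partition-2 certificate and its revoked serial is found. When the partition-1 request is answered with the partition-2 CRL, the IDP name check rejects it and the status stays undetermined, which is the safe outcome; the client that skips extension processing accepts the same CRL, finds no entry for serial 1001 and reports it as good, which is exactly how a partial CRL ends up trusted as a full one.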