
RE: Non-self-signed trusted certificates in SFL 2.4



John,

DigitalNet has repaired the problem you found in the CRL processing code
concerning unknown revocation status for certificates that chain up to a
trust anchor that is not self-signed. A patch for CML version 2.4 should
be available on our website shortly. 

The patch contains the following files:

smp/cml/cmapi/inc/cmapi_cpp.h
smp/cml/cmapi/src/CM_Certificate.cpp
smp/cml/crlsrv_dll/src/CRL_Mgr.cpp

Please let me know if you have any more issues.

Thanks,
Tom Horvath
DigitalNet

-----Original Message-----
From: owner-imc-sfl@xxxxxxxxxxxx [mailto:owner-imc-sfl@xxxxxxxxxxxx] On
Behalf Of John Stark
Sent: Friday, July 16, 2004 3:45 PM
To: imc-sfl@xxxxxxx
Subject: Non-self-signed trusted certificates in SFL 2.4


Hello,

I have been testing some code that I have just ported from SFL 2.3 to 2.4.
In SFL 2.3 it was possible to use the CML to validate a certification path
from a user certificate to a trusted certificate that was not self-signed.
This did not work with SFL 2.0.1.  However, with SFL 2.4 it does not work
either.  The problem would appear to be that the CML doesn't trust the CRL
that was also signed with the non-self-signed CA certificate, and because it
doesn't trust the CRL it reports the revocation status of the user
certificate as unconfirmed.

Can anyone comment on this please?

John Stark
Tel: +44 1223 566732
Mobile: +44 7968 110628
E-mail: jas@xxxxxxxxxxxx
Web: http://www.metanate.com
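The trust-anchor point in this thread, shown as an added example that is not CML or SFL code and comes from neither message: a constructed Go (standard library only) PKI in which the relying party's trust anchor is an intermediate CA certificate signed by a separate root, and the CRL is issued by that anchor. CheckRevocation with requireSelfSignedAnchor false accepts the CRL on the anchor's signature alone, which is what the original post expects; with it true it applies a hypothetical over-strict rule (not CML's actual code) that reproduces the "unconfirmed" symptom John describes. The names Fixture, BuildFixture, mkCert, CheckRevocation, VerifyPath, the subject names and the serial numbers are this example's own, and the certificates and CRL are generated in memory, not taken from any real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is what a path validator reports for one certificate.
type RevocationStatus int
const (
	StatusGood        RevocationStatus = iota // a trusted, current CRL does not list the serial
	StatusRevoked                             // a trusted, current CRL lists the serial
	StatusUnconfirmed                         // no trusted, current CRL could be used
)

// Fixture is constructed test data, not any real CA's material: Root (self-signed)
// -> Anchor (an intermediate CA configured as the trust anchor) -> Leaf, plus a CRL issued by Anchor.
type Fixture struct {
	Root, Anchor, Leaf *x509.Certificate
	CRL                []byte // DER, signed by Anchor
	Now                time.Time
}

// mkCert issues a certificate for cn under parent (self-signed when parent == nil); keyCertSign marks a CA.
func mkCert(serial int64, cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	isCA := ku&x509.KeyUsageCertSign != 0
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: ku}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func BuildFixture() *Fixture {
	now := time.Date(2004, time.July, 16, 15, 45, 0, 0, time.UTC)
	caKU := x509.KeyUsageCertSign | x509.KeyUsageCRLSign // CAs here sign both certs and CRLs
	root, rootKey := mkCert(1, "Example Root", caKU, nil, nil, now)
	anchor, anchorKey := mkCert(2, "Example Sub CA", caKU, root, rootKey, now)
	leaf, _ := mkCert(3, "user@example.test", x509.KeyUsageDigitalSignature, anchor, anchorKey, now)
	// The CRL is signed by the non-self-signed Anchor; it revokes serial 99, not Leaf.
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(99), RevocationTime: now}},
	}, anchor, anchorKey)
	if err != nil {
		panic(err)
	}
	return &Fixture{Root: root, Anchor: anchor, Leaf: leaf, CRL: crl, Now: now}
}

// CheckRevocation reports serial's status from a CRL that anchor is expected to have signed.
// requireSelfSignedAnchor false: the anchor is trusted because it is configured as one, so its
// signature on the CRL is enough. true: hypothetical over-strict rule (not CML's code) that
// reproduces the reported symptom, since a non-self-signed anchor then never yields a trusted CRL.
func CheckRevocation(anchor *x509.Certificate, crlDER []byte, serial *big.Int, now time.Time, requireSelfSignedAnchor bool) RevocationStatus {
	if requireSelfSignedAnchor && anchor.CheckSignatureFrom(anchor) != nil {
		return StatusUnconfirmed
	}
	rl, err := x509.ParseRevocationList(crlDER)
	// CheckSignatureFrom verifies the CRL with the anchor's own key and requires a CA carrying
	// the cRLSign usage; no self-signature is involved. A stale CRL is likewise no answer.
	if err != nil || rl.CheckSignatureFrom(anchor) != nil || now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return StatusUnconfirmed
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return StatusRevoked
		}
	}
	return StatusGood
}

// VerifyPath validates Leaf with Anchor as the sole trust anchor; Go's verifier does not require a pool entry to be self-signed.
func VerifyPath(f *Fixture) error {
	roots := x509.NewCertPool()
	roots.AddCert(f.Anchor)
	_, err := f.Leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: f.Now})
	return err
}

func main() {
	f := BuildFixture()
	fmt.Println("path:", VerifyPath(f), "correct:", CheckRevocation(f.Anchor, f.CRL, f.Leaf.SerialNumber, f.Now, false),
		"strict:", CheckRevocation(f.Anchor, f.CRL, f.Leaf.SerialNumber, f.Now, true))
}
```

The check a relying party needs is the one in the middle of CheckRevocation: the CRL signature is verified with the key of the configured anchor, and the anchor's own certificate is never asked to be self-signed. Only the over-strict rule behind requireSelfSignedAnchor turns a perfectly good CRL into "unconfirmed", which is the outcome a validator should reserve for a CRL it genuinely cannot verify or that is outside its thisUpdate/nextUpdate window.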