CRL checking (incorrect state input) Extract from: draft-ietf-pkix-rfc3280bis-01.txt : « This algorithm assumes that all of the needed CRLs are available in a local cache. « This algorithm begins by assuming the certificate is not revoked. The algorithm checks one or more CRLs until either the certificate status is determined to be revoked […] ». The current text is incorrect : “If the revocation status remains undetermined, then return the cert_status UNDETERMINED”. In practice all the needed CRLs may not be in the cache, so the algorithm should start (and finish) with « UNDETERMINED ». |