--On May 11, 2006 1:23:45 PM -0500 Paul Nelson <email@hidden> wrote:
> I need to determine that a certificate is valid and has not been revoked.
> No matter what settings I make in the Keychain preferences, I never see
> any attempt by the Mac to verify that the certificate has not been
> revoked. I am tracing network activity, and expect the Mac to use OCSP
> or CRL to check the certificate.
A Mac will (attempt to) fetch a CRL or engage in OCSP only if the
certificate contains suitable extensions pointing at the respective
servers. You also need to turn on the preference in Keychain Access (or
explicitly ask for revocation policies when calling the SecTrust API). And
both CRLs and OCSP responses are cached. So in order to see a network
transaction, you need all of
- the certificate has the necessary extension
- the preference is turned on
- there is no cached CRL or OCSP response available
- the network configuration allows access to the server
Cheers
-- perry
---------------------------------------------------------------------------
Perry The Cynic email@hidden
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
---------------------------------------------------------------------------
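The first of the four conditions above is the one you can check on the certificate itself. As an added example (not code from the thread or from Apple), the following standard-library DER walker takes the contents of a certificate's Extensions SEQUENCE and reports the CRL Distribution Point and OCSP responder URLs it advertises; the sample extension blocks at the bottom are constructed inline, with hypothetical example.test hosts.

```python
CRL_DP_OID = bytes.fromhex("551d1f")                 # 2.5.29.31 cRLDistributionPoints
AIA_OID = bytes.fromhex("2b06010505070101")          # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OCSP_METHOD_OID = bytes.fromhex("2b06010505073001")  # 1.3.6.1.5.5.7.48.1 id-ad-ocsp

def tlvs(data):  # yield (tag, value) for each DER TLV at the top level of data
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                                # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + ln]
        i += ln

def uris_in(data):  # every [6] uniformResourceIdentifier GeneralName, at any depth
    found = []
    for tag, value in tlvs(data):
        if tag == 0x86:
            found.append(value.decode("ascii"))
        elif tag & 0x20:                             # constructed: descend
            found.extend(uris_in(value))
    return found

def revocation_pointers(extensions_der):
    """Map the contents of an X.509 Extensions SEQUENCE to the CRL and OCSP URLs it names."""
    out = {"crl": [], "ocsp": []}
    for _, ext in tlvs(extensions_der):              # Extension {id, [critical], value}
        fields = list(tlvs(ext))
        oid, value = fields[0][1], fields[-1][1]     # extnValue OCTET STRING contents
        if oid == CRL_DP_OID:
            out["crl"].extend(uris_in(value))
        elif oid == AIA_OID:
            for _, aia in tlvs(value):
                for _, access in tlvs(aia):          # AccessDescription {method, location}
                    (_, method), (tag, loc) = tlvs(access)
                    if method == OCSP_METHOD_OID and tag == 0x86:
                        out["ocsp"].append(loc.decode("ascii"))
    return out

# --- constructed sample data; example.test hosts are hypothetical ---
def der(tag, body):  # encode one DER TLV (short or two-byte long form suffices here)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + body
def ext(oid, inner, critical=b""):
    return der(0x30, der(0x06, oid) + critical + der(0x04, inner))
CRL_URL, OCSP_URL = "http://crl.example.test/ca.crl", "http://ocsp.example.test"
dist_point = der(0x30, der(0xA0, der(0xA0, der(0x86, CRL_URL.encode()))))
access_desc = der(0x30, der(0x06, OCSP_METHOD_OID) + der(0x86, OCSP_URL.encode()))
WITH_POINTERS = ext(CRL_DP_OID, der(0x30, dist_point)) + ext(AIA_OID, der(0x30, access_desc))
KEY_USAGE_ONLY = ext(bytes.fromhex("551d0f"), der(0x03, b"\x05\xa0"), der(0x01, b"\xff"))
```

A certificate whose result is empty for both keys will never trigger a CRL or OCSP fetch, whatever the Keychain preference is set to.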