Does anyone have experience with using OS X [10.6.5] for validating
certificates with CRL locations defined with either the first or only location
in an LDAP format that has the host omitted?
These URLs are in the format with the three “/” marks, for example: ldap:///o=University of Michigan,c=US
Per RFC 4516 these are OK to use but the client must have
prior knowledge of the appropriate LDAP server.
In testing on 10.6.5, with CRL revocation checking set to required,
I have found that when Keychain Access is set to evaluate
certificates that have such LDAP-formatted CRL locations as the first or only
location, the evaluation crashes the entire Keychain Access application. I'm thinking this can cause issues with machines that deal with Active Directory, which is often configured with that preferred LDAP format in the CRL location fields of certificates.
I know the crash is a bug, and I have reported it, but does
anyone know if there is something that can be done to give OS X a clue on how
to handle these “ldap:///” formatted CRL listings? Is there something that can be done to give it knowledge of the LDAP server to assist in evaluation and perhaps avoid the crash?