Add a TODO (and create associated issue) to cross-validate the CRLSignerCertificate and CRLSignerDelegator per spec:
. If a matching `RevocationSet` is found, determine if `serialNumber` is a member of the set.
.. If the entity type whose revocation status is being verified is a PAI, then the subject PAI's issuer (a PAA) SHALL fulfill one of the following two cases, otherwise return immediately:
... The Subject and Subject Key of the PAI certificate's issuer matches exactly the CRLSignerCertificate's subject (i.e. the CRLSignerCertificate is a PAA).
... The Subject and Subject Key of the PAI certificate's issuer matches exactly the PAA which is the issuer of the CRLSignerCertificate (i.e. the CRLSignerCertificate is a CRL signer delegated by a PAA).
.. If the entity type whose revocation status is being verified is a DAC, then:
... If the `CRLSignerDelegator` is present, then the subject DAC's issuer (a PAI) SHALL match the `CRLSignerDelegator` in both Subject Key and Subject, otherwise return immediately.
... If the `CRLSignerDelegator` is absent, then the subject DAC's issuer (a PAI) SHALL match the `CRLSignerCertificate` in both Subject Key and Subject, otherwise return immediately.
Those checks are not currently done, and MUST be done later once this is supported in revocation set construction.
Originally posted by @tcarmelveilleux in #33651 (comment)
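
The cross-validation quoted above, sketched as an added example (not code from the project or from the original comment). All type and function names are hypothetical, certificates are reduced to the Subject and Subject Key pair the checks compare, and `crlSignerIssuer` assumes the identity of the CRLSignerCertificate's issuer is available when the revocation set is built.

```cpp
#include <iostream>
#include <optional>
#include <set>
#include <string>

// Hypothetical, simplified model: only the fields the quoted checks compare.
struct CertId {
    std::string subject;      // Subject DN
    std::string subjectKeyId; // Subject Key Identifier
    bool operator==(const CertId & o) const { return subject == o.subject && subjectKeyId == o.subjectKeyId; }
};

enum class EntityType { kPAI, kDAC };

struct RevocationSet {
    CertId crlSigner;                         // Subject / Subject Key of the CRLSignerCertificate
    CertId crlSignerIssuer;                   // assumption: Subject / Subject Key of the CRLSignerCertificate's issuer
    std::optional<CertId> crlSignerDelegator; // present only when CRL signing was delegated
    std::set<std::string> revokedSerials;
};

// True when the signer behind `rs` may speak for certificates issued by `subjectIssuer`.
bool SignerMatchesIssuer(EntityType type, const CertId & subjectIssuer, const RevocationSet & rs)
{
    if (type == EntityType::kPAI) {
        // The PAI's issuer (a PAA) is the CRL signer itself, or the PAA that issued the CRL signer.
        return subjectIssuer == rs.crlSigner || subjectIssuer == rs.crlSignerIssuer;
    }
    // DAC: the issuer (a PAI) must match the delegator when present, else the CRL signer.
    return subjectIssuer == (rs.crlSignerDelegator ? *rs.crlSignerDelegator : rs.crlSigner);
}

// Serial membership only counts once the cross-validation passes ("otherwise return immediately").
bool IsRevoked(EntityType type, const CertId & subjectIssuer, const std::string & serial, const RevocationSet & rs)
{
    if (!SignerMatchesIssuer(type, subjectIssuer, rs)) return false;
    return rs.revokedSerials.count(serial) > 0;
}

int main()
{
    // Constructed sample identities, not real certificates.
    CertId pai{ "CN=PAI A", "bb01" }, otherPai{ "CN=PAI B", "bb02" }, delegate{ "CN=CRL Signer", "cc01" };
    RevocationSet rs{ delegate, pai, pai, { "1234" } }; // CRL signer delegated by PAI A
    std::cout << IsRevoked(EntityType::kDAC, pai, "1234", rs)       // DAC issued by PAI A: set applies
              << IsRevoked(EntityType::kDAC, otherPai, "1234", rs)  // same serial under PAI B: set ignored
              << "\n";
    return 0;
}
```

Without the issuer check, a serial number listed by one PAI's CRL signer would also be treated as revoked for a DAC issued by a different PAI that happens to use the same serial.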