S/MIME certificates with LDAP-only CRL uri

Werner Koch wk at gnupg.org
Mon Feb 27 17:42:02 CET 2023


Hi!

I spent some time looking into this.  The CRL is issued by a certificate

  CN=dgnservice CRL2101 13:PN,O=DGN Deutsches Gesundheitsnetz Service GmbH,C=DE

However that certificate is not available:  I only found the previous one:

  ldapsearch -H ldap://ldap.dgnservice.de:389 -b 'O=DGN Deutsches Gesundheitsnetz Service GmbH,C=DE' -x -v -LLL "CN=dgnservice CRL2101 12:PN"

without the certificate we can't verify the CRL.  Switching to OCSP does
also not work due to a missing certificate.

We have seen this problem already last year; see
https://dev.gnupg.org/rG90caa7ad598be123707f4d4651f9a64a74347626

Alexander: Maybe you can to ask DGN why they don't distribute that cert
but announce it in the CRL.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20230227/bd205e67/attachment.sig>


More information about the Gnupg-users mailing list