Subject: issuerAltName, issuingDistributionPoint, certificateIssuer can't be added to a CRL
issuerAltName is valid (in some cases mandatory) in a CRL per RFC3280 ss 5.3.2:
"Issuer Alternative Name
   The issuer alternative names extension allows additional identities
   to be associated with the issuer of the CRL. Defined options include
   an rfc822 name (electronic mail address), a DNS name, an IP address,
   and a URI. Multiple instances of a name and multiple name forms may
   be included. Whenever such identities are used, the issuer
   alternative name extension MUST be used; however, a DNS name MAY be
   represented in the issuer field using the domainComponent attribute
   as described in section 4.1.2.4.
   The issuerAltName extension SHOULD NOT be marked critical."
(Note the MUST)
Although it would be ideal to be able to extract the issuerAltName from the signing certificate (previous bug report), it should be possible to add it to the CRL in any case.
issuingDistributionPoint (5.2.5) is "critical", but optional.
Crypt::OpenSSL::CA does not support these extensions.
Also, certificateIssuer (5.3.4) is an optional entry extension, which you document as "unimplemented". Why?
Support should be added.
Comments in the code indicate that the permitted CRL extensions are hard-coded due to an OpenSSL limitation ca. 0.9.8c, which is now ancient history. If these limitations have been removed, generalizing the CRL set_extension method to match the certificate's set_extension method would be a good thing, as other, private CRL extensions are permitted.
Thanks.
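For reference, the two CRL-level extensions the report asks for can be produced by the OpenSSL command-line tool itself, which is one way to check whether the limitation the code comments mention still exists in the installed OpenSSL. The script below is an added example, not part of the bug report and not code from Crypt::OpenSSL::CA: it builds a throwaway CA in a temporary directory, issues an empty CRL whose crl_extensions section sets a non-critical issuerAltName (RFC 3280 5.2.2) and a critical issuingDistributionPoint (5.2.5), verifies the CRL signature against the CA certificate and dumps the CRL in text form. The CA name, the ca.example.test URIs and the file names are invented for the example; it only needs the openssl binary. The certificateIssuer entry extension (5.3.4) is not added here, since it is set per revoked entry rather than at CRL level.

```shell
#!/bin/sh
# Added example (not from the original bug report or Crypt::OpenSSL::CA):
# create a throwaway CA with the openssl CLI and issue an empty CRL that
# carries issuerAltName and a critical issuingDistributionPoint, then print
# the CRL so the extensions can be inspected. CA name, URIs and file names
# are invented for the example. Requires the openssl binary.

crl_with_issuer_extensions() {
    work=$(mktemp -d) || return 1
    (
        set -e
        cd "$work"
        mkdir newcerts
        : > index.txt            # empty certificate database
        echo 1000 > serial
        echo 01 > crlnumber      # first CRL gets cRLNumber 1

        # Minimal openssl.cnf. [crl_ext] is what "openssl ca -gencrl" attaches
        # to the CRL; [idp] is referenced from issuingDistributionPoint.
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 30
policy           = policy_any
crl_extensions   = crl_ext

[ policy_any ]
commonName       = supplied

[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext

[ dn ]
CN = Demo CA

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ crl_ext ]
authorityKeyIdentifier   = keyid:always
# RFC 3280 5.2.2: issuerAltName SHOULD NOT be critical
issuerAltName            = URI:http://ca.example.test/
# RFC 3280 5.2.5: issuingDistributionPoint MUST be critical
issuingDistributionPoint = critical, @idp

[ idp ]
fullname = URI:http://ca.example.test/demo.crl
onlyuser = TRUE
EOF

        # Self-signed CA certificate with an unencrypted P-256 key.
        openssl req -new -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -keyout ca.key -out ca.pem -days 365 -config ca.cnf >/dev/null 2>&1

        # Issue the (empty) CRL; the extensions come from crl_extensions above.
        openssl ca -gencrl -config ca.cnf -out demo.crl >/dev/null 2>&1

        # Verify the CRL signature against the CA, then dump it in text form.
        openssl crl -in demo.crl -CAfile ca.pem -noout >/dev/null 2>&1
        openssl crl -in demo.crl -noout -text
    )
    status=$?
    rm -rf "$work"
    return $status
}

crl_with_issuer_extensions
```

In the text dump, "X509v3 Issuer Alternative Name" should appear without the critical flag and "X509v3 Issuing Distribution Point: critical" with it, followed by the full name URI and "Only User Certificates" from the onlyuser flag. If the installed OpenSSL accepts this configuration, the hard-coded whitelist in the Perl binding is the remaining obstacle, not the library.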