Hi,

Just FYI. A certificate number 0x0123 was issued to portal/wk-pc1.dl.ac.uk in 2003 and revoked because the email address was not correct.

As Robert discovered during the GridPP meeting, there is some buggy code that checks the CA against its own CRL (tut, tut) and as the CA happens to have serial 0x0123 (but issued by a completely different CA, of course), the code erroneously thought the UK CA had been revoked!

So Suleman unrevoked the 0x0123 (which we'd only do because it's long dead, it actually still should be revoked) but was loath to push out a new and strange CRL on a Friday afternoon (as it was then). Because he used one of my scripts which also happens to add an extension (if you remember, to debug yet another bug in software relying on certificates. Why can't people just use the standard libraries that have actually been written by mostly sane people and tested!?) I forgot to publish it yesterday, so published it this morning. It has 0x0123 unrevoked, and an extension.

We should probably have CRL extensions permanently; I don't think anyone is using older versions of Netscape any more, but you never know.

We *could* also remove expired certificates from the CRL; they would not matter for authentication, only for people resurrecting expired certificates (e.g. through CertWizard) and for signature checking (you don't trust a digital signature made after the expiry date.)

Cheers
--jens

--
Dr Jens Jensen
Mad Scientist, Scientific Computing Department, STFC (www.stfc.ac.uk)
Rutherford Appleton Laboratory, Harwell Oxford Campus, OX11 0QX, UK
T/F +44(0)1235 446104/5945
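
The serial-number collision described in the message, as an added example that is not part of the original e-mail or of any software it mentions. It is a simplified model (no signature or freshness checks), and every name, subject and the second serial number are constructed; only the colliding serial 0x0123 comes from the message.

```python
from dataclasses import dataclass

# Constructed names and serials for illustration; a simplified model, not real X.509.
ROOT, ISSUING = "CN=Constructed Root CA", "CN=Constructed Issuing CA"

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked_serials: frozenset

def buggy_is_revoked(cert, crl):
    # The bug: serial numbers are only unique per issuer, but the issuer is ignored.
    return cert.serial in crl.revoked_serials

def is_revoked(cert, crl):
    # A CRL only speaks for certificates issued by the CRL's own issuer.
    if cert.issuer != crl.issuer:
        raise ValueError(f"CRL from {crl.issuer!r} does not cover {cert.subject!r}")
    return cert.serial in crl.revoked_serials

def first_revoked(chain, crls_by_issuer):
    """Return the first revoked cert in chain (end entity first), else None."""
    for cert in chain:
        crl = crls_by_issuer.get(cert.issuer)
        if crl is None:
            raise LookupError(f"no CRL available from {cert.issuer!r}")
        if is_revoked(cert, crl):
            return cert
    return None

# The CA certificate and a revoked host certificate share serial 0x0123.
ca_cert = Cert(ISSUING, ROOT, 0x0123)
host_cert = Cert("CN=constructed-host", ISSUING, 0x0123)
user_cert = Cert("CN=constructed-user", ISSUING, 0x0456)
CRLS = {ROOT: CRL(ROOT, frozenset()), ISSUING: CRL(ISSUING, frozenset({0x0123}))}

if __name__ == "__main__":
    print("buggy check on CA cert:", buggy_is_revoked(ca_cert, CRLS[ISSUING]))
    print("user chain:", first_revoked([user_cert, ca_cert], CRLS))
    print("host chain:", first_revoked([host_cert, ca_cert], CRLS))
```

With the issuer match in place the revoked host certificate is still caught, while the CA certificate is looked up only in the CRL of the CA that issued it.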