No, the CA certificate does _not_ give a CRL distribution point (the root CA does so it could revoke the intermediate CA if need be). Basically, should option (3) mean "require a CA's CRL, if it exists, to always be present" or "require a CRL for all CAs, even if they don't produce one". I think OCSP support is a different question. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/716#issuecomment-443797991 ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1