Check CRLs also for manifests
There is a chicken-egg here since manifests reference the CRL themselves.
We may also have two CRLs available, in which case we check against the
one with the newer thisUpdate time.
The RFC situation is a bit of a mess with abundant complexity, unclear
recommendations and requirements and draft specs that also need to be
considered. This is a first version that works with future improvements
to be landed later.
Joint work with claudio, prompted by a question by job
ok claudio job
projects / openbsd / commit