In the X.509 CRL v2 format, why is there a requirement to duplicate the "AlgorithmIdentifier" fields?


After looking through the X.509 CRL baseline format version 2, I have some questions.

In each TBSCertList, why is the "signature" tag named "signature" when it is not the actual signature but rather only the algorithm identifier... and further, why is said algorithm identifier tag required when the actual signature is not present? See attached screenshot from the RFC showing this as so.

Also, why is the algorithm identifier required for each TBSCertList when the whole CertificateList is signed instead? And further, the RFC says that the "signatureAlgorithm" tag in CertificateList must exactly match the "signature" tag in TBSCertList - why is this so? Isn't this a bit redundant, or is there a specific reason?

[Screenshots from the RFC, not reproduced]


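Added example, not part of the question above and not taken from the RFC or any answer: a small pure-Python DER encoder and walker that builds a CRL inline, pulls out both AlgorithmIdentifiers, and applies the check RFC 5280 sections 5.1.1.2 and 5.1.2.2 require (CertificateList.signatureAlgorithm must equal TBSCertList.signature). It also shows why the inner copy matters: the signature covers exactly the tbsCertList bytes, which include the inner "signature" field, while the outer signatureAlgorithm sits outside the signed region, so the two CRLs built below with different outer fields have identical signed bytes. The CRL is constructed here (all-zero placeholder signature, made-up issuer name and dates), and build_crl, check_crl and signed_bytes are names chosen for this example.

```python
"""Extract and compare the two AlgorithmIdentifiers in an X.509 CRL (RFC 5280 s5.1).

Added example, not code from the question or the RFC. A tiny DER encoder
constructs the CRL inline (placeholder signature, made-up issuer and dates)
and a tiny DER walker reads it back; no external libraries are needed.
"""
import hashlib

SHA256_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption
SHA1_RSA = "1.2.840.113549.1.1.5"      # sha1WithRSAEncryption

# ---- minimal DER encoder ----------------------------------------------------
def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = [40 * parts[0] + parts[1]]
    for p in parts[2:]:                 # base-128, high bit = continuation
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def alg_id(dotted):
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    # The PKCS#1 RSA algorithms carry an explicit NULL parameter.
    return seq(oid(dotted), b"\x05\x00")

def build_crl(inner_alg, outer_alg):
    """CertificateList with the given TBSCertList.signature / signatureAlgorithm OIDs.

    Constructed data: the signature BIT STRING is all zeros, issuer and dates
    are made up. Different OIDs give a CRL that violates RFC 5280 s5.1.1.2.
    """
    tbs = seq(
        tlv(0x02, b"\x01"),                                   # version v2(1)
        alg_id(inner_alg),                                    # signature
        seq(tlv(0x31, seq(oid("2.5.4.3"),                     # issuer: CN=...
                          tlv(0x0C, b"Example CA")))),
        tlv(0x17, b"240101000000Z"),                          # thisUpdate
        tlv(0x17, b"240201000000Z"),                          # nextUpdate
    )                                                         # no revokedCertificates
    signature = tlv(0x03, b"\x00" + b"\x00" * 32)             # placeholder BIT STRING
    return seq(tbs, alg_id(outer_alg), signature)

# ---- minimal DER walker -----------------------------------------------------
def read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                    # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(payload):
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = read_tlv(payload, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    first = body[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    v = 0
    for x in body[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def signed_bytes(crl_der):
    """The exact bytes the CRL signature covers: the whole tbsCertList TLV."""
    _, body, _ = read_tlv(crl_der, 0)
    tbs_tag, tbs_val, _ = read_tlv(body, 0)
    return tlv(tbs_tag, tbs_val)

def check_crl(crl_der):
    """Return (inner_oid, outer_oid, match) for a CertificateList."""
    tag, body, _ = read_tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    (_, tbs), (_, outer_alg), _sig = children(body)
    fields = children(tbs)
    # version is OPTIONAL in TBSCertList; signature is the first SEQUENCE field
    inner_alg = fields[1][1] if fields[0][0] == 0x02 else fields[0][1]
    inner_oid = decode_oid(children(inner_alg)[0][1])
    outer_oid = decode_oid(children(outer_alg)[0][1])
    # Compare the full encoding (OID and parameters), the strict reading of "same".
    return inner_oid, outer_oid, inner_alg == outer_alg

if __name__ == "__main__":
    good = build_crl(SHA256_RSA, SHA256_RSA)
    tampered = build_crl(SHA256_RSA, SHA1_RSA)   # outer field changed, tbs untouched
    print(check_crl(good))       # ('1.2.840.113549.1.1.11', '1.2.840.113549.1.1.11', True)
    print(check_crl(tampered))   # ('1.2.840.113549.1.1.11', '1.2.840.113549.1.1.5', False)
    same = hashlib.sha256(signed_bytes(good)).digest() == \
        hashlib.sha256(signed_bytes(tampered)).digest()
    print(same)                  # True: the outer signatureAlgorithm is not signed
```

The last check is the practical point: a verifier that trusted only the outer signatureAlgorithm would be reading a field the issuer's signature never covered, whereas the inner copy is authenticated by the signature, and the equality rule lets the verifier reject a CRL whose outer field was altered in transit.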