(ITS#6466) certificateListValidate rejects valid X.509 CRLs (but not RFC-compliant)