Index: b/src/crlcache.c
===================================================================
--- b/src/crlcache.c
+++ b/src/crlcache.c
@@ -2432,6 +2432,7 @@
 char *issuer = NULL;
 ksba_name_t distpoint = NULL;
 ksba_name_t issuername = NULL;
+ ksba_crl_reason_t reasons = 0;
 char *distpoint_uri = NULL;
 char *issuername_uri = NULL;
 int any_dist_point = 0;
@@ -2444,7 +2445,7 @@
 seq = 0;
 while ( !(err = ksba_cert_get_crl_dist_point (cert, seq++,
 &distpoint,
- &issuername, NULL )))
+ &issuername, &reasons )))
 {
 int name_seq;
 gpg_error_t last_err = 0;
@@ -2460,62 +2461,75 @@
 xfree (issuername_uri); issuername_uri = NULL;
- /* Get the URIs. We do this in a loop to iterate over all names
- in the crlDP. */
- for (name_seq=0; ksba_name_enum (distpoint, name_seq); name_seq++)
+ if (reasons != 0 && reasons != (KSBA_CRLREASON_UNSPECIFIED |
+ KSBA_CRLREASON_KEY_COMPROMISE | KSBA_CRLREASON_CA_COMPROMISE |
+ KSBA_CRLREASON_AFFILIATION_CHANGED | KSBA_CRLREASON_SUPERSEDED |
+ KSBA_CRLREASON_CESSATION_OF_OPERATION |
+ KSBA_CRLREASON_CERTIFICATE_HOLD |
+ KSBA_CRLREASON_PRIVILEGE_WITHDRAWN |
+ KSBA_CRLREASON_AA_COMPROMISE) )
 {
- xfree (distpoint_uri); distpoint_uri = NULL;
- distpoint_uri = ksba_name_get_uri (distpoint, name_seq);
- if (!distpoint_uri)
- continue;
-
- if (!strncmp (distpoint_uri, "ldap:", 5)
- || !strncmp (distpoint_uri, "ldaps:", 6))
- {
- if (opt.ignore_ldap_dp)
- continue;
- }
- else if (!strncmp (distpoint_uri, "http:", 5)
- || !strncmp (distpoint_uri, "https:", 6))
- {
- if (opt.ignore_http_dp)
- continue;
- }
- else
- continue; /* Skip unknown schemes. */
-
- any_dist_point = 1;
-
- if (opt.verbose)
- log_info ("fetching CRL from `%s'\n", distpoint_uri);
- err = crl_fetch (ctrl, distpoint_uri, &reader);
- if (err)
- {
- log_error (_("crl_fetch via DP failed: %s\n"),
- gpg_strerror (err));
- last_err = err;
- continue; /* with the next name. */
- }
- if (opt.verbose)
- log_info ("inserting CRL (reader %p)\n", reader);
- err = crl_cache_insert (ctrl, distpoint_uri, reader);
- if (err)
- {
- log_error (_("crl_cache_insert via DP failed: %s\n"),
- gpg_strerror (err));
- last_err = err;
- continue; /* with the next name. */
- }
- last_err = 0;
- break; /* Ready. */
+ log_info ("incomplete distribution point not supported\n");
+ /* Not supported; CRLs paritioned by reasons would require
+ database change and addressing of cached CRL by issuer AND
+ reasons or duplicate issuer keys. */
 }
- if (last_err)
+ else
 {
- err = last_err;
- goto leave;
- }
-
+ /* Get the URIs. We do this in a loop to iterate over all names
+ in the crlDP. */
+ for (name_seq=0; ksba_name_enum (distpoint, name_seq); name_seq++)
+ {
+ xfree (distpoint_uri); distpoint_uri = NULL;
+ distpoint_uri = ksba_name_get_uri (distpoint, name_seq);
+ if (!distpoint_uri)
+ continue;
+
+ if (!strncmp (distpoint_uri, "ldap:", 5)
+ || !strncmp (distpoint_uri, "ldaps:", 6))
+ {
+ if (opt.ignore_ldap_dp)
+ continue;
+ }
+ else if (!strncmp (distpoint_uri, "http:", 5)
+ || !strncmp (distpoint_uri, "https:", 6))
+ {
+ if (opt.ignore_http_dp)
+ continue;
+ }
+ else
+ continue; /* Skip unknown schemes. */
+
+ any_dist_point = 1;
+
+ if (opt.verbose)
+ log_info ("fetching CRL from `%s'\n", distpoint_uri);
+ err = crl_fetch (ctrl, distpoint_uri, &reader);
+ if (err)
+ {
+ log_error (_("crl_fetch via DP failed: %s\n"),
+ gpg_strerror (err));
+ last_err = err;
+ continue; /* with the next name. */
+ }
+
+ if (opt.verbose)
+ log_info ("inserting CRL (reader %p)\n", reader);
+ err = crl_cache_insert (ctrl, distpoint_uri, reader);
+ if (err)
+ {
+ log_error (_("crl_cache_insert via DP failed: %s\n"),
+ gpg_strerror (err));
+ last_err = err;
+ continue; /* with the next name. */
+ }
+ last_err = 0;
+ break; /* Ready. */
+ }
+ } /* This was complete DP */
+ err = last_err;
+
 ksba_name_release (distpoint); distpoint = NULL;
 /* We don't do anything with issuername_uri yet but we keep the
@@ -2523,6 +2537,9 @@
 issuername_uri = ksba_name_get_uri (issuername, 0);
 ksba_name_release (issuername); issuername = NULL;
+ if (!last_err && any_dist_point)
+ break; /* We have inserted new complete CRL sucessfully. Thats enough,
+ other DPs can't contain more comprehensive CRL. */
 }
 if (gpg_err_code (err) == GPG_ERR_EOF)
 err = 0;
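Review bot: Replacing `goto leave` with `err = last_err;` at the end of the if/else in this hunk loses a fetch failure: the `while` condition overwrites `err` on the next `ksba_cert_get_crl_dist_point` call, and once the enumeration ends the `GPG_ERR_EOF` is zeroed by the check in the last hunk, so a certificate whose only usable DP fails to fetch now appears to succeed as far as the visible lines show. The exit added in the last hunk, `if (!last_err && any_dist_point) break;`, compounds this because `any_dist_point` is set inside the name loop and never reset per DP while `last_err` is re-initialised to 0 at the top of the `while` body, so a failed DP followed by a skipped one (reasons-partitioned, or only unknown schemes) breaks out with `err == 0` although nothing was inserted. I would set `inserted = 1;` next to `last_err = 0; break;`, exit with `if (inserted) break;`, and carry the failure across iterations with `if (last_err) dp_err = last_err;` so that after the loop `if (!inserted && dp_err) err = dp_err;` restores the pre-patch behaviour of reporting the error. The enclosing function starts before and ends after this hunk, so the declarations for those two variables and the post-loop handling are outside the view. The new comments also misspell `paritioned` and `sucessfully`.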