From: Daniel Kahn Gillmor
Subject: [Help-gnutls] Respecting the validity period of Root CA certificates [was: Re: Is gnutls using the shell model or the chain model for a certificate validation]
Date: Thu, 13 Nov 2008 10:26:46 -0500
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)

On Wed 2008-11-12 04:06:38 -0500, Simon Josefsson wrote:

> When trusting a CA certificate, I don't think the expiry date in that
> certificate matters -- you are only trusting that the public key
> corresponds to the CA.

On Thu 2008-11-13 02:11:59 -0500, Scott Schaeffner wrote:

>  Document rfc5280 "Internet X.509 Public Key Infrastructure
>  Certificate and Certificate Revocation List (CRL) Profile" explains
>  in section 6 the "Certification Path Validation".
>
>  Section 6.1.3. (a)(2) states that the timestamp of the
>  validation (system date) has to be within the validity period of all
>  certificates in the validation path.

The trusted root CA's certificate is the last (or first, depending on
your perspective) cert in the validation path.  It seems to me that
Scott's find suggests that the validity period of the root certificate
*is* relevant.

On Wed 2008-11-12 04:06:38 -0500, Simon Josefsson wrote:

> This is illustrated by older X.509 implementations that accepted
> trust CAs not encoded as certificates but just public keys and
> issuer name.  Nowadays I think everyone requires a proper X.509
> certificate even for the trusted CAs, to be able to validate
> various X.509 extension limitations.

I think that those older X.509 implementations were simply incomplete.
Now that we're requiring proper X.509 certificates for root
authorities, we should not ignore the additional semantic content in
those certificates.

   --dkg

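As an added illustration of the RFC 5280 step the thread argues over (this is not code from the thread, from GnuTLS or from any of the posters), the following Python applies the section 6.1.3 (a)(2) validity-period check to every certificate in a path at a chosen validation time and lets the caller decide whether the trust anchor's own certificate is included in that check. The certificate records, names and dates are constructed toy data; signature verification and the other path-validation steps are deliberately left out.

```python
"""Validity-period step of certification path validation, RFC 5280 6.1.3 (a)(2).

Added illustration, not GnuTLS code.  Certificates are constructed toy
records carrying only the fields this step needs; signature verification
(step (a)(1)), name constraints, policies and revocation are out of scope.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime  # inclusive, RFC 5280 4.1.2.5
    not_after: datetime   # inclusive


def is_valid_at(cert: Cert, when: datetime) -> bool:
    """True when `when` lies inside the certificate's validity period."""
    return cert.not_before <= when <= cert.not_after


def validate_path(trust_anchor: Cert, path: list, when: datetime,
                  check_anchor_validity: bool) -> tuple:
    """Walk `path` (ordered from the certificate issued by the trust anchor
    down to the end entity, as in RFC 5280 6.1.1) and apply step (a)(2)
    to every certificate in it.

    RFC 5280 6.1.1 hands the trust anchor to the algorithm as input (name
    and public key, optionally carried in a self-signed certificate) rather
    than as a member of the path, so the anchor's own notBefore/notAfter is
    checked here only when `check_anchor_validity` is True.  That switch is
    the difference between the two readings in the thread.
    Returns (ok, reason)."""
    expected_issuer = trust_anchor.subject
    for cert in path:
        # Name chaining: each certificate must be issued by the previous one.
        if cert.issuer != expected_issuer:
            return False, (f"{cert.subject}: issuer {cert.issuer!r} "
                           f"does not chain to {expected_issuer!r}")
        # Step (a)(2): the validation time must fall inside the validity period.
        if not is_valid_at(cert, when):
            return False, (f"{cert.subject}: outside validity period "
                           f"at {when.isoformat()}")
        expected_issuer = cert.subject
    if check_anchor_validity and not is_valid_at(trust_anchor, when):
        return False, (f"trust anchor {trust_anchor.subject}: outside "
                       f"validity period at {when.isoformat()}")
    return True, "path valid"


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample chain: the root expires before the certificates it signed.
ROOT = Cert("Example Root CA", "Example Root CA", _utc(2000, 1, 1), _utc(2010, 1, 1))
ISSUING = Cert("Example Issuing CA", "Example Root CA", _utc(2008, 1, 1), _utc(2018, 1, 1))
LEAF = Cert("www.example.test", "Example Issuing CA", _utc(2009, 1, 1), _utc(2011, 1, 1))
PATH = [ISSUING, LEAF]

# Three validation instants: everything valid; only the root expired; the leaf expired.
AT_2009 = _utc(2009, 6, 1)
AT_2010 = _utc(2010, 6, 1)
AT_2011 = _utc(2011, 6, 1)


def demo() -> dict:
    """Run the sample path under both readings at each instant."""
    results = {}
    for label, when in (("2009", AT_2009), ("2010", AT_2010), ("2011", AT_2011)):
        for anchor_checked in (False, True):
            key = (label, "anchor checked" if anchor_checked else "key only")
            results[key] = validate_path(ROOT, PATH, when, anchor_checked)
    return results


if __name__ == "__main__":
    for (label, reading), (ok, reason) in demo().items():
        print(f"{label} {reading:>14}: {'OK' if ok else 'FAIL'} - {reason}")
```

Running the script shows the only instant where the two readings disagree: in mid-2010 the issuing CA and the leaf are both inside their validity periods, so the path passes when only the root's key is trusted and fails only when the root certificate's own expiry is enforced; in 2011 the expired leaf fails under either reading.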