[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cert considered invalid when intermediate is expired

From: James Cloos
Subject: Re: cert considered invalid when intermediate is expired
Date: Sun, 28 Oct 2012 08:57:07 -0400
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.2.50 (gnu/linux)

>>>>> "NM" == Nikos Mavrogiannopoulos <address@hidden> writes:

NM> If the intermediate certificate is expired why would you consider it
NM> valid? You may ignore expiration failures if your application doesn't
NM> care, but gnutls cannot ignore them.

The presumption people normally make is that the validity period of a
cert specifies when it can sign, not when it can verify.

If the cert was valid when the signature was made, validation is expected
to continue to work for the lifetime of the signed cert.

As an example, one might want to issue signing certs to one's employees
which are valid for one shift but used to sign documents which are valid
for several years.  This ensures that were a signing cert compromised,
there would be a very small window of opportunity and a small number of
DoSed victims (ie, who have to come back for a fresh sig because the
compromised signing cert was revoked).

Obviously the ability to overtly revoke certs helps the above use case

The thought process is that only the ee cert is being *used*; the rest
of the chain were used when they made thier sigs and are now just verifying.

The specs very well may say otherwise, that the validity period specifies
when verification is permitted.  But that is not the typical expectation.

James Cloos <address@hidden>         OpenPGP: 1024D/ED7DAEA6

reply via email to

[Prev in Thread] Current Thread [Next in Thread]