Jean-Marc Desperrier wrote:

Currently the defined maximum for NSS is *infinite*.
If there's any crl available for checking, however old, the check will *never* return crl outdated. This is not configurable.


This in my opinion makes the CRL checking in NSS ineffective.
When the NSS check says "check OK", a user that wants to know if all CRLs used in the check were really up to date needs to reimplement almost the whole certificate chain verification to do that.


This was recognised as a problem in bugzilla.
And probably there's nobody available to correct that.
But I can't get the logic of saying "it's not a problem".

Indeed, this is bugzilla 233806. And while today is my last day at AOL, I will still be working on NSS at Sun from tomorrow. I can't say what the priority of this bug will be over there, but I can tell you that there is a good chance this bug will get fixed, inside or outside my job responsibilities.
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto