Re: X509_verify_cert(): verify with time and CRL

2004-10-07 Thread Goetz Babin-Ebell
Hello Steve, Dr. Stephen Henson wrote: On Wed, Sep 15, 2004, Goetz Babin-Ebell wrote: Dr. Stephen Henson wrote: On Tue, Sep 14, 2004, Goetz Babin-Ebell wrote: I still would propose the following logic: a) CRL is valid (regarding issuance time) if thisUpdate = checkTime and thisUpdate = now. b)

Re: X509_verify_cert(): verify with time and CRL

2004-09-16 Thread Peter Sylvester
The following point is unclear to me: a) CRL is valid (regarding issuance time) if thisUpdate = checkTime and thisUpdate = now. As far as I understand, the X509 and 3280 validation algorithms only have ONE point in time, which is considered either as 'now' or 'time to check' according you

Re: X509_verify_cert(): verify with time and CRL

2004-09-16 Thread Dr. Stephen Henson
On Thu, Sep 16, 2004, Goetz Babin-Ebell wrote: Hi Steve, Dr. Stephen Henson wrote: On Wed, Sep 15, 2004, Goetz Babin-Ebell wrote: Would something like the attached patch be acceptable ? (please ignore version info in the diff) This patch also adds checking of the revocation time

Re: X509_verify_cert(): verify with time and CRL

2004-09-15 Thread Goetz Babin-Ebell
Hi Steve, Dr. Stephen Henson wrote: On Tue, Sep 14, 2004, Goetz Babin-Ebell wrote: I still would propose the following logic: a) CRL is valid (regarding issuance time) if thisUpdate = checkTime and thisUpdate = now. b) CRL is considered to be able to deliver revocation information if

Re: X509_verify_cert(): verify with time and CRL

2004-09-15 Thread Dr. Stephen Henson
On Wed, Sep 15, 2004, Goetz Babin-Ebell wrote: Hi Steve, Dr. Stephen Henson wrote: On Tue, Sep 14, 2004, Goetz Babin-Ebell wrote: I still would propose the following logic: a) CRL is valid (regarding issuance time) if thisUpdate = checkTime and thisUpdate = now. b) CRL is considered

Re: X509_verify_cert(): verify with time and CRL

2004-09-14 Thread Goetz Babin-Ebell
Hi Steve, Dr. Stephen Henson wrote: On Mon, Sep 13, 2004, Goetz Babin-Ebell wrote: there might be a problem in X509_verify_cert() (at least 0.9.7d): if you set a verification time and the CRL was not yet valid at this time, the error X509_V_ERR_CRL_NOT_YET_VALID will be generated. (see check_crl()

X509_verify_cert(): verify with time and CRL

2004-09-13 Thread Goetz Babin-Ebell
Hello folks, there might be a problem in X509_verify_cert() (at least 0.9.7d): if you set a verification time and the CRL was not yet valid at this time, the error X509_V_ERR_CRL_NOT_YET_VALID will be generated. (see check_crl() in x509_verify.c) It seems to me that a logic like: If check_time (and

Re: X509_verify_cert(): verify with time and CRL

2004-09-13 Thread Dr. Stephen Henson
On Mon, Sep 13, 2004, Goetz Babin-Ebell wrote: Hello folks, there might be a problem in X509_verify_cert() (at least 0.9.7d): if you set a verification time and the CRL was not yet valid at this time, the error X509_V_ERR_CRL_NOT_YET_VALID will be generated. (see check_crl() in