To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=83905

Issue #|83905
Summary|certificate shown as valid without checking the certificate chain
Component|framework
Version|680m237
Platform|All
URL|
OS/Version|Unix, X11
Status|NEW
Status whiteboard|
Keywords|
Resolution|
Issue type|DEFECT
Priority|P3
Subcomponent|code
Assigned to|tkr
Reported by|jl
------- Additional comments from [EMAIL PROTECTED] Fri Nov 23 14:37:01 +0000 2007 -------

SecurityEnvironment_NssImpl::verifyCertificate (xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx) produces detailed error codes if the verification of a certificate fails. In particular it uses the logging capability of CERT_VerifyCertificates in order to find out what exact error occurred. It uses these errors:

SEC_ERROR_REVOKED_CERTIFICATE
SEC_ERROR_EXPIRED_CERTIFICATE
SEC_ERROR_CERT_USAGES_INVALID
SEC_ERROR_UNTRUSTED_ISSUER
SEC_ERROR_UNTRUSTED_ISSUER

CERT_VerifyCertificates DOES NOT document in any way what happens if one of these errors occurs. This is an implementation detail. Currently, the function immediately returns when the certificate has expired. No further checking is done. Even if the certificate was revoked, its root certificate is invalid (chain checking), or it is not trusted, the user is only shown that it is expired. The user may decide that an expired certificate is not too bad and use it. He / she does not know that it may be TOTALLY BAD. So users may be led into using an "eval" certificate. Because of the current implementation we should only return the information valid or not valid.

---------------------------------------------------------------------
Please do not reply to this automatically generated notification from Issue Tracker. Please log onto the website and enter your comments.
http://qa.openoffice.org/issue_handling/project_issues.html#notification
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
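The early-return behaviour the comment describes, beside the aggregate valid / not valid check it argues for, as an added example that is not OpenOffice.org or NSS code. The log structure is a simplified stand-in for an NSS CERTVerifyLog, the enum values are placeholders rather than the secerr.h constants, and the sample log is constructed for the example; only the error names come from the issue text.

```cpp
// Added example, not code from OpenOffice.org or NSS: it models the two
// reporting strategies the issue contrasts. The verification log below is a
// simplified stand-in for an NSS CERTVerifyLog (assumption: one entry per
// failed check, tagged with the chain depth at which it was found).
#include <set>
#include <string>
#include <vector>

// Names taken from the NSS constants the issue lists. The numeric values are
// placeholders for this example, not the values defined in NSS secerr.h.
enum CertError {
    NO_ERROR_RECORDED = 0,
    SEC_ERROR_REVOKED_CERTIFICATE,
    SEC_ERROR_EXPIRED_CERTIFICATE,
    SEC_ERROR_CERT_USAGES_INVALID,
    SEC_ERROR_UNTRUSTED_ISSUER
};

struct VerifyLogEntry {
    int depth;          // 0 = end-entity certificate, higher = closer to the root
    CertError error;    // the check that failed for that chain element
};

using VerifyLog = std::vector<VerifyLogEntry>;

struct VerifyResult {
    bool valid;                   // the only verdict the UI should surface
    std::set<CertError> errors;   // every distinct failure across the whole chain
};

// The behaviour the issue describes: stop at the first recognised error and
// report only that one. If the expired end-entity certificate is logged first,
// a revoked certificate or an untrusted issuer later in the log is never seen.
CertError firstErrorOnly(const VerifyLog& log) {
    for (const VerifyLogEntry& e : log) {
        switch (e.error) {
        case SEC_ERROR_REVOKED_CERTIFICATE:
        case SEC_ERROR_EXPIRED_CERTIFICATE:
        case SEC_ERROR_CERT_USAGES_INVALID:
        case SEC_ERROR_UNTRUSTED_ISSUER:
            return e.error;       // early return: remaining entries are ignored
        default:
            break;
        }
    }
    return NO_ERROR_RECORDED;
}

// The alternative the comment asks for: walk the entire log, collect every
// failure, and reduce the outcome to a single valid / not valid verdict.
// A chain is valid only if no element at any depth logged an error.
VerifyResult verifyFromLog(const VerifyLog& log) {
    VerifyResult result;
    result.valid = true;
    for (const VerifyLogEntry& e : log) {
        if (e.error != NO_ERROR_RECORDED) {
            result.valid = false;
            result.errors.insert(e.error);
        }
    }
    return result;
}

// Human-readable summary for a dialog or log line; deliberately does not
// single out one error as "the" reason.
std::string describe(const VerifyResult& r) {
    if (r.valid) {
        return "certificate chain valid";
    }
    return "certificate chain NOT valid (" +
           std::to_string(r.errors.size()) + " distinct error(s))";
}

// Constructed sample log (not captured from NSS): an end-entity certificate that
// is both expired and revoked, chained to an issuer that is not trusted.
VerifyLog sampleLog() {
    return VerifyLog{
        {0, SEC_ERROR_EXPIRED_CERTIFICATE},
        {0, SEC_ERROR_REVOKED_CERTIFICATE},
        {2, SEC_ERROR_UNTRUSTED_ISSUER}
    };
}
```

On the sample log, firstErrorOnly returns only SEC_ERROR_EXPIRED_CERTIFICATE, which is the message the user would see; verifyFromLog reports the chain as not valid and records all three failures. The point is that the verdict must be computed from the whole log, not from whichever entry happens to be encountered first.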
