Hello Thomas,

I'm not sure. "thisUpdate" for CRLs is not the same as "notBefore" for certificates. In my opinion "thisUpdate" should be the date the CRL was released and if this date lies in the future then probably the NTP time synchronisation went wrong. If we know that a given certificate is going to be revoked in 10 minutes' time then we should heed this advice. This is why I omitted a "thisUpdate" check on purpose since the "thisUpdate" date is merely informational and should only help in selecting the most recent CRL if a version 2 crlNumber is not available.

Kind Regards

Andreas

On 05.03.2012 18:40, Thomas Egerer wrote:
> ---
> Hello *,
>
> shouldn't CRLs with a validity starting date in the future, be
> revoked?
>
> Cheers,
>
> Thomas
>
> src/libstrongswan/plugins/openssl/openssl_crl.c | 2 +-
> src/libstrongswan/plugins/x509/x509_crl.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)

======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
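The policy described in the reply above, as an added example that is not strongSwan code and not part of the original thread: freshness depends only on nextUpdate, a future thisUpdate is treated as a clock-skew hint, and thisUpdate is used to pick the most recent CRL only when crlNumber is unavailable. The struct and function names are hypothetical, and crlNumber is simplified to 64 bits as an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical, simplified view of a parsed CRL (not a strongSwan type). */
struct crl_info {
    time_t this_update;   /* thisUpdate: when the CRL was issued */
    time_t next_update;   /* nextUpdate: when a newer CRL is due */
    bool has_crl_number;  /* version 2 crlNumber extension present? */
    uint64_t crl_number;  /* assumption: value fits in 64 bits */
};

/* A CRL is stale once nextUpdate has passed. thisUpdate is deliberately
 * not compared with "now", so a future value does not cause rejection. */
bool crl_is_fresh(const struct crl_info *crl, time_t now)
{
    return now <= crl->next_update;
}

/* thisUpdate ahead of the local clock hints at broken time
 * synchronisation; callers can log this instead of rejecting. */
bool crl_suggests_clock_skew(const struct crl_info *crl, time_t now)
{
    return crl->this_update > now;
}

/* True if candidate should replace current: compare crlNumber when both
 * CRLs carry one, otherwise fall back to thisUpdate. */
bool crl_is_newer(const struct crl_info *candidate,
                  const struct crl_info *current)
{
    if (candidate->has_crl_number && current->has_crl_number)
        return candidate->crl_number > current->crl_number;
    return candidate->this_update > current->this_update;
}

int main(void)
{
    /* Constructed sample values; times are plain seconds for clarity. */
    struct crl_info cached = { 2000, 3000, true, 5 };
    struct crl_info fetched = { 1000, 2500, true, 7 };
    time_t now = 1500;

    printf("cached fresh=%d skew_hint=%d fetched_newer=%d\n",
           crl_is_fresh(&cached, now), crl_suggests_clock_skew(&cached, now),
           crl_is_newer(&fetched, &cached));
    return 0;
}
```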
