Scott Schaeffner <[EMAIL PROTECTED]> writes:

> I meanwhile found a reference that uses the shell model validation without 
> naming it explicitly as shell model.
> Document rfc5280 "Internet X.509 Public Key Infrastructure Certificate and 
> Certificate Revocation List (CRL) Profile" explains in section 6 the 
> "Certification Path Validation".
>
> Section 6.1.3. (a)(2) states that the timestamp of the validation (system 
> date) has to be within the validity period of all certificates in the 
> validation path.
>
> It uses the validation method that was named "shell model" in the referenced 
> presentation. Currently I do not have any references concerning the "chain" 
> validation model, however as the presentation was made by the 
> Bundesnetzagentur which is a state agency in Germany, I guess it is used.
>
> The general question for us was which validation model shall we use for our 
> implementation. We will go for the shell model that is also used in the 
> rfc5280.

I think using the RFC 5280 algorithm won't be a bad choice.  At least
you can point at the RFC authors when someone discovers a logical flaw
in it. ;)

/Simon
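
Added example, not part of the original thread and not GnuTLS code: the two validity checks discussed above, run over a constructed path whose intermediate CA expires before the leaf does. The struct, function names and day-number times are hypothetical, and the chain model rule used here (each CA certificate valid when it issued the next one) is an assumption, since the thread gives no reference for it.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Constructed model of one certificate's times; not a GnuTLS type. */
struct cert_times {
    time_t not_before, not_after;
    time_t issued_at;            /* when the issuer signed this certificate */
};

/* Constructed path, times in abstract days: intermediate CA, then leaf.
 * The intermediate expires (day 500) while the leaf is still valid. */
static const struct cert_times sample_path[] = {
    { 100, 500, 100 },           /* intermediate CA, issued by trust anchor */
    { 400, 800, 400 },           /* end-entity certificate */
};
#define SAMPLE_LEN (sizeof sample_path / sizeof sample_path[0])

static int within(const struct cert_times *c, time_t t)
{
    return t >= c->not_before && t <= c->not_after;
}

/* Shell model, RFC 5280 6.1.3 (a)(2): all certificates valid at time t. */
int shell_model_ok(const struct cert_times *p, size_t n, time_t t)
{
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (!within(&p[i], t)) return 0;
    return 1;
}

/* Chain model (assumed definition): each CA certificate was valid when it
 * issued the next one, and the leaf is valid at time t. */
int chain_model_ok(const struct cert_times *p, size_t n, time_t t)
{
    if (n == 0) return 0;
    for (size_t i = 0; i + 1 < n; i++)
        if (!within(&p[i], p[i + 1].issued_at)) return 0;
    return within(&p[n - 1], t);
}

int main(void)
{
    for (time_t t = 450; t <= 900; t += 150)   /* days 450, 600, 750, 900 */
        printf("day %ld: shell=%d chain=%d\n", (long)t,
               shell_model_ok(sample_path, SAMPLE_LEN, t),
               chain_model_ok(sample_path, SAMPLE_LEN, t));
    return 0;
}
```

Between day 501 and day 800 the two models disagree on this path: the shell model rejects it because the intermediate has expired, while the chain model still accepts it.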


_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
