On Wed, Sep 15, 2004, Goetz Babin-Ebell wrote:

> Hi Steve,
>
> Dr. Stephen Henson wrote:
> >On Tue, Sep 14, 2004, Goetz Babin-Ebell wrote:
> >
> >>I still would propose the following logic:
> >>a) CRL is valid (regarding issuance time)
> >>   if thisUpdate >= checkTime and thisUpdate <= now.
> >>b) CRL is considered to be able to deliver revocation
> >>   information if thisUpdate <= notAfter from the certificate
> >>   (because after that time the certificate
> >>   might be removed from the CRL).
> >
> >That could certainly be added as a verify flag but I'm a bit wary of doing
> >that by default.
>
> Would something like the attached patch be acceptable?
> (please ignore version info in the diff)
>
> This patch also adds checking of the revocation time against the checkTime
>
I'm not sure about that last bit and timezones. Although RFC3280 et al prohibit CAs from using timezones, it's not clear whether an implementation has to process them correctly. The current code does, by virtue of the way it can add and subtract timezone offsets from the check time. However, something better would be needed to compare two ASN1_TIME structures.

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
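Steve's caveat, that comparing two encoded times correctly needs the timezone offset folded in rather than compared as strings, and Goetz's two rules (a) and (b), worked through as an added example. This is not OpenSSL code and not the patch under discussion: it parses UTCTime and GeneralizedTime strings (with "Z" or a "+hhmm"/"-hhmm" offset, which RFC 3280 forbids CAs from emitting but a verifier may still meet) to UTC epoch seconds, then applies the proposed checks. The names asn1_time_to_epoch, epoch_of, asn1_time_cmp and crl_time_ok are hypothetical, and the sample times are constructed.

```c
/* Added example (not OpenSSL code): decode ASN.1 time strings to UTC epoch
 * seconds so that two times can be compared as instants, then apply the two
 * CRL-time rules proposed in the thread. All names here are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm). */
static long long days_from_civil(int y, int m, int d) {
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long long)doe - 719468;
}

/* Read exactly n ASCII digits into *out; 0 if any byte is not a digit. */
static int digits(const char *s, int n, int *out) {
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i])) return 0;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 1;
}

/* Parse UTCTime (YYMMDDhhmm[ss]) or GeneralizedTime (YYYYMMDDhhmm[ss[.f]])
 * followed by 'Z' or a +hhmm/-hhmm offset. Returns 1 and sets *epoch to
 * seconds since 1970-01-01 UTC, or 0 on malformed input. */
int asn1_time_to_epoch(const char *s, int generalized, long long *epoch) {
    int year, mon, day, hh, mm, ss = 0;
    const char *p = s;
    size_t len = strlen(s);
    if (generalized) {
        if (len < 12 || !digits(p, 4, &year)) return 0;
        p += 4;
    } else {
        if (len < 11 || !digits(p, 2, &year)) return 0;
        year += (year < 50) ? 2000 : 1900;   /* RFC 3280 UTCTime century pivot */
        p += 2;
    }
    if (!digits(p, 2, &mon) || !digits(p + 2, 2, &day) ||
        !digits(p + 4, 2, &hh) || !digits(p + 6, 2, &mm)) return 0;
    p += 8;
    if (isdigit((unsigned char)p[0]) && isdigit((unsigned char)p[1])) {
        digits(p, 2, &ss);                   /* optional seconds */
        p += 2;
    }
    if (generalized && *p == '.') {          /* skip fractional seconds */
        p++;
        while (isdigit((unsigned char)*p)) p++;
    }
    long long off = 0;                       /* seconds to add to reach UTC */
    if (*p == 'Z') {
        p++;
    } else if (*p == '+' || *p == '-') {
        int oh, om;
        if (!digits(p + 1, 2, &oh) || !digits(p + 3, 2, &om)) return 0;
        off = (oh * 60 + om) * 60LL;
        if (*p == '+') off = -off;           /* local = UTC + offset, so UTC = local - offset */
        p += 5;
    } else {
        return 0;                            /* neither Z nor an explicit offset */
    }
    if (*p != '\0') return 0;
    if (mon < 1 || mon > 12 || day < 1 || day > 31 || hh > 23 || mm > 59 || ss > 60) return 0;
    *epoch = days_from_civil(year, mon, day) * 86400LL + hh * 3600LL + mm * 60LL + ss + off;
    return 1;
}

/* Convenience wrapper: epoch seconds, or -1 if the string does not parse. */
long long epoch_of(const char *s, int generalized) {
    long long e;
    return asn1_time_to_epoch(s, generalized, &e) ? e : -1;
}

/* Compare two encoded times as instants: <0, 0, >0; -2 if either is malformed. */
int asn1_time_cmp(const char *a, int a_gen, const char *b, int b_gen) {
    long long ea, eb;
    if (!asn1_time_to_epoch(a, a_gen, &ea) || !asn1_time_to_epoch(b, b_gen, &eb)) return -2;
    return (ea > eb) - (ea < eb);
}

/* Goetz's proposed rules over epoch seconds:
 * (a) thisUpdate >= checkTime and thisUpdate <= now
 * (b) thisUpdate <= notAfter of the certificate being checked */
int crl_time_ok(long long thisUpdate, long long checkTime, long long now, long long notAfter) {
    if (thisUpdate < checkTime || thisUpdate > now) return 0;   /* rule (a) */
    if (thisUpdate > notAfter) return 0;                         /* rule (b) */
    return 1;
}

int main(void) {
    /* Constructed sample: the same instant, 2004-09-15 12:00:00 UTC, three ways. */
    printf("Z vs +0200 compare: %d\n", asn1_time_cmp("040915120000Z", 0, "040915140000+0200", 0));
    printf("UTCTime vs GeneralizedTime: %d\n", asn1_time_cmp("040915120000Z", 0, "20040915120000Z", 1));
    return 0;
}
```

The offset handling is the part a string comparison gets wrong: "040915120000Z" and "040915140000+0200" differ as bytes but are the same instant, so asn1_time_cmp returns 0 for them, while a byte-wise comparison would order them incorrectly.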