Hello Steve,
Dr. Stephen Henson wrote:
On Wed, Sep 15, 2004, Goetz Babin-Ebell wrote:
Dr. Stephen Henson wrote:
On Tue, Sep 14, 2004, Goetz Babin-Ebell wrote:
I still would propose the following logic: a) CRL is valid (regarding issuance time) if thisUpdate >= checkTime and thisUpdate <= now. b) CRL is considered to be able to deliver revocation information if thisUpdate <= notAfter from the certificate (because after that time the certificate might be removed from the CRL).
That could certainly be added as a verify flag but I'm a bit wary of doing that by default.
Would something like the attached patch be acceptable? (please ignore version info in the diff)
This patch also adds checking of the revocation time against the checkTime.
I'm not sure about that last bit and timezones. Although RFC3280 et al prohibit CAs from using timezones, it's not clear whether an implementation has to process them correctly.
Since the CA that issued the CRL is the same that issued the cert, would it be that wrong to assume that they would use the same time format in the CRL and the cert?
The only problem I see here is the one hour in spring and fall at the summer time / winter time switch.
Would it be acceptable to add the code with a big remark like "This needs a proper ASN1_TIME_cmp() because..."?
Bye
Goetz
-- Goetz Babin-Ebell, software designer, TC TrustCenter AG, Sonninstr. 24-28, 20097 Hamburg, Germany Office: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126 www.trustcenter.de www.betrusted.com
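The timezone concern in this thread, as an added example that is not part of the original message or the attached patch: both times are normalized to UTC before comparison, so condition (b) above (thisUpdate <= notAfter) gives the right answer even when one value carries an offset. All function names are hypothetical, no OpenSSL calls are used, and day-of-month is only range-checked against 31.

```c
#include <string.h>  /* added example; names below are hypothetical, not OpenSSL API */
/* Two decimal digits at p, or -1 if either character is not a digit. */
static int d2(const char *p) {
    if (p[0] < '0' || p[0] > '9' || p[1] < '0' || p[1] > '9') return -1;
    return (p[0] - '0') * 10 + (p[1] - '0');
}
/* Days since 1970-01-01 for a Gregorian date (valid for years >= 1601). */
static long long days_from_civil(int y, int m, int d) {
    if (m <= 2) y--;
    int yoe = y % 400;
    int doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    return (long long)(y / 400) * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Parse UTCTime (YYMMDDhhmmss) or GeneralizedTime (YYYYMMDDhhmmss), ending in
 * 'Z' or +hhmm / -hhmm, into seconds since the epoch in UTC. 0 on success. */
int asn1_time_to_utc(const char *s, long long *out) {
    size_t n = strspn(s, "0123456789");
    if (n != 12 && n != 14) return -1;
    const char *p = s + n - 10;                 /* MMDDhhmmss */
    int yy = d2(s + n - 12);
    int year = n == 14 ? d2(s) * 100 + yy : (yy < 50 ? 2000 + yy : 1900 + yy);
    int mon = d2(p), day = d2(p + 2), hh = d2(p + 4), mi = d2(p + 6), ss = d2(p + 8);
    if (year < 1601 || mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hh > 23 || mi > 59 || ss > 59) return -1;
    long long off = 0;
    const char *z = s + n;
    if (strcmp(z, "Z") != 0) {                  /* explicit offset from UTC */
        if ((z[0] != '+' && z[0] != '-') || strlen(z) != 5) return -1;
        int oh = d2(z + 1), om = d2(z + 3);
        if (oh < 0 || oh > 23 || om < 0 || om > 59) return -1;
        off = (oh * 60LL + om) * 60 * (z[0] == '+' ? 1 : -1);
    }
    *out = ((days_from_civil(year, mon, day) * 24 + hh) * 60 + mi) * 60 + ss - off;
    return 0;
}

/* Compare two ASN.1 time strings as instants: -1, 0, 1, or -2 on parse error. */
int asn1_time_cmp(const char *a, const char *b) {
    long long ta, tb;
    if (asn1_time_to_utc(a, &ta) || asn1_time_to_utc(b, &tb)) return -2;
    return (ta > tb) - (ta < tb);
}

/* Condition (b) from the thread: thisUpdate <= notAfter. 1 yes, 0 no, -1 error. */
int crl_covers_cert(const char *this_update, const char *not_after) {
    int c = asn1_time_cmp(this_update, not_after);
    return c == -2 ? -1 : c <= 0;
}
```

With the constructed pair thisUpdate `040915233000Z` and notAfter `20040916003000+0200`, comparing the date and time digits alone would place thisUpdate first, while the normalized comparison shows it is one hour after notAfter.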