One thing that hits smime in a way that it doesn't hit openssl's other
uses (SSL net services) is that you may want to verify an smime message
long after the SSL cert has expired. IMHO it is not, strictly speaking,
the same thing to say that a cert is expired and can't be used to generate
_new_ messages as opposed to a cert being expired and suddenly being useless
to validate any messages that it ever signed.

With this in mind, I would propose one of 3 things:

1. smime should not disuse expired certs. This is probably the least
palatable option.

2. smime should have a way to check the date field of an incoming message
and use _that_ to check for expiration. This sounds to me like the best
solution.

3. smime should have a -noexpire flag to disable bombing out on expired
certs.

Just a thought.
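
Option 2 above, sketched as an added example (not part of the original post and not OpenSSL code): the certificate's validity window is evaluated at the message's Date header instead of at verification time. The certificate dates, the sample message and the function names are constructed for illustration; the Date header is set by the sender and is not authenticated, so the example reports both verdicts rather than silently trusting it.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: validity window of a hypothetical signer certificate.
NOT_BEFORE = datetime(2000, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed sample message (signature part omitted).
SAMPLE = (
    "From: alice@example.org\n"
    "Date: Tue, 13 Jun 2000 10:15:00 -0400\n"
    "Subject: signed report\n"
    "\n"
    "body\n"
)

def message_date(raw):
    """Return the Date header as an aware UTC datetime, or None if unusable."""
    header = message_from_string(raw)["Date"]
    if header is None:
        return None
    try:
        when = parsedate_to_datetime(header)
    except (TypeError, ValueError):  # unparseable header
        return None
    if when.tzinfo is None:  # "-0000" zone yields a naive value; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)

def cert_status(not_before, not_after, when):
    """Classify the certificate's validity at a given instant."""
    if when < not_before:
        return "not-yet-valid"
    if when > not_after:
        return "expired"
    return "valid"

def evaluate(raw, not_before, not_after, now):
    """Report the verdict at verification time and at the message date."""
    at_now = cert_status(not_before, not_after, now)
    sent = message_date(raw)
    if sent is None:
        at_sent = "no-usable-date"
    elif sent > now:  # a date after "now" cannot be a real sending time
        at_sent = "date-in-future"
    else:
        at_sent = cert_status(not_before, not_after, sent)
    return {"at_now": at_now, "at_message_date": at_sent}
```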