Re: Test failure of ‘chainverify’
From: Nikos Mavrogiannopoulos
Subject: Re: Test failure of ‘chainverify’
Date: Sun, 14 Mar 2010 23:05:23 +0100
User-agent: Thunderbird 2.0.0.23 (X11/20090817)
Daniel Kahn Gillmor wrote:
>> I do not think
>> that certificates which are directly on the trusted list should be
>> rejected if they are expired or signed with a weak algorithm. There
>> might be a slight argument for the expiry check because the expiration
>> might happen behind the notice of the user who put it to the trusted
>> list and arguably the expiration time signals that the
>> private-key/certificate should not be used after the time.
>
> I think that trusting listed certificates after their internally-stated
> expiry could be a surprising experience for users (in a bad way).
>
> Maybe we need a way for a user to communicate to the library that she
> wants to trust a given certificate beyond its internal expiry?
I've thought about it, and the least intrusive change that I found that
could solve this issue is the introduction of a flag to disable time
checks for the trusted certificate list. Otherwise, always check the
trusted list certificates for expiration during verification.
I've committed it with 897cbce62c0263a498088ac3e465aa5f05f8719c.
I thought it was quite important to be included in the release.
> However, ignoring weak digests does not mean we should ignore *all* weak
> algorithm checks for these certificates. For example, if a 512-bit RSA
> key would not be acceptable elsewhere in the chain, we should not accept
> it in the trusted root list.
This is a different issue. Currently we have no such checking...
regards,
Nikos
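
A minimal model of the behaviour described in this message, added here as an illustration; it is not part of the original mail and is not GnuTLS code. The flag and status names, the struct and the sample certificates are hypothetical, and signature checking is replaced by issuer/subject name matching.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical names for this model; they are not GnuTLS identifiers. */
#define DISABLE_TRUSTED_TIME_CHECKS 0x1u /* the new flag described above */
#define ST_EXPIRED        0x1u /* a certificate in the presented chain is out of date */
#define ST_NOT_TRUSTED    0x2u /* chain broken, or no trusted-list entry issued it */
#define ST_ANCHOR_EXPIRED 0x4u /* the trusted-list entry itself is out of date */

struct cert { const char *subject, *issuer; time_t not_before, not_after; };

static int in_validity(const struct cert *c, time_t now) {
    return now >= c->not_before && now <= c->not_after;
}

/* chain[0] is the end entity. Signatures are not modelled: name matching stands in. */
unsigned verify_chain(const struct cert *chain, size_t n, const struct cert *trusted,
                      size_t nt, time_t now, unsigned flags) {
    unsigned status = 0;
    if (n == 0) return ST_NOT_TRUSTED;
    for (size_t i = 0; i < n; i++) {
        if (!in_validity(&chain[i], now)) status |= ST_EXPIRED;
        if (i + 1 < n && strcmp(chain[i].issuer, chain[i + 1].subject) != 0)
            return status | ST_NOT_TRUSTED;
    }
    for (size_t j = 0; j < nt; j++) {
        if (strcmp(chain[n - 1].issuer, trusted[j].subject) != 0) continue;
        /* Default: the trusted-list entry is checked for expiry like any other. */
        if (!(flags & DISABLE_TRUSTED_TIME_CHECKS) && !in_validity(&trusted[j], now))
            status |= ST_ANCHOR_EXPIRED;
        return status;
    }
    return status | ST_NOT_TRUSTED;
}

/* Constructed sample data: a root that expired 2010-01-01, a leaf valid to 2011-06-01. */
static const struct cert ROOT = { "Example Root", "Example Root", 946684800, 1262304000 };
static const struct cert LEAF = { "www.example.test", "Example Root", 1243814400, 1306886400 };

unsigned demo(time_t now, unsigned flags) { return verify_chain(&LEAF, 1, &ROOT, 1, now, flags); }

int main(void) {
    time_t now = 1268524800; /* 2010-03-14 */
    printf("default: 0x%x  flag set: 0x%x\n", demo(now, 0), demo(now, DISABLE_TRUSTED_TIME_CHECKS));
    return 0;
}
```

In this model the flag only suppresses the expiry check on the trusted-list entry; an expired certificate in the presented chain is still reported.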