help-gnutls

Re: cert considered invalid when intermediate is expired


From: Nikos Mavrogiannopoulos
Subject: Re: cert considered invalid when intermediate is expired
Date: Sun, 28 Oct 2012 15:23:03 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6esrpre) Gecko/20120805 Icedove/10.0.6

On 10/28/2012 01:57 PM, James Cloos wrote:

>>>>>> "NM" == Nikos Mavrogiannopoulos <address@hidden> writes:
> 
> NM> If the intermediate certificate is expired why would you consider it
> NM> valid? You may ignore expiration failures if your application doesn't
> NM> care, but gnutls cannot ignore them.
> 
> The presumption people normally make is that the validity period of a
> cert specifies when it can sign, not when it can verify.
> 
> If the cert was valid when the signature was made, validation is expected
> to continue to work for the lifetime of the signed cert.
> 
> As an example, one might want to issue signing certs to one's employees
> which are valid for one shift but used to sign documents which are valid
> for several years.  This ensures that were a signing cert compromised,
> there would be a very small window of opportunity and a small number of
> DoSed victims (ie, who have to come back for a fresh sig because the
> compromised signing cert was revoked).


This is a totally different use case than a TLS certificate chain
verification. You can do that by considering the expired certificates as
trusted while you verify the documents. That verification is application
specific.

In TLS chain verification, however, there is no way to know
whether the intermediate certificate is expected to be expired or
somebody managed to obtain the private key of an old expired CA
certificate and signed new certificates.

regards,
Nikos


