[cryptography] validating SSL cert chains & timestamps

travis+ml-rbcryptography at subspacefield.org
Mon Dec 20 13:46:30 EST 2010


So a co-worker ran into this lately:

libnss, at least on Linux, checks that the signing cert (chain) is valid
at the time of signature - as opposed to present time.  (It may check
present time as well - not sure on that).

This makes for problems if you renew the cert, since the new cert will
have a creation date of the current time, after the object was signed.

Can anyone think of why this would be a good thing?
-- 
Good code works on most inputs; correct code works on all inputs.
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email john at subspacefield.org to get blacklisted.