[cryptography] validating SSL cert chains & timestamps
david-sarah at jacaranda.org
Mon Dec 20 23:24:17 EST 2010
On 2010-12-20 18:46, travis+ml-rbcryptography at subspacefield.org wrote:
> So a co-worker ran into this lately;
> libnss, at least on Linux, checks that the signing cert (chain) is valid
> at the time of signature - as opposed to present time. (It may check
> present time as well - not sure on that).
#   The algorithm presented in this section validates the certificate
#   with respect to the current date and time.  A conformant implementation
#   MAY also support validation with respect to some point in the past.
#
# 6.1.3  Basic Certificate Processing
#
#   The basic path processing actions to be performed for certificate i
#   (for all i in [1..n]) are listed below.
#
#   (a)  Verify the basic certificate information.  The certificate
#        MUST satisfy each of the following:
#
#        (1)  The certificate was signed with the
#             working_public_key_algorithm using the working_public_key and
#             the working_public_key_parameters.
#
#        (2)  The certificate validity period includes the current time.
#
#        (3)  At the current time, the certificate is not revoked and is
#             not on hold status.  This may be determined by obtaining the
#             appropriate CRL (section 6.3), status information, or by
#             out-of-band mechanisms.
There are no other checks relating to validity period, so NSS is noncompliant.
File a bug.
(I checked for existing reports of this in Product: NSS, but couldn't find
any. https://bugzilla.mozilla.org/show_bug.cgi?id=216695 might be relevant,
I'm not sure.)
> This makes for problems if you renew the cert, since the new cert will
> have a creation date of the current time, after the object was signed.
> Can anyone think of why this would be a good thing?
No, it's a bad thing. There are enough false-positive cert errors without
adding yet another cause of them.
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
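To make the difference between the two policies concrete, here is an added illustration (not code from the thread, NSS or RFC 5280) of the RFC 5280 6.1.3(a)(2) validity-period check applied to a chain, once with respect to the current time as the RFC specifies and once with respect to the signing time as NSS is reported to do. The certificates, dates and the "renewed leaf" scenario are constructed to reproduce the renewal problem described above; only the validity-period check is modelled, not signature or revocation checking.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields needed here."""
    subject: str
    not_before: datetime
    not_after: datetime

def validity_includes(cert: Cert, t: datetime) -> bool:
    # RFC 5280 6.1.3 (a)(2): the validity period must include the reference time.
    return cert.not_before <= t <= cert.not_after

def first_invalid(chain: List[Cert], t: datetime) -> Optional[str]:
    """Return the subject of the first cert whose validity period excludes t,
    or None when every cert in the chain is valid at t."""
    for cert in chain:
        if not validity_includes(cert, t):
            return cert.subject
    return None

def check_signed_object(chain: List[Cert], signed_at: datetime,
                        now: datetime, policy: str) -> Optional[str]:
    """policy 'current-time': RFC 5280 behaviour (validate at the current time).
    policy 'signing-time': the NSS behaviour reported in the thread."""
    if policy == "current-time":
        return first_invalid(chain, now)
    if policy == "signing-time":
        return first_invalid(chain, signed_at)
    raise ValueError(f"unknown policy: {policy}")

def _d(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: a long-lived CA, an original leaf, and a renewed leaf
# issued after the object was signed.  All names and dates are hypothetical.
CA = Cert("Example CA", _d(2005, 1, 1), _d(2015, 1, 1))
OLD_LEAF = Cert("leaf (original)", _d(2009, 1, 1), _d(2010, 1, 1))
NEW_LEAF = Cert("leaf (renewed)", _d(2010, 1, 1), _d(2011, 1, 1))
SIGNED_AT = _d(2009, 6, 1)     # when the object was signed, with OLD_LEAF
NOW = _d(2010, 12, 20)         # date of the thread; OLD_LEAF has expired

if __name__ == "__main__":
    for chain in ([OLD_LEAF, CA], [NEW_LEAF, CA]):
        for policy in ("current-time", "signing-time"):
            bad = check_signed_object(chain, SIGNED_AT, NOW, policy)
            print(f"{chain[0].subject:16} {policy:13} -> "
                  f"{'ok' if bad is None else 'fails on ' + bad}")
```

Under the "signing-time" policy the renewed chain fails because the new leaf's notBefore is later than the signing time, which is exactly the renewal problem the original poster hit; under the RFC's "current-time" policy the renewed chain passes and the expired original chain fails.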