Jean-Marc,
Jean-Marc Desperrier wrote:
What do you do with a piece of code signed by a certificate that you have as revoked once the certificate has expired?
And how do you solve that with OCSP? You keep certs indefinitely in the OCSP responder? Anyway the current signature implementation in Mozilla has no way of verifying signatures after the cert has expired.
FYI, this case doesn't work for CRLs either, because softoken only keeps one CRL per issuer - the newest one. There is a bugzilla RFE on that.
Even if the token supported older CRLs, or if multiple CRLs were available from different tokens, currently the CRL cache algorithm always uses the latest CRL also for the lookup.
Both could be changed, but this still would offer no guarantee that a proper revocation check was done. To make sure one has the latest revocation information for a particular expired cert, one needs to acquire the latest CRL issued before or at the expiration date of that cert.
That means the client has to keep one full CRL for each expired cert he is interested in checking - and clearly it's not affordable, as the cert database will grow without bounds. This requirement could be relaxed if the client had a way to know how long the CA keeps certs on its CRL after the certs expire. The default according to specs is that they get dropped off the CRL immediately at expiration.
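As an added example (not code from this thread or from NSS/softoken), the two lookup rules described above in Python: the cache's "always the newest CRL" rule beside the "latest CRL issued at or before the cert's expiry" rule, run over a constructed CRL set; the `Crl` model and the `retention` parameter are my assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


# Minimal model of the fields the selection rule needs; constructed for this
# example, not an NSS/softoken structure.
@dataclass(frozen=True)
class Crl:
    this_update: datetime          # when the CA issued this CRL
    revoked_serials: frozenset     # serial numbers listed as revoked


def newest_crl(crls: Iterable[Crl]) -> Crl:
    """What the post says the cache does today: always the latest CRL."""
    return max(crls, key=lambda c: c.this_update)


def crl_for_expired_cert(crls: Iterable[Crl], not_after: datetime,
                         retention: timedelta = timedelta(0)) -> Optional[Crl]:
    """Latest CRL issued at or before the cert's expiry, plus any period the
    CA is known to keep expired certs listed.  'retention' is an assumed
    parameter modelling the relaxation mentioned in the post; the default of
    zero matches the spec default (dropped at expiration)."""
    cutoff = not_after + retention
    candidates = [c for c in crls if c.this_update <= cutoff]
    return max(candidates, key=lambda c: c.this_update) if candidates else None


def is_revoked(crl: Optional[Crl], serial: int) -> Optional[bool]:
    """None means no usable CRL: no revocation check was actually done."""
    return None if crl is None else serial in crl.revoked_serials


# Constructed sample: cert 0x1234 revoked in May, expired 30 June 2004, and
# dropped from the CRL issued after expiry (the default CA behaviour).
CERT_SERIAL = 0x1234
CERT_NOT_AFTER = datetime(2004, 6, 30)
CRLS = [
    Crl(datetime(2004, 5, 1), frozenset({0x1234, 0x0042})),
    Crl(datetime(2004, 6, 1), frozenset({0x1234, 0x0042})),
    Crl(datetime(2004, 7, 15), frozenset({0x0042})),   # 0x1234 already gone
]

if __name__ == "__main__":
    print("newest CRL says revoked:", is_revoked(newest_crl(CRLS), CERT_SERIAL))
    print("CRL as of expiry says revoked:",
          is_revoked(crl_for_expired_cert(CRLS, CERT_NOT_AFTER), CERT_SERIAL))
```

The newest-CRL lookup reports the expired cert as not revoked, while the expiry-bounded lookup finds the June CRL that still lists it; with a known retention period the later CRL becomes acceptable again.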
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
