On Mon, Sep 13, 2004, Goetz Babin-Ebell wrote:

> Hello folks,
> 
> there might be a problem in X509_verify_cert() (at least 0.9.7d):
> if you set a verification time and
> the CRL was not yet valid at this time,
> the error X509_V_ERR_CRL_NOT_YET_VALID will be generated.
> (see check_crl() in x509_verify.c)
> 
> It seems to me that a logic like:
> If check_time (and X509_V_FLAG_USE_CHECK_TIME) are set:
>   accept the CRL if it is (now or after the check_time) valid.
>   And if the certificate is set in the CRL,
>   return X509_V_ERR_CERT_REVOKED if no revocationDate
>   is set or if it is older than the check_time.
>   (in cert_crl() in x509_verify.c)
> 
> But this opens another can of worms:
> 
> If the certificate expired before the CRL was issued
> the revocation entry might be dropped from the CRL...
> 
> 
> Any ideas how to handle this?
> 

There are other issues as well. I know of one CA that can suspend a certificate in a
CRL and later remove the suspension.

For that reason the supplied revocation information has to be valid at the
time specified.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
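The two checks discussed above, as an added example that is not part of this thread or of OpenSSL: a small C model of Goetz's proposed logic beside the stricter rule Steve describes, run on a constructed suspend-then-release scenario. The names proposed_check, strict_check and crl_valid_at are my own; crl_valid_at stands in for the thisUpdate/nextUpdate window test in check_crl().

```c
#include <stdbool.h>
#include <stddef.h>
/* Model of the CRL checks discussed in the thread (added example, not OpenSSL
 * code). Times are plain integers standing in for UTC seconds. */
#define NO_DATE (-1L)              /* revocationDate absent from the CRL entry */
typedef struct { long serial; long revocation_date; } crl_entry;
typedef struct { long this_update, next_update; const crl_entry *entries; size_t n; } crl_t;
enum { OK = 0, ERR_CRL_NOT_VALID = 1, ERR_CERT_REVOKED = 2 };

/* The thisUpdate..nextUpdate window test behind X509_V_ERR_CRL_NOT_YET_VALID. */
static bool crl_valid_at(const crl_t *crl, long t) {
    return t >= crl->this_update && t <= crl->next_update;
}
static const crl_entry *find_entry(const crl_t *crl, long serial) {
    for (size_t i = 0; i < crl->n; i++)
        if (crl->entries[i].serial == serial) return &crl->entries[i];
    return NULL;
}

/* Goetz's proposal: accept the CRL if it is valid now OR at check_time, then
 * treat the cert as revoked if listed with no revocationDate or one <= check_time. */
int proposed_check(const crl_t *crl, long serial, long now, long check_time) {
    if (!crl_valid_at(crl, now) && !crl_valid_at(crl, check_time))
        return ERR_CRL_NOT_VALID;
    const crl_entry *e = find_entry(crl, serial);
    if (e && (e->revocation_date == NO_DATE || e->revocation_date <= check_time))
        return ERR_CERT_REVOKED;
    return OK;
}

/* Steve's requirement (and what check_crl() in 0.9.7d enforces): the
 * revocation information itself must be valid at the time being verified. */
int strict_check(const crl_t *crl, long serial, long check_time) {
    if (!crl_valid_at(crl, check_time)) return ERR_CRL_NOT_VALID;
    return find_entry(crl, serial) ? ERR_CERT_REVOKED : OK;
}

/* Constructed scenario: serial 42 is suspended at t=100 (listed in CRL 1, valid
 * 100..200) and the suspension is lifted before CRL 2 (valid 250..350) is issued. */
static const crl_entry crl1_entries[] = { { 42, 100 } };
const crl_t crl1 = { 100, 200, crl1_entries, 1 };
const crl_t crl2 = { 250, 350, NULL, 0 };

/* Verifying at check_time=150 with only the newer CRL 2 at hand (now=300): the
 * proposal answers OK although the certificate was on hold at t=150, while the
 * strict rule refuses to rely on a CRL that was not valid at that time. */
int scenario_proposed(void) { return proposed_check(&crl2, 42, 300, 150); }
int scenario_strict(void)   { return strict_check(&crl2, 42, 150); }
```

With CRL 1 in hand instead, both rules report the certificate as revoked at t=150; the divergence only appears once the entry has been dropped from a later CRL, which is exactly the "can of worms" the thread raises.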
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]