In my opinion your last solution is preferable because it gives the
verifier the decision whether or not to accept the signer's certificate
and, thus, the message signature.
If you are going to evaluate the time you would have to distinguish
between the time the message was signed, sent, walked around the net,
reached its last server and was opened by your software, crossing
different countries worldwide. And how will you trust that time?
Again, maybe one day you will want to verify a message that simply was
never sent, I mean not an e-mail message but simply a signed text of
some sort. You need the time the text was signed.
I really would like to have the last word and decide whether or not to trust
a message signature and certificate, and I think that a command line flag
meaning "don't care if cert is actually expired" would be useful.
Other comments?
Pietro
> One thing that hits smime in a way that it doesn't hit openssl's other
> uses (SSL net services) is that you may want to verify an smime message
> long after the SSL cert has expired. IMHO it is not, strictly speaking,
> the same thing to say that a cert is expired and can't be used to generate
> _new_ messages as opposed to a cert being expired and suddenly is useless
> to validate any messages that it ever signed.
>
> With this in mind, I would propose one of 3 things:
>
> 1. smime should not disuse expired certs. This is probably the least
> palatable option.
>
> 2. smime should have a way to check the date field of an incoming message
> and use _that_ to check for expiration. This sounds to me like the best
> solution.
>
> 3. smime should have a -noexpire flag to disable bombing out expired
> certs.
>
> Just a thought.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
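The two behaviours discussed in this thread, a verifier-chosen check time and a "don't care if cert is expired" switch, later became standard OpenSSL verify options: -attime (OpenSSL 1.0.2 and later) judges certificate validity as of a given epoch time, and -no_check_time (1.1.0 and later) skips the notBefore/notAfter check entirely. The script below is an added example, not code from this thread or from the OpenSSL project. It constructs its own one-day self-signed signer certificate and a signed S/MIME message, then shows the same message verifying at the signing time, failing three days later and three days earlier, and verifying again with the time check disabled. It assumes an openssl binary of at least 1.1.0 on PATH; the certificate subject, file names and message body are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates the verifier choosing
# the time at which certificate validity is judged (-attime) or skipping the
# time check entirely (-no_check_time). Requires OpenSSL 1.1.0 or later.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed setup: a self-signed signer certificate valid for one day and
# an S/MIME message signed with it. The self-signed certificate doubles as
# the trust anchor (-CAfile) for verification. Subject and body are made up.
setup() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=expiring-signer" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    printf 'Constructed message body, signed for the demonstration.\n' >"$WORK/msg.txt"
    openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" -out "$WORK/msg.p7m"
}

# verify_at EPOCH: returns 0 if the signature verifies with the certificate
# chain checked as of EPOCH (seconds since 1970), non-zero otherwise.
# The verifier supplies the time, so it decides what to trust.
verify_at() {
    openssl smime -verify -in "$WORK/msg.p7m" -CAfile "$WORK/cert.pem" \
        -attime "$1" -out /dev/null >/dev/null 2>&1
}

# verify_ignore_time: the "don't care if cert is actually expired" switch.
# Signature and chain are still checked; only notBefore/notAfter are not.
verify_ignore_time() {
    openssl smime -verify -in "$WORK/msg.p7m" -CAfile "$WORK/cert.pem" \
        -no_check_time -out /dev/null >/dev/null 2>&1
}

# report LABEL EPOCH: print a human-readable result of verify_at.
report() {
    if verify_at "$2"; then echo "$1: OK"; else echo "$1: FAILED"; fi
}

setup
NOW=$(date +%s)
report "at signing time   " "$NOW"
report "three days later  " $((NOW + 3 * 86400))
report "three days earlier" $((NOW - 3 * 86400))
if verify_ignore_time; then echo "ignoring time     : OK"; else echo "ignoring time     : FAILED"; fi
```

Note the caveat Pietro raises still applies: -attime trusts whatever time the verifier passes in. Feeding it the signingTime attribute or the Date header from the message itself means trusting the signer's clock, which is exactly what an attacker holding a stolen-then-expired key would want you to do; a trusted timestamp or the receiving server's own arrival time is a better input, and -no_check_time should be reserved for cases where the verifier has decided, as Pietro wants, to have the last word.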