All,
We have a code signing facility that has signed a lot of code using a certificate that recently expired. Now, validation of the signed code fails because one of the certs in the chain has expired (not the root cert, and not the signing cert).
So, should the verification routine be changed to recognize that the code was signed *before* the cert expired, thereby considering the signature "valid"? Or should we re-sign the thousands of objects using a new cert? It will be a pain to re-sign each time a cert in the chain expires. Are there any official standards that say what it means when a cert in a validation chain is expired? What are the security issues in trying to ascertain the date that an object was signed so that we can compare the "signed-on" date against the validity dates of the certs in the chain (vs. using the current time of the system)?? What other solutions are there?
cj ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
