Anri Lau wrote:
> Hi Lutz,
>
> On 18/04/2008, Lutz Jaenicke <[EMAIL PROTECTED]> wrote:
>
>     Anri Lau wrote:
>     > Hi All,
>     >
>     > Anyone know how many rules should be performed when building a TLS
>     > connection?
>     > I have some test cases. The certificate time is not valid, and validation
>     > failed. But the certificate passed if the validity dates of the child
>     > certificate are not contained within the validity dates of the parent
>     > certificate.
>     >
>     > As I know, both of the above are standard rules of digital
>     > certificates.
>
>     I am not sure whether I understand you correctly. If the validity dates of
>     the child certificate are not contained within the parent certificate, there
>     should be no date at which both of them are valid at the same time!?
>     Or do you mean that they somewhat overlap and the current date is
>     within the overlapping region?
>
>
> This rule is independent of the current time. E.g. if the validity dates
> of the parent certificate are 2008/04/18~2009/04/18 and those of the
> child certificate are 2008/06/18~2009/06/18 or 2008/03/18~2009/03/18,
> the certificate chain should be invalid. The validity dates of the child
> certificate should be between the ones of the parent (2008/04/18~2009/04/18).
Ok, so we are facing a violation of policies at the CA. At the date of
certificate verification we are however checking whether all components
of the certificate chain are valid on this day.
Even though the overlapping dates are a violation of the standard, the
question is whether we should actually enforce this inside the
library. It might lead to communication failures with sites a lot of
"poor souls" set up without taking care of this fact...

Best regards,
    Lutz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
