On Tue, Apr 22, 2008 at 12:59 AM, Lutz Jaenicke <[EMAIL PROTECTED]> wrote:
> Ok, so we are facing a violation of policies at the CA. At the date of
> certificate verification we are however checking whether all components
> of the certificate chain are valid at this day.
> Even though the overlapping dates are a violation of the standard the
> question is whether we should actually enforce this inside the
> library. It might lead to a communication failure with sites a lot of
> "poor souls" set up without taking care of this fact...
We've had this argument over on Mozilla's NSS group. The 'root certificate' is generally held, by Mozilla products, to be simply a convenient container for holding the trust anchor, which is the public key. I've taken the argument that the holder of the private key should be able to specify how long it wants that public key to be trusted, after which it won't guarantee that it will hold the private key any longer -- i.e., the 'expiration date' of the root certificate should be a statement of policy about the root. Unfortunately, my argument was ignored.

There's "what the standard says" and "what real-world implementations of the standard do". Unfortunately, the real-world implementations don't follow the rules.

Is there any way to get a PEDANTIC_CERTIFICATE_RULES option?

-Kyle H

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
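The two checks the thread contrasts, as an added illustration that is not part of the original mails or of OpenSSL's code: the library-style check (every component valid on the verification date, with an option to treat the root as a bare trust anchor and ignore its dates, as described for NSS) beside the "pedantic" nesting check (each certificate's validity period must lie inside its issuer's). Only the validity dates are modelled; the chain and its dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertDates:
    """Only the parts of a certificate this example needs."""
    subject: str
    not_before: datetime
    not_after: datetime


def invalid_at(chain, when, root_is_anchor=False):
    """Library-style check: names of chain members not valid on `when`.

    chain is ordered leaf first, root last. With root_is_anchor=True the
    root's own dates are ignored, treating it as a container for the key.
    """
    members = chain[:-1] if root_is_anchor else chain
    return [c.subject for c in members
            if not (c.not_before <= when <= c.not_after)]


def nesting_violations(chain):
    """Pedantic check: (subject, issuer) pairs where the subject's
    validity period is not contained in its issuer's period."""
    return [(cert.subject, issuer.subject)
            for cert, issuer in zip(chain, chain[1:])
            if cert.not_before < issuer.not_before
            or cert.not_after > issuer.not_after]


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample chain (hypothetical names and dates): the leaf outlives
# the intermediate and the intermediate outlives the root, which is the
# "overlapping dates" situation discussed above.
CHAIN = [
    CertDates("leaf.example", _utc(2008, 1, 1), _utc(2011, 1, 1)),
    CertDates("Intermediate CA", _utc(2005, 1, 1), _utc(2010, 1, 1)),
    CertDates("Root CA", _utc(2000, 1, 1), _utc(2009, 6, 30)),
]

if __name__ == "__main__":
    print("invalid today:", invalid_at(CHAIN, _utc(2008, 4, 22)))
    print("invalid in 2010:", invalid_at(CHAIN, _utc(2010, 6, 1)))
    print("nesting violations:", nesting_violations(CHAIN))
```

On the thread's date the chain passes the library-style check even though the pedantic check flags both links, which is exactly the gap the reply describes.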