So a friend ran into this lately; libnss, at least on Linux, checks that the signing cert (chain) is valid at the time of signature - as opposed to present time. (It may check present time as well - not sure on that)
This makes for problems if you renew the cert, since the new cert will have a creation (start) date of the current time, after the object was signed. Can anyone think of why this would be a good thing? If one actually trusted the signature date, someone could lie by backdating the object. Also, we're unsure how to create a new cert that's still valid for the range - I think we're gonna have the person set their system clock back, since I don't think openssl command line actually prompts for a creation date.

--
Good code works on most inputs; correct code works on all inputs.
My emails do not have attachments; it's a digital signature that your mail program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email j...@subspacefield.org to get blacklisted.
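An added example, not code from the post or its author, assuming only the openssl CLI: it issues a signer cert (and a throwaway CA) with the validity window given explicitly to `openssl ca -startdate`/`-enddate` instead of taken from the clock, then checks the chain "as of" a chosen signing time with `openssl verify -attime`, which is the kind of at-signing-time check the post describes. All names, paths and dates are constructed.

```shell
# Added example (not code from the original post). Assumes only the openssl CLI;
# every name, path and date below is constructed for the demo.
set -eu

# Throwaway CA plus a signer cert, both with explicit notBefore/notAfter via
# "openssl ca -startdate/-enddate", so no clock change is needed. Prints the dir.
setup_demo_ca() (
    work=$(mktemp -d) && cd "$work"
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
private_key = $dir/ca.key
certificate = $dir/ca.crt
default_md = sha256
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ usr_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
[ dn ]
EOF
    touch index.txt; echo 01 > serial
    openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
        -subj "/CN=Demo CA" -config ca.cnf >/dev/null 2>&1
    openssl ca -selfsign -batch -config ca.cnf -extensions ca_ext -in ca.csr \
        -out ca.crt -startdate 20180101000000Z -enddate 20391231235959Z >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout signer.key -out signer.csr \
        -subj "/CN=Demo Signer" -config ca.cnf >/dev/null 2>&1
    # Window chosen here (YYYYMMDDHHMMSSZ), not derived from "now".
    openssl ca -batch -config ca.cnf -extensions usr_ext -in signer.csr \
        -out signer.crt -startdate 20200101000000Z -enddate 20301231235959Z >/dev/null 2>&1
    echo "$work"
)
# notBefore of the signer cert, e.g. "Jan  1 00:00:00 2020 GMT".
cert_not_before() { openssl x509 -in "$1/signer.crt" -noout -startdate | sed 's/^notBefore=//'; }
# Chain check as of a given time (epoch seconds): a verifier that evaluates the
# chain at signing time rather than at present time is effectively doing this.
chain_valid_at() {
    openssl verify -CAfile "$1/ca.crt" -attime "$2" "$1/signer.crt" >/dev/null 2>&1 \
        && echo yes || echo no
}
```

Run `D=$(setup_demo_ca); chain_valid_at "$D" 1546300800; chain_valid_at "$D" 1609459200` to see the chain rejected for a 2019 signing time and accepted for a 2021 one.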