On Thu, Feb 14, 2013 at 5:58 AM, Ashok C <ash....@gmail.com> wrote:
> Hi,
>
> As part of implementing certificate expiry related alarms for my SSL
> application, I would kindly require few suggestions and clarifications from
> the community.
Does that include OCSP checking? On a continuous basis? The CA will
not warrant a certificate if it's on a CRL. It does not matter when you
get the list.

> 1. What are the different allowed time zones in a certificate? As per the
> RFC, I understand that only GMT and Generalized time are allowed, but can I
> consider this as a mandate? I remember seeing certificates containing the
> date information in other time zones, so wanted to confirm this.
Time zones are strictly presentation. The only time is GMT or UTC. It
does not matter if it's the fellow in the bearskin hat looking up at
noon or an atomic clock.

> 2. I was planning to implement midnight check for certificate expiry. But
> can this be a problem? As I understand, certificates need not expire at
> midnight but basically at any point of time.
The CA will not warrant a certificate if it's beyond notAfter.

> Let us say the end entity certificate expires at 12:00:01 AM, so my expiry
> alarm will be raised potentially after 23:59:59 hours.
> What is the impact of me not raising this alarm immediately? And I would
> want to understand the impact to both a server application as well as a
> client application separately. In my point of view, server/client will not
> be able to establish SSL connections during this time period(~24 hours), but
> how big would be this impact?

There are two hidden issues: (1) what precisely is warranted, and (2)
what liability is in play. Good luck in pinning a CA on liability (100
page plus CPSs).

Jeff
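As an added example, not part of the thread above: a small Python check that parses RFC 5280 validity times (UTCTime and GeneralizedTime, both required to be Zulu/GMT), tests expiry to the second, and measures how late a once-a-day midnight check fires against the exact notAfter instant. All time strings are constructed samples, not values from a real certificate.

```python
"""Certificate expiry alarm helpers (added example; constructed sample data)."""
import re
from datetime import datetime, timedelta, timezone

# RFC 5280 4.1.2.5: UTCTime is YYMMDDHHMMSSZ, GeneralizedTime is YYYYMMDDHHMMSSZ.
# Both MUST be in Zulu time, so anything with a numeric offset is rejected here.
_UTC_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
_GEN_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def parse_validity_time(value: str) -> datetime:
    """Return a tz-aware UTC datetime for a notBefore/notAfter string."""
    m = _UTC_RE.match(value)
    if m:
        yy = int(m.group(1))
        # RFC 5280: two-digit years 50..99 are 1950..1999, 00..49 are 2000..2049
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = [int(g) for g in m.groups()[1:]]
        return datetime(year, *rest, tzinfo=timezone.utc)
    m = _GEN_RE.match(value)
    if m:
        return datetime(*[int(g) for g in m.groups()], tzinfo=timezone.utc)
    raise ValueError(f"not an RFC 5280 Zulu time: {value!r}")


def is_expired(not_after: datetime, now: datetime) -> bool:
    """Expired once 'now' is past notAfter; notAfter itself is still valid."""
    return now > not_after


def expiry_alarm(not_after: datetime, now: datetime,
                 warn_before: timedelta = timedelta(days=30)) -> str:
    """Three-state alarm: 'expired', 'expiring' (inside warn window) or 'ok'."""
    if is_expired(not_after, now):
        return "expired"
    if now + warn_before >= not_after:
        return "expiring"
    return "ok"


def midnight_check_lag_seconds(not_after: datetime) -> int:
    """Seconds between the exact expiry instant and the first 00:00:00 UTC
    check that would see the certificate as expired (the thread's ~24h case)."""
    day_start = not_after.replace(hour=0, minute=0, second=0, microsecond=0)
    next_midnight = day_start + timedelta(days=1)
    return int((next_midnight - not_after).total_seconds())
```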
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org