Thanks Jeff, my response inline.

On Thu, Feb 14, 2013 at 5:31 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> On Thu, Feb 14, 2013 at 5:58 AM, Ashok C <ash....@gmail.com> wrote:
> > Hi,
> >
> > As part of implementing certificate expiry related alarms for my SSL
> > application, I would kindly require a few suggestions and clarifications
> > from the community.
>
> Does that include OSCP checking? On a continuous basis? The CA will
> not warrant a certificate if it's on a CRL. It does not matter when you
> get the list.

Did you mean OCSP? If yes, no. I'm not considering OCSP. Also, currently I'm not considering CRLs either.

> > 1. What are the different allowed time zones in a certificate? As per the
> > RFC, I understand that only GMT and Generalized time are allowed, but can I
> > consider this as a mandate? I remember seeing certificates containing the
> > date information in other time zones, so wanted to confirm this.
>
> Time Zones are strictly presentation. The only time is GMT or UTC. It
> does not matter if it's the fellow in the bearskin hat looking up at
> noon or an atomic clock.

Ok, that's good news :)

> > 2. I was planning to implement a midnight check for certificate expiry. But
> > can this be a problem? As I understand, certificates need not expire at
> > midnight but basically at any point of time.
>
> The CA will not warrant a certificate if it's beyond notAfter.

Yes, I got this point. So ideally I should raise the alarm then and there, I guess. Right?

> > Let us say the end entity certificate expires at 12:00:01 AM, so my expiry
> > alarm will be raised potentially after 23:59:59 hours.
> > What is the impact of me not raising this alarm immediately? And I would
> > want to understand the impact to both a server application as well as a
> > client application separately. In my point of view, server/client will not
> > be able to establish SSL connections during this time period (~24 hours), but
> > how big would this impact be?
>
> There are two hidden issues: (1) what precisely is warranted, and (2)
> what liability is in play. Good luck in pinning a CA on liability (100
> page plus CPSs).

Not clear what you exactly meant here. Could you please put it in simpler terms? Thanks.

> Jeff
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
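The two technical points settled in this exchange (validity times in a certificate are always GMT, and expiry happens at the exact notAfter instant rather than at midnight) can be checked in a few lines. The following is an added example, not code from the thread or from OpenSSL; it parses the RFC 5280 UTCTime/GeneralizedTime encodings directly (the `Z` suffix is mandatory, other zone designators are rejected), classifies a certificate against a given instant, and reports the seconds remaining so an alarm can fire at the right moment instead of at the next midnight sweep. The `NOT_BEFORE`/`NOT_AFTER` strings and the probe times are constructed sample values, and the 30-day warning window is an assumed threshold.

```python
"""Parse RFC 5280 validity times and evaluate certificate expiry at an exact instant."""
import re
from datetime import datetime, timedelta, timezone

# RFC 5280 section 4.1.2.5: UTCTime is YYMMDDHHMMSSZ, GeneralizedTime is
# YYYYMMDDHHMMSSZ; both MUST be expressed in GMT (the trailing 'Z') and
# MUST include seconds. Any other zone designator or UTC offset is rejected.
_UTCTIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
_GENTIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def parse_x509_time(value: str) -> datetime:
    """Return a timezone-aware UTC datetime for an encoded validity time string."""
    m = _UTCTIME.match(value)
    if m:
        yy, mo, dd, hh, mi, ss = (int(g) for g in m.groups())
        # RFC 5280: YY >= 50 is interpreted as 19YY, YY < 50 as 20YY
        year = 1900 + yy if yy >= 50 else 2000 + yy
        return datetime(year, mo, dd, hh, mi, ss, tzinfo=timezone.utc)
    m = _GENTIME.match(value)
    if m:
        year, mo, dd, hh, mi, ss = (int(g) for g in m.groups())
        return datetime(year, mo, dd, hh, mi, ss, tzinfo=timezone.utc)
    raise ValueError(f"not an RFC 5280 validity time (GMT 'Z' required): {value!r}")


def validity_state(not_before: str, not_after: str, now: datetime,
                   warn_within: timedelta = timedelta(days=30)) -> str:
    """Classify a certificate at the instant `now` (must be timezone-aware).

    Returns one of 'not_yet_valid', 'expired', 'expiring_soon', 'valid'.
    The comparison is against the exact notAfter instant, not a midnight
    boundary, so a certificate whose notAfter is 00:00:01 is reported
    expired from 00:00:02 onward (RFC 5280 validity is inclusive of notAfter).
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware; compare in UTC")
    nb = parse_x509_time(not_before)
    na = parse_x509_time(not_after)
    if now < nb:
        return "not_yet_valid"
    if now > na:
        return "expired"
    if na - now <= warn_within:
        return "expiring_soon"
    return "valid"


def seconds_until_expiry(not_after: str, now: datetime) -> float:
    """Seconds remaining before notAfter (negative once expired)."""
    return (parse_x509_time(not_after) - now).total_seconds()


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    NOT_BEFORE = "130214000000Z"   # UTCTime: 2013-02-14 00:00:00 GMT
    NOT_AFTER = "140215000001Z"    # UTCTime: 2014-02-15 00:00:01 GMT
    for when in ("2014-02-14T23:59:59", "2014-02-15T00:00:01", "2014-02-15T00:00:02"):
        now = datetime.fromisoformat(when).replace(tzinfo=timezone.utc)
        print(when, validity_state(NOT_BEFORE, NOT_AFTER, now),
              seconds_until_expiry(NOT_AFTER, now))
```

Running it shows the certificate is still within its window at 00:00:01 and expired one second later, which is the behaviour a midnight-only check would miss for almost a full day. In a real deployment the `now` value should come from a clock that is itself synchronised (NTP), since the comparison is only as good as the local time.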