<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
<title></title>
</head>
<body>
I believe you are wrong here. The certificate must be valid when signature
is verified.<br>
Where "valid" includes:<br>
1) certificate is signed by another "valid" cert or trusted root cert<br>
2) certificate is not in the CRL <br>
3) the certificate purpose matches the action you are going to do (sign,
verify, etc.)<br>
4) the certificate is not expired<br>
All 4 items are important. I do not have an X509 spec around so I could not
prove my point.<br>
However, RFC 2560 (<a class="moz-txt-link-freetext" href="http://rfc.sunsite.dk/rfc/rfc2560.html">http://rfc.sunsite.dk/rfc/rfc2560.html</a>):<br>
<pre style="page-break-after: always;"> An OCSP responder MAY choose to retain revocation information beyond
a certificate's expiration. The date obtained by subtracting this
retention interval value from the producedAt time in a response is
defined as the certificate's "archive cutoff" date.</pre>
Please note that when certificate is expired the OSCP may remove the CRL
from memory!<br>
<br>
Aleksey<br>
<br>
<br>
<br>
<br>
Moultrie, Ferrell (ISSAtlanta) wrote:<br>
<blockquote type="cite"
cite="mid121184A7DB1F9143BB5E3FACCB548757599CA6@atlmaiexcp02.iss.local">
<pre wrap="">Aleksey:
Very important question here -- I want to make sure I understand your
reply. In general, it is not permitted to *sign* data after the signing
certificate has expired but it is allowed to *verify* data after
expiration. An example:
I sign my code today allowing the user to verify that it is uncorrupted
when he installs/runs it. My certificate expires in three months. If you
don't honor the signature any more at that point, then his code stops
working -- a very bad thing.
Another example:
I sign an e-mail to you today. Three months later my cert expires. Six
months later you try to read my e-mail and you're told the signature is
invalid. A bad thing.
As these two examples illustrate, it is *not* standard practice to
invalidate signatures because the signer's cert has expired. The only
date restrictions should be:
1) Signers cert *must* be valid as of the date the data was signed;
2) Root cert(s) *must* be valid as of the date they signed the
subsidiary cert (in fact, I believe proper practice is that CA's
shouldn't sign certs that extend beyond their own validity date).
The key concept is that user signing's *don't*, *shouldn't*, *mustn't*
expire just because the user's cert has expired. At that point, he can't
sign anything else until he renews his cert but everything he signed
still remains valid forever because it was valid when he signed it and
it hasn't changed.
Is there a problem here or did I just misunderstand something?
Thanks!
Ferrell
-----Original Message-----
From: Aleksey Sanin [<a class="moz-txt-link-freetext" href="mailto:aleksey@aleksey.com">mailto:aleksey@aleksey.com</a>]
Sent: Wednesday, October 09, 2002 11:05 AM
To: Roman Bouchner
Cc: <a class="moz-txt-link-abbreviated" href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>
Subject: Re: [xmlsec] Verify signature after certificate expired
From the general security point of view the data are *not valid* if the
cert is expired.
If you really want to do this then you should take a look at the OpenSSL
cert
verification function and remove date check. However, this is
DANGEROUSE!
Aleksey.
Roman Bouchner wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello
I would like to verify signed data however signer's certificate has
already expired. I want only verify data integrity.
If I use function xmlSecDSigValidate, it returns negative value, so I
cannot determine if data was changed or not.
If I change local date it does work, however it is not right way I
think..
How I can solve this problems?
Thanks:)
Roman Bouchner
_______________________________________________
xmlsec mailing list
<a class="moz-txt-link-abbreviated" href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>
<a class="moz-txt-link-freetext" href="http://www.aleksey.com/mailman/listinfo/xmlsec">http://www.aleksey.com/mailman/listinfo/xmlsec</a>
</pre>
</blockquote>
<pre wrap=""><!---->
_______________________________________________
xmlsec mailing list
<a class="moz-txt-link-abbreviated" href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>
<a class="moz-txt-link-freetext" href="http://www.aleksey.com/mailman/listinfo/xmlsec">http://www.aleksey.com/mailman/listinfo/xmlsec</a>
</pre>
</blockquote>
<br>
</body>
</html>