[xmlsec] Verify signature after certificate expired

Aleksey Sanin aleksey at aleksey.com
Wed Oct 9 11:38:32 PDT 2002


Rich, Moultrie,

I have to disagree with you. A document signed with a cert means that
    1) the document was signed by the person to whom the cert was issued;
    2) the document has not been changed since the time it was signed.
The expired cert could not provide you with the first item (I hope the reasons
are clear).
And in this case you might use a plain RSA/DSA public key instead of a cert.

Since you've mentioned S/MIME as an example, I would like to cite an RFC
(RFC 2312: S/MIME Version 2 Certificate Handling):

   Some of the many places where signature and certificate checking
   might fail include:

   - no Internet mail addresses in a certificate match the sender of a
     message
   - no certificate chain leads to a trusted CA
   - no ability to check the CRL for a certificate
   - an invalid CRL was received
   - the CRL being checked is expired
>> - the certificate is expired
   - the certificate has been revoked

If you really want to handle expired certs in a different way, then you
need to rewrite the OpenSSL cert verification callback and take the risk.


Aleksey.



Rich Salz wrote:

> Yes, it is important to be able to verify something after the 
> credentials have expired.  As long as the signature was *generated* 
> during the validity period, then you can verify it.  There is a reason 
> why PKCS7, and XML-DSIG, include the ability to put CRLs into a 
> signature:  so you can show -- at the time the sig was generated -- 
> that the cert was not revoked.
>
> Hope this helps.
>     /r$
