[xmlsec] Verify signature after certificate expired
aleksey at aleksey.com
Wed Oct 9 16:58:18 PDT 2002
I had some time to read RFC (in particular, RFC 1422, RFC 1423, RFC 1424,
RFC 2459), and I found that:
1) signature verification requires "valid" certificate;
2) "valid" certificate is application specific;
3) the application may accept "invalid" certs and show application
warning to user.
To clarify item 2): the application may decide that "expired cert" is
valid cert as well
as "cert found in CRL" is valid cert or "cert has wrong purpose" is
IMHO, this is wrong but I do understand that there may be good reasons
to do this.
In application to XMLSec library, this means that when I don't like the
accepting expired certificates, I will try to look at OpenSSL and find out
how difficult it would be to disable this check. If this could be done
w/o huge problems
then I'll add a config parameter to xmlSecKeysManager (and xmlsec
that controls whether it accepts expired certs or not. However, if I'll
found that this check
is in the core of OpenSSL certs verification process and there is no
of disabling it then I'll leave this to application (as you know the
could be completelly handled by the application). Of course, if anyone
a patch to xmlsec that'll do this then I'll be happy to apply it (after
of course :) ).
Any suggestions, comments?
More information about the xmlsec