[xmlsec] Verify signature after certificate expired
Aleksey Sanin
aleksey at aleksey.com
Wed Oct 9 16:58:18 PDT 2002
I had some time to read the RFCs (in particular, RFC 1422, RFC 1423, RFC 1424, RFC 2459), and I found that:
1) signature verification requires a "valid" certificate;
2) a "valid" certificate is application specific;
3) the application may accept "invalid" certs and show an application-specific warning to the user.

To clarify item 2): the application may decide that an "expired cert" is a valid cert, as well as that a "cert found in CRL" is a valid cert or a "cert has wrong purpose" is a valid cert. IMHO, this is wrong but I do understand that there may be good reasons to do this.

Applied to the XMLSec library, this means that while I don't like the idea of accepting expired certificates, I will try to look at OpenSSL and find out how difficult it would be to disable this check. If this could be done w/o huge problems, then I'll add a config parameter to xmlSecKeysManager (and the xmlsec application) that controls whether it accepts expired certs or not. However, if I find that this check is in the core of the OpenSSL cert verification process and there is no simple way of disabling it, then I'll leave this to the application (as you know, the cert verification could be completely handled by the application). Of course, if anyone can submit a patch to xmlsec that'll do this, then I'll be happy to apply it (after code review, of course :) ).

Any suggestions, comments?
Aleksey.