[xmlsec] Verify signature after certificate expired

Aleksey Sanin aleksey at aleksey.com
Wed Oct 9 16:58:18 PDT 2002


I had some time to read the RFCs (in particular, RFC 1422, RFC 1423,
RFC 1424, RFC 2459), and I found that:
    1) signature verification requires a "valid" certificate;
    2) a "valid" certificate is application specific;
    3) the application may accept "invalid" certs and show an
       application-specific warning to the user.
To clarify item 2): the application may decide that an "expired cert" is
a valid cert, just as it may decide that a "cert found in CRL" is a valid
cert or a "cert has wrong purpose" is a valid cert.
IMHO, this is wrong, but I do understand that there may be good reasons
to do this.

In application to the XMLSec library, this means that while I don't like
the idea of accepting expired certificates, I will try to look at OpenSSL
and find out how difficult it would be to disable this check. If this
could be done w/o huge problems then I'll add a config parameter to
xmlSecKeysManager (and the xmlsec application) that controls whether it
accepts expired certs or not. However, if I find that this check is in
the core of the OpenSSL cert verification process and there is no simple
way of disabling it, then I'll leave this to the application (as you
know, the cert verification could be completely handled by the
application). Of course, if anyone can submit a patch to xmlsec that'll
do this then I'll be happy to apply it (after code review, of course :) ).

Any suggestions, comments?

Aleksey.
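
An added example, not part of the original message and not xmlsec code: a sketch of the "accept expired certs, with a warning" switch discussed above, written against the `openssl verify` command-line tool rather than the library API. The function names (`make_demo_pki`, `classify_cert`), the result labels and the demo certificates are assumptions made for illustration; `-no_check_time` requires OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example, not xmlsec code. Needs the openssl CLI, version 1.1.0+.

# make_demo_pki DIR: constructed test data (a CA, a leaf valid for one
# day, and an unrelated self-signed certificate).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo signer" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Stranger" -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# classify_cert CA CERT ACCEPT_EXPIRED [ATTIME]
# Prints valid | expired-accepted | invalid.
# ACCEPT_EXPIRED is the policy switch (1 = tolerate expiry).
# ATTIME is the verification time in epoch seconds (default: now).
classify_cert() {
    ca=$1; cert=$2; accept_expired=$3; attime=${4:-}
    # Strict check first: chain building, purpose and validity period.
    if out=$(openssl verify -CAfile "$ca" ${attime:+-attime "$attime"} \
             "$cert" 2>&1); then
        echo valid; return 0
    fi
    # Tolerate only error 10 (certificate has expired), only when the
    # policy allows it, and only if the chain passes every other check
    # once time checks are switched off.
    if [ "$accept_expired" = 1 ] &&
       printf '%s\n' "$out" | grep -q 'error 10 at' &&
       openssl verify -CAfile "$ca" -no_check_time "$cert" >/dev/null 2>&1
    then
        echo "warning: accepting expired certificate $cert" >&2
        echo expired-accepted; return 0
    fi
    echo invalid; return 1
}
```

The second pass matters: an untrusted or wrongly issued certificate stays `invalid` even with the switch on, so the relaxation covers expiry and nothing else.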
