[xmlsec] Verify signature after certificate expired

Aleksey Sanin aleksey at aleksey.com
Thu Oct 10 00:53:12 PDT 2002


I understand the problem with using 0.9.7 and I have been waiting for it
for a very long time myself :) I've changed the XMLSec library so now
this "expired certs feature" is supported for both 0.9.6 and 0.9.7.
Also I added a test case to my suite to test it. The code is not
complicated, but it's new code and I would appreciate it if you would
try this new feature in your environment. I would be glad to help
you and fix any bugs you find. The fixed XMLSec version should
be in tonight's snapshot or you can get it from GNOME CVS.

Thank you in advance,
Aleksey

Moultrie, Ferrell (ISSAtlanta) wrote:

>Aleksey:
>  I *must* have this stuff -- there's not really another way to do this
>without using a never-expiring cert from a private CA -- and that has
>its own set of risks and hazards that are commensurate with, or greater
>than, the risk you point out of not expiring a signature after it's
>released. For a code and/or data signing application intended *only* to
>say that the data was valid at the time it was signed -- and should
>remain valid forever -- not having a signature expire is the
>proper/desired/required behavior.
>For your notes below:
>  (1) My XML has a timestamp in a predictable format that corresponds
>precisely to the time of signing so this isn't an issue in my case. Not
>a problem.
>  (2) Yucky because this is extra work in the application which I was
>avoiding -- but that's still not a big problem since verification setup
>time isn't absolutely critical to my application.
>  (3) I believe I understand your POV and the tradeoffs -- they just
>don't change how my application *must* behave.
>
>  If you can either prototype the required code for 0.9.6g or give me as
>good a pointer as you can to what should be done and where, I'll check
>it out and test it with my application. I'm very appreciative of what
>you've done so far -- but I just can't use 0.9.7 in our general-release
>applications at this time. Too much testing -- too many unknowns -- too
>hard to explain if it turns out to have a critical security
>issue/bug/etc. Thanks again for whatever you can do to help me move
>forward. Finding out about this today is painful/inconvenient -- but
>much better than finding out about it next year when all our
>applications suddenly shut down. Hopefully QA would have found this soon
>(I just turned the X509 stuff over to them) but if we'd missed it, it
>would have been very painful. 
>Ferrell
>

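The policy the two messages are negotiating, evaluating the signing certificate's validity window at the time the document was signed rather than at verification time, is shown below as an added, self-contained illustration. This is not xmlsec's own code and not Ferrell's application; it assumes a signed document that carries an ISO 8601 `<Timestamp>` element (Ferrell's note (1)), represents the certificate's validity in the `ssl.getpeercert()` dictionary style so that the standard library's `ssl.cert_time_to_seconds()` can parse it, and assumes the XML-DSig itself has already been verified cryptographically before this check runs, so the timestamp is covered by the signature. The function names, the sample document and the certificate dates are all constructed for the example.

```python
"""Judge a signing certificate at signing time, not at verification time.

Added illustration only (not xmlsec code). Assumptions, none from the post:
  * the signed XML carries <Timestamp> in "%Y-%m-%dT%H:%M:%SZ" form;
  * certificate validity is given like ssl.getpeercert() output
    ('notBefore' / 'notAfter' strings, parsed by ssl.cert_time_to_seconds);
  * the XML signature has ALREADY been verified, so the timestamp is
    integrity-protected by the signature being checked.
"""
import calendar
import ssl
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample document: signed in October 2002, inside the cert window.
SIGNED_DOC = """<?xml version="1.0"?>
<Release xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Timestamp>2002-10-09T23:00:00Z</Timestamp>
  <Payload>release-1.0.tar.gz</Payload>
  <ds:Signature><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
</Release>
"""

# Constructed certificate metadata (ssl.getpeercert() style); expires end of 2002.
SIGNING_CERT = {
    "subject": ((("commonName", "Example Code Signer"),),),
    "notBefore": "Jan  1 00:00:00 2002 GMT",
    "notAfter": "Dec 31 23:59:59 2002 GMT",
}

MAX_FUTURE_SKEW_SECONDS = 300  # tolerate small signer clock drift


def signing_time(doc_xml: str) -> int:
    """Return the signed <Timestamp> as POSIX seconds (UTC)."""
    root = ET.fromstring(doc_xml)
    ts = root.findtext("Timestamp")
    if ts is None:
        raise ValueError("no <Timestamp> inside the signed content")
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return calendar.timegm(dt.timetuple())


def cert_valid_at(cert: dict, when: int) -> bool:
    """True if 'when' lies inside the certificate's notBefore..notAfter window."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= when <= not_after


def check_signing_cert(doc_xml: str, cert: dict, now: int,
                       allow_expired: bool = True) -> str:
    """Return 'ok' or the reason the document is rejected.

    allow_expired=False: the conventional rule, certificate judged at 'now'.
    allow_expired=True:  the 'expired certs feature' discussed in the thread,
                         certificate judged at the signing time carried in
                         the signed data. A future-dated timestamp is always
                         rejected, since a signer cannot sign in the future.
    """
    signed_at = signing_time(doc_xml)
    if signed_at > now + MAX_FUTURE_SKEW_SECONDS:
        return "timestamp is in the future"
    when = signed_at if allow_expired else now
    if not cert_valid_at(cert, when):
        which = "signing time" if allow_expired else "verification time"
        return "certificate not valid at " + which
    return "ok"


if __name__ == "__main__":
    verify_now = 1104537600  # 2005-01-01T00:00:00Z, long after the cert expired
    print("strict :", check_signing_cert(SIGNED_DOC, SIGNING_CERT, verify_now, False))
    print("at-sign:", check_signing_cert(SIGNED_DOC, SIGNING_CERT, verify_now, True))
```

Two caveats matter in practice. The timestamp is only trustworthy because it sits inside the signed content and the signature has already been verified against it; a timestamp taken from an unsigned wrapper or a file header proves nothing. And judging validity at signing time means a signature can never "age out", which is exactly the trade-off Ferrell accepts in point (3): a key that is compromised after the certificate expires can still produce backdated signatures that pass this check, so revocation data or a trusted time-stamping authority is needed if that risk is unacceptable.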