At 10:00 AM +0000 3/14/07, Gervase Markham wrote:
> Paul Hoffman wrote:
> > A related question that I was intending to do some research on: if
> > a trust anchor ("trusted root" in this thread) has an expiration
> > date in the past, does NSS still treat it as a trust anchor, or does
> > it ignore it?
> I can't say for certain because I haven't seen the code, but I would
> certainly hope it ignores it!
I would hope that NSS *would* use this information because it is what
the CA has asserted about itself. RFC 3280 does not require that the
processor use this information.
> Then again, this situation almost never arises, because CAs create
> roots for a duration of 30 years, and then deprecate them after five
> years or so.
That is not a good way to set a security policy. There are many
reasons why an organization might want to push a locally-generated
trust root to its users, but would not want that trust root to be
valid forever, particularly if they don't fully trust their ability
to keep the private key secret for the long term.
So, does someone who knows how to read the appropriate part of the
code have an answer about this?
--Paul Hoffman
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
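An added example, not part of this thread and not NSS code, showing the check Paul is asking about as an application can perform it itself, and what one path-validation library does with an expired anchor. It uses Go's crypto/x509 rather than NSS (what NSS does remains the open question above), so it only demonstrates that library's behaviour. The root name "Local Test Root", the hostname server.example, the 2007 dates and the keys are constructed fixtures, and AnchorUsable is a hypothetical policy helper written for this example, not a library API:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate from tmpl. With parent == nil the certificate
// is self-signed (a trust anchor); otherwise it is signed with parentKey.
// Constructed fixture for this example, not a real CA.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// AnchorUsable is the application-level policy check (hypothetical helper):
// refuse to treat a trust anchor as trusted outside its own validity window,
// whether or not the path-validation library enforces that itself.
func AnchorUsable(anchor *x509.Certificate, now time.Time) error {
	if now.Before(anchor.NotBefore) {
		return fmt.Errorf("trust anchor %q not yet valid (notBefore %s)", anchor.Subject.CommonName, anchor.NotBefore.Format(time.RFC3339))
	}
	if now.After(anchor.NotAfter) {
		return fmt.Errorf("trust anchor %q expired (notAfter %s)", anchor.Subject.CommonName, anchor.NotAfter.Format(time.RFC3339))
	}
	return nil
}

// VerifyWithAnchor builds a chain from leaf to anchor at time now with
// Go's crypto/x509 and returns that library's verdict.
func VerifyWithAnchor(leaf, anchor *x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, DNSName: "server.example"})
	return err
}

// Scenario builds a locally generated root whose validity ends at rootNotAfter
// and a leaf that is valid at now, then returns the policy-check result and
// the library's verdict. err reports only fixture construction failures.
func Scenario(now, rootNotAfter time.Time) (policyErr, verifyErr error, err error) {
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Local Test Root"},
		NotBefore:             now.Add(-2 * 365 * 24 * time.Hour),
		NotAfter:              rootNotAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root, rootKey, err := newCert(rootTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "server.example"},
		DNSNames:     []string{"server.example"},
		NotBefore:    now.Add(-24 * time.Hour),
		NotAfter:     now.Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := newCert(leafTmpl, root, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return AnchorUsable(root, now), VerifyWithAnchor(leaf, root, now), nil
}

func main() {
	// Verification time chosen to match the date of this thread (constructed).
	now := time.Date(2007, 3, 14, 10, 0, 0, 0, time.UTC)
	for _, tc := range []struct {
		name     string
		notAfter time.Time
	}{
		{"root still valid", now.Add(365 * 24 * time.Hour)},
		{"root expired yesterday", now.Add(-24 * time.Hour)},
	} {
		policyErr, verifyErr, err := Scenario(now, tc.notAfter)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s:\n  policy check: %v\n  crypto/x509:  %v\n", tc.name, policyErr, verifyErr)
	}
}
```

With a valid root both results are nil. With the expired root, AnchorUsable rejects it outright, and Go's chain builder also refuses the chain: the root fails its validity check while candidate parents are considered, so the leaf ends up with an UnknownAuthorityError whose message carries the "has expired or is not yet valid" hint. The explicit check is still worth keeping in an application: it gives an unambiguous error and does not depend on which library, or which version of it, happens to enforce the anchor's own validity period.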