Eddy,
Eddy Nigg wrote:
On 01/09/2009 03:41 AM, Julien R Pierre - Sun Microsystems:
FYI, if a certificate is expired, NSS won't even bother performing a
revocation check on it, either CRL or OCSP.
Are you sure?
Yes. The validity check is one of the earliest ones that happens on the
cert.
See
http://mxr.mozilla.org/security/source/security/nss/lib/certhigh/certvfy.c#1091
Also
http://mxr.mozilla.org/security/source/security/nss/lib/certhigh/certvfy.c#1326
There are a few new cert validation checks in libpkix for NSS 3.12, but I
think the expiration check still remains an early one, and it definitely
is optimized to do revocation checks only when needed.
I.e., the expiration of the cert is more critical information than its
revocation status.
I think that's wrong as I explained in the previous mail.
Well, we'll just have to agree to disagree :) IMO revocation really
doesn't matter if you already know the certificate is invalid at the
time you are checking it. It's like trying to check a dead person's pulse.
Yet the PSM UI lets you click to override the expiration of a cert, but
not for revocation. I don't think it makes much sense to override either
case.
Well...I think expiration has some use for control panels and such
stuff, without it one would have a hard time updating the cert in case
it was forgotten. The same is true for overriding an eventual exception
for initial cases (on a temporary basis). It happens to me every time I
install a new server.
Time zone issues, perhaps. Or time sync. I have seen those kinds of
problems before. They shouldn't last very long though.
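As an added illustration of the ordering discussed above (this is a stand-alone model written for this page, not NSS code and not from the thread), a Python validator that checks the validity window first and only consults a stand-in CRL/OCSP checker for certs that are valid at the time of the check; the `Cert`, `RevocationChecker` and `validate` names are hypothetical, and the timezone check reflects the time zone / time sync remark above:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Status(Enum):
    OK = "ok"
    NOT_YET_VALID = "not yet valid"
    EXPIRED = "expired"
    REVOKED = "revoked"

@dataclass
class Cert:
    """Hypothetical minimal cert: just the fields the ordering needs."""
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass
class RevocationChecker:
    """Stands in for a CRL/OCSP lookup and counts how often it is consulted."""
    revoked_serials: set
    lookups: int = 0

    def is_revoked(self, cert: Cert) -> bool:
        self.lookups += 1  # a real checker would fetch a CRL or OCSP response here
        return cert.serial in self.revoked_serials

def validate(cert: Cert, checker: RevocationChecker, now: datetime) -> Status:
    # Refuse naive datetimes: mixing local and UTC timestamps is exactly the
    # time zone / time sync confusion the thread mentions.
    for t in (cert.not_before, cert.not_after, now):
        if t.tzinfo is None:
            raise ValueError("use timezone-aware datetimes")
    # Validity window first, as NSS does; an invalid cert is rejected
    # without ever consulting the revocation source.
    if now < cert.not_before:
        return Status.NOT_YET_VALID
    if now > cert.not_after:
        return Status.EXPIRED
    # Only a cert that is valid at 'now' earns a revocation lookup.
    if checker.is_revoked(cert):
        return Status.REVOKED
    return Status.OK

# Constructed sample clock and certs (serial 1 is expired, both are on the CRL).
NOW = datetime(2009, 1, 9, 12, 0, tzinfo=timezone.utc)
EXPIRED = Cert(1, NOW - timedelta(days=400), NOW - timedelta(days=35))
CURRENT = Cert(2, NOW - timedelta(days=30), NOW + timedelta(days=335))
CRL = RevocationChecker(revoked_serials={1, 2})
```

Running `validate(EXPIRED, CRL, NOW)` reports the cert as expired with `CRL.lookups` still 0, while `validate(CURRENT, CRL, NOW)` reports it as revoked after exactly one lookup.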
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto