[Help-gnutls] Respecting the validity period of Root CA certificates [was: Re: Is gnutls using the shell model or the chain model for a certificate validation]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Nov 13 16:26:46 CET 2008


On Wed 2008-11-12 04:06:38 -0500, Simon Josefsson wrote:

> When trusting a CA certificate, I don't think the expiry date in that
> certificate matters -- you are only trusting that the public key
> corresponds to the CA.

On Thu 2008-11-13 02:11:59 -0500, Scott Schaeffner wrote:

>  Document rfc5280 "Internet X.509 Public Key Infrastructure
>  Certificate and Certificate Revocation List (CRL) Profile" explains
>  in section 6 the "Certification Path Validation".
>
>  Section 6.1.3. (a)(2) states that the timestamp of the
>  validation(system date) has to be within the validity period of all
>  certificates in the validation path.

The trusted root CA's certificate is the last (or first, depending on
your perspective) cert in the validation path.  It seems to me that
Scott's find suggests that the validity period of the root certificate
*is* relevant.

On Wed 2008-11-12 04:06:38 -0500, Simon Josefsson wrote:

> This is illustrated by older X.509 implementations that accepted
> trust CA's not encoded as certificates but just public keys and
> issuer name.  Nowadays I think everyone requires a proper X.509
> certificate even for the trusted CA's, to be able to validate
> various X.509 extension limitations.

I think that those older X.509 implementations were simply incomplete.
Now that we're requiring proper X.509 certificates for root
authorities, we should not ignore the additional semantic content in
those certificates.

   --dkg
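The rule under discussion, RFC 5280 section 6.1.3 (a)(2), applied once with the trust anchor treated as a bare name and key and once with the anchor's own certificate included, as an added example that is not part of this message or of GnuTLS. The `Cert` model, the names, and the validity dates are constructed for illustration.

```python
# Time-validity checks along an X.509 certification path, RFC 5280 6.1.3(a)(2).
# Constructed, library-free model: a Cert keeps only what the check needs.  Not GnuTLS code.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        # RFC 5280 4.1.2.5: notBefore and notAfter are both inclusive.
        return self.not_before <= when <= self.not_after

def validate_path(path: List[Cert], anchor: Cert, when: datetime,
                  check_anchor_validity: bool) -> List[str]:
    """Return the problems found; an empty list means the path is acceptable at `when`.
    `path` runs from the certificate issued by the anchor to the end entity.
    `check_anchor_validity` selects between the two readings in the thread: False
    treats the anchor as a bare (name, key) pair, True applies 6.1.3(a)(2) to it too."""
    errors = []
    if check_anchor_validity and not anchor.valid_at(when):
        errors.append(f"trust anchor {anchor.subject!r} not valid at {when.date()}")
    expected_issuer = anchor.subject
    for i, cert in enumerate(path, start=1):
        # 6.1.3(a)(4): the issuer name must chain to the previous subject.
        if cert.issuer != expected_issuer:
            errors.append(f"cert {i} {cert.subject!r}: issuer {cert.issuer!r} != {expected_issuer!r}")
        # 6.1.3(a)(2): the validation time must fall inside every validity period.
        if not cert.valid_at(when):
            errors.append(f"cert {i} {cert.subject!r} not valid at {when.date()}")
        expected_issuer = cert.subject
    return errors

def utc_day(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample: the root's own certificate expired in January 2008, the rest is current.
ROOT = Cert("CN=Example Root", "CN=Example Root", utc_day(1998, 1, 1), utc_day(2008, 1, 1))
INTERMEDIATE = Cert("CN=Example Intermediate", "CN=Example Root", utc_day(2007, 1, 1), utc_day(2012, 1, 1))
LEAF = Cert("CN=www.example.net", "CN=Example Intermediate", utc_day(2008, 6, 1), utc_day(2009, 6, 1))
NOW = utc_day(2008, 11, 13)  # the date of this message

if __name__ == "__main__":
    print("anchor as bare key:", validate_path([INTERMEDIATE, LEAF], ROOT, NOW, False))
    print("anchor cert checked:", validate_path([INTERMEDIATE, LEAF], ROOT, NOW, True))
```

With the anchor treated as a bare key the path is accepted; with its certificate included the expired root is reported, which is the difference the two quoted positions turn on.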