Re: Certificate Path Validation
Denis Pinkas wrote:
>
> Santosh and Sharon,
>
> > Sharon: Not only do I agree with you, but an appropriate
> > interpretation of both the X.509 and RFC 3280 is that aside from
> > getting the following information from the trust anchor, no fields
> > in the base trust anchor certificate (e.g., validity period) need to
> > be processed:
> >
> > * Issuer DN
> > * Signature Algorithm
> > * Public key
> > * Parameters, if applicable
>
> It is just obvious that the trust anchor shall be valid for the time the
> checking is being done.
>
> Note the basic path validation described in RFC3280 does *not* allow
> validation in the past since it still says:
>
> "6.1.1 Inputs. This algorithm assumes the following seven inputs are
> provided to the path processing logic: (...) (b) the current
> date/time."
>
> :-(

However, the third paragraph in section 6.1 says:
"The algorithm presented in this section validates the certificate
with respect to the current date and time. A conformant
implementation MAY also support validation with respect to some point
in the past. Note that mechanisms are not available for validating a
certificate with respect to a time outside the certificate validity
period."

Jeff
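The point the two messages turn on is what "the current date/time" input of RFC 3280 6.1.1 (b) does inside the algorithm. The following Python model, added here as an illustration and not code from the thread or from any PKIX implementation, makes that input an explicit parameter: it defaults to "now", can be overridden with a point in the past (the MAY in the third paragraph of 6.1), and shows that no choice of time rescues a certificate once the requested time falls outside its validity period. The trust anchor is represented by exactly the four items listed in the quoted message; whether the anchor's own validity period must also be checked is the disputed point and is deliberately not modelled either way. All names, keys, dates and the `signed_by_key` stand-in for a real signature check are constructed for the example.

```python
"""
Model of the RFC 3280 section 6.1 basic path validation inputs with the
validation time as an explicit parameter. Names, keys, dates and the
signature stand-in below are constructed for illustration (assumptions).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class TrustAnchor:
    """Only the information the thread lists as taken from a trust anchor.
    Its validity period is intentionally absent: whether it has to be checked
    is the question under discussion, and this model takes no position."""
    issuer_name: str
    signature_algorithm: str
    public_key: str
    parameters: Optional[str] = None


@dataclass(frozen=True)
class Certificate:
    issuer: str
    subject: str
    not_before: datetime
    not_after: datetime
    signature_algorithm: str   # algorithm the certificate's signature uses
    key_algorithm: str         # algorithm of the subject public key
    public_key: str
    # Stand-in for the cryptographic signature: the identifier of the key that
    # signed this certificate. A real implementation verifies the signature.
    signed_by_key: str
    is_ca: bool = False


class PathValidationError(Exception):
    pass


def validate_path(path: List[Certificate], anchor: TrustAnchor,
                  validation_time: Optional[datetime] = None) -> str:
    """Walk the path from the certificate issued by the trust anchor to the
    end entity, mirroring the 6.1.3 (a) checks the thread discusses: signature
    against the working public key, validity period against the validation
    time, and issuer name chaining. Revocation, policies and name constraints
    are not modelled. Returns the end entity's public key on success."""
    if validation_time is None:
        validation_time = datetime.now(UTC)   # 6.1.1 (b): the current date/time
    if validation_time.tzinfo is None:
        raise ValueError("validation_time must be timezone-aware")

    # Initial working state comes from the trust anchor and nothing else.
    working_issuer_name = anchor.issuer_name
    working_public_key = anchor.public_key
    working_algorithm = anchor.signature_algorithm

    for i, cert in enumerate(path, start=1):
        # 6.1.3 (a)(1): signature verifies with the working public key
        if (cert.signature_algorithm != working_algorithm
                or cert.signed_by_key != working_public_key):
            raise PathValidationError(
                f"certificate {i}: signature does not verify with working public key")
        # 6.1.3 (a)(2): validity period contains the validation time
        if not (cert.not_before <= validation_time <= cert.not_after):
            raise PathValidationError(
                f"certificate {i}: validation time {validation_time:%Y-%m-%d} is outside "
                f"validity period {cert.not_before:%Y-%m-%d}..{cert.not_after:%Y-%m-%d}")
        # 6.1.3 (a)(4): issuer name chains to the working issuer name
        if cert.issuer != working_issuer_name:
            raise PathValidationError(
                f"certificate {i}: issuer {cert.issuer!r} != expected {working_issuer_name!r}")
        # Intermediate certificates must be CA certificates.
        if i < len(path) and not cert.is_ca:
            raise PathValidationError(f"certificate {i}: intermediate is not a CA certificate")
        working_issuer_name = cert.subject
        working_public_key = cert.public_key
        working_algorithm = cert.key_algorithm
    return working_public_key


def validate_at(path: List[Certificate], anchor: TrustAnchor,
                validation_time: Optional[datetime] = None) -> Tuple[bool, str]:
    """Convenience wrapper: (True, end-entity key) or (False, reason)."""
    try:
        return True, validate_path(path, anchor, validation_time)
    except PathValidationError as exc:
        return False, str(exc)


# Constructed sample: a root anchor, an issuing CA valid 2002..2004, and an
# end-entity certificate valid only during 2003.
ANCHOR = TrustAnchor("CN=Example Root CA", "rsa", "root-key-1")
PATH = [
    Certificate(issuer="CN=Example Root CA", subject="CN=Example Issuing CA",
                not_before=datetime(2002, 1, 1, tzinfo=UTC),
                not_after=datetime(2004, 12, 31, tzinfo=UTC),
                signature_algorithm="rsa", key_algorithm="rsa",
                public_key="issuing-key-1", signed_by_key="root-key-1", is_ca=True),
    Certificate(issuer="CN=Example Issuing CA", subject="CN=alice",
                not_before=datetime(2003, 1, 1, tzinfo=UTC),
                not_after=datetime(2003, 12, 31, tzinfo=UTC),
                signature_algorithm="rsa", key_algorithm="rsa",
                public_key="alice-key-1", signed_by_key="issuing-key-1"),
]
T_PAST = datetime(2003, 6, 1, tzinfo=UTC)      # inside every validity period
T_OUTSIDE = datetime(2005, 6, 1, tzinfo=UTC)   # after the issuing CA expired

if __name__ == "__main__":
    for label, when in (("now", None), ("2003-06-01", T_PAST), ("2005-06-01", T_OUTSIDE)):
        ok, detail = validate_at(PATH, ANCHOR, when)
        print(f"{label}: {'valid, key ' + detail if ok else 'invalid: ' + detail}")
```

Run with today's clock the same path fails (the issuing CA expired in 2004), validates when the caller supplies a time in 2003, and fails again for 2005, which is the situation the quoted note describes: a validation time is an input, but the validity period of each certificate in the path bounds which inputs can succeed.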