List: strongswan-announce
Subject: Re: [strongSwan-dev] [PATCH 1/2] Check start date when evaluating validity of CRL
From: Thomas Egerer <thomas.egerer () secunet ! com>
Date: 2012-03-06 10:10:34
Message-ID: 4F55E29A.1020404 () secunet ! com
Hello Andreas,
On 03/05/2012 08:45 PM, Andreas Steffen wrote:
> Hello Thomas,
>
> I'm not sure. "thisUpdate" for CRLs is not the same as "notBefore"
> for certificates. In my opinion "thisUpdate" should be the date
> the CRL was released and if this date lies in the future then probably
> the NTP time synchronisation went wrong. If we know that a given
> certificate is going to be revoked in 10 minutes time then we
> should heed this advice. This is why I omitted a "thisUpdate" check
> on purpose since the "thisUpdate" date is merely informational and
> should only help in selecting the most recent CRL if a version 2
> crlNumber is not available.
I get your point. Makes very much sense to me. Thanks,
Thomas
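
The policy argued in the quoted reply, as an added example that is not part of the original message and not strongSwan's own code: a CRL's usability is bounded only by nextUpdate, and thisUpdate serves only as a tie-breaker for freshness when no version 2 crlNumber is available. The type `crl_info_t` and the functions `crl_is_valid`, `crl_is_newer` and `crl_select` are hypothetical names chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <time.h>

/* Hypothetical, simplified view of a parsed CRL (not a strongSwan type). */
typedef struct {
    time_t this_update;     /* release date of the CRL */
    time_t next_update;     /* date by which a newer CRL is expected */
    bool has_crl_number;    /* version 2 crlNumber extension present? */
    uint64_t crl_number;    /* increases with every issued CRL */
} crl_info_t;

/* Validity as argued in the reply: only nextUpdate bounds the CRL.
 * A thisUpdate that lies in the future does not make it unusable. */
bool crl_is_valid(const crl_info_t *crl, time_t now)
{
    return now <= crl->next_update;
}

/* Freshness: compare crlNumber when both CRLs carry one, otherwise
 * fall back to thisUpdate, which is its only role in this sketch. */
bool crl_is_newer(const crl_info_t *a, const crl_info_t *b)
{
    if (a->has_crl_number && b->has_crl_number)
        return a->crl_number > b->crl_number;
    return a->this_update > b->this_update;
}

/* Choose between a cached and a freshly fetched CRL; either may be NULL.
 * Returns NULL when neither is usable at time `now`. */
const crl_info_t *crl_select(const crl_info_t *cached,
                             const crl_info_t *fetched, time_t now)
{
    bool cached_ok = cached && crl_is_valid(cached, now);
    bool fetched_ok = fetched && crl_is_valid(fetched, now);

    if (cached_ok && fetched_ok)
        return crl_is_newer(fetched, cached) ? fetched : cached;
    if (fetched_ok)
        return fetched;
    return cached_ok ? cached : NULL;
}
```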