Ron Rivest wrote:
> Yes, the idea is that during the first phase (between the not-before and
> the good-until), no checks are needed, and that if you do a check during
> the second phase (between the good-until and the not-after) you get back
> a new certificate with new not-before/good-until/not-after dates...

Hasn't this effectively been proposed before (though I forget in what
context) in the form of a "check every n days" rule? OTOH, doing it this
way is cleaner, clearer and more guaranteed not to go wrong.

The next question, though, is, if it is after the good-until date, but I
can't, or won't, check the cert, what is its status? If it is OK to use
the cert anyway, then why have it (good-until, that is), and if it
isn't, then how is it different from the not-after date?

Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: firstname.lastname@example.org |
A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache
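
The three-date scheme discussed in this message, as an added example that is not part of the original post or of any real certificate library. The names `Cert`, `evaluate`, `recheck` and `accept_unchecked` are hypothetical, the dates are constructed, and treating the good-until instant itself as still phase one is an assumption; the unchecked phase-two case is left as an explicit policy flag because the thread leaves it open.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

class Status(Enum):
    VALID = "phase one, no check needed"
    RENEWED = "phase two, check returned a new certificate"
    UNCHECKED = "phase two, check not possible, accepted by local policy"
    REJECTED = "outside not-before..not-after, refused, or unchecked under strict policy"

@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    good_until: datetime
    not_after: datetime

def evaluate(cert, now, recheck, accept_unchecked):
    """Return (Status, certificate to use from now on).

    recheck(cert, now) is a hypothetical issuer call: it returns a fresh Cert,
    returns None if the issuer refuses, or raises ConnectionError if unreachable.
    """
    if now < cert.not_before or now > cert.not_after:
        return Status.REJECTED, cert
    if now <= cert.good_until:
        return Status.VALID, cert
    try:
        fresh = recheck(cert, now)
    except ConnectionError:
        # The open question: is an unchecked phase-two certificate usable?
        return (Status.UNCHECKED if accept_unchecked else Status.REJECTED), cert
    if fresh is None:
        return Status.REJECTED, cert
    return Status.RENEWED, fresh

def sample_issuer(cert, now, window=timedelta(days=7)):
    # Constructed issuer: reissues with both phases one window long.
    return Cert(cert.subject, now, now + window, now + 2 * window)

def unreachable_issuer(cert, now):
    raise ConnectionError("issuer unreachable (constructed failure)")

T0 = datetime(2000, 1, 1)  # constructed sample dates
CERT = Cert("example-subject", T0, T0 + timedelta(days=7), T0 + timedelta(days=14))
```

With `accept_unchecked=False` an unreachable issuer makes good-until behave like not-after; with `True` the certificate stays usable unchecked until not-after.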