Closed Bug 1593141 Opened 4 months ago Closed 3 months ago

add `notBefore` or similar "beginning-of-validity-period" parameter to mozilla::pkix::TrustDomain::CheckRevocation

Categories: NSS :: Libraries, enhancement, P1
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: keeler, Assigned: keeler
Attachments: 1 file

To check a certificate's CRLite status, we need:

  1. its issuer distinguished name
  2. its issuer's subject public key info
  3. its serial number
  4. the beginning of its validity period (as a proxy for "we can't guarantee this certificate was known to CT before this time", to prevent false positives)

mozilla::pkix::TrustDomain::CheckRevocation readily has items 1-3, but not 4. It would be relatively straightforward to add this as a parameter to that function.

This allows TrustDomain implementations to make decisions based on when the validity period of a certificate began. For instance, if an implementation has revocation information that is valid and complete as of a particular time, but a certificate's validity period begins after that time, the implementation may decide to disregard this revocation information on the basis that the information it has available cannot possibly apply to that certificate.
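As an added illustration of the decision described above (not code from this bug, from mozilla::pkix, or from the attached patch), a hypothetical TrustDomain-style check that takes the certificate's notBefore and declines to apply revocation information that was assembled before that time. `Time`, `RevocationInfo`, `CertKey` and `SampleInfo` are stand-ins assumed here, and the sample data is constructed.

```cpp
#include <cstdint>
#include <set>
#include <string>
#include <tuple>

// Assumed stand-in for mozilla::pkix::Time: seconds since the Unix epoch.
using Time = std::uint64_t;

enum class RevocationStatus { NotRevoked, Revoked, Unknown };

// Items 1-3 from the bug: issuer DN, issuer SPKI, serial number. Strings
// stand in for the DER byte sequences a real implementation would use.
using CertKey = std::tuple<std::string, std::string, std::string>;

// Hypothetical revocation data set (think of a CRLite filter): it is valid
// and complete only for certificates known, via CT, as of `completeAsOf`.
struct RevocationInfo {
  Time completeAsOf;
  std::set<CertKey> revoked;
};

// Item 4: the certificate's notBefore gates whether the data set may be
// consulted at all. A certificate whose validity period began after the
// data set was assembled cannot be guaranteed to have been in its input
// universe, so any answer about it could be a false positive; report
// Unknown and let the caller fall back to another mechanism.
RevocationStatus CheckRevocation(const RevocationInfo& info,
                                 const std::string& issuerDN,
                                 const std::string& issuerSPKI,
                                 const std::string& serial,
                                 Time notBefore) {
  if (notBefore > info.completeAsOf) {
    return RevocationStatus::Unknown;
  }
  CertKey key{issuerDN, issuerSPKI, serial};
  return info.revoked.count(key) ? RevocationStatus::Revoked
                                 : RevocationStatus::NotRevoked;
}

// Constructed sample data: one revoked serial, data complete as of t=1000.
RevocationInfo SampleInfo() {
  return RevocationInfo{1000, {CertKey{"CN=Example CA", "spki-bytes", "01"}}};
}
```

A certificate with notBefore 500 and serial 01 yields Revoked, serial 02 yields NotRevoked, and the same serial 01 with notBefore 1500 yields Unknown because the data set predates it.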

Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 3.48