Bug 1593141
Opened 5 years ago
Closed 5 years ago
add `notBefore` or similar "beginning-of-validity-period" parameter to mozilla::pkix::TrustDomain::CheckRevocation
Categories: NSS :: Libraries, enhancement, P1
Status: RESOLVED FIXED
Target Milestone: 3.48
People: Reporter: keeler, Assigned: keeler
Attachments: 1 file

Description
To check a certificate's CRLite status, we need:
- its issuer distinguished name
- its issuer's subject public key info
- its serial number
- the beginning of its validity period (as a proxy for "we can't guarantee this certificate was known to CT before this time", to prevent false positives)
mozilla::pkix::TrustDomain::CheckRevocation readily has items 1-3, but not 4. It would be relatively straightforward to add this as a parameter to that function.
Comment 1 • 5 years ago
This allows TrustDomain implementations to make decisions based on when the
validity period of a certificate began. For instance, if an implementation has
revocation information that is valid and complete as of a particular time, but
a certificate's validity period begins after that time, the implementation may
decide to disregard this revocation information on the basis that the
information it has available cannot possibly apply to that certificate.
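The following is an added illustration of the decision described in the description and in Comment 1, not code from NSS or mozilla::pkix. It models a CRLite-style filter with a single "coverage time" (the point up to which the filter's view of CT-logged certificates is complete) and a simplified stand-in for a TrustDomain::CheckRevocation that takes the certificate's notBefore. All type and function names (CertID, CrliteFilter, CheckRevocation, RevocationResult) and the sample issuer/serial values are hypothetical and constructed for this example.

```cpp
#include <cstdint>
#include <iostream>
#include <set>
#include <string>
#include <tuple>

// Hypothetical stand-in for mozilla::pkix's CertID: the three items the
// description says CheckRevocation already has (issuer DN, issuer SPKI,
// serial number). Bytes are modelled as std::string for brevity.
struct CertID {
  std::string issuerDN;    // DER-encoded issuer distinguished name
  std::string issuerSPKI;  // DER-encoded issuer SubjectPublicKeyInfo
  std::string serial;      // serial number bytes

  bool operator<(const CertID& o) const {
    return std::tie(issuerDN, issuerSPKI, serial) <
           std::tie(o.issuerDN, o.issuerSPKI, o.serial);
  }
};

enum class RevocationResult {
  Good,        // certificate is covered by the filter and not in it
  Revoked,     // certificate is covered by the filter and in it
  NotCovered,  // filter cannot speak to this certificate; fall back (e.g. OCSP)
};

// Simplified model of a CRLite filter. A real filter is a cascade of Bloom
// filters whose answers are only guaranteed correct for the set of
// CT-known certificates it was built from; here it is just a set, plus the
// time up to which its knowledge of issued certificates is complete.
class CrliteFilter {
 public:
  explicit CrliteFilter(uint64_t coverageTime) : coverageTime_(coverageTime) {}

  void AddRevoked(const CertID& id) { revoked_.insert(id); }
  bool Contains(const CertID& id) const { return revoked_.count(id) != 0; }
  uint64_t CoverageTime() const { return coverageTime_; }

 private:
  std::set<CertID> revoked_;
  uint64_t coverageTime_;  // seconds since epoch, constructed value
};

// Hypothetical CheckRevocation that receives the fourth item from the
// description, the certificate's notBefore, as a parameter.
RevocationResult CheckRevocation(const CrliteFilter& filter,
                                 const CertID& certID, uint64_t notBefore) {
  // The point of the bug: if the certificate's validity period began after
  // the filter's coverage time, the filter could not have known about the
  // certificate when it was built, so any "revoked" answer it gives may be a
  // false positive. Decline to use the filter rather than trust its answer.
  if (notBefore > filter.CoverageTime()) {
    return RevocationResult::NotCovered;
  }
  return filter.Contains(certID) ? RevocationResult::Revoked
                                 : RevocationResult::Good;
}

// Constructed scenario (not real CA data) exercising the three outcomes.
struct Scenario {
  RevocationResult revokedOldCert;  // in filter, notBefore within coverage
  RevocationResult goodOldCert;     // not in filter, notBefore within coverage
  RevocationResult newCert;         // in filter, but issued after coverage time
};

Scenario RunScenario() {
  CrliteFilter filter(/*coverageTime=*/1000);
  CertID revoked{"CN=Example CA", "example-spki-bytes", "01"};
  CertID good{"CN=Example CA", "example-spki-bytes", "02"};
  filter.AddRevoked(revoked);
  return Scenario{CheckRevocation(filter, revoked, 900),
                  CheckRevocation(filter, good, 900),
                  CheckRevocation(filter, revoked, 1200)};
}

static const char* ToString(RevocationResult r) {
  switch (r) {
    case RevocationResult::Good: return "Good";
    case RevocationResult::Revoked: return "Revoked";
    default: return "NotCovered";
  }
}

int main() {
  Scenario s = RunScenario();
  std::cout << "old revoked cert: " << ToString(s.revokedOldCert) << "\n"
            << "old good cert:    " << ToString(s.goodOldCert) << "\n"
            << "new cert:         " << ToString(s.newCert) << "\n";
  return 0;
}
```

The third case is the one this bug exists for: the certificate is present in the filter, but because its notBefore (1200) is later than the filter's coverage time (1000) the implementation reports NotCovered instead of Revoked, leaving the caller to use other revocation information.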
Comment 2 • 5 years ago
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.48