Chain validated with out-of-date CRL (PKITS tests 4.4.11, 4.4.12)



11 years ago
8 years ago


(Reporter: Slavomir Katuscak, Unassigned)


(Depends on: 1 bug)

Firefox Tracking Flags

(Not tracked)




11 years ago
PKITS tests 4.4.11 (Invalid Old CRL nextUpdate) and 4.4.12 (Invalid pre2000 CRL nextUpdate) fails for NSS.

In intermediate CA's CRL is nextUpdate set to the past, indicating that CA has already issuad updated revocation information. Chain is validated also with this out-of-date CRL.
The relevant standards do NOT define a CRL's nextUpdate field as an expiration
date for the CRL.  Despite that fact, NIST has a policy that requires the 
CRL's nextUpdate field to be treated as a CRL expiration date, and their test suite tests for conformance with NIST's policy.

Note that NSS explicitly chooses not to interpret the CRL's nextUpdate field
as an expiration date for the CRL.  So this NIST test failure is deliberate.

We could resolve this bug as INVALID or WONTFIX.  However, the new cert path 
validation function CERT_PKIXVerifyCert is defined such that it can be 
instructed to enforce NIST's revocation policy.  I don't know if that feature
is implemented at this time or not.  Once it is implemented, this bug could
become an RFE to have vfychain set that option in its calls to CERT_PKIXVerifyCert.


11 years ago
Depends on: 412468

Comment 2

11 years ago
This cannot be resolved until vfychain supports using CERT_PKIXVerifyCert with
the NIST CRL policy. See bug 412468 .

Comment 3

10 years ago
The use of the nextUpdate field of CRLs as a "validity date" has already been discussed on the PKIX forum. See
Unsetting target milestone in unresolved bugs whose targets have passed.
Target Milestone: 3.12 → ---

Comment 5

8 years ago
Bugs that are currently assigned to Julien => assigning to nobody.
Search for 20100628-kaie-jp
Assignee: bugzilla+nospam → nobody
You need to log in before you can comment on or make changes to this bug.