Don't eagerly reject expired or revoked certificates. #60
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Even if a certificate is expired or revoked, it doesn't mean that
it is completely useless. If a signature was made before the
certificate expired, or before any soft revocation, then it may
still be valid.
- This is safe, because we still check that a certificate is valid
when we check a signature.
- Fixes #59.
The pull request's base (149a109) authenticates the pull request's head (df0fed3). |
|
The rpm test appears to fail, because we are running on Ubuntu and not Fedora. See this issue. As everything passes in my Fedora VM, I'm going to merge this. Medium term, we should switch our CI from Ubuntu to Fedora, as per this issue. |
|
/fast-forward |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Even if a certificate is expired or revoked, it doesn't mean that it is completely useless. If a signature was made before the certificate expired, or before any soft revocation, then it may still be valid.
This is safe, because we still check that a certificate is valid when we check a signature.
Fixes It should be possible to import and use expired certificates #59.