You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Following up from #193 (comment), we are using the certificate's timestamp to verify itself. This will always pass the time verification because a certificate's "not before" time always falls in the range of "not before" to "not after".
Instead, we should only use current time to verify a certificate's validity. I've started making the change, but some tests are failing, so I wanted to check if I'm missing something and this behavior is what you had expected from the policy flag?
Using a certificate's NBF will always pass the time verification. We
should be using only the current time to try to verify a certificate's
validity. This is likely to only work with long-lived certificates or
where verification happens immediately after signing.
Fixessigstore#276
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Following up from #193 (comment), we are using the certificate's timestamp to verify itself. This will always pass the time verification because a certificate's "not before" time always falls in the range of "not before" to "not after".
Instead, we should only use current time to verify a certificate's validity. I've started making the change, but some tests are failing, so I wanted to check if I'm missing something and this behavior is what you had expected from the policy flag?
@codysoyland @steiza @cmurphy
The text was updated successfully, but these errors were encountered: