Re: Certificate Expiry

On 25 Jan 2012, at 17:11, Baptiste Lafontaine wrote:

> 2012/1/25 Mischa Tuffield <mischa@mmt.me.uk>:
>> Hello,
>> 
>> After Melvin pointed me at his/a calendar APP (very cool btw) [1], I noticed that I managed to authenticate with my WebID[2] even though my cert had expired on 2012-01-17, am guessing this is not a feature and it shouldn't be the case.
>> 
>> I have tested this expired cert on the following services, which I found on the WebID Test Suite[3]:
> 
> Isn't it the role of the TLS stack to make this verification?

If you don't change the TLS stack, yes. If you rely on what the Issuer says,
as most systems do, including BrowserId, then it is extremely important
to listen to what the issuer is saying about the certificate, since the
issuer is not guaranteeing anything beyond a certain time frame. As a result,
all serious CA-based systems verify this very carefully.


> 
>> https://auth.fcns.eu/auth/index.php?verbose=on (Failed to notice that my cert was expired)
>> https://id.myopenlink.net/webid_demo.html?webid=http%3A%2F%2Fmmt.me.uk%2Ffoaf.rdf%23mischa (Failed to notice that my cert was expired)
>> https://foafssl.org/test/WebId (This service noticed that my cert was expired)
>> https://resourceme.bergnet.org/test.php (My browser didn't even ask me for a cert in this case)
>> https://webid.turnguard.com:8443/WebIDTestServer/onlywithcert (This service noticed that my cert was expired)
>> 
>> I just thought I would say :)
>> 
>> Great work everyone,
>> 
>> Mischa *needs to generate a new cert I guess $todoList++.
>> 
>> [1] http://calendar.data.fm/
>> [2] http://mmt.me.uk/foaf.rdf#mischa
>> [3] http://www.w3.org/2005/Incubator/webid/wiki/Test_Suite#Some_WebID_Verification_Sites
>> _____________________________
>> Mischa Tuffield PhD
>> http://mmt.me.uk/
>> http://mmt.me.uk/foaf.rdf#mischa
>> 
>> 
>> 
> 

Social Web Architect
http://bblfish.net/

Received on Thursday, 26 January 2012 12:28:34 UTC
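
The validity-period check this thread is about, as an added example (not code from any of the services tested or from the posters): when the TLS layer is set to accept self-signed client certificates, the application has to compare notBefore/notAfter against the clock itself and fail closed. It assumes an Apache mod_ssl style front end that exposes the dates as `SSL_CLIENT_V_START` and `SSL_CLIENT_V_END`; the function name, the sample dates and the sample clock value are constructed for illustration.

```python
import ssl
from calendar import timegm

# Assumption: the TLS front end accepts self-signed client certificates
# (e.g. mod_ssl "SSLVerifyClient optional_no_ca") and hands the certificate's
# validity dates to the application in these two variables.
NOT_BEFORE_VAR = "SSL_CLIENT_V_START"
NOT_AFTER_VAR = "SSL_CLIENT_V_END"


def check_validity(env, now, skew=0):
    """Return (ok, reason) for the client certificate described by env.

    env  -- mapping holding the two variables above in OpenSSL's text form,
            e.g. "Jan 17 00:00:00 2012 GMT"
    now  -- current time in seconds since the epoch (UTC)
    skew -- tolerated clock skew in seconds
    """
    try:
        # cert_time_to_seconds is locale-independent and raises ValueError
        # on anything that is not in the expected format.
        not_before = ssl.cert_time_to_seconds(env[NOT_BEFORE_VAR])
        not_after = ssl.cert_time_to_seconds(env[NOT_AFTER_VAR])
    except KeyError as exc:
        return False, "missing " + exc.args[0]   # fail closed
    except ValueError:
        return False, "unparseable validity date"
    if not_before > not_after:
        return False, "inverted validity period"
    if now + skew < not_before:
        return False, "not yet valid"
    if now - skew > not_after:
        return False, "expired"
    return True, "within validity period"


# Constructed sample: a certificate that expired on 2012-01-17,
# presented on 2012-01-25 (times of day are made up).
SAMPLE_ENV = {
    "SSL_CLIENT_V_START": "Jan 17 00:00:00 2011 GMT",
    "SSL_CLIENT_V_END": "Jan 17 00:00:00 2012 GMT",
}
SAMPLE_NOW = timegm((2012, 1, 25, 17, 11, 0))

if __name__ == "__main__":
    print(check_validity(SAMPLE_ENV, SAMPLE_NOW))
```

A verifier would run this before dereferencing the WebID and comparing public keys, and reject the login when the first element of the result is false.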