From: Hans W. <hw...@a-...> - 2014-11-13 22:49:09
Dear all,

Last week I was in a discussion about the acceptance of certificates. As you all here have solid experience with certificates, and with whether or not one should accept one, I would like to know your P.O.V.

The situation is as follows: if you have a certificate that is neither expired nor revoked, it is obvious that one should be able to use it for client authentication. But in this case something went wrong during issuing [they should have been using ejbca instead of some vague proprietary system], and the validity period was set to three months instead of three years.... Often you see that the cert gets revoked automatically, but not in this case.

a) If I use such a certificate for openvpn, the client does not care, but it is up to the server side to decide whether it will accept the connection or not.

b) If I use such a certificate for https, I noticed that the client (in this case firefox) bluntly refuses to try to start the connection, because the validity date has expired.

Both parties know & trust each other, but the cert cannot be re-issued (the best solution) because it is glued inside a smartcard.

So what is the proper behavior? Situation A), where the server decides what to accept or not, or B), where the decision is taken out of their hands?

I am curious about the opinion of a "trusted third party" ;-)

Hans
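An added example, not part of Hans's post, illustrating the point behind situation A: the validity check is made by the relying party, and OpenSSL's `openssl verify -attime` lets that party choose the moment at which the certificate is evaluated. It builds a constructed throwaway CA and a client certificate valid for only one day (standing in for the three-month certificate), then verifies it "today" and "in three days"; it assumes an `openssl` binary (1.0.0 or later) on PATH, and all names and paths are made up for the demo.

```sh
#!/bin/sh
# Added demo (constructed, not from the original post): the relying party,
# not the certificate, decides whether an expired certificate is accepted.
# A browser always verifies at "now"; a server-side policy using OpenSSL can
# verify as of any chosen time with `openssl verify -attime`.
PKI_DIR=$(mktemp -d)

make_pki() {
  # Self-signed CA (constructed), then a client cert issued for only 1 day.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$PKI_DIR/ca.key" \
    -out "$PKI_DIR/ca.pem" -days 3650 -subj "/CN=Constructed Test CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$PKI_DIR/client.key" \
    -out "$PKI_DIR/client.csr" -subj "/CN=constructed-client" >/dev/null 2>&1
  openssl x509 -req -in "$PKI_DIR/client.csr" -CA "$PKI_DIR/ca.pem" \
    -CAkey "$PKI_DIR/ca.key" -CAcreateserial -days 1 \
    -out "$PKI_DIR/client.pem" >/dev/null 2>&1
}

# check_at EPOCH: chain-verify the client cert as of the given Unix time.
# Returns 0 when the cert is valid at that moment, non-zero otherwise
# (for example "certificate has expired" once EPOCH is past notAfter).
check_at() {
  openssl verify -CAfile "$PKI_DIR/ca.pem" -attime "$1" \
    "$PKI_DIR/client.pem" >/dev/null 2>&1
}

make_pki
now=$(date +%s)
check_at "$now" && echo "valid today" || echo "rejected today"
check_at "$((now + 3 * 86400))" && echo "valid in 3 days" \
  || echo "rejected in 3 days: expired, verifier says no"
```

The same decision a server makes here is exactly what a browser makes on the client side for https, only without the option of choosing the evaluation time.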