From: Tomas G. <to...@pr...> - 2014-11-14 18:55:21
My spontaneous opinion would definitely be B), where the expired certificate is not accepted. A new card has to be issued. No risk of configuring wrongly on the server side.

Cheers,
Tomas

On 2014-11-13 23:33, Hans Witvliet wrote:
> Dear all,
>
> Last week I was in a discussion about the acceptance of certificates.
>
> As you all here have a solid experience with certificates, and whether
> or not one should accept one, I would like to know about your P.O.V.
>
> The situation is as follows:
> If you have a certificate that is neither expired nor revoked it is
> obvious that one should be able to use it for client-authentication
>
> But in this case something went wrong during issuing [they should have
> been using ejbca instead of some vague proprietary system], and the
> validity-period was set to three months instead of three years.... Often
> you see that the cert gets revoked automatically, but not in this case.
>
> a) If I use such a certificate for openvpn, the client does not care, but
> it is up to the server-side to decide whether it will accept the
> connection or not.
>
> b) If I use such a certificate for https, I noticed that the client (in
> this case firefox) bluntly refuses to try to start the connection,
> because the validity date has expired.
>
> Both parties know & trust each other, but the cert can not be re-issued
> (the best solution) because it is glued inside a smartcard.
>
> So what is the proper behavior?
> Situation A) where the server decides what to accept or not, or B) where
> the decision is taken out of their hands?
>
> I am curious about the opinion of a "trusted third party" ;-)
>
> Hans
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop