crypto/x509/pkix: change the semantics of the expiration of a CRL #22568
Labels
Comments
nhooyr
changed the title
|
/cc @agl @FiloSottile |
|
Change https://golang.org/cl/71972 mentions this issue: |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
I'm talking about changing this function:
go/src/crypto/x509/pkix/pkix.go
Line 251 in d6ebbef
Presently, the way
CertificateList.HasExpiredworks is by checking whether the now time.Time argument is after the next update. However RFC 5280 Section 5, defines the nextUpdate field as the date by which the next CRL will be issued. Thus, at the nextUpdate time, the next CRL must have been issued and so the one we have now is expired. Thus,CertificateList.HasExpiredshould consider a CRL expired if nextUpdate is equal to now.I've already submitted a patch for this at https://go-review.googlesource.com/c/go/+/71972
The text was updated successfully, but these errors were encountered: