webpki Optionally expire TrustAnchors

Oct 21 '16 19:10 ctz

Are you sure these are the semantics you want?

Yes. This is a separate thing from the wosign/startcom rules. I have that on a separate branch, but it's not done yet.

I'll sort out the rest of the things and drop a note when this PR is updated.

Cheers, Joe

Oct 27 '16 20:10 ctz

Ready for your attention again.

I've replaced the raw validity with a single not_after integer, reusing the existing validity parsing bits in verify_cert.

Oct 29 '16 22:10 ctz

Thanks for the comments. I've pushed the fixes.

Nov 06 '16 11:11 ctz

Do you still think this is useful? My recollection is fuzzy now, but I seem to remember thinking we wouldn't need this, depending on how the StartCom (et al.) stuff turned out.

If we still need this, I think we should land it on top of the Time refactoring (PR #44).

Aug 18 '17 23:08 briansmith

My primary use-case for this is preventing programs that compile-in webpki-roots from supporting those roots past their real notAfter dates.

There was a separate unrelated thing about startcom, which was saying per-TrustAnchor "don't validate certs after a certain notBefore date". That's definitely not required any more.

Aug 20 '17 09:08 ctz

@ctz Back when you first submitted this PR I was working on a project where I needed to cram as much stuff as I could into a tiny amount of space, and I kept putting off reviewing this PR until I was sure that this wouldn't create a problem for that project. Now that project is long-over and it would be no problem to take this PR, if you are interested in rebasing it.

Mar 25 '19 18:03 briansmith

Note: I renamed the "master" branch to "main". Sorry for the inconvenience. This PR has had its base branch updated to "main" but you'll need to deal with the change in your local repo yourself.

Jan 14 '21 01:01 briansmith