Joe Birr-Pixton
Joe Birr-Pixton
Ready for your attention again. I've replaced the raw validity with a single `not_after` integer, reusing the existing validity parsing bits in `verify_cert`.
Thanks for the comments. I've pushed the fixes.
My primary use-case for this is preventing programs that compile-in `webpki-roots` from supporting those roots past their real `notAfter` dates. There was a separate unrelated thing about startcom, which was...
Consider https://github.com/est31/rcgen perhaps.
I think I'd prefer the approach where `Error::CertExpired` becomes `Error::CertExpired(Time)`, allowing the validation to be explicitly retried with a time just before expiry. This means someone needing this behaviour needs...
I'd like to make a start on this, if you haven't already?
In retrospect this crate provides the wrong abstraction to solve these problems -- getting some root certificates to use with webpki is one thing, but if we really want to...
So, to clarify, I think the extent that we fix this here should be limited to a denylist of known-bad root certificates that have special handling in the platform verifier....
I believe this crate won't work with literal IP addresses as yet; so I'm a bit confused by this PR.
Thanks for the detailed report! I don't presently have a mac to make progress on this, do you have any suggestions of improvements we can make here? It looks from...