[strongSwan-dev] [PATCH 1/2] Check start date when evaluating validity of CRL

Thomas Egerer thomas.egerer at secunet.com
Tue Mar 6 11:10:34 CET 2012

Hello Andreas,

On 03/05/2012 08:45 PM, Andreas Steffen wrote:
> Hello Thomas,
> I'm not sure. "thisUpdate" for CRLs is not the same as "notBefore"
> for certificates. In my opinion "thisUpdate" should be the date
> the CRL was released and if this date lies in the future then probably
> the NTP time synchronisation went wrong. If we know that a given
> certificate is going to be revoked in 10 minutes time then we
> should heed this advice. This is why I omitted a "thisUpdate" check
> on purpose since the "thisUpdate" date is merely informational and
> should only help in selecting the most recent CRL if a version 2
> crlNumber is not available.
I get your point. Makes very much sense to me. Thanks,


More information about the Dev mailing list