Don't expire certs used as channel IDs.

net/ssl/server_bound_cert_service.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_SSL_SERVER_BOUND_CERT_SERVICE_H_
 #define NET_SSL_SERVER_BOUND_CERT_SERVICE_H_
 
 #include <map>
 #include <string>
 #include <vector>
@@ skipping 11 matching lines @@
 namespace base {
 class TaskRunner;
 }
 
 namespace net {
 
 class ServerBoundCertServiceJob;
 class ServerBoundCertServiceRequest;
 class ServerBoundCertServiceWorker;
 
-// A class for creating and fetching server bound certs.
+// A class for creating and fetching server bound certs. These certs are used
+// to identify users' machines; their public keys are used as channel IDs in
+// http://tools.ietf.org/html/draft-balfanz-tls-channelid-00.
+// As a result although certs are set to be invalid after one year, we don't
+// actually expire them. Once generated, certs are valid as long as the users
+// want. Users can delete existing certs, and new certs will be generated
+// automatically.
+
 // Inherits from NonThreadSafe in order to use the function
 // |CalledOnValidThread|.
 class NET_EXPORT ServerBoundCertService
     : NON_EXPORTED_BASE(public base::NonThreadSafe) {
  public:
   class NET_EXPORT RequestHandle {
    public:
     RequestHandle();
     ~RequestHandle();
 
@@ skipping 29 matching lines @@
       ServerBoundCertStore* server_bound_cert_store,
       const scoped_refptr<base::TaskRunner>& task_runner);
 
   ~ServerBoundCertService();
 
   // Returns the domain to be used for |host|.  The domain is the
   // "registry controlled domain", or the "ETLD + 1" where one exists, or
   // the origin otherwise.
   static std::string GetDomainForHost(const std::string& host);
 
-  // Tests whether the system time is within the supported range for
-  // certificate generation.  This value is cached when ServerBoundCertService
-  // is created, so if the system time is changed by a huge amount, this may no
-  // longer hold.
-  bool IsSystemTimeValid() const { return is_system_time_valid_; }
-
   // Fetches the domain bound cert for the specified origin of the specified
   // type if one exists and creates one otherwise. Returns OK if successful or
   // an error code upon failure.
   //
   // |requested_types| is a list of the TLS ClientCertificateTypes the site will
   // accept, ordered from most preferred to least preferred.  Types we don't
   // support will be ignored. See ssl_client_cert_type.h.
   //
   // On successful completion, |private_key| stores a DER-encoded
   // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate, and
@@ skipping 50 matching lines @@
 
   // inflight_ maps from a server to an active generation which is taking
   // place.
   std::map<std::string, ServerBoundCertServiceJob*> inflight_;
   base::WeakPtrFactory<ServerBoundCertService> weak_ptr_factory_;
 
   uint64 requests_;
   uint64 cert_store_hits_;
   uint64 inflight_joins_;
 
-  bool is_system_time_valid_;
-
   DISALLOW_COPY_AND_ASSIGN(ServerBoundCertService);
 };
 
 }  // namespace net
 
 #endif  // NET_SSL_SERVER_BOUND_CERT_SERVICE_H_