Index: net/cert/cert_verify_proc.h |
diff --git a/net/cert/cert_verify_proc.h b/net/cert/cert_verify_proc.h |
index 4feae19182551e01de6c6e1d22e7e78e50a758f6..371cd10ef08307d5941a5487b92df56adc2bc988 100644 |
--- a/net/cert/cert_verify_proc.h |
+++ b/net/cert/cert_verify_proc.h |
@@ -102,6 +102,17 @@ class NET_EXPORT CertVerifyProc |
// ranges. |
static bool IsHostnameNonUnique(const std::string& hostname); |
+ // The CA/Browser Forum's Baseline Requirements specify maximum validity |
+ // periods (https://cabforum.org/Baseline_Requirements_V1.pdf): |
+ // |
+ // For certificates issued after 1 July 2012: 60 months. |
+ // For certificates issued after 1 April 2015: 39 months. |
Ryan Sleevi
2013/08/19 17:57:50
This is not correct. After 1 April 2015, it IS per
palmer
2013/08/21 01:26:25
Shall we just go with 60 months then?
Ryan Sleevi
2013/08/21 20:07:41
I'm fine landing this as the plan of record, and g
palmer
2013/08/21 22:24:15
Can you suggest accurate wording for the comment?
|
+ // |
+ // There are no guidelines for certificates issued before the BRs were |
+ // set, but we clamp them at 120 months, and they must expire within 7 |
+ // years after the BRs (i.e. by July 2019). |
Ryan Sleevi
2013/08/19 17:57:50
comment nit: rephrase this part without the pronou
palmer
2013/08/21 01:26:25
Done. Your fixation is odd. :)
|
+ static bool HasTooLongValidity(const X509Certificate& cert); |
Ryan Sleevi
2013/08/19 17:57:50
There's no need to make this a static function, as
palmer
2013/08/21 01:26:25
I see it as being like |IsHostnameNonUnique| and s
Ryan Sleevi
2013/08/21 20:07:41
Glad you just volunteered to write unit tests ;) T
palmer
2013/08/21 22:24:15
Done.
|
+ |
DISALLOW_COPY_AND_ASSIGN(CertVerifyProc); |
}; |
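Review bot: the comment above the HasTooLongValidity declaration lists the validity limits but never states the function's contract. It should say that the function returns true when the certificate's validity period exceeds the limit that applies to its issuance date, and how a "month" is measured (calendar months or a fixed number of days), since the 60, 39 and 120 month thresholds are otherwise ambiguous at the boundaries. The pre-BR sentence ("we clamp them at 120 months, and they must expire within 7 years after the BRs") also leaves open whether such a certificate is rejected when either condition fails or only when both do; spell that out, and say whether the 1 July 2012 and 1 April 2015 cutoffs are inclusive.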