-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Confusing behavior when allow_fetching is True #20
Comments
I do believe the wording in the comment is incorrect - there should be no "also". It's been a while since I've worked on this project, so I don't have everything off of the top of my head. That said, if allow fetching was |
Then we seem to agree on the expected behavior. Should I try to fix it and provide a pull request? |
The docstring of
context.ValidationContext
states that if the value of theallow_fetching
parameter isTrue
"and certificates contain the location of a CRL or OCSP responder, an HTTP request will be made to obtain information for revocation checking". The word "allow" seems to indicate that this HTTP request is merely an additional way of obtaining information about revocation status. Moreover, also the following comment (especially the word "also") suggests that CRL or OCSP data requested via HTTP are not the only source of revocation status information ifallow_fetching
isTrue
:certvalidator/certvalidator/context.py
Lines 87 to 90 in 5bc5c39
The docstring of the
crls
andocsps
parameters explain that pre-fetched/cached CRL and/or OCSP data can be passed toValidationContext
.Putting all together, it seems that setting the
allow_fetching
parameter toTrue
may result in fetching CRL or OCSP data in addition to checking pre-fetched/cached data.Contrary to this expectation, if
ValidationContext._allow_fetching
isTrue
, pre-fetched/cached CRL and OCSP data (passed by thecrls
andocsps
parameters) are completely ignored. (See thecrls
andocsps
properties and theretrieve_crls
andretrieve_ocsps
methods ofValidationContext
.) If that is the intended behavior, it should be clarified in the documentation. Otherwise - and I would except this more intuitive - the two sources of revocation information should be merged when this is appropriate.The text was updated successfully, but these errors were encountered: