Confusing behavior when allow_fetching is True #20
Comments
|
I do believe the wording in the comment is incorrect - there should be no "also". It's been a while since I've worked on this project, so I don't have everything off of the top of my head. That said, if allow fetching was |
Then we seem to agree on the expected behavior. Should I try to fix it and provide a pull request? |
The docstring of
context.ValidationContextstates that if the value of theallow_fetchingparameter isTrue"and certificates contain the location of a CRL or OCSP responder, an HTTP request will be made to obtain information for revocation checking". The word "allow" seems to indicate that this HTTP request is merely an additional way of obtaining information about revocation status. Moreover, also the following comment (especially the word "also") suggests that CRL or OCSP data requested via HTTP are not the only source of revocation status information ifallow_fetchingisTrue:certvalidator/certvalidator/context.py
Lines 87 to 90 in 5bc5c39
The docstring of the
crlsandocspsparameters explain that pre-fetched/cached CRL and/or OCSP data can be passed toValidationContext.Putting all together, it seems that setting the
allow_fetchingparameter toTruemay result in fetching CRL or OCSP data in addition to checking pre-fetched/cached data.Contrary to this expectation, if
ValidationContext._allow_fetchingisTrue, pre-fetched/cached CRL and OCSP data (passed by thecrlsandocspsparameters) are completely ignored. (See thecrlsandocspsproperties and theretrieve_crlsandretrieve_ocspsmethods ofValidationContext.) If that is the intended behavior, it should be clarified in the documentation. Otherwise - and I would except this more intuitive - the two sources of revocation information should be merged when this is appropriate.The text was updated successfully, but these errors were encountered: