We had a weird case. I had a speaks-for credential signed by my old cert (expired 7/2/2014). I made a new cert (expired 7/2015). And the speaks-for credential itself expires 6/2015. The portal was happy with this credential but the CH was not and we got an AUTHORIZATION_ERROR.
I think this is an edge case and probably not worth fixing per se.
But the issue was that I was dead in the water on the portal. I couldn't use the portal to delete or recreate my speaks-for credential. We should always make that a possibility, or catch when there are errors associated with your S-F credential and make the option available at that time.
Imported from trac ticket #1082, created by mbrinn on 07-10-2014 at 13:27, last modified: 07-14-2014 at 09:40
The code that generates speaks for credentials should not be generating credentials that expire after the certificate expiration. That seems a bug in the signer tool.
Additionally, code that validates speaks for credentials should be validating the signing cert as well. I assume that the CH is doing so, hence the error. I believe GCF does so as well.
I suspect that the portal is not doing any validation of credentials.
So I think there are really 2 issues:
1. Restrict speaks for expiration in signing tool to that of the signing cert
2. As Marshall says, have the portal notice the authorization error to allow a user to delete/recreate their speaks for credential
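The two checks discussed in this ticket, as an added example that is not code from the portal, the CH, GCF or the signer tool: a validator that can skip or include the signing-cert check, and a signer-side clamp on expiration. All class and function names are hypothetical; the old cert's start date and the day within 6/2015 are constructed, the other dates come from the ticket.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:                      # hypothetical model of the signing cert
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class SpeaksFor:                 # hypothetical model of the credential
    expires: datetime
    signer: Cert

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def clamp_expiration(requested, signer):
    """Signer-side rule: a credential never outlives its signing cert."""
    return min(requested, signer.not_after)

def validate(cred, now, check_signer=True):
    """Return the list of problems found; an empty list means accept.

    check_signer=False looks only at the credential's own expiration,
    which is the behaviour the comment above suspects of the portal.
    """
    problems = []
    if now >= cred.expires:
        problems.append("credential expired")
    if check_signer:
        s = cred.signer
        if not (s.not_before <= now < s.not_after):
            problems.append("signing cert not valid at verification time")
        if cred.expires > s.not_after:
            problems.append("credential outlives signing cert")
    return problems

# Constructed scenario from the ticket: old cert expired 7/2/2014,
# credential expires 6/2015, checked on the ticket date 7/10/2014.
OLD_CERT = Cert(utc(2013, 7, 2), utc(2014, 7, 2))   # start date assumed
CRED = SpeaksFor(utc(2015, 6, 30), OLD_CERT)         # day of month assumed
NOW = utc(2014, 7, 10)

if __name__ == "__main__":
    print("expiry-only check:", validate(CRED, NOW, check_signer=False))
    print("with signer check:", validate(CRED, NOW))
    print("clamped expiry:   ", clamp_expiration(CRED.expires, OLD_CERT))
```

A UI in the portal's position could treat any non-empty result from the full check as the trigger to offer delete/recreate, instead of waiting for the downstream AUTHORIZATION_ERROR.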