From 1fa9ffd934429f140edcfbaf76d2f32cc21e449b Mon Sep 17 00:00:00 2001 From: Rob Percival Date: Thu, 8 Sep 2016 16:02:46 +0100 Subject: Check that SCT timestamps are not in the future Reviewed-by: Viktor Dukhovni Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/1554) --- doc/man3/SCT_validate.pod | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'doc/man3/SCT_validate.pod') diff --git a/doc/man3/SCT_validate.pod b/doc/man3/SCT_validate.pod index 98ae61822e..9868a282b5 100644 --- a/doc/man3/SCT_validate.pod +++ b/doc/man3/SCT_validate.pod @@ -54,9 +54,11 @@ status will be SCT_VALIDATION_STATUS_UNKNOWN_LOG. If the SCT is of an unsupported version (only v1 is currently supported), the validation status will be SCT_VALIDATION_STATUS_UNKNOWN_VERSION. -If the SCT's signature is incorrect, the validation status will be -SCT_VALIDATION_STATUS_INVALID. Otherwise, if all checks have passed, the -validation status will be SCT_VALIDATION_STATUS_VALID. +If the SCT's signature is incorrect, its timestamp is in the future (relative to +the time in CT_POLICY_EVAL_CTX), or if it is otherwise invalid, the validation +status will be SCT_VALIDATION_STATUS_INVALID. + +If all checks pass, the validation status will be SCT_VALIDATION_STATUS_VALID. =head1 NOTES -- cgit v1.2.3
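Review bot: In the added paragraph, "relative to the time in CT_POLICY_EVAL_CTX" does not say how that time is set or what value it holds when the caller never sets it. From this page alone a caller cannot tell whether a small clock skew between the log and the verifier will turn an otherwise good SCT into SCT_VALIDATION_STATUS_INVALID. Suggest naming the function that sets the time, or cross-referencing the CT_POLICY_EVAL_CTX documentation, and stating the default and any tolerance applied. The wording "or if it is otherwise invalid" is also open-ended: a bad signature and a future timestamp now share one status, so it would help to state that the two cannot be told apart from the status value alone, and to list the other conditions if there are any.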