allow_fetching=True together with moment #27
Description
I was wondering, in the comment you write:
If certificate validation should be performed based on a date and time other than right now. A datetime.datetime object with a tzinfo value. If this parameter is specified, then the only way to check OCSP and CRL responses is to pass them via the crls and ocsps parameters. Can not be combined with allow_fetching=True.
Why is this? What is wrong with fetching CRLs etc. with some defined moment? This restriction doesn't allow the CRL verification of any digital signature that has a timestamp certificate in it, since when there's a timestamp certificate, the moment is defined by that certificate, and not by current time.