openssl cms verification date

Martin Bonner Martin.Bonner at entrust.com
Fri Feb 9 08:29:01 UTC 2024


Tomas Mraz wrote:
>> I already have a patch to provide for verifying the signature at
>> signature time. Shall I send a pull request?

> Yes, sure.

That sounds like "If you send the PR, we will merge it".  I think that would be
a _terrible_ idea.  To repeat what has been said before:  unless the signature
date is signed by a trusted timestamping authority, it must be assumed to be
attacker controlled.

Unless the patch includes code to verify the signature date, it would be a
mistake to include it by default.

OTOH, a patch to verify signature dates and if valid, use them, would be
wonderful.

Martin Bonner
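
The policy argued for in this message, as an added example that is not part of the original post and is not OpenSSL code: the signer-supplied signingTime is never used on its own, and the certificate is checked at a past time only when a timestamp token over the signature value verifies. The TSA is modelled with an HMAC key as a stand-in for a real RFC 3161 token signature, and all names, dates and byte strings are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed stand-in: a real RFC 3161 token is signed with the TSA's
# certificate; an HMAC key plays that role here so the example runs offline.
TRUSTED_TSA_KEY = b"constructed-tsa-key"

def _mac(key, imprint, gen_time):
    return hmac.new(key, imprint + gen_time.isoformat().encode(), hashlib.sha256).digest()

def tsa_issue(signature_value, gen_time, key=TRUSTED_TSA_KEY):
    """Timestamp token binding gen_time to the hash of the signature value."""
    imprint = hashlib.sha256(signature_value).digest()
    return {"imprint": imprint, "gen_time": gen_time, "mac": _mac(key, imprint, gen_time)}

def trusted_time(signature_value, token):
    """Return the token's time if it verifies for this signature, else None."""
    if token is None:
        return None
    expected = _mac(TRUSTED_TSA_KEY, token["imprint"], token["gen_time"])
    if not hmac.compare_digest(expected, token["mac"]):
        return None  # not issued by the trusted TSA
    if not hmac.compare_digest(token["imprint"], hashlib.sha256(signature_value).digest()):
        return None  # token covers a different signature
    return token["gen_time"]

def cert_valid_at(cert, when):
    not_before, not_after = cert
    return not_before <= when <= not_after

def naive_check(cert, signing_time_attr):
    """Checks the certificate at the signer-supplied signingTime."""
    return cert_valid_at(cert, signing_time_attr)

def hardened_check(cert, now, signature_value, token):
    """Checks at the TSA-attested time when one verifies, otherwise at now."""
    return cert_valid_at(cert, trusted_time(signature_value, token) or now)

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: a certificate that expired before verification.
CERT = (utc(2022, 1, 1), utc(2023, 1, 1))
NOW = utc(2024, 2, 9)
SIG = b"constructed signature bytes"
BACKDATED = utc(2022, 6, 1)  # signingTime chosen by whoever built the message
```

With this sample data the naive check accepts the expired certificate on the strength of the unsigned attribute alone, while the hardened check accepts it only when the token both comes from the trusted TSA and covers this exact signature value.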