openssl cms verification date
Tomas Mraz
tomas at openssl.org
Fri Feb 9 09:17:25 UTC 2024
The change will be reviewed and discussed when the PR is created on
GitHub. There is no point in discussing hypothetical contents of a patch
here.
Regards,
Tomas Mraz, OpenSSL
On Fri, 2024-02-09 at 08:29 +0000, Martin Bonner via openssl-users
wrote:
> Tomas Mraz wrote:
> > > I already have a patch to provide for verifying the signature at
> > > signature time. Shall I send a pull request?
>
> > Yes, sure.
>
> That sounds like "If you send the PR, we will merge it". I think that would be
> a _terrible_ idea. To repeat what has been said before: unless the signature
> date is signed by a trusted timestamping authority, it must be assumed to be
> attacker controlled.
>
> Unless the patch includes code to verify the signature date, it would be a
> mistake to include it by default.
>
> OTOH, a patch to verify signature dates and if valid, use them, would be
> wonderful.
>
> Martin Bonner
--
Tomáš Mráz, OpenSSL