<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
The devices never test out the lifetime of their certs. That is up
to the validating servers. And the IDevID is not really intended
for operational use. Rather it is the security bootstrap for the
LDevID. See the work being done in the ANIMA workgroup as an
example of what to do with this. Michael Richardson, who recently
joined this list, is working on the related Internet Draft(s).<br>
<br>
I should test out a cert beyond 2038 on my armv7 32 bit Cubieboard.
Will try that tomorrow....<br>
<br>
I HAVE made certs with this value and I am displaying their
content. But that system is off right now. I will get one of the
samples also tomorrow.<br>
<br>
And yes, the industry does need to think some about this...<br>
<br>
<div class="moz-cite-prefix">On 09/12/2017 06:51 PM, Frank Migge
wrote:<br>
</div>
<blockquote type="cite" cite="mid:59B864F9.3050807@frank4dd.com">
This is an interesting statement.<br>
<br>
>> should use the GeneralizedTime value 99991231235959Z (10)
in the notAfter field ...<br>
>> Solutions verifying a DevID are expected to accept this
value indefinitely<br>
<br>
Isn't using that large a time value in certificates problematic?
Not all systems can handle it today. At best, they may gracefully
decline it as invalid. Windows up to version 10 is unable to
display it, and fails to work with such a cert.<br>
<br>
Even closer into the future, 20 years from now, I am not sure how
far the industry came in dealing with the upcoming year 2038
problem on 32bit systems. It is indirectly related to OpenSSL when
system time is used, converted to or from. Particularly in IOT/ICS
industry situations with scaled down CPUs, long device lifespans
and support requirements, functional validation with future time
settings would definitely be a good idea on the test plan.<br>
<br>
Frank<br>
<blockquote style="border: 0px none;"
cite="mid:86389fab-e4e6-5fde-5e71-723717647295@htt-consult.com"
type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr">
<div style="width:100%;border-top:1px solid
#EDEEF0;padding-top:5px">
<div
style="display:inline-block;white-space:nowrap;vertical-align:middle;width:49%;">
<a moz-do-not-send="true"
href="mailto:rgm@htt-consult.com" style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Robert Moskowitz</a></div>
<div
style="display:inline-block;white-space:nowrap;vertical-align:middle;width:48%;text-align:
right;"> <font color="#9FA2A5"><span
style="padding-left:6px">Wednesday, September 13, 2017
12:57 AM</span></font></div>
</div>
</div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">
IEEE 802.1ARce (latest draft addendum) specifies:<br>
<br>
8.7 validity<br>
<br>
The time period over which the DevID issuer expects the device
to be used.<br>
<br>
All times are stated in the Universal Coordinated Time (UTC)
time zone. Times up to and including<br>
23:59:59 December 31, 2049 UTC are encoded as UTCTime as
YYMMDDHHmmssZ. Times later than<br>
23:59:59 December 31, 2049 UTC are encoded as GeneralizedTime
as YYYYMMDDHHmmssZ.<br>
<br>
The time the DevID is created is encoded in the notBefore
field of DevID certificates. Each DevID chain<br>
certificate has a notBefore value that encodes a time that is
the same as or prior to that of any DevID<br>
certificate that relies on the chain for certificate
validation.<br>
<br>
The latest time a DevID is expected to be used is encoded in
the notAfter field of the DevID certificate.<br>
Each DevID chain certificate has a notBefore value that
encodes a time that is the same as or later than that of any
DevID certificate that relies on the chain for certificate
validation.<br>
<br>
Devices possessing an IDevID are expected to operate
indefinitely into the future and should use the<br>
GeneralizedTime value 99991231235959Z (10) in the notAfter
field of IDevID certificates. Solutions<br>
verifying a DevID are expected to accept this value
indefinitely. Values in notAfter fields are treated as<br>
specified in RFC 5280.<br>
<br>
Footnote: (10) <br>
This value corresponds to one second before the year 10 000;
note the creation of an opportunity for the Y10K bug fix
industry.<br>
<br>
=====================<br>
<br>
It is really rare to find humor in IEEE specifications!<br>
<br>
Bob<br>
<br>
<div class="moz-cite-prefix">On 09/12/2017 11:39 AM, Alejandro
Pulido wrote:<br>
</div>
<br>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr">
<div style="width:100%;border-top:1px solid
#EDEEF0;padding-top:5px">
<div
style="display:inline-block;white-space:nowrap;vertical-align:middle;width:49%;">
<a moz-do-not-send="true"
href="mailto:rgm@htt-consult.com" style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Robert Moskowitz</a></div>
<div
style="display:inline-block;white-space:nowrap;vertical-align:middle;width:48%;text-align:
right;"> <font color="#9FA2A5"><span
style="padding-left:6px">Tuesday, September 12, 2017
11:30 PM</span></font></div>
</div>
</div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">
Depends on the question....<br>
<br>
'Infinite' duration is used in IEEE 802.1AR Device
Identities. The concept is the vendor installs the
certificate in read-only memory. It is expected to be good
for the life of the device.<br>
<br>
<div class="moz-cite-prefix">On 09/11/2017 05:32 AM, Alejandro
Pulido wrote:<br>
</div>
<br>
</div>
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr">
<div style="width:100%;border-top:1px solid
#EDEEF0;padding-top:5px">
<div
style="display:inline-block;white-space:nowrap;vertical-align:middle;width:49%;">
<a moz-do-not-send="true"
href="mailto:alexxplus@hotmail.com" style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Alejandro Pulido</a></div>
<div
style="display:inline-block;white-space:nowrap;vertical-align:middle;width:48%;text-align:
right;"> <font color="#9FA2A5"><span
style="padding-left:6px">Monday, September 11, 2017
6:32 PM</span></font></div>
</div>
</div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody">
<div dir="ltr" style="color: rgb(102, 102, 102); font-family:
Tahoma,Geneva,sans-serif,'EmojiFont','Apple Color Emoji',
'Segoe UI Emoji', NotoColorEmoji, 'Segoe UI Symbol',
'Android Emoji', EmojiSymbols; font-size: 12pt;"
id="divtagdefaultwrapper">
<div style="margin-top: 0px; margin-bottom: 0px;"><font
style="font-family: Tahoma,serif,'EmojiFont';"
color="#666666" face="Tahoma">Dear team of OpenSSL,</font></div>
<div style="margin-top: 0px; margin-bottom: 0px;"><font
style="font-family: Tahoma,serif,'EmojiFont';"
color="#666666" face="Tahoma">&nbsp;</font></div>
<div style="margin-top: 0px; margin-bottom: 0px;"><font
style="font-family: Tahoma,serif,'EmojiFont';"
color="#666666" face="Tahoma">First of all,
congratulations for your invaluable work!</font></div>
<div style="margin-top: 0px; margin-bottom: 0px;"><font
style="font-family: Tahoma,serif,'EmojiFont';"
color="#666666" face="Tahoma">&nbsp;</font></div>
<div style="margin-top: 0px; margin-bottom: 0px;"><font
style="font-family: Tahoma,serif,'EmojiFont';"
color="#666666" face="Tahoma">I have a question
regarding the issue of certificates X.509 with infinite
duration and I don't know where to submit it.</font></div>
<div style="margin-top: 0px; margin-bottom: 0px;"><font
style="font-family: Tahoma,serif,'EmojiFont';"
color="#666666" face="Tahoma">&nbsp;</font></div>
<div style="margin-top: 0px; margin-bottom: 0px;"><font
style="font-family: Tahoma,serif,'EmojiFont';"
color="#666666" face="Tahoma">Please, could you help me?</font></div>
<div style="margin-top: 0px; margin-bottom: 0px;"><font
style="font-family: Tahoma,serif,'EmojiFont';"
color="#666666" face="Tahoma">&nbsp;</font></div>
<div style="margin-top: 0px; margin-bottom: 0px;"><font
style="font-family: Tahoma,serif,'EmojiFont';"
color="#666666" face="Tahoma">Thank you very much and
kind regards</font></div>
<p><br>
</p>
<p><br>
</p>
<div id="Signature"><font color="#2672ec" size="3"><b><i>Alejandro
J Pulido Duque</i></b></font>
</div>
</div>
</div>
</blockquote>
<br>
<br>
</blockquote>
<br>
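Added example, not part of the thread or of OpenSSL: a Python sketch of the validity encoding rule quoted above (UTCTime through 2049, GeneralizedTime afterwards) and of the concern raised about 32-bit platforms, showing where the "no expiry" value 99991231235959Z lands relative to a signed 32-bit time_t. The function names and the 32-bit verifier are assumptions made for illustration; the sample times are constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
NO_EXPIRY = "99991231235959Z"  # notAfter value quoted in the thread
INT32_MAX = 2**31 - 1          # assumed verifier limit: signed 32-bit time_t


def encode_x509_time(dt):
    """Encode an aware datetime: UTCTime through 2049, GeneralizedTime after."""
    dt = dt.astimezone(UTC)
    if 1950 <= dt.year <= 2049:  # lower bound is from RFC 5280
        return "UTCTime", dt.strftime("%y%m%d%H%M%SZ")
    return "GeneralizedTime", dt.strftime("%Y%m%d%H%M%SZ")


def decode_x509_time(s):
    """Decode YYMMDDHHmmssZ (UTCTime) or YYYYMMDDHHmmssZ (GeneralizedTime)."""
    if len(s) == 13:
        # RFC 5280 pivot: YY >= 50 means 19YY, otherwise 20YY.
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif len(s) != 15:
        raise ValueError(f"unsupported time encoding: {s!r}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def check_not_after(not_after, now):
    """Report how a verifier on the assumed 32-bit platform would see notAfter."""
    dt = decode_x509_time(not_after)
    seconds = (dt - EPOCH) // timedelta(seconds=1)
    return {
        "no_expiry": not_after == NO_EXPIRY,
        "expired": now > dt,
        "epoch_seconds": seconds,
        "fits_time_t32": seconds <= INT32_MAX,
    }


if __name__ == "__main__":
    now = datetime(2017, 9, 13, tzinfo=UTC)  # constructed "current" time
    for value in ("380119031407Z", "491231235959Z", "20500101000000Z", NO_EXPIRY):
        print(value, check_not_after(value, now))
```

A verifier that converts notAfter to a 32-bit time_t before comparing cannot represent any of the last three sample values, which is why functional testing with such certificates belongs on the test plan for long-lived devices.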
</body>
</html>