[openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled
Victor Wagner
vitus at wagner.pp.ru
Wed Jul 22 14:49:10 UTC 2015
On Wed, 22 Jul 2015 13:09:48 +0000
"Woodhouse, David via RT" <rt at openssl.org> wrote:
> There are various circumstances in which it makes no sense to be
> checking the start and end times of a certificate's validity.
>
> When validating OS kernel drivers, or indeed when validating the OS
> kernel itself when the firmware loads it, we *really* don't want to
> have a built-in obsolescence date after which the system will no
> longer function. That would be a bad thing even if we *could*
> reliably trust the system's real time clock at this stage in the boot
> sequence.
Isn't it better to check if certificate was valid at the time of
signing?
Typically compiler somehow puts compilation timestamp into compiled
binaries. So, I think, this time should be used as argument to
X509_VERIFY_PARAM_set_time instead of wall clock time.
Or, may be there is something like CMS signing attributes with signing
time.
s
More information about the openssl-dev
mailing list