[openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled
David Woodhouse
dwmw2 at infradead.org
Wed Jul 22 15:09:48 UTC 2015
On Wed, 2015-07-22 at 14:58 +0000, Victor Wagner via RT wrote:
> Isn't it better to check if certificate was valid at the time of
> signing?
Is there a benefit to that which would make it worth the additional
complexity?
> Typically compiler somehow puts compilation timestamp into compiled
> binaries. So, I think, this time should be used as argument to
> X509_VERIFY_PARAM_set_time instead of wall clock time.
For the UEFI build we try to avoid all non-repeatable things like that
being included in the binaries. I'm still worrying about how to
approach the patch at the end of the list¹ which removes all those
instances of __FILE__ and __LINE__... I have a vague recollection of
there being a discussion on this list about that, fairly recently, and
I need to go back and find it.
> Or, may be there is something like CMS signing attributes with
> signing time.
Did I not send the patch which fixes the OPENSSL_NO_CMS build yet? :)
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation
¹ http://git.infradead.org/users/dwmw2/openssl.git/commitdiff/b599f07d
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150722/07c5f405/attachment.bin>
More information about the openssl-dev
mailing list