[openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled
David Woodhouse via RT
rt at openssl.org
Wed Jul 22 15:36:40 UTC 2015
On Wed, 2015-07-22 at 14:52 +0000, Tim Hollebeek wrote:
> The way this is supposed to work is by using a timestamp from a
> trusted timestamp server to show the certificate was valid at the
> time the code was signed.
That would be great. Unfortunately, if the UEFI firmware were suddenly
to start insisting upon that then a lot of operating systems would no
longer boot.
I don't think it's practical to add this requirement for secure boot at
this stage; the UEFI firmware will probably continue to just disable
the time check — even if it's a local patch as it is at the moment.
But I'm *trying* to eliminate those local patches, to make it easier to
keep OpenSSL up to date. It occurs to me that UEFI firmware might be
the *largest* deployment of OpenSSL, so it's unfortunate that the
patches it needs are out-of-tree :)
FWIW the Linux kernel also specifically avoids checking timestamps
altogether when validating signed modules.
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150722/cdd3ed9c/attachment.bin>
More information about the openssl-dev
mailing list