[openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled
David Woodhouse via RT
rt at openssl.org
Wed Jul 22 21:01:10 UTC 2015
On Wed, 2015-07-22 at 22:40 +0200, Kurt Roeckx wrote:
> On Wed, Jul 22, 2015 at 04:36:27PM +0100, David Woodhouse wrote:
> > On Wed, 2015-07-22 at 14:52 +0000, Tim Hollebeek wrote:
> > > The way this is supposed to work is by using a timestamp from a
> > > trusted timestamp server to show the certificate was valid at the
> > >
> > > time the code was signed.
> >
> > That would be great. Unfortunately, if the UEFI firmware were
> > suddenly
> > to start insisting upon that then a lot of operating systems would
> > no
> > longer boot.
>
> Which operating systems would that be? As far as I know Windows 7
> required this if you wanted to have your drivers stay valid for
> longer than 2 years and Windows 10 just always requires it. So I
> would hope that they actually do this for all of their own
> software.
Perhaps they do, although the UEFI bootloader they use is a somewhat
different beast.
But there are plenty of other OS bootloeders which are signed for
so-called "secure boot", other than Microsoft's. And I would be utterly
shocked if they all have trusted timestamps, given that the UEFI
firmware in all current machines does not require such.
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150722/e1a9f589/attachment-0001.bin>
More information about the openssl-dev
mailing list