[openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

Kurt Roeckx kurt at roeckx.be
Wed Jul 22 21:29:14 UTC 2015


On Wed, Jul 22, 2015 at 09:56:24PM +0100, David Woodhouse wrote:
> 
> The more I look at this 'signed timestamp' scheme, the more pointless
> it seems in this situation. We basically don't *care* about the
> wall-clock time, *and* we don't really know it. If we're going to trust
> anyone to say "<THIS> was the time at which the signature was
> generated", then we might as well forget the whole nonsense about an
> expiry time and just trust that same third party to provide a
> signature... or not.

The whole point of this signed timestamp is that the signature
doesn't expire and that you don't have to care about the wall
clock.


Kurt


