[openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

David Woodhouse dwmw2 at infradead.org
Wed Jul 22 21:34:53 UTC 2015


On Wed, 2015-07-22 at 23:29 +0200, Kurt Roeckx wrote:
> On Wed, Jul 22, 2015 at 09:56:24PM +0100, David Woodhouse wrote:
> > 
> > The more I look at this 'signed timestamp' scheme, the more pointless
> > it seems in this situation. We basically don't *care* about the
> > wall-clock time, *and* we don't really know it. If we're going to trust
> > anyone to say "  was the time at which the signature was
> > generated", then we might as well forget the whole nonsense about an
> > expiry time and just trust that same third party to provide a
> > signature... or not.
> 
> The whole point of this signed timestamp is that the signature
> doesn't expire and that you don't have to care about the wall
> clock.

... which is much more simply achieved by just not caring about the
validity times of the certificate in the first place.

-- 
dwmw2