[openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

Alexander Gostrer agostrer at gmail.com
Wed Jul 22 22:02:26 UTC 2015


Maybe it is time to introduce the 64-bit UNIX time? Anything else looks
like a patch.

Regards,
Alex.

On Wed, Jul 22, 2015 at 2:34 PM, David Woodhouse <dwmw2 at infradead.org>
wrote:

> On Wed, 2015-07-22 at 23:29 +0200, Kurt Roeckx wrote:
> > On Wed, Jul 22, 2015 at 09:56:24PM +0100, David Woodhouse wrote:
> > >
> > > The more I look at this 'signed timestamp' scheme, the more pointless
> > > > it seems in this situation. We basically don't *care* about the
> > > > wall-clock time, *and* we don't really know it. If we're going to trust
> > > anyone to say "  was the time at which the signature was
> > > generated", then we might as well forget the whole nonsense about an
> > > expiry time and just trust that same third party to provide a
> > > signature... or not.
> >
> > The whole point of this signed timestamp is that the signature
> > doesn't expire and that you don't have to care about the wall
> > clock.
>
> ... which is much more simply achieved by just not caring about the
> validity times of the certificate in the first place.
>
> --
> dwmw2