[openssl-users] Doubt regarding O-SSL and setting the duration of certificates

Robert Moskowitz rgm at htt-consult.com
Tue Sep 12 15:57:41 UTC 2017


IEEE 802.1ARce (latest draft addendum) specifies:

8.7 validity

The time period over which the DevID issuer expects the device to be used.

All times are stated in the Universal Coordinated Time (UTC) time zone. Times up to and including 23:59:59 December 31, 2049 UTC are encoded as UTCTime as YYMMDDHHmmssZ. Times later than 23:59:59 December 31, 2049 UTC are encoded as GeneralizedTime as YYYYMMDDHHmmssZ.

The time the DevID is created is encoded in the notBefore field of DevID certificates. Each DevID chain certificate has a notBefore value that encodes a time that is the same as or prior to that of any DevID certificate that relies on the chain for certificate validation.

The latest time a DevID is expected to be used is encoded in the notAfter field of the DevID certificate. Each DevID chain certificate has a notBefore value that encodes a time that is the same as or later than that of any DevID certificate that relies on the chain for certificate validation.

Devices possessing an IDevID are expected to operate indefinitely into the future and should use the GeneralizedTime value 99991231235959Z (10) in the notAfter field of IDevID certificates. Solutions verifying a DevID are expected to accept this value indefinitely. Values in notAfter fields are treated as specified in RFC 5280.

Footnote: (10)
This value corresponds to one second before the year 10 000; note the creation of an opportunity for the Y10K bug fix industry.

=====================

It is really rare to find humor in IEEE specifications!

Bob

On 09/12/2017 11:39 AM, Alejandro Pulido wrote:
>
> Hello!
>
>
> Thanks for the response.
>
> I was thinking of setting the duration of the certificate to infinite,
>
> i.e. the Validity period set to infinite.
>
> Because in the information I have, the only possibility is to set the 
> duration (in days) with the command, but the command doesn't allow 
> any value other than an integer.
>
>
> Thanks again
>
>
>
> */Alejandro J Pulido Duque/*
> ------------------------------------------------------------------------
> *From:* Robert Moskowitz <rgm at htt-consult.com>
> *Sent:* Tuesday, September 12, 2017 14:30:20
> *To:* openssl-users at openssl.org; Alejandro Pulido
> *Subject:* Re: [openssl-users] Doubt regarding O-SSL and setting the 
> duration of certificates
> Depends on the question....
>
> 'Infinite' duration is used in IEEE 802.1AR Device Identities. The 
> concept is the vendor installs the certificate in read-only memory.  
> It is expected to be good for the life of the device.
>
> On 09/11/2017 05:32 AM, Alejandro Pulido wrote:
>> Dear team of OpenSSL,
>> First of all, congratulations for your invaluable work!
>> I have a question regarding the issue of certificates X.509 with 
>> infinite duration and I don't know where to submit it.
>> Please, could you help me?
>> Thank you very much and kind regards
>>
>>
>>
>> */Alejandro J Pulido Duque/*
>>
>>
>
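
The encoding rule quoted from 802.1ARce section 8.7 above, as an added example that is not part of the original thread and is not OpenSSL code: it DER-encodes a validity time as UTCTime through 2049 and as GeneralizedTime afterwards, decodes either form, and recognises the 99991231235959Z "no expiry" value. The function names are hypothetical, and the 1950 lower bound for UTCTime is an assumption taken from RFC 5280's two-digit-year interpretation.

```python
from datetime import datetime, timezone

UTCTIME_TAG = 0x17          # ASN.1 UTCTime, YYMMDDHHMMSSZ
GENERALIZEDTIME_TAG = 0x18  # ASN.1 GeneralizedTime, YYYYMMDDHHMMSSZ
# The notAfter value 802.1AR recommends for IDevID certificates.
NO_EXPIRY = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)


def encode_validity_time(when: datetime) -> bytes:
    """DER-encode a notBefore/notAfter time using the 2049/2050 cutoff."""
    if when.tzinfo is None:
        raise ValueError("validity times must be timezone-aware")
    when = when.astimezone(timezone.utc)
    if 1950 <= when.year <= 2049:
        tag, text = UTCTIME_TAG, f"{when.year % 100:02d}"
    else:
        tag, text = GENERALIZEDTIME_TAG, f"{when.year:04d}"
    text += (f"{when.month:02d}{when.day:02d}"
             f"{when.hour:02d}{when.minute:02d}{when.second:02d}Z")
    body = text.encode("ascii")
    return bytes([tag, len(body)]) + body  # body < 128 bytes: short-form length


def decode_validity_time(der: bytes) -> datetime:
    """Parse a DER UTCTime or GeneralizedTime element back to a UTC datetime."""
    if len(der) < 2 or der[1] != len(der) - 2 or not der.endswith(b"Z"):
        raise ValueError("malformed Time element")
    tag, digits = der[0], der[2:-1].decode("ascii")
    if not digits.isdigit():
        raise ValueError("non-digit characters in time value")
    if tag == UTCTIME_TAG and len(digits) == 12:
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy  # RFC 5280 pivot year
        rest = digits[2:]
    elif tag == GENERALIZEDTIME_TAG and len(digits) == 14:
        year, rest = int(digits[:4]), digits[4:]
    else:
        raise ValueError("unexpected tag or length for a validity time")
    mo, d, h, mi, s = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)


def never_expires(der: bytes) -> bool:
    """True when a notAfter element carries the 802.1AR 'indefinite' value."""
    return decode_validity_time(der) == NO_EXPIRY


if __name__ == "__main__":
    print(encode_validity_time(NO_EXPIRY).hex())
```

A verifier that stores expiry as a 32-bit Unix timestamp cannot represent the year 9999, so the decoded value should be compared as a calendar time as done here.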
