[openssl-users] Doubt regarding O-SSL and setting the duration of certificates

Michael Richardson mcr at sandelman.ca
Wed Sep 13 13:31:51 UTC 2017 

Robert Moskowitz <rgm at htt-consult.com> wrote:
    > The devices never test out the lifetime of their certs. That is up to

Exactly...
(Do you think about the MacGyver/StarTrek/A-Team/Leverage/MissionImpossible
plot line that goes along with each engineering decision?...)

    > validating servers. And the iDevID is not really intended for operational
    > use. Rather it is the security bootstrap for the lDevID. See the work being
    > done in the ANIMA workgroup as an example of what to do with this. Michael
    > Richardson, who recently joined this list is working on the related Internet
    > Draft(s).

    > I should test out a cert beyond 2038 on my armv7 32 bit Cubieboard. Will try
    > that tomorrow....

    > I HAVE made certs with this value and I am displaying their content. But that
    > system is off right now. I will get one of the samples also tomorrow.

    > And yes, the industry does need to think some about this...

I suspect that the value: literal value 99991231235959Z will simply come to
mean "the end of time", even after the year 10,000.  It has a well known
DER encoding, and one can memcmp() it.
Perhaps we will define an OID which means "no expiry", and start including
that.  I don't think the expiry date is an optional part.

I will also have example vouchers, voucher requests and ECDSA ("prime256v1")
certs with known private keys (so you can replicate my work) for the ANIMA
BRSKI document, perhaps next week.  I'd rather publish Curve25519/EdDSA
examples, but it's too bleeding edge for the moment.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170913/824c0785/attachment.sig>

More information about the openssl-users mailing list